Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: BackOrifice service probe
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Wed, 20 Apr 2011 01:46:03 +0200


Thanks for the reply.

Thank you Gorjan, I have added this new probe.

The match line skips 9 bytes. The first four bytes are a length and the
next four are an ID. The ninth is an operation type--shouldn't we
include that as part of the match? What is that byte in the response
that your server sends?

The usage of that byte when a command is sent from the client is to
specify command type (ex. ping, process kill, process list, etc).
According to the client source, when a packet is sent from the server
as a reply, the type is only used to define whether the packet is a
single packet or a stream of multiple packets. The probe sends a
PING_TYPE packet, and the reply is nothing else but a single packet.
However, since I have no access to the server source code I cannot
reliably say whether the type that the server returns isn't combined
with some other info, so I chose not to rely on it for identification.

If you have a good script, then we can replace this service probe with

I'll have the script soon.

Gorjan Petrovski
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]