mailing list archives
Re: BackOrifice service probe
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Wed, 20 Apr 2011 01:46:03 +0200
Thanks for the reply.
> Thank you Gorjan, I have added this new probe.
> The match line skips 9 bytes. The first four bytes are a length and the
> next four are an ID. The ninth is an operation type--shouldn't we
> include that as part of the match? What is that byte in the response
> that your server sends?
The usage of that byte when a command is sent from the client is to
specify the command type (e.g. ping, process kill, process list, etc.).
According to the client source, when a packet is sent from the server
as a reply, the type is only used to define whether the packet is a
single packet or a stream of multiple packets. The probe sends a
PING_TYPE packet, and the reply is nothing else but a single packet.
However, since I have no access to the server source code I cannot
reliably say whether the type that the server returns isn't combined
with some other info, so I chose not to rely on it for identification.
> If you have a good script, then we can replace this service probe with
I'll have the script soon.
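The two matching strategies discussed above, as an added illustration that is not code from the thread, from Nmap, or from the Back Orifice sources: a 9-byte header (4-byte length, 4-byte ID, 1-byte type, as the thread states) is parsed, then one matcher skips those 9 bytes the way the probe's match line does, while a stricter matcher also pins the type byte. Little-endian field order, a length field that counts the whole packet, and the `!PONG!` body text are all assumptions made here for the demonstration; the real match string lives in nmap-service-probes and is not reproduced on this page, and any other framing the real protocol applies is out of scope.

```python
import re
import struct

# Header layout as described in the thread: 4-byte length, 4-byte ID, 1-byte type.
# Little-endian is an assumption (the server is a Win32 program).
HEADER = struct.Struct('<IIB')
HEADER_LEN = HEADER.size  # 9

# Hypothetical fingerprint text for the constructed sample replies; the real
# match string is in nmap-service-probes, not on this page.
FINGERPRINT = rb'!PONG!'

# Loose matcher, mirroring the probe's match line: skip the 9 header bytes and
# inspect only the body, so whatever the server puts in the type byte never
# affects identification. DOTALL lets '.' consume any byte value.
LOOSE_MATCH = re.compile(rb'^.{9}' + re.escape(FINGERPRINT), re.DOTALL)


def build_packet(pkt_id, pkt_type, body):
    """Constructed reply: header + body. The length field is assumed here to
    count the whole packet including the header."""
    return HEADER.pack(HEADER_LEN + len(body), pkt_id, pkt_type) + body


def parse_header(packet):
    """Split a packet into its header fields and the remaining body."""
    if len(packet) < HEADER_LEN:
        raise ValueError('packet shorter than the 9-byte header')
    length, pkt_id, pkt_type = HEADER.unpack_from(packet)
    return {'length': length, 'id': pkt_id, 'type': pkt_type,
            'body': packet[HEADER_LEN:]}


def length_consistent(packet):
    """Sanity check on the first field (under the whole-packet assumption)."""
    return parse_header(packet)['length'] == len(packet)


def matches_loose(packet):
    """Identification that ignores the type byte, like the probe's match line."""
    return LOOSE_MATCH.match(packet) is not None


def matches_strict(packet, expected_type):
    """Identification that also requires a specific type byte. This is what the
    thread decided against, because the meaning of the byte in server replies
    (single packet vs. stream, possibly combined with other info) is not known
    without the server source."""
    header = parse_header(packet)
    return header['type'] == expected_type and header['body'].startswith(FINGERPRINT)


if __name__ == '__main__':
    # Two constructed replies that differ only in the type byte.
    single = build_packet(0x1234, 0x01, b'!PONG!sample-host')
    other = build_packet(0x1234, 0x81, b'!PONG!sample-host')
    for pkt in (single, other):
        print(parse_header(pkt)['type'], matches_loose(pkt), matches_strict(pkt, 0x01))
```

Running the block prints one line per constructed reply: the loose matcher accepts both, the strict one accepts only the reply whose type byte equals the expected value, which is exactly the fragility the thread avoided by skipping the byte.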
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/