Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: BackOrifice service probe
From: David Fifield <david () bamsoftware com>
Date: Tue, 19 Apr 2011 23:52:54 -0700

On Wed, Apr 20, 2011 at 01:46:03AM +0200, Gorjan Petrovski wrote:

Thanks for the reply.

Thank you Gorjan, I have added this new probe.

The match line skips 9 bytes. The first four bytes are a length and the
next four are an ID. The ninth is an operation type--shouldn't we
include that as part of the match? What is that byte in the response
that your server sends?

The usage of that byte when a command is sent from the client is to
specify command type (ex. ping, process kill, process list, etc).
According to the client source, when a packet is sent from the server
as a reply, the type is only used to define whether the packet is a
single packet or a stream of multiple packets. The probe sends a
PING_TYPE packet, and the reply is nothing else but a single packet.
However, since I have no access to the server source code I cannot
reliably say whether the type that the server returns isn't combined
with some other info, so I chose not to rely on it for identification.

Okay, but in my opinion the byte should be used for matching, or at
least be documented. So what is it? Can you send me the hex of a server
reply with all of the bytes?

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]