Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: backorifice-info
From: David Fifield <david () bamsoftware com>
Date: Wed, 20 Apr 2011 00:48:21 -0700

On Wed, Apr 20, 2011 at 04:41:15AM +0200, Gorjan Petrovski wrote:

Thanks for the reply, the script is now much more readable :-)
You will find the updated script attached to this mail and comments
below the quoted reply.

I've looked into writing a backorifice-brute script, which would
actually initiate the backorifice-info script by identifying the
service. The thing is that backorifice-brute would not search for the
password to the service, instead it would search for the initial seed.
This is because of the encryption algorithm: First, an initial seed is
generated from the password and every next seed is generated from the
initial seed and has no other correlation to the password. So in order
to break the encryption, only an initial seed is necessary. The set of
values for an initial seed is much smaller than the set of values for
a password. That is why backorifice-brute will search for an inital
seed and pass that to backorifice-info. I've modified backorifice-info
to work with that initial seed if it has a value even though I haven't
written backorifice-brute yet. You could wait until I write
backorifice-brute, or add it now, it will work either way.

Thanks, Gorjan! I just added your script. Could you make another patch
that causes the script to call nmap.set_port_version to set the service
version and hostname?

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]