mailing list archives
Re: BackOrifice service probe
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Thu, 21 Apr 2011 02:30:40 +0200
Oh, I'm sorry I misunderstood, I thought that you wanted a description
of the byte instead of the value itself. Here you go, the complete
decrypted hex dump in the attachment (so the mail client doesn't cut
the alignment). The type byte contains \x01 which is the code for the
BackOrifice PING command.
On Wed, Apr 20, 2011 at 8:52 AM, David Fifield <david () bamsoftware com> wrote:
On Wed, Apr 20, 2011 at 01:46:03AM +0200, Gorjan Petrovski wrote:
Thanks for the reply.
Thank you Gorjan, I have added this new probe.
The match line skips 9 bytes. The first four bytes are a length and the
next four are an ID. The ninth is an operation type--shouldn't we
include that as part of the match? What is that byte in the response
that your server sends?
The usage of that byte when a command is sent from the client is to
specify command type (ex. ping, process kill, process list, etc).
According to the client source, when a packet is sent from the server
as a reply, the type is only used to define whether the packet is a
single packet or a stream of multiple packets. The probe sends a
PING_TYPE packet, and the reply is nothing else but a single packet.
However, since I have no access to the server source code I cannot
reliably say whether the type that the server returns isn't combined
with some other info, so I chose not to rely on it for identification.
Okay, but in my opinion the byte should be used for matching, or at
least be documented. So what is it? Can you send me the hex of a server
reply with all of the bytes?
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/