Nmap Development mailing list archives

Trend Micro OfficeScan service fingerprint


From: Tom Sellers <nmap () fadedcode net>
Date: Fri, 28 Dec 2007 18:39:29 -0600

While working on some problems with Trend Micro's OfficeScan
antivirus I realized that I had never seen the associated
client network port identified by Nmap.  I saw that there are
two entries in nmap-service-probes but these did not seem
to work in my environment.  After some testing I found the
following:

1.  Random data and commands submitted to the port would eventually
     time out between 3 and 5 seconds after the last data.

2.  When it does time out it generates an HTTP 400 error.

It turns out that the problems that caused me to start looking
at the service originally are related to the fact that it
takes so long to timeout in response to invalid data.  I am
guessing that this is also the reason that nmap has not been
identifying the service.  I would imagine that 3 seconds
for each fingerprint probe adds up and the fingerprinting
process hits a timeout.

To address this I performed some packet captures and testing
and came up with the following.

1.  GET /?CAVIT HTTP/1.1 is a valid request and **returns
     immediately**.

2.  The result is an HTTP 200 response.

        HTTP/1.0 200 OK
        Server: OfficeScan Client
        Date: Fri, 28 Dec 2007 13:36:56 GMT
        Content-Type: text/html
        Accept-Ranges: bytes
        Content-Length: 410

        <snip data>

3.  OfficeScan client version 7 and below are on port 12345.
     Version 8 is on a random port.


The following nmap-service-probes entries successfully detected
OfficeScan 7.3 and 8 on every host I tested it against:

Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|
match http m|^HTTP/1.0 200 OK\r\nServer: OfficeScan Client| p/Trend Micro OfficeScan Antivirus http config/

They should work against OfficeScan 6.x as well.

The p/ / strings were taken from the existing nmap-service-probes
file entries.

I think these should be added and the two existing lines (685 and
2984) should be removed.  The entries above should be added as early
as possible in the fingerprinting process in order to save time.


What do you folks think?

Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
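As an added example (not code from the post or from Nmap itself), the following Python reads the Probe and match lines from the post, decodes the C-style escapes in the q|...| payload, and applies the match regex to a response constructed from the headers quoted above; it assumes the single-character-delimiter, no-flags subset of the nmap-service-probes grammar.

```python
import codecs
import re

# Added example, not code from the post or from Nmap: a reader for the
# Probe/match subset of nmap-service-probes used in the post (assumes a
# single-character delimiter and no flags after the m|...| pattern).

PROBE_LINE = r"Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|"
MATCH_LINE = (r"match http m|^HTTP/1.0 200 OK\r\nServer: OfficeScan Client|"
              r" p/Trend Micro OfficeScan Antivirus http config/")

# Constructed response, modelled on the headers quoted in the post.
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
                   b"Server: OfficeScan Client\r\n"
                   b"Date: Fri, 28 Dec 2007 13:36:56 GMT\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Accept-Ranges: bytes\r\n"
                   b"Content-Length: 410\r\n\r\n<html>...</html>")


def unescape(text):
    """Decode the C-style escapes (\\r, \\n, \\xHH) nmap allows inside q|...|."""
    return codecs.decode(text.encode("latin-1"), "unicode_escape").encode("latin-1")


def parse_probe(line):
    """Return (protocol, probe name, raw bytes to send) for a 'Probe' line."""
    m = re.match(r"Probe (TCP|UDP) (\S+) q(.)(.*)\3\s*$", line)
    if not m:
        raise ValueError("not a Probe line: %r" % line)
    return m.group(1), m.group(2), unescape(m.group(4))


def parse_match(line):
    """Return (service, compiled bytes regex, product) for a 'match' line."""
    m = re.match(r"match (\S+) m(.)(.*?)\2(?:\s+(.*))?$", line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    fields = m.group(4) or ""
    product = re.search(r"p/([^/]*)/", fields)
    # nmap patterns are PCRE; Python's re handles the \r\n escapes used here.
    regex = re.compile(m.group(3).encode("latin-1"))
    return m.group(1), regex, (product.group(1) if product else None)


def fingerprint(match_line, response):
    """Apply one match line to a captured response; (service, product) or None."""
    service, regex, product = parse_match(match_line)
    return (service, product) if regex.search(response) else None
```

Running `fingerprint(MATCH_LINE, SAMPLE_RESPONSE)` on the constructed 200 response yields the product string, while a 400 response (the timeout case the post describes) yields no match.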