Nmap Development mailing list archives
Trend Micro OfficeScan service fingerprint
From: Tom Sellers <nmap () fadedcode net>
Date: Fri, 28 Dec 2007 18:39:29 -0600
While working on some problems with Trend Micro's OfficeScan antivirus I realized that I had never seen the associated client network port identified by Nmap. I saw that there are two entries in nmap-service-probes but these did not seem to work in my environment. After some testing I found the following:

1. Random data and commands submitted to the port would eventually time out between 3 and 5 seconds after the last data.
2. When it does time out it generates an HTTP 400 error.

It turns out that the problems that caused me to start looking at the service originally are related to the fact that it takes so long to time out in response to invalid data. I am guessing that this is also the reason that nmap has not been identifying the service. I would imagine that 3 seconds for each fingerprint probe adds up and the fingerprinting process hits a timeout.

To address this I performed some packet captures and testing and came up with the following.

1. GET /?CAVIT HTTP/1.1 is a valid request and **returns immediately**.
2. The result is an HTTP 200 response.

    HTTP/1.0 200 OK
    Server: OfficeScan Client
    Date: Fri, 28 Dec 2007 13:36:56 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Content-Length: 410
    <snip data>

3. OfficeScan client version 7 and below are on port 12345. Version 8 is on a random port.

The following nmap-service-probes entries successfully detected OfficeScan 7.3 and 8 on every host I tested it against:

    Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|
    match http m|^HTTP/1.0 200 OK\r\nServer: OfficeScan Client| p/Trend Micro OfficeScan Antivirus http config/

They should work against OfficeScan 6.x as well. The p/ / strings were taken from the existing nmap-service-probes file entries. I think these should be added and the two existing lines (685 and 2984) should be removed. The entries above should be added as early as possible in the fingerprinting process in order to save time.

What do you folks think?
Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
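To check that the proposed Probe/match pair fires on the OfficeScan reply and stays silent on the HTTP 400 the service returns after its timeout, here is a small parser for nmap-service-probes style lines. This is an added example, not code from the post or from Nmap; the sample banner and the function names `_field`, `parse_probes` and `identify` are constructed for illustration.

```python
import re

# Constructed sample: the two nmap-service-probes lines proposed in the post.
PROBE_LINES = (
    "Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\\r\\n\\r\\n|\n"
    "match http m|^HTTP/1.0 200 OK\\r\\nServer: OfficeScan Client| "
    "p/Trend Micro OfficeScan Antivirus http config/\n"
)

# Constructed banner modelled on the HTTP 200 reply quoted in the post.
SAMPLE_BANNER = (b"HTTP/1.0 200 OK\r\nServer: OfficeScan Client\r\n"
                 b"Date: Fri, 28 Dec 2007 13:36:56 GMT\r\nContent-Type: text/html\r\n"
                 b"Accept-Ranges: bytes\r\nContent-Length: 410\r\n\r\n")

def _field(text, tag):
    """Split a 'q|body|' / 'm|body|flags' / 'p/body/' field into (body, flags, remainder)."""
    if not text.startswith(tag):
        raise ValueError("expected %r field in %r" % (tag, text))
    delim = text[len(tag)]
    end = text.index(delim, len(tag) + 1)
    rest, flags = text[end + 1:], ""
    while rest and rest[0].isalpha():   # optional regex flags right after the delimiter
        flags, rest = flags + rest[0], rest[1:]
    return text[len(tag) + 1:end], flags, rest.lstrip()

def parse_probes(text):
    """Parse Probe/match lines; probe data uses C-style escapes, match patterns are PCRE-like."""
    probes = []
    for line in text.splitlines():
        if line.startswith("Probe "):
            _, proto, name, rest = line.split(None, 3)
            raw = _field(rest, "q")[0]
            data = raw.encode("latin-1").decode("unicode_escape").encode("latin-1")
            probes.append({"proto": proto, "name": name, "data": data, "matches": []})
        elif line.startswith("match ") and probes:
            _, service, rest = line.split(None, 2)
            pattern, flags, rest = _field(rest, "m")
            product = _field(rest, "p")[0] if rest.startswith("p") else ""
            re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            probes[-1]["matches"].append((service, re.compile(pattern.encode("latin-1"), re_flags), product))
    return probes

def identify(banner, probes):
    """Return (service, product) for the first match line that fires on the banner, else None."""
    for probe in probes:
        for service, regex, product in probe["matches"]:
            if regex.search(banner):
                return service, product
    return None
```

`probes[0]["data"]` is the exact byte string the Probe line would send, so the same parsed entries can drive a local socket check against an OfficeScan client on your own hosts.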