Nmap Development mailing list archives

Re: Some scripts for analyzing NetBus

From: Toni Ruottu <toni.ruottu () iki fi>
Date: Sun, 16 Jan 2011 10:11:19 +0200

It is not a typo. The netbus-version script checks whether or not the
service responds to a netbus authentication message. Thus if the
service has already been detected as a netbus service and it does not
respond to authentication attempt, we know that it is not the official
service, and mark it as a Netbuster service. However we can not reason
much about some non-netbus service running on port 12345 that does not
respond to netbus authentication.

There are other differing characteristics as well, such as the
connection limit. A regular netbus server can handle more than one
connections, but Netbuster can only handle one. So trying to send
commands over multiple connections may be used to detect Netbuster. I
wrote another version script that does this test, but scanning for
connection limit is a bit complex, and I am not sure how reliable it
is in various cases. At some point it might make sense to write a
connection limit detection library, and use that to enhance version
script results. As for now I decided to go with the simpler script
that seems to work correctly.

On Sun, Jan 16, 2011 at 6:56 AM, David Fifield <david () bamsoftware com> wrote:

On Sat, Jan 15, 2011 at 05:37:53PM +0200, Toni Ruottu wrote:

To this mail, I have attached a patch that should fix all the netbus
script problems that have been pointed out. I noticed that sometimes
dns-zone-transfer.nse breaks the session. As we know now NetBus
sessions are very fragile. Running any other scripts that operate on
the same port simultaneously is very likely to break the server. I did
not include a fix for this problem in the patch as I was not sure what
to do. Should we have all scripts that match port 12345 depend on all
netbus scripts? I also did not change any categories, as the question
is still open.

-portrule = shortport.version_port_or_service (12345, "netbus", {"tcp"})
+portrule = shortport.version_port_or_service ({}, "netbus", {"tcp"})


Is this a typo, Toni?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: Some scripts for analyzing NetBus Fyodor (Jan 14)
- Re: Some scripts for analyzing NetBus Toni Ruottu (Jan 14)
  - Re: Some scripts for analyzing NetBus David Fifield (Jan 14)
- Re: Some scripts for analyzing NetBus Toni Ruottu (Jan 15)
  - Re: Some scripts for analyzing NetBus Fyodor (Jan 15)
    - Re: Some scripts for analyzing NetBus Toni Ruottu (Jan 16)
  - Re: Some scripts for analyzing NetBus David Fifield (Jan 15)
    - Re: Some scripts for analyzing NetBus Toni Ruottu (Jan 16)
    - Re: Some scripts for analyzing NetBus David Fifield (Jan 18)
- <Possible follow-ups>
- Re: Some scripts for analyzing NetBus Toni Ruottu (Jan 15)