Nmap Development mailing list archives
Re: Some scripts for analyzing NetBus
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Sun, 16 Jan 2011 10:11:19 +0200
It is not a typo. The netbus-version script checks whether or not the service responds to a netbus authentication message. Thus if the service has already been detected as a netbus service and it does not respond to an authentication attempt, we know that it is not the official service, and mark it as a Netbuster service. However, we cannot reason much about some non-netbus service running on port 12345 that does not respond to netbus authentication.

There are other differing characteristics as well, such as the connection limit. A regular netbus server can handle more than one connection, but Netbuster can only handle one. So trying to send commands over multiple connections may be used to detect Netbuster. I wrote another version script that does this test, but scanning for the connection limit is a bit complex, and I am not sure how reliable it is in various cases. At some point it might make sense to write a connection limit detection library, and use that to enhance version script results. As for now I decided to go with the simpler script that seems to work correctly.

On Sun, Jan 16, 2011 at 6:56 AM, David Fifield <david () bamsoftware com> wrote:
> On Sat, Jan 15, 2011 at 05:37:53PM +0200, Toni Ruottu wrote:
> > To this mail, I have attached a patch that should fix all the netbus script problems that have been pointed out. I noticed that sometimes dns-zone-transfer.nse breaks the session. As we know now NetBus sessions are very fragile. Running any other scripts that operate on the same port simultaneously is very likely to break the server. I did not include a fix for this problem in the patch as I was not sure what to do. Should we have all scripts that match port 12345 depend on all netbus scripts? I also did not change any categories, as the question is still open.
> >
> > -portrule = shortport.version_port_or_service (12345, "netbus", {"tcp"}) +portrule = shortport.version_port_or_service ({}, "netbus", {"tcp"})
>
> Is this a typo, Toni?
>
> David Fifield
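Review bot: The empty table `{}` that replaces `12345` in the `+portrule` line reads like a mistake on its own, and it was queried as a typo in this thread. Add a comment above the portrule stating that the port match is dropped on purpose, so the script runs only against a service already identified as netbus and never labels an unidentified service on port 12345 as Netbuster merely because it stayed silent.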
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
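The connection-limit check mentioned in the reply above can be sketched as follows. This is an added example in Python, not the version script referred to in the message and not Nmap code. It assumes the service sends some data as soon as a connection is serviced; `start_server`, `serviced_connections` and the banner are hypothetical names and constructed test data.

```python
import socket
import threading

BANNER = b"HELLO\r"  # constructed banner, not a real NetBus message

def start_server(single_connection):
    """Constructed loopback server; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def handle(conn):
        try:
            conn.sendall(BANNER)
            while conn.recv(64):   # hold the session until the peer closes
                pass
        except OSError:
            pass
        finally:
            conn.close()

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            if single_connection:
                handle(conn)       # next client waits in the backlog
            else:
                threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def serviced_connections(host, port, attempts=3, timeout=0.5):
    """Hold `attempts` connections open at once; count those that get data."""
    socks, answered = [], 0
    try:
        for _ in range(attempts):
            try:
                socks.append(socket.create_connection((host, port), timeout=timeout))
            except OSError:
                pass               # refused or timed out: not serviced
        for s in socks:
            try:
                if s.recv(64):
                    answered += 1
            except OSError:
                pass               # no data within the timeout
    finally:
        for s in socks:
            s.close()
    return answered
```

A result of 1 points to a single-session server, but a server that is merely slow to answer within the timeout produces the same count, which is one reason such a probe can be unreliable.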