On Wed, Sep 24, 2003 at 02:13:20PM -0500, Crow, Owen wrote:
> I assume that's what this patch is for:
> Second, I'm hoping to understand the why's. Before this patch,
> radmin_detect would attempt to find a known backdoor (radmin) on any unknown
> service (from find_service.nes?), right? So we have limited the
> effectiveness of this script unless I can provide legitimate traffic so you
> can identify snmpdm, right? I.e., the script won't be able to detect the
> radmin backdoor if the attacker starts it on another port.
Yes, you are right - enabling safe checks will limit the effectiveness
of the script. However, radmin is not a backdoor but an administration
service.
Even if we can identify snmpdm, I think I'll continue to have this
script castrated when running in safe checks, as I have had at least one
report of another service crashing because of it (binary protocol
negotiation tends to break a lot of things).
Once again, we're facing a balance of intrusiveness vs. accuracy of the
scanners; that's the way it goes.
-- Renaud