From eac495e3ad8d72c2c116fc2ca5fe0f1b64b338a9 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Thu, 30 Nov 2017 04:20:24 +0000
Subject: [PATCH] New payload, probe, and matchline for Apple Remote Desktop

---
 nmap-payloads | 3 +++
 nmap-service-probes | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/nmap-payloads b/nmap-payloads
index b7f01bddf..ae67d76f8 100644
--- a/nmap-payloads
+++ b/nmap-payloads
@@ -215,6 +215,9 @@ udp 2049
 # (relevant files: games.ini, packets.ini, freelancer.php)
 udp 2302 "\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x68\xe4\x8d\x21"
 
+# Apple Remote Desktop (ARD)
+udp 3283 "\0\x14\0\x01\x03"
+
 # Sun Service Tag Discovery protocol (stdiscover)
 # http://arc.opensolaris.org/caselog/PSARC/2006/638/stdiscover_protocolv2.pdf
 # Would work better with a varying cookie; the second and later sends of this
diff --git a/nmap-service-probes b/nmap-service-probes
index 12da15a30..34b3d85be 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -15896,3 +15896,12 @@ Probe TCP LibreOfficeImpressSCPair q|LO_SERVER_CLIENT_PAIR\nNmap\n0000\n\n|
 rarity 9
 ports 1599
 match impress-remote m|^LO_SERVER_VALIDATING_PIN\n$| p/LibreOffice Impress remote/ cpe:/a:libreoffice:libreoffice/
+
+##############################NEXT PROBE##############################
+# Apple Remote Desktop
+Probe UDP ARD q|\0\x14\0\x01\x03|
+rarity 8
+ports 3283
+
+# Need to figure out how this differs from some other versions
+match netassistant m/\0\x01\x03\xea\x001\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0[^\0]([^\0]+)\0/s p/Apple Remote Desktop/ i/name: $P(1)/
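Review bot: The new `udp 3283` entry in nmap-payloads gives no hint of where its five bytes come from, or that they are repeated verbatim as `Probe UDP ARD` in nmap-service-probes, so a later change to one file can silently leave the other behind. I would extend the comment to something like `# Apple Remote Desktop (ARD); same bytes as Probe UDP ARD in nmap-service-probes` and add a reference for the packet format if one exists, as the stdiscover entry just below does. As a style point, the `udp 2302` entry above spells NUL as `\x00` while this one uses `\0`; keeping one spelling throughout makes the file easier to search.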
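Review bot: The `match netassistant` pattern has no `^` anchor, unlike the `match impress-remote` line directly above it, so it can match at any offset in a reply to this probe rather than only at the start of the packet. The pattern opens with the same `\0\x01\x03` that ends the probe string, so presumably some leading bytes of the reply vary. If they do not, insert `^` right after the opening `m/`; if they do, replace the open-ended "Need to figure out" remark with a comment naming which bytes are skipped and why. The long fixed runs of `\0` with `\x01` and `\x12` at hard-coded offsets will only match the one build that was sampled, so recording that version in the comment would help whoever loosens the pattern later. The line also carries no `cpe:` field, which the neighbouring match does.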