
Finfisher-Nmap

By: a guest on Jul 27th, 2012  |  syntax: None  |  size: 0.73 KB  |  hits: 271  |  expires: Never
Considering the network pattern described on http://pastebin.com/emK1Vt5g, it is possible to enable nmap to detect FinFisher C&C machines:

vim /usr/share/nmap/nmap-service-probes

It basically amounts to adding these ports to the HTTP probe's ports list:
- 22
- 53
- 4111

And adding this signature (a match entry must stay on a single line in the probes file):
match http m|^HTTP/1\.1 200 OK.*Hallo Steffi$|s p/FinFisher Governmental Monitoring Trojan C&C Server/

The result is as follows:
Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-27 11:29 MSK
Interesting ports on static.ip.77.69.140.194.batelco.com.bh (77.69.140.194):
PORT     STATE SERVICE VERSION
4111/tcp open  http    FinFisher Governmental Monitoring Trojan C&C Server

The nmap-service-probes format is at http://nmap.org/book/vscan-fileformat.html
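As an added example (not part of the paste and not nmap's own code), here is a small Python parser for the match directive used above, run against two constructed HTTP responses to show which one the FinFisher signature classifies; the banner contents are made up for illustration and only the fields the paste uses (service, regex, flags, p/.../) are handled.

```python
import re

# The signature from the paste, joined onto one line as the probes file requires.
MATCH_LINE = (
    r"match http m|^HTTP/1\.1 200 OK.*Hallo Steffi$|s "
    r"p/FinFisher Governmental Monitoring Trojan C&C Server/"
)

# "match <service> m<delim>regex<delim>[flags] <rest>" with any delimiter char.
MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([a-z]*)(.*)$")

# Perl-style flags used by nmap-service-probes mapped to Python's re flags.
FLAG_MAP = {"s": re.DOTALL, "i": re.IGNORECASE}


def parse_match_line(line):
    """Parse a match line into its service, compiled regex and product string."""
    m = MATCH_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, regex, flag_str, rest = m.groups()
    flags = 0
    for f in flag_str:
        if f not in FLAG_MAP:
            raise ValueError("unsupported regex flag: %r" % f)
        flags |= FLAG_MAP[f]
    prod = re.search(r"p/([^/]*)/", rest)
    return {
        "service": service,
        "regex": re.compile(regex.encode(), flags),  # banners are bytes
        "product": prod.group(1) if prod else None,
    }


def classify_banner(banner, sig):
    """Return the product string if the response matches the signature, else None."""
    return sig["product"] if sig["regex"].search(banner) else None


SIG = parse_match_line(MATCH_LINE)

# Constructed sample responses (not real captures).
FINFISHER_BANNER = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nHallo Steffi"
ORDINARY_BANNER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    for name, banner in (("finfisher", FINFISHER_BANNER), ("ordinary", ORDINARY_BANNER)):
        print(name, "->", classify_banner(banner, SIG))
```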