Didier Stevens

Thursday 5 July 2012

Nmap McAfee ePO Agent Script

Filed under: My Software,Networking — Didier Stevens @ 19:13

I’ve worked together with Daniel Miller (@bonsaiviking) on an Nmap version script to identify the McAfee ePO Agent. By default, this agent listens on port 8081 and replies to HTTP requests.

You can find the script here on the nmap site.

PORT      STATE SERVICE VERSION
8081/tcp  open  http    McAfee ePolicy Orchestrator Agent 4.5.0.1852 (ePOServerName: EPOSERVER, AgentGuid: D2E157F4-B917-4D31-BEF0-32074BADF081)
Service Info: Host: TESTSERVER

13 Comments »

  1. Is there any particular reason why you would be looking for ePO? We use ePO where I work and I’m worried now that there might some unadressed vulnerability …
    Thanks
    G.

    Comment by gdvissch — Wednesday 12 September 2012 @ 9:24

  2. @gdvissch Actually, I’m using it to find machines without ePO and which should have ePO.

    Comment by Didier Stevens — Wednesday 12 September 2012 @ 12:38

  3. Thanks for the update Didier as well as for the great articles you publish!
    G.

    Comment by gdvissch — Wednesday 12 September 2012 @ 17:13

  4. […] This new release of Nmap includes the McAfee ePO Agent Script I blogged about. […]

    Pingback by Nmap 6.25 With McAfee ePO Agent Script « Didier Stevens — Friday 30 November 2012 @ 13:04

  5. Cool – But how do you call the script? On the NMAP Script site it says you should run nmap with -sV , shouldn’t you call it with the –script? I’m using NMAP 6.01 in Backtrack 3r and it wont work.

    Comment by Torben Nielsen — Thursday 14 March 2013 @ 10:46

  6. @Torben This is a script for service fingerprinting. When you run nmap with option -sV and tcp port 8081 is open, the script will run.
    I wrote an article if you need more classic scripts that you launch wwith -script: http://www.net-security.org/dl/insecure/INSECURE-Mag-35.pdf

    Comment by Didier Stevens — Thursday 14 March 2013 @ 19:05

  7. Need some help!
    I have linux machines with ePO agent and this nse dont catch the version.
    The return with http://IP:8081 is like “

    2015-03-17 06:44:28 [1438]     [Agent]  [I] Agent will connect to Server in : 7200 seconds" and  more stuff.
    Need to catch the version in the line "[agProps] [I] Setting the properties as :/opt/McAfee/cma : 4.8.0.887 : 4.8.0.887 : 60 : 120 : {4A153E7A-F28C-E411-8BD5-000000000000} : 8081 : 1 : "
    I dont have knowledge with lua.

    Comment by Anonymous — Tuesday 17 March 2015 @ 12:33

  8. What command line options do you use, and what output do you get?

    Comment by Didier Stevens — Tuesday 17 March 2015 @ 16:16

  9. Your script gets the XML content from http://IP:8081. In linux machines the same url dosent return a XML but ony strings like:
    2015-03-23 12:29:10 [25951] [events] [I] Event file name is /opt/McAfee/cma/scratch/AgentDB/Event/mc8558225951g6yQD0.xml
    2015-03-23 12:29:10 [25951] [events] [I] deleting event interface object
    2015-03-23 12:29:10 [25951] [muemsg] [I] Updater session finish state value =4
    2015-03-23 12:29:10 [25951] [Uec] [I] Done processing event information
    2015-03-23 12:29:10 [25951] [Uec] [I] Received ipc data from mue
    2015-03-23 12:29:10 [25951] [Uec] [I] Processing progress information
    2015-03-23 12:29:10 [25951] [muemsg] [I] Update process failed.
    2015-03-23 12:29:10 [25951] [Uec] [I] Done processing progress information
    2015-03-23 12:29:10 [1407] [LpcConnMgr] [I] Processing message queue disconnection request

    So i must search for the string, /opt/McAfee/cma, in the output to catch the proper agentID, version, …
    2015-03-23 14:22:59 [1438] [agProps] [I] Setting the properties as :/opt/McAfee/cma : 4.8.0.887 : 4.8.0.887 : 60 : 120 : {4A153E7A-F28C-E411-8BD5-000000000000} : 8081 : 1 :

    I run the command “nmap -sV -v IP” and got:
    8081/tcp open http McAfee virus scanner http admin

    Comment by Vinicius Lopes — Monday 23 March 2015 @ 17:47

  10. @Vinicius On Linux the ePO agent returns HTML without metadata.

    Comment by Didier Stevens — Monday 23 March 2015 @ 22:18

  11. I know, anyway can you update the script to show the informations in Linux ?

    Comment by Vinicius Lopes — Monday 20 April 2015 @ 14:08

  12. @Vinicius This script is part of nmap (service discovery scripts), I need a reliable way to identify the service.

    Comment by Didier Stevens — Monday 20 April 2015 @ 19:10

  13. Hi,

    Has anyone tried the script in agent version 4.8?

    Comment by Gunter — Friday 15 May 2015 @ 21:39


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 312 other followers

%d bloggers like this: