I’ve worked together with Daniel Miller (@bonsaiviking) on an Nmap version script to identify the McAfee ePO Agent. By default, this agent listens on port 8081 and replies to HTTP requests.
You can find the script here on the Nmap site.
PORT     STATE SERVICE VERSION
8081/tcp open  http    McAfee ePolicy Orchestrator Agent 4.5.0.1852 (ePOServerName: EPOSERVER, AgentGuid: D2E157F4-B917-4D31-BEF0-32074BADF081)
Service Info: Host: TESTSERVER
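The version line shown above can be parsed to build an agent inventory from a scan. This is an added example, not part of the original post or of the Nmap script; it assumes Nmap's normal text output, and the function name `epo_inventory` and the sample hosts are constructed for illustration.

```python
import re

# Constructed sample of `nmap -sV -p 8081` normal output (addresses from the
# RFC 5737 documentation range); the first version line is the one shown above.
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT     STATE SERVICE VERSION
8081/tcp open  http    McAfee ePolicy Orchestrator Agent 4.5.0.1852 (ePOServerName: EPOSERVER, AgentGuid: D2E157F4-B917-4D31-BEF0-32074BADF081)
Service Info: Host: TESTSERVER

Nmap scan report for 192.0.2.11
PORT     STATE  SERVICE
8081/tcp closed blackice-icecap

Nmap scan report for 192.0.2.12
PORT     STATE SERVICE VERSION
8081/tcp open  http    Apache httpd 2.2.22
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>.+)$")
# Matches only the agent's default port 8081, as described in the post.
AGENT_RE = re.compile(
    r"^8081/tcp\s+open\s+\S+\s+McAfee ePolicy Orchestrator Agent\s+(?P<version>\S+)"
    r"\s+\(ePOServerName: (?P<server>[^,]+), AgentGuid: (?P<guid>[0-9A-Fa-f-]{36})\)")

def epo_inventory(nmap_text):
    """Return (agents, missing): agents maps host -> version/server/guid,
    missing lists scanned hosts with no ePO Agent match on 8081/tcp."""
    agents, missing, host = {}, [], None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("host")
            missing.append(host)      # treated as missing until a match is seen
            continue
        m = AGENT_RE.match(line)
        if m and host is not None:
            agents[host] = m.groupdict()
            if host in missing:
                missing.remove(host)
    return agents, missing

if __name__ == "__main__":
    agents, missing = epo_inventory(SAMPLE)
    for h, a in agents.items():
        print(f"{h}: agent {a['version']} -> {a['server']} ({a['guid']})")
    print("no ePO Agent identified on:", ", ".join(missing))
```

A host also lands in the missing list when port 8081 is filtered or the agent listens on a non-default port, so that list is a starting point for follow-up rather than proof the agent is absent.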
Is there any particular reason why you would be looking for ePO? We use ePO where I work and I’m worried now that there might be some unaddressed vulnerability …
Thanks
G.
Comment by gdvissch — Wednesday 12 September 2012 @ 9:24
@gdvissch Actually, I’m using it to find machines without ePO and which should have ePO.
Comment by Didier Stevens — Wednesday 12 September 2012 @ 12:38
Thanks for the update Didier as well as for the great articles you publish!
G.
Comment by gdvissch — Wednesday 12 September 2012 @ 17:13
[...] This new release of Nmap includes the McAfee ePO Agent Script I blogged about. [...]
Pingback by Nmap 6.25 With McAfee ePO Agent Script « Didier Stevens — Friday 30 November 2012 @ 13:04
Cool – But how do you call the script? On the NMAP Script site it says you should run nmap with -sV, shouldn’t you call it with the --script? I’m using NMAP 6.01 in Backtrack 3r and it won’t work.
Comment by Torben Nielsen — Thursday 14 March 2013 @ 10:46
@Torben This is a script for service fingerprinting. When you run nmap with option -sV and tcp port 8081 is open, the script will run.
I wrote an article if you need more classic scripts that you launch with -script: http://www.net-security.org/dl/insecure/INSECURE-Mag-35.pdf
Comment by Didier Stevens — Thursday 14 March 2013 @ 19:05