Nmap Development mailing list archives

Re: More Service Detection Notes (Skype)


From: "Brandon Enright" <bmenrigh () ucsd edu>
Date: Fri, 28 Jul 2006 02:34:38 -0000 (UTC)

Fyodor wrote:
> On Wed, Jul 26, 2006 at 12:25:58AM -0700, doug () hcsw org wrote:
> > What do you think about an addition to the nmap-service-probes
> > format that requires multiple match lines to be triggered
> > in order to report a result? Specifically, do you (or anyone else) see
> > anything wrong with the following:
>
> That does look like a clever mechanism.  But I'm concerned about
> adding too much complexity to the system.  Maybe it would be best to
> let the upcoming scripting system deal with service detection for
> these especially tough cases.

I agree that adding complexity to the service versioning is somewhat
unwanted.  Doug’s proposal, though, sounds very unobtrusive.  When Nmap
tries to version a Skype port, no probe line is going to match.  A match on
Skype is potentially a lot faster and won’t print the junk-filled
fingerprint – a big plus for the service versioning feature.


> > Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
> > ...
> > match &skype2 m|^HTTP/1\.0 404 Not Found\r\n\r\n$| p/Skype v2/
>
> Has anyone discovered any URLs which don't give 404 errors?  What sort
> of URLs are seen when you sniff a skype connection?

Actually, Skype doesn’t speak HTTP at all.  Normal usage of Skype produces
an "incomprehensible" stream of binary data (the entire protocol is
encrypted).  Skype is using a behavioral modification technique so that it
looks like an HTTP server when a GET request is sent to it.  This is
probably done because by default Skype runs on ports 80 and 443 as well as
a high-numbered port to try to avoid port-based blocking.


> Cheers,
> -F


Brandon
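Doug's `&skype2` proposal, worked through as an added example (my code, not from this thread or from Nmap): a small parser for the Probe/match lines quoted above, plus an evaluator that reports a service only once every `&`-prefixed match line for it has fired, so a lone 404 from a GET no longer passes for Skype. The all-must-fire reading of the proposal, the HTTPOptions probe, the generic `http` line and the response byte strings are assumptions constructed for the demo.

```python
import re
PROBE_RE = re.compile(r'^Probe\s+(?:TCP|UDP)\s+(\S+)\s+q\|(.*)\|$')
MATCH_RE = re.compile(r'^match\s+(\S+)\s+m\|(.*?)\|\s+p/(.*?)/')

def parse_probes(text):
    """Parse the Probe/match subset of the format -> [(probe, payload, [(svc, regex, product)])]."""
    probes = []
    for line in text.splitlines():
        if m := PROBE_RE.match(line.strip()):
            probes.append((m.group(1), m.group(2), []))   # payload kept as written
        elif (m := MATCH_RE.match(line.strip())) and probes:
            service, pattern, product = m.groups()
            probes[-1][2].append((service, re.compile(pattern.encode('latin-1')), product))
    return probes

def identify(probes, responses):
    """responses: probe name -> bytes sent back (None if nothing). Plain 'match svc' reports on
    the first hit as Nmap does; '&svc' reports svc only when every '&svc' line fired (assumed)."""
    needed, fired, product_of, plain = {}, {}, {}, None
    for name, _payload, matches in probes:
        resp = responses.get(name)
        for service, rx, product in matches:
            hit = resp is not None and rx.search(resp) is not None
            if service.startswith('&'):
                svc = service[1:]
                needed[svc] = needed.get(svc, 0) + 1
                fired[svc] = fired.get(svc, 0) + hit
                product_of[svc] = product
            elif hit and plain is None:
                plain = (service, product)
    for svc, n in needed.items():
        if fired[svc] == n:           # several independent lines agree: report it
            return svc, product_of[svc]
    return plain                      # otherwise fall back to the first plain hit

# Constructed probe file, not the real nmap-service-probes: the GetRequest probe and its
# &skype2 line are from the thread; the HTTPOptions probe and second 404 are invented here.
PROBES = r"""
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match &skype2 m|^HTTP/1\.0 404 Not Found\r\n\r\n$| p/Skype v2/
match http m|^HTTP/1\.[01] \d\d\d | p/Generic HTTP/
Probe TCP HTTPOptions q|OPTIONS / HTTP/1.0\r\n\r\n|
match &skype2 m|^HTTP/1\.0 404 Not Found\r\n\r\n$| p/Skype v2/
"""
# Constructed responses: a Skype-like listener, a real web server, a bare 404 only.
SKYPE_LIKE = {"GetRequest": b"HTTP/1.0 404 Not Found\r\n\r\n",
              "HTTPOptions": b"HTTP/1.0 404 Not Found\r\n\r\n"}
WEB_SERVER = {"GetRequest": b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<html>",
              "HTTPOptions": b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD\r\n\r\n"}
LONE_404 = {"GetRequest": b"HTTP/1.0 404 Not Found\r\n\r\n", "HTTPOptions": None}
```

Only the Skype-like listener, where both `&skype2` lines fire, is reported as Skype; the web server and the bare 404 fall back to the generic `http` line.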

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev