Nmap Development mailing list archives

Re: Skype v2 in the news


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 07 Jul 2006 08:02:27 +0000

On Fri, 2006-07-07 at 00:05 -0700, doug () hcsw org wrote:
> Hi nmap-dev!
>
> I just read the following slashdot story on the skype v2 protocol:
>
> http://it.slashdot.org/article.pl?sid=06/07/05/2223221
>
> It talks a little bit about the protocol and the company's reasons
> for its obfuscations.
>
> Just wondering if anybody has any new ideas on detecting this service
> through version detection as I elaborated on here:
>
> http://seclists.org/lists/nmap-dev/2006/Apr-Jun/0092.html
>
> Doug


I've looked at a lot of Skype fingerprint output and poked at a number
of Skype owned ports.  As long as a HTTP GET request isn't sent the data
that comes back looks totally random.  I'm sure the initial data is
meaningful in some way (session key, public key, RC4 stream, etc) but it
certainly isn't obviously patterned.  Considering the service versioning
isn't interactive (can't interact with the data received) I don't think
it is possible to develop a fingerprint that isn't based on voodoo.

Being a human though, it is generally very easy to tell if something is
Skype.  If the service is on port 80 or 443 and responds to random data
with random looking data it's almost certainly Skype.  Also, if a host
has port 80 and 443 open looking like Skype and there is a high numbered
port that also returns random looking data the service is most likely
Skype.

Unfortunately there is no good regex that matches "random" data without
matching just about everything.  One attempt would be to require at
least N non-ascii characters.  Something like "m/(.*[^\s!-~].*){N}/s" in
perl syntax.  This *may* work but it is nowhere close to a sure thing.

Another option would be to run statistics on the data returned.  We
could measure say, the variance or standard deviation of the first few
hundred bytes returned.  Or we could measure the Chi-Square of the data
against English or HTML letter frequencies.  Any of these tests would say
with a high degree of confidence if the data received is "random" or
not.  It probably wouldn't be much work to change the fingerprinting
engine to expose the data.

Using the variance could be as easy as:

match skype v|>128| p/Looks like Skype V2/

If it doesn't sound like a good idea to add statistics to the
fingerprinting engine, it would still be possible to write a LUA script
to measure the variance or Chi-Square once Diman Todorov finalizes his
(already looking great) scripting patch for Nmap.

I'd be interested in hearing any other thoughts on the headache that is
Skype.

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
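The three heuristics Brandon sketches above (count of non-text bytes, variance of the byte values, and a chi-square test) as an added, stand-alone example; this is not code from the post or from Nmap. The thresholds, the chi-square reference distribution (uniform over all 256 byte values rather than English letter frequencies) and the two sample responses are assumptions constructed for the example.

```python
import hashlib
from collections import Counter

# Bytes a text protocol normally emits: printable ASCII plus \t \n \v \f \r
# (the complement of the "[^\s!-~]" class in the regex idea above).
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | frozenset(b"\t\n\x0b\x0c\r")


def banner_stats(data: bytes) -> dict:
    """Return non-text fraction, byte variance and chi-square for one response."""
    n = len(data)
    if n == 0:
        raise ValueError("empty response")
    non_text = sum(1 for b in data if b not in TEXT_BYTES)
    mean = sum(data) / n
    variance = sum((b - mean) ** 2 for b in data) / n
    # Chi-square against a flat distribution over all 256 byte values
    # (assumed reference; a text banner piles up in a few dozen bins).
    expected = n / 256
    counts = Counter(data)
    chi_sq = sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))
    return {"non_text_fraction": non_text / n, "variance": variance, "chi_square": chi_sq}


def looks_random(data: bytes) -> bool:
    """Assumed thresholds: >30% non-text bytes, variance >3000 (uniform bytes
    give ~5461), chi-square <400 (uniform bytes average ~255 with 255 dof)."""
    s = banner_stats(data)
    return s["non_text_fraction"] > 0.30 and s["variance"] > 3000 and s["chi_square"] < 400


# Constructed samples: a plain HTTP banner, and a deterministic pseudo-random
# blob (chained SHA-256) standing in for a random-looking reply.
HTTP_BANNER = (b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b"<html><body><h1>Bad Request</h1></body></html>\r\n")


def pseudo_random(length: int, seed: bytes = b"nmap-dev") -> bytes:
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


RANDOM_REPLY = pseudo_random(320)

if __name__ == "__main__":
    for name, blob in (("http", HTTP_BANNER), ("random", RANDOM_REPLY)):
        print(name, looks_random(blob), banner_stats(blob))
```

Chi-square with expected counts this small is a rough score rather than a proper significance test, which is why all three measures are combined instead of trusting one.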




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
