Nmap Development mailing list archives
Re: Skype v2 in the news
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 07 Jul 2006 08:02:27 +0000
On Fri, 2006-07-07 at 00:05 -0700, doug () hcsw org wrote:
> Hi nmap-dev! I just read the following slashdot story on the skype v2 protocol:
>
> http://it.slashdot.org/article.pl?sid=06/07/05/2223221
>
> It talks a little bit about the protocol and the company's reasons for its obfuscations. Just wondering if anybody has any new ideas on detecting this service through version detection as I elaborated on here:
>
> http://seclists.org/lists/nmap-dev/2006/Apr-Jun/0092.html
>
> Doug
I've looked at a lot of Skype fingerprint output and poked at a number of Skype owned ports. As long as a HTTP GET request isn't sent, the data that comes back looks totally random. I'm sure the initial data is meaningful in some way (session key, public key, RC4 stream, etc) but it certainly isn't obviously patterned. Considering the service versioning isn't interactive (can't interact with the data received) I don't think it is possible to develop a fingerprint that isn't based on voodoo.

Being a human though, it is generally very easy to tell if something is Skype. If the service is on port 80 or 443 and responds to random data with random looking data it's almost certainly Skype. Also, if a host has port 80 and 443 open looking like Skype and there is a high numbered port that also returns random looking data the service is most likely Skype.

Unfortunately there is no good regex that matches "random" data without matching just about everything. One attempt would be to require at least N non-ascii characters. Something like "m/(.*[^\s!-~].*){N}/s" in perl syntax. This *may* work but it is nowhere close to a sure thing.

Another option would be to run statistics on the data returned. We could measure say, the variance or standard deviation of the first few hundred bytes returned. Or we could measure the Chi-Square of the data against English or HTML letter frequencies. Any of these tests would say with a high degree of confidence if the data received is "random" or not. It probably wouldn't be much work to change the fingerprinting engine to expose the data. Using the variance could be as easy as:

match skype v|>128| p/Looks like Skype V2/

If it doesn't sound like a good idea to add statistics to the fingerprinting engine, it would still be possible to write a Lua script to measure the variance or Chi-Square once Diman Todorov finalizes his (already looking great) scripting patch for Nmap.

I'd be interested in hearing any other thoughts on the headache that is Skype.
Brandon

--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
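The statistical tests Brandon sketches above (count of non-printable bytes, variance of the byte values, a Chi-Square over the byte histogram) and his host-level rule of thumb (random-looking replies on 80/443, plus a random-looking high port), carried through as an added example. This is not Nmap, NSE or Brandon's code: the function names, the thresholds, the use of byte entropy as an extra test, the choice to run the Chi-Square against a uniform distribution rather than against English letter frequencies, and the three sample responses are all my own assumptions. The "random" sample is a seeded pseudo-random blob standing in for the kind of reply described in the thread, not a captured Skype banner.

```python
# Added example (not Nmap/NSE code and not from the thread's authors): the
# randomness tests sketched in the thread, run over constructed responses.
import math
import random
from collections import Counter

# Constructed sample responses, not real captures.
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.55 (Unix)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>Test</title></head><body>It works!</body></html>\n"
)
TEXT_RESPONSE = b"The quick brown fox jumps over the lazy dog. " * 8
# Stand-in for a reply that "looks totally random"; seeded so it is reproducible.
_rng = random.Random(7)
RANDOM_RESPONSE = bytes(_rng.getrandbits(8) for _ in range(400))


def non_printable_count(data: bytes) -> int:
    """Bytes outside printable ASCII and the usual whitespace.

    This is the counting form of the "at least N non-ascii characters" idea.
    """
    return sum(1 for b in data if not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)))


def byte_variance(data: bytes) -> float:
    """Population variance of the byte values; uniform random bytes sit near 5461."""
    n = len(data)
    mean = sum(data) / n
    return sum((b - mean) ** 2 for b in data) / n


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte: text is roughly 4-5, random bytes approach 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-Square of the byte histogram against a uniform distribution (255 df).

    Assumption: testing against uniform instead of English/HTML frequencies.
    Random data scores near 255; text scores far higher because most bins are empty.
    """
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def looks_random(data: bytes, min_len: int = 64) -> bool:
    """Combine the tests. Thresholds are assumptions, not calibrated against Skype."""
    if len(data) < min_len:
        return False  # too little data to say anything
    return non_printable_count(data) >= 0.25 * len(data) and shannon_entropy(data) > 6.5


def skype_like(responses: dict) -> str:
    """Host-level rule of thumb from the thread; responses maps port -> reply bytes."""
    rnd = {port for port, data in responses.items() if looks_random(data)}
    web = rnd & {80, 443}
    high = {port for port in rnd if port > 1024}
    if web and high:
        return "likely"
    if web:
        return "possible"
    return "unlikely"


if __name__ == "__main__":
    for name, d in (("http", HTTP_RESPONSE), ("text", TEXT_RESPONSE), ("random", RANDOM_RESPONSE)):
        print(f"{name:7s} nonprint={non_printable_count(d):4d} var={byte_variance(d):8.1f} "
              f"H={shannon_entropy(d):.2f} chi2={chi_square_uniform(d):9.1f} random={looks_random(d)}")
    print(skype_like({80: RANDOM_RESPONSE, 443: RANDOM_RESPONSE, 40123: RANDOM_RESPONSE}))
```

Note that the variance alone separates the samples less cleanly than the entropy or the non-printable count does: plain ASCII text already has a byte variance in the hundreds, so a threshold such as `>128` matches text as well as random data, which is why the combined check above leans on the other two statistics.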