Nmap Development mailing list archives

Re: Skype v2 in the news


From: "Adam Vartanian" <flooey () gmail com>
Date: Fri, 7 Jul 2006 08:30:22 -0700

> I've looked at a lot of Skype fingerprint output and poked at a number
> of Skype owned ports.  As long as an HTTP GET request isn't sent the data
> that comes back looks totally random.  I'm sure the initial data is
> meaningful in some way (session key, public key, RC4 stream, etc) but it
> certainly isn't obviously patterned.  Considering the service versioning
> isn't interactive (can't interact with the data received) I don't think
> it is possible to develop a fingerprint that isn't based on voodoo.

That's the same result that I got when I looked at it.  Once the
client sends 14 bytes of data, the service responds with 14 bytes of
random-looking data.  Since 14 bytes is the proper length for a
112-bit 3DES key, my guess is that it's a DH key exchange, but that's
truly a complete guess.

> I'd be interested in hearing any other thoughts on the headache that is
> Skype.

I pretty much came to the same conclusion, that the scripting module
(or something like it) will be necessary to detect it.

- Adam
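An added illustration of the detection problem discussed in this message (example code, not from the thread or from Nmap): why a static byte signature cannot be derived from responses that differ on every capture, and what a scripted heuristic can still check instead (exact 14-byte reply to a 14-byte probe, non-text, high byte entropy). All sample responses below are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample responses (not real captures).
HTTP_BANNER = b"HTTP/1.1 200 OK\r\nServer: test\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_4.3\r\n"
OPAQUE_A = bytes.fromhex("8f3a1c7e5b92d04a6fe1b3c7a955")  # 14 opaque bytes
OPAQUE_B = bytes.fromhex("02d9ee4b71a8c6f03d5e97ab1c64")  # another capture

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a byte string; 0.0 for empty input.
    For a 14-byte reply the maximum is log2(14), about 3.8 bits."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(b in TEXT_BYTES for b in data) / len(data)

def stable_prefix(captures: list) -> bytes:
    """Longest byte prefix shared by all captures: the only material a
    static match line could use. Empty means no static signature."""
    if not captures:
        return b""
    prefix = captures[0]
    for cap in captures[1:]:
        i = 0
        while i < min(len(prefix), len(cap)) and prefix[i] == cap[i]:
            i += 1
        prefix = prefix[:i]
    return prefix

def classify_response(resp: bytes, probe_len: int = 14) -> str:
    """Heuristic a scripted check could apply to one probe response.
    Returns 'http', 'text', 'opaque-14' (same length as the probe,
    non-text, high entropy) or 'other'."""
    if resp.startswith(b"HTTP/"):
        return "http"
    if printable_ratio(resp) > 0.9:
        return "text"
    # 3.0 bits on 14 bytes means most bytes are distinct; an all-zero
    # or repeated-byte reply of the same length is rejected here.
    if len(resp) == probe_len and shannon_entropy(resp) > 3.0:
        return "opaque-14"
    return "other"
```

Running `stable_prefix([OPAQUE_A, OPAQUE_B])` gives an empty prefix, which is the situation described above: nothing fixed to match on, so only a scripted length/entropy check like `classify_response` remains.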


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

