Nmap Development mailing list archives

Re: quake3 opportunistic portrule


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Thu, 6 Jan 2011 21:47:53 +0200

The master server is not game specific. I am calling it quake3-master
because I got the impression that Quake3 was the first game to use the
protocol. The magic number 68 (in the probe) is the protocol version
of the game we are requesting server addresses for. I am using 68 as
that seems to be most common on the original quake3 master server. I
tried out all protocol numbers up to 100 to measure this. There are
also non-numeric versions, like "Nexuiz 3". These are harder to
analyse.

I am working on some discovery scripts that do further analysis on
both the master servers and actual quake3 servers. I am not aware of
any other master server commands, and the response to getservers only
contains ports and IP addresses for game servers of the requested
version.

On Thu, Jan 6, 2011 at 9:13 PM, David Fifield <david () bamsoftware com> wrote:
On Thu, Jan 06, 2011 at 08:00:32PM +0200, Toni Ruottu wrote:
The version probe for the master server was missing. I have attached a
patch that adds the probe and a match line. After applying the patch
you should be able to identify some master servers by running nmap as
follows:

nmap -p 27950,30710 ghdigital.com dpmaster.deathmask.net
dpmaster.tchr.no dpmaster.deathmask.net master.tremulous.net
master.urbanterror.net -sU -sV -Pn

+# Quake3-master getservers
+Probe UDP Quake3-master_getservers q|\xff\xff\xff\xffgetservers 68 empty full|
+rarity 9
+ports 27950,30710
+
+match quake3-master m|^\xff\xff\xff\xffgetserversResponse.*| p/Quake3 master server/
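Review bot: the match line reports only p/Quake3 master server/ and its trailing `.*` adds nothing (the pattern is not anchored at the end), so every implementation that answers with `getserversResponse` collapses into one fingerprint; the responses quoted further down in this thread already differ (most end in the `\EOT\0\0\0` marker, one is just a bare `getserversResponse\`), so consider separate match lines or an i/.../ field keyed on that tail, and note in the `# Quake3-master getservers` comment that `68` is the requested game protocol version, since the probe line gives no hint of that.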

What does the "68" stand for in the probe? Do you have a reference for
protocol documentation?

It's better if the match line is less generic so that different servers
can be distinguished. (If Tremulous differs from Nexuiz for example.)
This isn't always possible but you can see in the Quake3_getstatus
matches that we can distinguish a lot of different games and in some
cases get the operating system. I tried the probe and got lots of
different responses:

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,1D,"\xff\xff\xff\xffgetserversResponse\\EOT\0
SF:\0\0");

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\
SF:x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\O\\s\x7fm:\\EOT\0
SF:\0\0");

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\
SF:x7fm:\\O\\s\x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\EOT\0
SF:\0\0");

SF-Port30710-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,17,"\xff\xff\xff\xffgetserversResponse\\");

I'm guessing that the responses contain the addresses of servers encoded
somehow. That may not be enough to distinguish servers. Perhaps there is
a command other than "getservers" that gives more information?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
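The responses in the thread are guessed to carry encoded server addresses. The following Python is an added example, not code from this thread or from Nmap: it builds the same getservers payload the probe sends and decodes the second getserversResponse quoted above (unescaped by hand from the SF fingerprint into raw bytes; the sample is constructed here). The wire layout is assumed, following the dpmaster master-server convention: after the header, each entry is a backslash, four bytes of IPv4 address and a two-byte big-endian port, and an entry whose address bytes spell "EOT" with a zero port ends the list. The function names are this example's own.

```python
import ipaddress

# Constructed sample: the second getserversResponse quoted in the thread,
# with Nmap's SF escaping (\\ for a backslash, \. for a dot) undone.
SAMPLE_RESPONSE = (
    b"\xff\xff\xff\xffgetserversResponse"
    b"\\O\\s\x7fm;"          # 79.92.115.127:27963
    b"\\U\x0e\xdc\xf4m8"     # 85.14.220.244:27960
    b"\\O\\s\x7fm9"          # 79.92.115.127:27961
    b"\\\xd0a\x8d\x15m."     # 208.97.141.21:27950
    b"\\EOT\0\0\0"           # end-of-list marker
)

HEADER = b"\xff\xff\xff\xffgetserversResponse"
EOT_ENTRY = b"EOT\0\0\0"     # "EOT" in the address bytes, zero port


def build_getservers_probe(protocol=68, empty=True, full=True):
    """Return the UDP payload of a master-server getservers request.

    `protocol` is the game protocol version whose servers are wanted (68 in
    the probe on this thread). "empty" and "full" are assumed to be filter
    keywords asking the master to include empty and full servers too.
    """
    words = [b"getservers", str(protocol).encode()]
    if empty:
        words.append(b"empty")
    if full:
        words.append(b"full")
    return b"\xff\xff\xff\xff" + b" ".join(words)


def parse_getservers_response(payload):
    """Decode a getserversResponse into ([(ip, port), ...], terminated).

    `terminated` is False when the payload ran out before the EOT entry,
    which is how the bare "getserversResponse\\" seen in the thread comes
    out: an empty list that was never properly closed.
    """
    if not payload.startswith(HEADER):
        raise ValueError("not a getserversResponse payload")
    body = payload[len(HEADER):]
    servers = []
    pos = 0
    # Each entry is exactly 7 bytes: separator + 4 address + 2 port.
    while pos + 7 <= len(body):
        if body[pos:pos + 1] != b"\\":
            raise ValueError("expected '\\\\' separator at offset %d" % pos)
        entry = body[pos + 1:pos + 7]
        pos += 7
        if entry == EOT_ENTRY:
            return servers, True
        ip = str(ipaddress.IPv4Address(entry[:4]))
        port = int.from_bytes(entry[4:6], "big")
        servers.append((ip, port))
    return servers, False


if __name__ == "__main__":
    print(build_getservers_probe())
    found, complete = parse_getservers_response(SAMPLE_RESPONSE)
    for ip, port in found:
        print("%s:%d" % (ip, port))
    print("list terminated:", complete)
```

Decoding the sample this way yields four address/port pairs, two of them on the same host at adjacent ports, which is consistent with the responses being plain server lists rather than anything that identifies the master implementation; the `terminated` flag is what separates the complete replies from the truncated one on port 30710.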
