Nmap Development mailing list archives

TeamSpeak 2 and 3 service detection


From: Marin Maržić <marzic () gmail com>
Date: Wed, 19 Dec 2012 19:59:51 +0100

Hey,

been working on improving TeamSpeak 2 and 3 server service detection and
here's what I came up with.

TeamSpeak 2 (2 TCP and 1 UDP port):

TCP port service detection (the "TCPQuery" interface):

- replaced match line (for the NULL probe):
match telnet m|^\[TS\]\r\n$| p/Teamspeak VoIP Information telnetd/
- with:
softmatch ts2-TCPQuery m|^\[TS\]\r\n$|

- and added probe:
Probe TCP verLine q|ver\r\n|
rarity 9
ports 51234

match ts2-TCPQuery m|^\[TS\]\r\n(\S+) (\S+) (\S+)\r\nOK\r\n$| p/TeamSpeak 2 server TCPQuery interface (telnetd)/ v/$1/ i/$3/ o/$2/

- This improves the detection of the specific TS2 telnetd (they call it
the TCPQuery function) with additional information (more precise name,
specific version, some extra info and OS). Rarity 9 works great because
of the softmatch in the NULL probe so it doesn't slow down searches.

---------------

TCP port service detection (the http web admin interface):

- This one seemed to exist already in nmap-service-probes in the form of
2 match lines (for the NULL probe):
match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection: keep-alive\r\nContent-Type: text/HTML\r\nContent-Length: \d+\r\nServer: Indy/([\d.]+)\r\nSet-Cookie: .*\r\n\r\n<!-- header\.html -->.*TeamSpeak|s p/TeamSpeak admin httpd/ v/1.X/ i/Indy httpd $1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection: keep-alive\r\nContent-Type: text/HTML\r\nContent-Length: \d+\r\nServer: Indy/([\d.]+)\r\nSet-Cookie: .*<title>TeamSpeak 2 - Server-Administration</title>|s p/TeamSpeak admin httpd/ v/2.X/ i/Indy httpd $1/

- Unfortunately they never match because they are overridden by this line:
match http m|^HTTP/1\.1 200 OK\r\n.*Server: Indy/([\w._-]+)\r\n|s p/Indy/ v/$1/

- not sure how this kind of stuff is usually fixed

---------------

UDP port service detection (the voice/login/session port):

- Attached an NSE script for this one. More info in the .nse.

- payload (nmap-payloads):
# TeamSpeak 2
udp 8767
"\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

---------------

TeamSpeak 3 (1 TCP and 1 UDP port):

TCP port service detection (the "ServerQuery" interface):

- replaced match lines (for the NULL probe):
match teamspeak m|^TS3\n\r$| p/TeamSpeak voice communication/ v/3/
match teamspeak m|^TS3\n\rWelcome to the TeamSpeak 3 ServerQuery interface, type \"help\" for a list of commands and \"help <command>\" for information on a specific command\.\n\r$| p/TeamSpeak voice communication/ v/3/

- with:
softmatch ts3-ServerQuery m|^TS3\n\r$|
softmatch ts3-ServerQuery m|^TS3\n\rWelcome to the TeamSpeak 3 ServerQuery interface, type \"help\" for a list of commands and \"help <command>\" for information on a specific command\.\n\r$|

- and added probe:
Probe TCP versionLine q|version\r\n|
rarity 9
ports 10011

match ts3-ServerQuery m|^TS3\n\r.*?version=(\S+) build=(\S+) platform=(\S+)\n\rerror id=0 msg=ok\n\r$|s p/TeamSpeak 3 server ServerQuery interface (telnetd)/ v/$1/ i/build: $2/ o/$3/

- very similar reasoning as with the TeamSpeak 2 TCPQuery service

---------------

UDP port service detection (the voice/login/session port):

Probe UDP TeamSpeak3 q|\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6|
rarity 9
ports 9987

match ts3 m|^.{8}\x00\x00\x02\x97\x76\x8b\x54\xad\x79\xe3\xaf\x87\xeb\xaa\x1a\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x33\x08\x86\x2d\x40|s p/TeamSpeak 3 server/

- not sure about the rarity here, won't get picked up on a default scan
with 9

- payload (nmap-payloads):
# TeamSpeak 3
udp 9987
"\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6"

---------------

Well, that's that. Peace,

Marin

Attachment: teamspeak2-version.nse
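
Added example (not part of the original post and not Nmap code): a simplified Python model of first-match-wins evaluation over the TCP match lines from this message, showing the extracted version fields and why the generic Indy line shadows the TeamSpeak admin line when it is tested first. The responses are constructed samples, identify() and the rule tuples are hypothetical names, and Python's re module stands in for Nmap's PCRE.

```python
import re

# Rules: (directive, service, compiled regex, version-info template).
# Patterns are the ones quoted in the post; p/.../ is left out of the
# TS2/TS3 templates for brevity.
TS2_SOFT = ("softmatch", "ts2-TCPQuery", re.compile(rb"^\[TS\]\r\n$"), "")
TS2 = ("match", "ts2-TCPQuery",
       re.compile(rb"^\[TS\]\r\n(\S+) (\S+) (\S+)\r\nOK\r\n$"),
       "v/$1/ i/$3/ o/$2/")
TS3 = ("match", "ts3-ServerQuery",
       re.compile(rb"^TS3\n\r.*?version=(\S+) build=(\S+) platform=(\S+)"
                  rb"\n\rerror id=0 msg=ok\n\r$", re.S),
       "v/$1/ i/build: $2/ o/$3/")
INDY = ("match", "http",
        re.compile(rb"^HTTP/1\.1 200 OK\r\n.*Server: Indy/([\w._-]+)\r\n", re.S),
        "p/Indy/ v/$1/")
TS2_HTTP = ("match", "http",
            re.compile(rb"^HTTP/1\.1 \d\d\d .*\r\nConnection: keep-alive\r\n"
                       rb"Content-Type: text/HTML\r\nContent-Length: \d+\r\n"
                       rb"Server: Indy/([\d.]+)\r\nSet-Cookie: .*<title>TeamSpeak 2 - "
                       rb"Server-Administration</title>", re.S),
            "p/TeamSpeak admin httpd/ v/2.X/ i/Indy httpd $1/")

def identify(rules, response):
    """First hard match in list order wins; otherwise report a softmatch."""
    soft = None
    for directive, service, regex, template in rules:
        m = regex.search(response)
        if not m:
            continue
        if directive == "softmatch":
            soft = soft or service   # remember it, keep looking for a hard match
            continue
        # Expand $N in the template with capture group N.
        info = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))).decode(), template)
        return service, info
    return (soft, "") if soft else None

# Constructed sample responses (not captured from real servers).
TS2_VER = b"[TS]\r\n2.0.23.19 Linux Freeware\r\nOK\r\n"
TS3_VER = (b"TS3\n\rWelcome to the TeamSpeak 3 ServerQuery interface\n\r"
           b"version=3.0.6.1 build=1340956745 platform=Linux\n\rerror id=0 msg=ok\n\r")
ADMIN = (b"HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nContent-Type: text/HTML\r\n"
         b"Content-Length: 74\r\nServer: Indy/9.00.10\r\nSet-Cookie: sid=1\r\n\r\n"
         b"<html><title>TeamSpeak 2 - Server-Administration</title></html>")

if __name__ == "__main__":
    print(identify([TS2_SOFT, TS2], b"[TS]\r\n"))  # banner only: softmatch
    print(identify([TS2_SOFT, TS2], TS2_VER))      # reply to the "ver" probe
    print(identify([TS3], TS3_VER))                # reply to the "version" probe
    print(identify([INDY, TS2_HTTP], ADMIN))       # generic line tested first
    print(identify([TS2_HTTP, INDY], ADMIN))       # specific line tested first
```

In this model the only difference between the last two calls is the order of the rules, which is enough to change the reported product from Indy to the TeamSpeak admin httpd.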