Nmap Development mailing list archives
OpenTibia service probes
From: Jacek Wielemborek <wielemborekj1 () gmail com>
Date: Wed, 18 Sep 2013 00:07:59 +0200
Hi,

Today I decided to revisit the game I used to play as a teenager and played a bit with OpenTibia service probes. I wrote a probe and a few patterns to match OpenTibia servers. The probe sends an unencrypted login request to the server - servers implementing game protocol later than 7.1 will send an unencrypted message informing of the necessary client version and 7.1 will most likely tell us that the account name 575757, password 77777 is not correct.

To test the probes, add this to your nmap-service-probes file:

    Probe TCP OpenTibia q|\x1d\x00\x01\x02\x00\xc6\x02\x2a\x4b\xff\x3d\xeb\x4a\xff\x3d\x88\x1d\xb0\x3d\x0d\xc9\x08\x00\x06\x00\x37\x37\x37\x37\x37\x37|
    rarity 9
    ports 7171
    # The following one catches most post-7.5 versions.
    match OpenTibia m|This server requires client version (.*)\.$| p/$1/
    # Unencrypted, 7.1+.
    match OpenTibia m|Only clients with protocol (.*) allowed!| p/$1/
    match OpenTibia m|^2\0\n/\0Download the client from the game site to play\.$| p/unknown/
    match OpenTibia m|Please write correct account name| p/7.1/

Now, use the get_servlist.py to download a list of OpenTibia hosts to scan and launch Nmap on the list:

    ./get_servlist.py > servlist.txt
    python -c 'print("\n".join([ i["hostname"] for i in eval(open("servlist.txt").read())]))' > targets.txt
    nmap -sV -iL targets.txt -p 7171 --version-intensity 0 -oA otserv -vv -Pn

To see how many hosts matched against any of the patterns and which replies were not matched, run:

    grep 'open OpenTibia' otserv.nmap | wc -l
    for fp in `grep 'SF:r(OpenTibia' otserv.nmap | awk '!_[$0]++'`; do echo -E "`grep -F "$fp" otserv.nmap| wc -l` ${fp}" ; done | sort -r

BTW, the previous "Tibia" fingerprint didn't fire in any of the cases. Didn't test the official Cipsoft servers though. Note that OpenTibia is an open-source Tibia server - there are many modified versions and some of the banners either require you to install a modified game client or send the error messages in foreign languages.

I mostly did it for fun, but I'm interested in the feedback. I think I'll also try writing an NSE script that prints information about the server, like current number of players, uptime and owner information (see https://github.com/opentibia/server/blob/master/src/status.cpp). I'll need to make sure that it's not encrypted first, though (IIRC, since protocol version 7.6, Tibia is encrypted using RSA+XTEA).

Note that last time I worked with OpenTibia servers was quite a few years ago and I could have missed some important server version. Should you find some fingerprints that are not matched and appear in vast quantities, please let me know.

Yours,
Jacek Wielemborek

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
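
An added example, not part of the original message: an offline check of the four match patterns against constructed replies, so pattern edits can be tested before touching nmap-service-probes. The reply framing (u16 little-endian length, opcode 0x0a, u16 string length, text) is an assumption inferred from the bytes `2\0\n/\0` in the third pattern, and all function names and sample replies are hypothetical.

```python
import re
import struct

# Probe payload copied from the Probe line in the message.
PROBE = (b"\x1d\x00\x01\x02\x00\xc6\x02\x2a\x4b\xff\x3d\xeb\x4a\xff\x3d\x88"
         b"\x1d\xb0\x3d\x0d\xc9\x08\x00\x06\x00\x37\x37\x37\x37\x37\x37")

# The four match lines from the message, in file order (first match wins,
# as in Nmap). "$1" means "report the first capture group".
PATTERNS = [
    (re.compile(rb"This server requires client version (.*)\.$"), "$1"),
    (re.compile(rb"Only clients with protocol (.*) allowed!"), "$1"),
    (re.compile(rb"^2\0\n/\0Download the client from the game site to play\.$"),
     "unknown"),
    (re.compile(rb"Please write correct account name"), "7.1"),
]

def length_prefix_ok(packet: bytes) -> bool:
    """Assumed framing: the first two bytes are the LE length of the rest."""
    return struct.unpack("<H", packet[:2])[0] == len(packet) - 2

def frame_reply(text: str) -> bytes:
    """Build a constructed reply: u16 length, opcode 0x0a, u16 strlen, text."""
    msg = text.encode("latin-1")
    body = b"\x0a" + struct.pack("<H", len(msg)) + msg
    return struct.pack("<H", len(body)) + body

def classify(reply: bytes):
    """Return what the first matching pattern would report, or None."""
    for regex, product in PATTERNS:
        m = regex.search(reply)
        if m:
            return m.group(1).decode("latin-1") if product == "$1" else product
    return None

# Constructed sample replies; the last imitates a translated banner that
# none of the English patterns can match.
SAMPLES = [
    "This server requires client version 8.60.",
    "Only clients with protocol 7.6 allowed!",
    "Download the client from the game site to play.",
    "Please write correct account name.",
    "Wymagana jest inna wersja klienta.",
]

if __name__ == "__main__":
    print("probe length prefix consistent:", length_prefix_ok(PROBE))
    for text in SAMPLES:
        print(repr(classify(frame_reply(text))), "<-", text)
```

A reply that classifies as None here corresponds to an unmatched `SF:r(OpenTibia` fingerprint in the scan output.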