Nmap Development mailing list archives
Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 22 Apr 2015 18:12:02 -0500
On Wed, Apr 22, 2015 at 9:29 AM, Kristian Erik Hermansen <kristian.hermansen () gmail com> wrote:

> On Tue, Apr 21, 2015 at 11:07 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
>> Thanks for the contribution. It looks like this is a TLS 1.2 service,
>
> Correct! And it supports: PSK-AES128-CBC-SHA
>
>> Subversion repository [3] or the Github mirror [4], since we recently did some work to improve TLS detection.
>
> The prior nmap release I tested, v6.46, reported 'ssl/unknown'. After recompiling the latest nmap source and upgrading to openssl 1.0.1f, still I see 'ssl/unknown' in the probes. Are you saying that nmap should be reporting something like 'tlsv1.2/unknown' instead?
Ah, no; this is unfortunately something that our current set of probes cannot handle; the "PSK" part of the ciphersuite means "pre-shared key" and refers to RFC 4279, which defines a non-certificate-based flavor of TLS. However, I think we could probably come up with a probe that gets a good response here; we just need to send a TLS 1.2 ClientHello with the TLS_PSK_WITH_AES_128_CBC_SHA ciphersuite supported. Here's a sample probe to test; add it to nmap-service-probes (with no match lines) and report if it shows a service fingerprint:

Probe TCP TLS-PSK q|\x16\x03\0\0\x75\x01\0\0\x71\x03\x03\x55\x38\x2a\x62\x45\x54\x58\x53\x4a\x44\x53\x5a\x4e\x48\x4d\x44\x46\x41\x4f\x4e\x44\x4b\x4a\x58\x58\x5a\x59\x5a\x48\x57\x48\x52\0\0\x30\0\x8a\0\x8b\0\x8c\0\x8d\0\x8e\0\x8f\0\x90\0\x91\0\x92\0\x93\0\x94\0\x95\0\xa8\0\xa9\0\xaa\0\xab\0\xac\0\xad\0\xae\0\xaf\0\xb2\0\xb3\0\xb6\0\xb7\x01\0\0\x18\0\x0d\0\x14\0\x12\0\x01\0\x02\0\x03\x01\x01\x01\x02\x01\x03\x02\x01\x02\x02\x02\x03|
rarity 9
ports 27036
>> In addition to your research on the TCP port, we would really be interested in a payload [5] or probe for the equivalent UDP port.
>
> Sure thing. I submitted a fingerprint to the nmap database, but realize the client responses are dynamic and leak the client hostname or system info (potentially login names too). Here is a quick UDP version probe.
>
> nmap-service-probes:
> """
> Probe UDP valve-steam q|\xff\xff\xff\xff\x21\x4c\x5f\xa0\x16\x00\x00\x00\x08\x9a\xe6\xb1\x84\xd0\x81\x83\xc5\x51\x10\x00\x18\xd4\xf8\xa8\xaa\x99\x83\xe5\x80\x74\x02\x00\x00\x00\x08\x01|
> rarity 2
> ports 27036
> match valve-steam m|^\xff\xff\xff\xff\x21\x4c\x5f\xa0|
> """
>
> If you modify the prior NSE file for UDP, you can use it to extract useful information about remote clients. You can easily extract hostname using the probe above and seeking to offset 0x31 in the response and reading until immediate bytes == \x30\x02\x38\x0a\x40\x01\x4a. Have fun! :)
Awesome! This is the kind of script we would be interested in: unauthenticated information disclosure. Looking forward to working with you to get this included in Nmap.

Dan
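As an added example (not code from the thread or from Nmap), the Python below rebuilds Daniel's TCP TLS-PSK probe from its parts following the RFC 5246 ClientHello layout and decodes the q|...| escape string, so the two can be compared byte for byte; the suite list, the fixed random and the signature_algorithms pairs are read off the probe as posted. The names decode_nmap_string, build_psk_client_hello and probe_matches_page are chosen here, not Nmap's.

```python
import struct
# Daniel's TLS-PSK probe from the reply above, verbatim, in nmap-service-probes q|...| syntax.
PAGE_PROBE = (
    r"\x16\x03\0\0\x75\x01\0\0\x71\x03\x03\x55\x38\x2a\x62\x45\x54\x58\x53\x4a\x44\x53"
    r"\x5a\x4e\x48\x4d\x44\x46\x41\x4f\x4e\x44\x4b\x4a\x58\x58\x5a\x59\x5a\x48\x57\x48"
    r"\x52\0\0\x30\0\x8a\0\x8b\0\x8c\0\x8d\0\x8e\0\x8f\0\x90\0\x91\0\x92\0\x93\0\x94"
    r"\0\x95\0\xa8\0\xa9\0\xaa\0\xab\0\xac\0\xad\0\xae\0\xaf\0\xb2\0\xb3\0\xb6\0\xb7"
    r"\x01\0\0\x18\0\x0d\0\x14\0\x12\0\x01\0\x02\0\x03\x01\x01\x01\x02\x01\x03\x02\x01"
    r"\x02\x02\x02\x03"
)
# Single-character escapes that nmap-service-probes accepts besides \xHH.
_ESC = {"0": 0, "a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

def decode_nmap_string(s):
    # Turn a q|...| / m|...| escape string into the raw bytes Nmap would send.
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
        elif s[i + 1] == "x":
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(_ESC[s[i + 1]])
            i += 2
    return bytes(out)

# The 24 PSK suites (RFC 4279 / RFC 5487 IDs) the probe offers, in probe order.
PSK_SUITES = list(range(0x8a, 0x96)) + list(range(0xa8, 0xb0)) + [0xb2, 0xb3, 0xb6, 0xb7]
# A probe must be static, so ClientHello.random is fixed (its first 4 bytes read as an April 2015 timestamp).
PROBE_RANDOM = b"U8*b" + b"ETXSJDSZNHMDFAONDKJXXZYZHWHR"
# signature_algorithms extension (type 13) entries as (hash, signature) pairs, in probe order.
SIG_ALGS = [(h, s) for h in (0, 1, 2) for s in (1, 2, 3)]

def build_psk_client_hello(suites=PSK_SUITES, rnd=PROBE_RANDOM, sig_algs=SIG_ALGS):
    # Layout per RFC 5246: record header, handshake header, then the ClientHello body.
    suite_bytes = b"".join(struct.pack("!H", c) for c in suites)
    sig_list = b"".join(bytes(pair) for pair in sig_algs)
    ext_body = struct.pack("!H", len(sig_list)) + sig_list
    extensions = struct.pack("!HH", 13, len(ext_body)) + ext_body
    body = (b"\x03\x03" + rnd + b"\x00"                        # TLS 1.2, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake  # record version 3.0, as in the probe

def probe_matches_page():  # True when the rebuilt hello equals the probe Daniel posted, byte for byte
    return build_psk_client_hello() == decode_nmap_string(PAGE_PROBE)
```

Changing PSK_SUITES or SIG_ALGS regenerates a consistent probe with all length fields recomputed, which is the error-prone part of hand-writing such a line.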
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/