Nmap Development mailing list archives
Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file
From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Thu, 23 Apr 2015 01:10:23 -0700
On Wed, Apr 22, 2015 at 4:12 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
> Ah, no; this is unfortunately something that our current set of probes cannot handle; the "PSK" part of the ciphersuite means "pre-shared key" and refers to RFC 4279, which defines a non-certificate-based flavor of TLS.
Right!
> However, I think we could probably come up with a probe that gets a good response here; we just need to send a TLS 1.2 ClientHello with the TLS_PSK_WITH_AES_128_CBC_SHA ciphersuite supported. Here's a sample probe to test; add it to nmap-service-probes (with no match lines) and report if it shows a service fingerprint:
After modifying nmap-service-probes, nmap DOES NOT produce a proper fingerprint. However, a trace does show that data is coming back for certain probes:

"""
Service scan sending probe TLS-PSK to 1.2.3.4:27036 (tcp)
...
NSOCK INFO [6.7320s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 34 [1.2.3.4:27036] (104 bytes)
...
Service scan sending probe SSLSessionReq to 1.2.3.4:27036 (tcp)
...
NSOCK INFO [17.0990s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 258 [1.2.3.4:27036] (7 bytes): ......(
Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 11420): 1.2.3.4:27036 is ssl. Version: |TLSv1|||
...
NSOCK INFO [17.1490s] handle_connect_result(): EID 265 reconnecting with SSL_OP_NO_SSLv2
NSOCK INFO [17.1990s] handle_connect_result(): EID 265 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
NSOCK INFO [17.1990s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 265 [1.2.3.4:27036]
Got nsock CONNECT response with status ERROR - aborting this service
...
"""

However, a manual probe via netcat elicits a dynamic, but good 104-byte response (per above) that accurately identifies the steam service.

"""
$ echo -n '\x16\x03\0\0\x75\x01\0\0\x71\x03\x03\x55\x38\x2a\x62\x45\x54\x58\x53\x4a\x44\x53\x5a\x4e\x48\x4d\x44\x46\x41\x4f\x4e\x44\x4b\x4a\x58\x58\x5a\x59\x5a\x48\x57\x48\x52\0\0\x30\0\x8a\0\x8b\0\x8c\0\x8d\0\x8e\0\x8f\0\x90\0\x91\0\x92\0\x93\0\x94\0\x95\0\xa8\0\xa9\0\xaa\0\xab\0\xac\0\xad\0\xae\0\xaf\0\xb2\0\xb3\0\xb6\0\xb7\x01\0\0\x18\0\x0d\0\x14\0\x12\0\x01\0\x02\0\x03\x01\x01\x01\x02\x01\x03\x02\x01\x02\x02\x02\x03' | sed -e 's/\\0/00/g' -e 's/\\x//g' | xxd -r -p | nc -n 1.2.3.4 27036 | xxd -seek 0x5a -l 5
000005a: 7374 6561 6d                             steam
"""
> Awesome! This is the kind of script we would be interested in: unauthenticated information disclosure. Looking forward to working with you to get this included in Nmap.
Sure. But I'm hoping this thread prompts Valve to start a paid vulnerability rewards program, rather than punishing researchers. Until then, I suppose people will instead sell their private wares on the dark markets for extra cash, which is probably just bad for every end-user ultimately. Imagine millions of Steam user systems / consoles being exploited with a single remote unauthenticated UDP packet that is wormable. Ugg...

--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
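The probe Daniel describes (a TLS 1.2 ClientHello offering the RFC 4279 pre-shared-key suites) and the reply that the netcat pipeline above inspects, as an added example that is not part of this thread and not Nmap's code. It rebuilds the posted byte string from its fields so the record layout is visible, checks that every offered suite is a PSK suite (which also makes the probe easy to recognise in a network monitor: ordinary clients never offer a PSK-only list), and parses a server reply into the pieces a fingerprint needs, either an alert record or a ServerHello plus the psk_identity_hint from the ServerKeyExchange. The reply bytes it parses are constructed, and the reading of the "steam" string at offset 0x5a as a psk_identity_hint is my inference from the offsets, not something the thread states.

```python
"""Build and interpret the TLS-PSK service probe discussed in the thread.

Added example: not Nmap code and not written by the thread's participants.  The probe
bytes are the ones posted above; the reply layout in build_constructed_reply() is my
own assumption about where the "steam" string at offset 0x5a comes from.
"""
import struct

# The probe exactly as posted: SSLv3 record header carrying a TLS 1.2 ClientHello.
POSTED_PROBE = bytes.fromhex(
    "1603000075" "01000071" "0303"
    "55382a6245545853" "4a44535a4e484d44" "46414f4e444b4a58" "585a595a48574852"
    "00" "0030"
    "008a008b008c008d008e008f" "009000910092009300940095"
    "00a800a900aa00ab00ac00ad" "00ae00af00b200b300b600b7"
    "0100" "0018" "000d0014" "0012" "000100020003010101020103020102020203"
)
# The same probe as fields.  The random is ASCII; its first four bytes (0x55382a62) are a
# 22 Apr 2015 Unix timestamp, the conventional gmt_unix_time prefix.
PROBE_RANDOM = b"U8*bETXSJDSZNHMDFAONDKJXXZYZHWHR"
PROBE_SUITES = (list(range(0x008A, 0x0096)) + list(range(0x00A8, 0x00B0))
                + [0x00B2, 0x00B3, 0x00B6, 0x00B7])
PROBE_SIG_ALGS = [(h, s) for h in (0, 1, 2) for s in (1, 2, 3)]  # signature_algorithms pairs


def is_psk_suite(suite):
    """0x008A-0x0095 are the RFC 4279 PSK suites, 0x00A8-0x00B9 the RFC 5487 ones;
    TLS_PSK_WITH_AES_128_CBC_SHA from the thread is 0x008C."""
    return 0x008A <= suite <= 0x0095 or 0x00A8 <= suite <= 0x00B9


def build_client_hello(random32, suites, sig_algs, record_version=(3, 0), hello_version=(3, 3)):
    """ClientHello record with an empty session id and one signature_algorithms extension.
    Record version 3.0 under a 3.3 hello is what the posted bytes use, hence the defaults."""
    if len(random32) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    sig_bytes = b"".join(bytes(pair) for pair in sig_algs)
    ext = struct.pack("!HHH", 0x000D, len(sig_bytes) + 2, len(sig_bytes)) + sig_bytes
    body = (bytes(hello_version) + random32 + b"\x00"           # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                        # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type ClientHello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_reply(data):
    """Walk the TLS records of a reply and pull out what the probe needs: an alert
    (level, description), the ServerHello's version and chosen suite, and the
    psk_identity_hint of a ServerKeyExchange (RFC 4279 s.2).  The hint is the first
    field of that message for PSK, DHE_PSK and RSA_PSK alike, so no suite lookup is needed."""
    out = {"alert": None, "server_version": None, "chosen_suite": None, "psk_identity_hint": None}
    pos = 0
    while pos + 5 <= len(data):
        ctype, rlen = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        payload = data[pos + 5:pos + 5 + rlen]
        if len(payload) != rlen:
            raise ValueError("truncated TLS record")
        pos += 5 + rlen
        if ctype == 0x15 and len(payload) >= 2:                 # alert record
            out["alert"] = (payload[0], payload[1])
        elif ctype == 0x16:                                      # handshake record(s)
            hp = 0
            while hp + 4 <= len(payload):
                htype, hlen = payload[hp], int.from_bytes(payload[hp + 1:hp + 4], "big")
                msg = payload[hp + 4:hp + 4 + hlen]
                hp += 4 + hlen
                if htype == 0x02:                                # ServerHello
                    sid_len = msg[34]
                    out["server_version"] = (msg[0], msg[1])
                    out["chosen_suite"] = struct.unpack("!H", msg[35 + sid_len:37 + sid_len])[0]
                elif htype == 0x0C:                              # ServerKeyExchange
                    out["psk_identity_hint"] = msg[2:2 + struct.unpack("!H", msg[:2])[0]]
    return out


# CONSTRUCTED samples, not captured traffic.  The trace above shows the SSLSessionReq probe
# getting a 7-byte reply and OpenSSL reporting "alert handshake failure": 7 bytes is exactly
# one TLS alert record, and handshake_failure is alert number 40.
CONSTRUCTED_ALERT = bytes.fromhex("1503010002" "0228")


def build_constructed_reply():
    """Shape assumed for the 104-byte reply: a ServerHello with a 32-byte session id (79 bytes)
    followed by a ServerKeyExchange whose hint begins 11 bytes later, i.e. at offset 0x5a,
    which is where the thread's xxd command finds "steam".  The hint text is invented."""
    hello = b"\x03\x03" + bytes(32) + b"\x20" + bytes(range(32)) + b"\x00\x8c" + b"\x00"
    hint = b"steam-example!"
    ske = struct.pack("!H", len(hint)) + hint
    return (b"\x16\x03\x03" + struct.pack("!H", 4 + len(hello)) + b"\x02" + len(hello).to_bytes(3, "big") + hello
            + b"\x16\x03\x03" + struct.pack("!H", 4 + len(ske)) + b"\x0c" + len(ske).to_bytes(3, "big") + ske)


if __name__ == "__main__":
    assert build_client_hello(PROBE_RANDOM, PROBE_SUITES, PROBE_SIG_ALGS) == POSTED_PROBE
    print("all %d offered suites are PSK:" % len(PROBE_SUITES), all(map(is_psk_suite, PROBE_SUITES)))
    print("alert reply ->", parse_server_reply(CONSTRUCTED_ALERT))
    print("hint reply  ->", parse_server_reply(build_constructed_reply()))
```

`POSTED_PROBE` is byte-for-byte the string the echo/sed/xxd pipeline above feeds to nc, and `build_client_hello` reproduces it from its parts, so changing the suite list or the random is a one-line edit rather than hand-editing hex. The 104-byte length and the 0x5a offset reported in the thread fit a ServerHello with a 32-byte session id (79 bytes) followed by the 11 header bytes of a ServerKeyExchange, which is why the constructed reply takes that shape; only a capture from a real host can confirm it.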
Current thread:
- Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Kristian Erik Hermansen (Apr 21)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Daniel Miller (Apr 21)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Kristian Erik Hermansen (Apr 22)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Daniel Miller (Apr 22)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Kristian Erik Hermansen (Apr 23)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Daniel Miller (Apr 23)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Kristian Erik Hermansen (Apr 23)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Kristian Erik Hermansen (Apr 24)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Kristian Erik Hermansen (Apr 22)
- Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file Daniel Miller (Apr 21)