Nmap Development mailing list archives
Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 23 Apr 2015 07:46:03 -0500
On Thu, Apr 23, 2015 at 3:10 AM, Kristian Erik Hermansen < kristian.hermansen () gmail com> wrote:
After modifying nmap-service-probes, nmap DOES NOT produce a proper fingerprint. However, a trace does show that data is coming back for certain probes:
"""
Service scan sending probe TLS-PSK to 1.2.3.4:27036 (tcp)
...
NSOCK INFO [6.7320s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 34 [1.2.3.4:27036] (104 bytes)
...
Service scan sending probe SSLSessionReq to 1.2.3.4:27036 (tcp)
...
NSOCK INFO [17.0990s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 258 [1.2.3.4:27036] (7 bytes): ......(
Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 11420): 1.2.3.4:27036 is ssl. Version: |TLSv1|||
...
NSOCK INFO [17.1490s] handle_connect_result(): EID 265 reconnecting with SSL_OP_NO_SSLv2
NSOCK INFO [17.1990s] handle_connect_result(): EID 265 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
NSOCK INFO [17.1990s] nsock_trace_handler_callback(): Callback: SSL-CONNECT ERROR [Input/output error (5)] for EID 265 [1.2.3.4:27036]
Got nsock CONNECT response with status ERROR - aborting this service
...
"""
Ah yes, this is because there is no match line, so probing continues. Since the SSLSessionReq probe matches, we know that a service fingerprint will not be displayed. I think you could get around this by adding --version-intensity 0, which would send only the Null probe and any probes that have 27036 in the "ports" line.
However, a manual probe via netcat elicits a dynamic, but good 104 byte response (per above) that accurately identifies the steam service.
"""
$ echo -n '\x16\x03\0\0\x75\x01\0\0\x71\x03\x03\x55\x38\x2a\x62\x45\x54\x58\x53\x4a\x44\x53\x5a\x4e\x48\x4d\x44\x46\x41\x4f\x4e\x44\x4b\x4a\x58\x58\x5a\x59\x5a\x48\x57\x48\x52\0\0\x30\0\x8a\0\x8b\0\x8c\0\x8d\0\x8e\0\x8f\0\x90\0\x91\0\x92\0\x93\0\x94\0\x95\0\xa8\0\xa9\0\xaa\0\xab\0\xac\0\xad\0\xae\0\xaf\0\xb2\0\xb3\0\xb6\0\xb7\x01\0\0\x18\0\x0d\0\x14\0\x12\0\x01\0\x02\0\x03\x01\x01\x01\x02\x01\x03\x02\x01\x02\x02\x02\x03' | sed -e 's/\\0/00/g' -e 's/\\x//g' | xxd -r -p | nc -n 1.2.3.4 27036 | xxd -seek 0x5a -l 5
000005a: 7374 6561 6d                             steam
"""
This is what I expected: the PSK identity hint contains some information to identify the service you're connecting to. This is how the client would retrieve the appropriate pre-shared key for the service, if it were configured to connect to multiple services with different keys. Unfortunately, you haven't given enough of the packet to make a fingerprint. You can either use the --version-intensity 0 option like I suggested above, or you can just give the full packet dump from this command without the -seek 0x5a -l 5 options.

Dan
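For readers following the exchange above, here is an added Python example (not code from the thread or from Nmap) that walks a server's TLS reply to a PSK ClientHello and pulls out the psk_identity_hint from the ServerKeyExchange message, which is the field Dan refers to. The sample response it parses is constructed here (the hint value and session id are made up); with a 32-byte session id the hint lands at offset 0x5a, matching the xxd offset in the thread.

```python
import struct
from typing import Optional

# PSK cipher suite code points from RFC 4279 and RFC 5487 (the suites the TLS-PSK probe offers).
PSK_SUITES = set(range(0x008A, 0x0096)) | set(range(0x00A8, 0x00B8))

def _record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def _handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def build_sample_response(hint: bytes, suite: int = 0x008C) -> bytes:
    """Constructed server reply: a ServerHello record, then a PSK ServerKeyExchange record.
    The 32-byte session id puts the hint at offset 0x5a, like the capture in the thread."""
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x20" + b"\x22" * 32
             + struct.pack("!H", suite) + b"\x00")
    ske = struct.pack("!H", len(hint)) + hint  # RFC 4279 s2: psk_identity_hint<0..2^16-1>
    return _record(22, _handshake(2, hello)) + _record(22, _handshake(12, ske))

def extract_psk_identity_hint(data: bytes) -> Optional[bytes]:
    """Return the psk_identity_hint from a TLS server reply, or None on alert/non-PSK/truncation."""
    handshake, off = b"", 0
    while off + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) < rlen:  # truncated capture: stop rather than misparse
            break
        off += 5 + rlen
        if ctype == 21:  # alert record (e.g. handshake_failure): no hint is coming
            return None
        if ctype == 22:
            handshake += body  # handshake messages may be split across records
    pos, suite = 0, None
    while pos + 4 <= len(handshake):
        mtype = handshake[pos]
        mlen = int.from_bytes(handshake[pos + 1:pos + 4], "big")
        msg = handshake[pos + 4:pos + 4 + mlen]
        if len(msg) < mlen:
            break
        pos += 4 + mlen
        if mtype == 2 and len(msg) >= 35:  # ServerHello: version, random, session id, suite
            sid_len = msg[34]
            if len(msg) >= 37 + sid_len:
                suite = struct.unpack("!H", msg[35 + sid_len:37 + sid_len])[0]
        elif mtype == 12:  # ServerKeyExchange: only PSK suites start it with the hint
            if suite not in PSK_SUITES or len(msg) < 2:
                return None
            hlen = struct.unpack("!H", msg[:2])[0]
            return msg[2:2 + hlen] if len(msg) >= 2 + hlen else None
    return None
```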