Re: Skype v2 in the news

[Brandon Enright <bmenrigh () ucsd edu>]

On Fri, 2006-07-07 at 08:30 -0700, Adam Vartanian wrote:
> > I've looked at a lot of Skype fingerprint output and poked an a number
> > of Skype owned ports.  As long as a HTTP GET request isn't sent the data
> > the comes back looks totally random.  I'm sure the initial data is
> > meaningful in some way (session key, public key, RC4 stream, etc) but it
> > certainly isn't obviously patterned.  Considering the service versioning
> > isn't interactive (can't interact with the data received) I don't think
> > it is possible to develop a fingerprint that isn't based on voodoo.
>
> That's the same result that I got when I looked at it.  Once the
> client sends 14 bytes of data, the service responds with 14 bytes of
> random-looking data.  Since 14 bytes is the proper length for a
> 112-bit 3DES key, my guess is that it's a DH key exchange, but that's
> truly a complete guess.

Actually Skype V2 isn't limiting itself to just 14 bytes.  The old
fingerprint was something like m/^.{14}$/s and it was working just fine.
That isn't working on the new version.

> > I'd be interested in hearing any other thoughts on the headache that is
> > Skype.
>
> I pretty much came to the same conclusion, that the scripting module
> (or something like it) will be necessary to detect it.
>
> - Adam

Even with the scripting module I'm not so sure were going to be able to
speak enough of the Skype protocol to get anywhere helpful.  A
randomness test might end up being the only (easy) option.

Brandon



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev