Re: Squeezecenter probe

[David Fifield <david () bamsoftware com>]

On Tue, Jan 12, 2010 at 10:00:31PM +0100, Patrik Karlsson wrote:
> On 12 jan 2010, at 21.24, David Fifield wrote:
> > On Mon, Jan 04, 2010 at 10:41:07AM +0100, Patrik Karlsson wrote:
> > > I have added a probe and an appropriate match line that detects the
> > > Logitec Squeezecenter. I'm submitting a patch with the changes and the
> > > signature so that it can be further optimized if needed.
> > >
> > > SF-Port3483-UDP:V=5.10BETA2%I=7%D=1/4%Time=4B41B653%P=i386-apple-darwin10.2.0%r(SqueezeCenter,47,"ENAME\x05bubbaJSON\x049000VERS\x057\.4\.1UUID\$f85f
> > > SF:7fef-887b-41ff-acb1-c334d8ea59a7")%r(RPCCheck,12,"h\0\0\0\0\0\0\0\0\0\0
> > > SF:\0\0\0\0\0\0\0");
> >
> > > ##############################NEXT PROBE##############################
> > > # SqueezeCenter discovery
> > > Probe UDP SqueezeCenter q|eIPAD\0NAME\0JSON\0VERS\0UUID\0JVID\x06\x12\x34\x56\x78\x12\x34|
> > > rarity 5
> > > ports 3483
> > >
> > > match squeezecenter m|^ENAME.{1}(.+)JSON.{1}(\d+)VERS.{1}(.+)UUID.{1}(.+)$| p/SqueezeCenter/ i/Server Name: $1, 
> > > JSON: $2, UUID: $4/ v/$3/
> >
> > I found there's a really nice wiki for this service and the products
> > that use it, which are music players. It's at
> > http://wiki.slimdevices.com/index.php/Main_Page. The server is free
> > software written in Perl.
> >
> > However, now I'm confused because the protocol documentation on the wiki
> > doesn't match the probe.
>
> That makes two of us. The probe is based on a packet I captured on my
> home network. The packet is repeatedly sent to the broadcast address
> from the logitech squeezebox duet remote control. So I'm guessing it
> some way for the remote control to discover the server. 
>
> Google found me a Nessus script that more or less confirms this:
> http://www.nessus.org/plugins/index.php?view=single&id=42932
>
> > http://wiki.slimdevices.com/index.php/SlimProtoTCPProtocol
> >
> > That page talks about listening on port 3483, but it doesn't seem to
> > match up with the probe. It also says there is a listener on 3483/tcp,
> > does your server have that? I would like you to see if you can figure
> > out the discrepancy between the protocols (maybe I just misunderstand
> > something). Maybe we can get even more information by tweaking the
> > probe.
>
> Probing the TCP port may reveal more information, but that would
> probably be a different probe as described by the protocol in your
> link.

Okay, thanks. I added the probe and match lines. We'll have these links
in the mailing list archive if we find out more in the future.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/