Nmap Development mailing list archives

Re: [NSE] murmur-version Murmur server version detection script


From: David Fifield <david () bamsoftware com>
Date: Wed, 12 Dec 2012 15:42:51 -0800

On Wed, Dec 12, 2012 at 08:40:32PM +0100, Marin Maržić wrote:
> Hey,
>
> The payload seems to be working:
>
> # Murmur 1.2.X (Mumble server)
> udp 64738 "\x00\x00\x00\x00abcdefgh"
>
> The recommended port is the default port that a lot of servers use and
> the program default, but it's common to see the server run on other port
> numbers (guess that's the usual situation).

Thanks, I've committed it.

> I had made an nmap-service-probes thing prior to going with NSE. Would a
> thing like the following match line somehow be possible?
>
> match murmur m|^\0(.)(.)(.)abcdefgh(.{4})(.{4})(.{4})$|s p/Murmur voice communication (Mumble server)/ v/$1.$2.$3/ i/#users: $4, #max users: $5, speech bandwidth: $6 bps/
>
> The problem is the regex captured parts are binary 1-byte and 4-byte
> big-endian ints, i.e. they aren't ASCII. Can that somehow be converted to
> ASCII with some helper function for output?
>
> Anyway, since I didn't know how to do output with that, I first
> hardcoded all supported known version numbers in the match lines (the
> last one is generic and doesn't differentiate between versions). In the
> end I chose to use the NSE because this was ugly :).
>
> Probe UDP Murmur q|\0\0\0\0abcdefgh|
> rarity 1
> ports 64738
>
> match murmur m|^\0\x01\x02\0abcdefgh.{12}$|s p/Murmur voice communication (Mumble server)/ v/1.2.0/
> match murmur m|^\0\x01\x02\x01abcdefgh.{12}$|s p/Murmur voice communication (Mumble server)/ v/1.2.1/
> match murmur m|^\0\x01\x02\x02abcdefgh.{12}$|s p/Murmur voice communication (Mumble server)/ v/1.2.2/
> match murmur m|^\0\x01\x02\x03abcdefgh.{12}$|s p/Murmur voice communication (Mumble server)/ v/1.2.3/
> match murmur m|^\0\x01\x02\x04abcdefgh.{12}$|s p/Murmur voice communication (Mumble server)/ v/1.2.4/
> match murmur m|^\0.{3}abcdefgh.{12}$|s p/Murmur voice communication (Mumble server)/ v/1.2.X/

An NSE script sounds like the right way to go. We have a similar battery
of service matches for bitcoin in the service database, but the script
is better.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
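
The thread turns on decoding binary captures that a match line cannot render as text. As an added example (not code from the thread or from the committed murmur-version script), this Python sketch decodes the reply layout implied by the proposed match line; the field names and the sample reply are assumptions constructed for illustration.

```python
import struct

# Probe payload from the page: four zero bytes plus an 8-byte identifier.
PROBE = b"\x00\x00\x00\x00abcdefgh"
IDENT = PROBE[4:]
# Layout implied by the match line: \0, 3 version bytes, echoed identifier,
# then three 4-byte big-endian integers (24 bytes in total).
REPLY = struct.Struct(">B3B8s3I")


def parse_murmur_reply(data, ident=IDENT):
    """Return a dict of decoded fields, or None if data is not a valid reply."""
    if len(data) != REPLY.size:
        return None  # truncated or padded datagram
    zero, major, minor, patch, echo, users, max_users, bandwidth = REPLY.unpack(data)
    if zero != 0 or echo != ident:
        return None  # not a reply to the probe that was sent
    return {
        "version": f"{major}.{minor}.{patch}",
        "users": users,
        "max_users": max_users,
        "bandwidth_bps": bandwidth,
    }


def describe(info):
    """Format the fields the way the proposed match line's v// and i// would."""
    return (f"Murmur voice communication (Mumble server) {info['version']} "
            f"(#users: {info['users']}, #max users: {info['max_users']}, "
            f"speech bandwidth: {info['bandwidth_bps']} bps)")


# Constructed sample reply (not captured from a real server): version 1.2.4,
# 3 of 100 users, 72000 bps.
SAMPLE = b"\x00\x01\x02\x04abcdefgh" + struct.pack(">3I", 3, 100, 72000)

if __name__ == "__main__":
    print(describe(parse_murmur_reply(SAMPLE)))
```

Checking the echoed identifier as well as the length keeps unrelated UDP datagrams on the same port from being reported as a Murmur server.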
