Re: TeamSpeak 2 and 3 service detection

[David Fifield <david () bamsoftware com>]

On Wed, Dec 19, 2012 at 07:59:51PM +0100, Marin Maržić wrote:
> been working on improving TeamSpeak 2 and 3 server service detection and
> here's what I came up with.
>
> TeamSpeak 2 (2 TCP and 1 UDP port):
>
> TCP port service detection (the "TCPQuery" interface):
>
> - replaced match line (for the NULL probe):
> match telnet m|^\[TS\]\r\n$| p/Teamspeak VoIP Information telnetd/
> - with:
> softmatch ts2-TCPQuery m|^\[TS\]\r\n$|
>
> - and added probe:
> Probe TCP verLine q|ver\r\n|
> rarity 9
> ports 51234
>
> match ts2-TCPQuery m|^\[TS\]\r\n(\S+) (\S+) (\S+)\r\nOK\r\n$|
> p/TeamSpeak 2 server TCPQuery interface (telnetd)/ v/$1/ i/$3/ o/$2/
>
> - This improves the detection of the specific TS2 telnetd (they call it
> the TCPQuery function) with additional information (more precise name,
> specific version, some extra info and OS). Rarity 9 works great because
> of the softmatch in the NULL probe so it doesn't slow down searches.

I applied the part to make a more specific match for the TCPQuery port.

Can you send some examples of verbatim responses sent in response to the
"ver" command? I want to see what kind of things are going in the info
field, and how the OS names are formatted. If there are multiple OS
strings, we usually like to break them into multiple match lines in
order to have different CPE.

> TCP port service detection (the "ServerQuery" interface):
>
> - replaced match lines (for the NULL probe):
> match teamspeak m|^TS3\n\r$| p/TeamSpeak voice communication/ v/3/
> match teamspeak m|^TS3\n\rWelcome to the TeamSpeak 3 ServerQuery
> interface, type \"help\" for a list of commands and \"help <command>\"
> for information on a specific command\.\n\r$| p/TeamSpeak voice
> communication/ v/3/
>
> - with:
> softmatch ts3-ServerQuery m|^TS3\n\r$|
> softmatch ts3-ServerQuery m|^TS3\n\rWelcome to the TeamSpeak 3
> ServerQuery interface, type \"help\" for a list of commands and \"help
> <command>\" for information on a specific command\.\n\r$|
>
> - and added probe:
> Probe TCP versionLine q|version\r\n|
> rarity 9
> ports 10011
>
> match ts3-ServerQuery m|^TS3\n\r.*?version=(\S+) build=(\S+)
> platform=(\S+)\n\rerror id=0 msg=ok\n\r$|s p/TeamSpeak 3 server
> ServerQuery interface (telnetd)/ v/$1/ i/build: $2/ o/$3/

Same here, I applied the more specific matches, but please show some
example ooutput of the "version" command.

> TCP port service detection (the http web admin interface):
>
> - This one seemed to exist already in nmap-service-probes in the form of
> 2 match lines (for the NULL probe):
> match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection:
> keep-alive\r\nContent-Type: text/HTML\r\nContent-Length: \d+\r\nServer:
> Indy/([\d.]+)\r\nSet-Cookie: .*\r\n\r\n<!-- header\.html
> -->.*TeamSpeak|s p/TeamSpeak admin httpd/ v/1.X/ i/Indy httpd $1/
> match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection:
> keep-alive\r\nContent-Type: text/HTML\r\nContent-Length: \d+\r\nServer:
> Indy/([\d.]+)\r\nSet-Cookie: .*<title>TeamSpeak 2 -
> Server-Administration</title>|s p/TeamSpeak admin httpd/ v/2.X/ i/Indy
> httpd $1/
>
> - Unfortunately they never match because they are overriden by this line:
> match http m|^HTTP/1\.1 200 OK\r\n.*Server: Indy/([\w._-]+)\r\n|s
> p/Indy/ v/$1/
>
> - not sure how this kind of stuff is usually fixed

This doesn't seem to be the case anymore in the current version of the
file. The Indy/TeamSpeak lines appear (in the GetRequest probe) above
any more generic Indy lines. Is it possible that the server output is
slightly different and now doesn't match the regular expressions?

> - payload (nmap-payloads):
> # TeamSpeak 2
> udp 8767
> "\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>
> UDP port service detection (the voice/login/session port):
>
> Probe UDP TeamSpeak3
> q|\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6|
> rarity 9
> ports 9987
>
> match ts3
> m|^.{8}\x00\x00\x02\x97\x76\x8b\x54\xad\x79\xe3\xaf\x87\xeb\xaa\x1a\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x33\x08\x86\x2d\x40|s
> p/TeamSpeak 3 server/
>
> - not sure about the rarity here, won't get picked up on a default scan
> with 9
>
> - payload (nmap-payloads):
> # TeamSpeak 3
> udp 9987
> "\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6"

For all these, we need some more information. We don't like having
undocumented binary blobs in the database. Do you have a link to
protocol documentation? What do these probes do? Where do they come
from? Check the comments above each payload in nmap-payloads; that's the
kind of information we need.

> UDP port service detection (the voice/login/session port):
>
> - Attached an NSE script for this one. More info in the .nse.

It looks like what this script does can be done with a version probe. It
just sends a static payload and then does a pattern match on the
returned value. A blank name, for example, would be handled with two
match lines. My above comments on documentation apply equally here;
please show some example output if possible.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/