Nmap Development mailing list archives
Re: [NSE] ventrilo-info Ventrilo server version detection and info
From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Jul 2013 02:06:04 -0700
On Fri, Jun 07, 2013 at 11:59:38PM +0200, Marin Maržić wrote:
> - murmur-version.nse
> Now only sends and receives 1 packet when scanning the same port number on the same host in both TCP and UDP (used to repeat for each protocol).
> The "softmatch" probe:
>
> Probe UDP Murmur q|\0\0\0\0abcdefgh|
> rarity 9
> ports 64738
> match murmur m|^\0.{3}abcdefgh.{12}$|s p/Murmur/ v/1.2.X/
Thanks, applied.
> - ventrilo-info.nse
> Now only sends and receives 1 packet when scanning the same port number on the same host in both TCP and UDP (used to repeat for each protocol). Various code improvements, bug fixes.
> The "softmatch" probe follows. This one is encrypted and the match can't really be matched on anything except that it should be at least 111 bytes (conservative guess, should catch all).
>
> Probe UDP Ventrilo q|\x01\xe7\xe5\x75\x31\xa3\x17\x0b\x21\xcf\xbf\x2b\x99\x4e\xdd\x19\xac\xde\x08\x5f\x8b\x24\x0a\x11\x19\xb6\x73\x6f\xad\x28\x13\xd2\x0a\xb9\x12\x75|
> rarity 9
> ports 3784
> match ventrilo m|^.{111}|s p/Ventrilo/ v/2.1.2+/
>
> The UDP payload follows. It is a general status request with a 1 packet reply:
>
> # Ventrilo 2.1.2+
> # UDP general status request (encrypted).
> # See http://aluigi.altervista.org/papers.htm#ventrilo
> udp 3784
>   "\x01\xe7\xe5\x75\x31\xa3\x17\x0b\x21\xcf\xbf\x2b\x99\x4e\xdd\x19\xac\xde\x08\x5f\x8b\x24\x0a\x11\x19\xb6\x73\x6f\xad\x28\x13\xd2\x0a\xb9\x12\x75"
Also applied.
> - teamspeak2-version.nse
> You mentioned that this could have been done with a version probe and a couple of match lines (and you were right!), but I have since found where the precise version numbers are hidden in the binary blob response. There is some information on the protocol at http://wiki.wireshark.org/TeamSpeak2 but they haven't found the version offsets. A normal login request is used.
I added this script.
> The "softmatch" probe:
>
> Probe UDP TeamSpeak2 q|\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
> rarity 9
> ports 8767
> match ts2 m|^\xf4\xbe\x04\x00\x00\x00\x00\x00.............([^\0]+)[^\w\s]+([^\0]+)\0+[^\0].{355}$|s p/TeamSpeak 2/ o/$2/ i/name: $1; no password/
> match ts2 m|^\xf4\xbe\x04\x00\x00\x00\x00\x00............\0{60}.{356}$|s p/TeamSpeak 2/ i|name: n/a; has password or version < 2.0.19.16 (very unlikely)|
Could you share some examples of the raw output of the service? I might write the match lines in a different way. The best way to format the examples is to just run -sV with the probe in place, and copy the service fingerprint blob.
> - TeamSpeak 2 nmap-payloads
> The payload sent is the one used in the above script. It is a normal login request and is not encrypted. Some information fields sent are in ASCII, but it's in hex here because it was convenient to copy it like that off the wire. I guess the description could be something like:
>
> # TeamSpeak 2
> # UDP login request
> # See http://wiki.wireshark.org/TeamSpeak2
Applied.
> - TeamSpeak 2 TCP port service detection (the "TCPQuery" interface):
> Here are 2 examples you asked for of what output looks like for the suggested "ver" command:
>
> 2.0.23.19 Win32 Freeware
> OK
>
> 2.0.24.1 Linux Freeware
> OK
I added separate match lines for these two OSes, so that we can canonicalize "Win32" and so that we can have separate CPE for them.
> - TeamSpeak 3 UDP probe and nmap-payloads
> This is an encrypted login request packet copied off the wire. I think there is no documentation on it. There seem to be some fields that echo back what is sent, and some that are static when sent this exact payload, so I match on them. Length varies. I guess the description could be something like:
>
> # TeamSpeak 3
> # UDP login request (encrypted)
>
> - TeamSpeak 3 TCP port service detection (the "ServerQuery" interface):
> 2 examples of what output looks like for the suggested "version" command:
>
> version=3.0.6.1 build=1340956745 platform=Windows
> error id=0 msg=ok
>
> version=3.0.7.2 build=1368605352 platform=Linux
> error id=0 msg=ok
It looks like you missed pasting in the payload here?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
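The match lines quoted in this message can be checked offline before they go into nmap-service-probes. What follows is an added example, not code from Nmap or from either poster: a small Python reader for the "match" line syntax (service name, m-delimited regex, optional s/i flags, single-letter p/v/i/o fields; cpe: fields are not handled) applied to the Murmur and Ventrilo lines above and to a TeamSpeak 2 "ver" reply. The TeamSpeak 2 match line and every response byte string are constructed for illustration; the per-OS lines David actually added are not on this page. Python's re stands in for Nmap's PCRE, and the two agree for these patterns.

```python
import re
from dataclasses import dataclass

# Added example, not Nmap's own code: a minimal reader for "match" lines in the
# nmap-service-probes format, used to check the softmatch lines quoted in the
# thread against constructed responses. Only single-letter version fields
# (p v i o h d) with a one-character delimiter are handled; cpe: fields are not.


@dataclass
class MatchLine:
    service: str
    regex: bytes   # PCRE source text, reused here as a Python bytes pattern
    flags: int     # re.DOTALL for "s", re.IGNORECASE for "i"
    fields: dict   # e.g. {"p": "Murmur", "v": "1.2.X"}; $N refers to regex groups


def parse_match(line: str) -> MatchLine:
    """Parse: match <service> m<d>regex<d>[si] [p<d>..<d>] [v<d>..<d>] [i<d>..<d>] ..."""
    keyword, service, rest = line.strip().split(None, 2)
    if keyword not in ("match", "softmatch") or rest[0] != "m":
        raise ValueError("not a match line: " + line)
    delim = rest[1]
    end = rest.index(delim, 2)
    regex, rest = rest[2:end], rest[end + 1:]
    # optional flag letters sit directly after the closing delimiter
    flags = 0
    while rest and rest[0] in "si":
        flags |= re.DOTALL if rest[0] == "s" else re.IGNORECASE
        rest = rest[1:]
    # version fields: <letter><delim>text<delim>, separated by whitespace
    fields, pos = {}, 0
    while pos < len(rest):
        if rest[pos].isspace():
            pos += 1
            continue
        key, d = rest[pos], rest[pos + 1]
        end = rest.index(d, pos + 2)
        fields[key] = rest[pos + 2:end]
        pos = end + 1
    # latin-1 maps every byte 1:1 and leaves \xNN and \0 escapes for re to interpret
    return MatchLine(service, regex.encode("latin-1"), flags, fields)


def apply_match(ml: MatchLine, response: bytes):
    """Return the service name and filled-in version fields on a match, else None."""
    m = re.match(ml.regex, response, ml.flags)
    if m is None:
        return None

    def fill(template: str) -> str:
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))).decode("latin-1"), template)

    return {"service": ml.service, **{k: fill(v) for k, v in ml.fields.items()}}


# Match lines quoted in the thread, verbatim.
MURMUR = r"match murmur m|^\0.{3}abcdefgh.{12}$|s p/Murmur/ v/1.2.X/"
VENTRILO = r"match ventrilo m|^.{111}|s p/Ventrilo/ v/2.1.2+/"
# Constructed match line for the TCPQuery "ver" reply shown in the thread. It is
# not the line added to nmap-service-probes, only an illustration of a per-OS
# match line that canonicalizes "Win32" into a Windows o/ field.
TS2_WIN32 = (r"match teamspeak2 m|^(\d+\.\d+\.\d+\.\d+) Win32 Freeware\r\nOK\r\n| "
             r"p/TeamSpeak 2/ v/$1/ o/Windows/")

# Constructed responses, not captured traffic.
# Murmur ping reply: 4 version bytes, the 8-byte ident echoed back, three 4-byte
# counters (users, max users, bandwidth). users = 10 puts a 0x0a byte in the tail.
MURMUR_REPLY = (b"\x00\x01\x02\x05" + b"abcdefgh"
                + b"\x00\x00\x00\x0a" + b"\x00\x00\x00\x64" + b"\x00\x01\x17\x70")
VENTRILO_REPLY = bytes(range(120))           # stand-in for a 120-byte encrypted status reply
TS2_VER_REPLY = b"2.0.23.19 Win32 Freeware\r\nOK\r\n"


def demo() -> dict:
    """Run each match line against its constructed reply; None means no match."""
    return {
        "murmur": apply_match(parse_match(MURMUR), MURMUR_REPLY),
        # same pattern without the s flag: "." stops at the 0x0a byte and the match fails
        "murmur_no_s_flag": apply_match(parse_match(MURMUR.replace("|s ", "| ")), MURMUR_REPLY),
        "ventrilo_120_bytes": apply_match(parse_match(VENTRILO), VENTRILO_REPLY),
        "ventrilo_110_bytes": apply_match(parse_match(VENTRILO), VENTRILO_REPLY[:110]),
        "ts2_ver": apply_match(parse_match(TS2_WIN32), TS2_VER_REPLY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it prints one result per case. The murmur_no_s_flag case is the one worth noticing: binary replies routinely contain 0x0a, and without the s flag the otherwise correct pattern silently fails on them, which is why every UDP match line in this thread carries it. The two Ventrilo cases show what "at least 111 bytes" means in practice: a 110-byte reply is not reported as Ventrilo at all.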
Current thread:
- Re: [NSE] ventrilo-info Ventrilo server version detection and info David Fifield (Jul 01)
- Re: [NSE] ventrilo-info Ventrilo server version detection and info Marin Maržić (Jul 16)
- Re: [NSE] ventrilo-info Ventrilo server version detection and info David Fifield (Aug 05)
- Re: [NSE] ventrilo-info Ventrilo server version detection and info Marin Maržić (Jul 16)