Re: [NSE] ventrilo-info Ventrilo server version detection and info

[David Fifield <david () bamsoftware com>]

On Fri, Jun 07, 2013 at 11:59:38PM +0200, Marin Maržić wrote:
> - murmur-version.nse
> Now only sends and receives 1 packet when scanning the same port number
> on the same host in both TCP and UDP (used to repeat for each protocol).
>
> The "softmatch" probe:
>
> Probe UDP Murmur q|\0\0\0\0abcdefgh|
> rarity 9
> ports 64738
>
> match murmur m|^\0.{3}abcdefgh.{12}$|s p/Murmur/ v/1.2.X/

Thanks, applied.

> - ventrilo-info.nse
> Now only sends and receives 1 packet when scanning the same port number
> on the same host in both TCP and UDP (used to repeat for each protocol).
> Various code improvements, bug fixes.
>
> The "softmatch" probe follows. This one is encrypted and the
> match can't really be matched on anything except that it should be at
> least 111 bytes (conservative guess, should catch all).
>
> Probe UDP Ventrilo
> q|\x01\xe7\xe5\x75\x31\xa3\x17\x0b\x21\xcf\xbf\x2b\x99\x4e\xdd\x19\xac\xde\x08\x5f\x8b\x24\x0a\x11\x19\xb6\x73\x6f\xad\x28\x13\xd2\x0a\xb9\x12\x75|
> rarity 9
> ports 3784
>
> match ventrilo m|^.{111}|s p/Ventrilo/ v/2.1.2+/
>
> The UDP payload follows. It is a general status request with a 1 packet
> reply:
>
> # Ventrilo 2.1.2+
> # UDP general status request (encrypted).
> # See http://aluigi.altervista.org/papers.htm#ventrilo
> udp 3784
> "\x01\xe7\xe5\x75\x31\xa3\x17\x0b\x21\xcf\xbf\x2b\x99\x4e\xdd\x19\xac\xde\x08\x5f\x8b\x24\x0a\x11\x19\xb6\x73\x6f\xad\x28\x13\xd2\x0a\xb9\x12\x75"

Also applied.

> - teamspeak2-version.nse
> You mentioned that this could have been done with a version probe and a
> couple match lines (and you were right!), but I have since found where
> the precise version numbers are hidden in the binary blob response.
> There is some information on the protocol at
> http://wiki.wireshark.org/TeamSpeak2 but they haven't found the version
> offsets. A normal login request is used.

I added this script.

> The "softmatch" probe:
> Probe UDP TeamSpeak2
> q|\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
> rarity 9
> ports 8767
>
> match ts2
> m|^\xf4\xbe\x04\x00\x00\x00\x00\x00.............([^\0]+)[^\w\s]+([^\0]+)\0+[^\0].{355}$|s p/TeamSpeak 2/ o/$2/ 
> i/name: $1; no password/
> match ts2 m|^\xf4\xbe\x04\x00\x00\x00\x00\x00............\0{60}.{356}$|s p/TeamSpeak 2/ i|name: n/a; has password or 
> version < 2.0.19.16 (very unlikely)|

Could you share some examples of the raw output of the service? I might
write the match lines in a different way. The best way to format the
examples is to just run -sV with the probe in place, and copy the
service fingerprint blob.

> - TeamSpeak 2 nmap-payloads
> The payload sent is the one used in the above script. It is a normal
> login request and is not encrypted. Some information fields sent are in
> ASCII, but it's in hex here because it was convenient to copy it like
> that off the wire. I guess the description could be something like:
>
> # TeamSpeak 2
> # UDP login request
> # See http://wiki.wireshark.org/TeamSpeak2

Applied.

> - TeamSpeak 2 TCP port service detection (the "TCPQuery" interface):
> Here are 2 examples you asked for of what output looks like for the
> suggested "ver" command:
> 2.0.23.19 Win32 Freeware
> OK
> 2.0.24.1 Linux Freeware
> OK

I added separate match lines for these two OSes, so that we can
canonicalize "Win32" and so that we can have separate CPE for them.

> - TeamSpeak 3 UDP probe and nmap-payloads
> This is an encrypted login request packet copied off the wire. Think
> there is no documentation on it. There seem to be some fields that echo
> back what is sent, and some that are static when sent this exact
> payload, so I match on them. Length varies. I guess the description
> could be something like:
>
> # TeamSpeak 3
> # UDP login request (encrypted)
>
> - TeamSpeak 3 TCP port service detection (the "ServerQuery" interface):
> 2 examples of what output looks like for the suggested "version" command:
>
> version=3.0.6.1 build=1340956745 platform=Windows
> error id=0 msg=ok
>
> version=3.0.7.2 build=1368605352 platform=Linux
> error id=0 msg=ok

It looks like you missed pasting in the payload here?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/