Nmap Development mailing list archives

Re: [NSE] ventrilo-info Ventrilo server version detection and info

From: David Fifield <david () bamsoftware com>
Date: Mon, 5 Aug 2013 16:51:46 -0700

On Tue, Jul 16, 2013 at 10:01:56PM +0200, Marin Maržić wrote:

Offset  Type   Value                  Comment
0-1     uint16 0xBEF4                 Class: connection
2-3     uint16 0x0004                 Type: login reply
4-7     uint32 0                      Session key; zero on first reply
8-11    uint32 client id
12-15   uint32 2                      Sequence number; 2 on first reply
16-19   uint32 some crc32 checksum
20      uint8  server name length
21-49   string server name
50      uint8  platform length
51-79   string platform
80-81   uint16 1. version             E.g. the "2" in "2.0.23.19"
82-83   uint16 2. version             E.g. the "0" in "2.0.23.19"
84-85   uint16 3. version             E.g. the "23" in "2.0.23.19"
86-87   uint16 4. version             E.g. the "19" in "2.0.23.19"
88-179  bytes  unknown
180     uint8  welcome message length
181-435 string welcome message


Thanks for doing this research. I've modified the match lines a bit
using this new information.

I decided to make individual match lines for different versions. That
means that version detection will show the specific version e.g.
"2.0.23.19", but it also requires a separate match line for every
version. I have left in the match lines for 2.0.23.19. If you can find a
list of possible versions, we can add match lines for each of them.

- TeamSpeak 3 UDP probe and nmap-payloads

This is an encrypted login request packet copied off the wire. Think
there is no documentation on it. There seem to be some fields that echo
back what is sent, and some that are static when sent this exact
payload, so I match on them. Length varies. I guess the description
could be something like:

# TeamSpeak 3
# UDP login request (encrypted)

- TeamSpeak 3 TCP port service detection (the "ServerQuery" interface):
2 examples of what output looks like for the suggested "version" command:

version=3.0.6.1 build=1340956745 platform=Windows
error id=0 msg=ok

version=3.0.7.2 build=1368605352 platform=Linux
error id=0 msg=ok

It looks like you missed pasting in the payload here?


Didn't want to confuse stuff since it was in the previous mail but just
required some clarification. Here it is anyway:


Ah, thanks. I have added these. I was confused because the payloads were
from a different thread: http://seclists.org/nmap-dev/2012/q4/490.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: [NSE] ventrilo-info Ventrilo server version detection and info David Fifield (Jul 01)
- Re: [NSE] ventrilo-info Ventrilo server version detection and info Marin Maržić (Jul 16)
  - Re: [NSE] ventrilo-info Ventrilo server version detection and info David Fifield (Aug 05)