Nmap Development mailing list archives
Re: [NSE] ventrilo-info Ventrilo server version detection and info
From: David Fifield <david () bamsoftware com>
Date: Mon, 5 Aug 2013 16:51:46 -0700
On Tue, Jul 16, 2013 at 10:01:56PM +0200, Marin Maržić wrote:
Offset Type Value Comment 0-1 uint16 0xBEF4 Class: connection 2-3 uint16 0x0004 Type: login reply 4-7 uint32 0 Session key; zero on first reply 8-11 uint32 client id 12-15 uint32 2 Sequence number; 2 on first reply 16-19 uint32 some crc32 checksum 20 uint8 server name length 21-49 string server name 50 uint8 platform length 51-79 string platform 80-81 uint16 1. version E.g. the "2" in "2.0.23.19" 82-83 uint16 2. version E.g. the "0" in "2.0.23.19" 84-85 uint16 3. version E.g. the "23" in "2.0.23.19" 86-87 uint16 4. version E.g. the "19" in "2.0.23.19" 88-179 bytes unknown 180 uint8 welcome message length 181-435 string welcome message
Thanks for doing this research. I've modified the match lines a bit using this new information. I decided to make individual match lines for different versions. That means that version detection will show the specific version e.g. "2.0.23.19", but it also requires a separate match line for every version. I have left in the match lines for 2.0.23.19. If you can find a list of possible versions, we can add match lines for each of them.
- TeamSpeak 3 UDP probe and nmap-payloadsThis is an encrypted login request packet copied off the wire. Think there is no documentation on it. There seem to be some fields that echo back what is sent, and some that are static when sent this exact payload, so I match on them. Length varies. I guess the description could be something like: # TeamSpeak 3 # UDP login request (encrypted) - TeamSpeak 3 TCP port service detection (the "ServerQuery" interface): 2 examples of what output looks like for the suggested "version" command: version=3.0.6.1 build=1340956745 platform=Windows error id=0 msg=ok version=3.0.7.2 build=1368605352 platform=Linux error id=0 msg=okIt looks like you missed pasting in the payload here?Didn't want to confuse stuff since it was in the previous mail but just required some clarification. Here it is anyway:
Ah, thanks. I have added these. I was confused because the payloads were from a different thread: http://seclists.org/nmap-dev/2012/q4/490. David Fifield _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: [NSE] ventrilo-info Ventrilo server version detection and info David Fifield (Jul 01)
- Re: [NSE] ventrilo-info Ventrilo server version detection and info Marin Maržić (Jul 16)
- Re: [NSE] ventrilo-info Ventrilo server version detection and info David Fifield (Aug 05)
- Re: [NSE] ventrilo-info Ventrilo server version detection and info Marin Maržić (Jul 16)