OpenTibia service probes

[Jacek Wielemborek <wielemborekj1 () gmail com>]

Hi,

Today I decided to revisit the game I used to play as a teenager and
played a bit with OpenTibia service probes. I wrote a probe and a few
patterns to match OpenTibia servers. The probe sends an unencrypted
login request to the server - servers implementing game protocol later
than 7.1 will send an unencrypted message informing of the necessary
client version and 7.1 will most likely tell us that the account name
575757, password 77777 is not correct. To test the probes, add this to
your nmap-service-probes file:

Probe TCP OpenTibia
q|\x1d\x00\x01\x02\x00\xc6\x02\x2a\x4b\xff\x3d\xeb\x4a\xff\x3d\x88\x1d\xb0\x3d\x0d\xc9\x08\x00\x06\x00\x37\x37\x37\x37\x37\x37|
rarity 9
ports 7171

# The following one catches most post-7.5 versions.
match OpenTibia m|This server requires client version (.*)\.$| p/$1/

# Unencrypted, 7.1+.
match OpenTibia m|Only clients with protocol (.*) allowed!| p/$1/

match OpenTibia m|^2\0\n/\0Download the client from the game site to
play\.$| p/unknown/
match OpenTibia m|Please write correct account name| p/7.1/

Now, use the get_servlist.py to download a list of OpenTibia hosts to
scan and launch Nmap on the list:

./get_servlist.py > servlist.txt
python -c 'print("\n".join([ i["hostname"] for i in
eval(open("servlist.txt").read())]))' > targets.txt
nmap -sV -iL targets.txt -p 7171 --version-intensity 0 -oA otserv  -vv -Pn

To see how many hosts matched against any of the patterns and which
replies were not matched, run:

grep 'open  OpenTibia' otserv.nmap | wc -l
for fp in `grep 'SF:r(OpenTibia' otserv.nmap | awk '!_[$0]++'`; do
echo -E "`grep -F "$fp" otserv.nmap| wc -l`  ${fp}" ; done | sort -r

BTW, the previous "Tibia" fingerprint didn't fire in any of the cases.
Didn't test the official Cipsoft servers though. Note that OpenTibia
is an open-source Tibia server - there are many modified versions and
some of the banners either require you to install a modified game
client or send the error messages in foreign languages.

I mostly did it for fun, but I'm interested in the feedback. I think
I'll also try writing an NSE script that prints information about the
server, like current number of players, uptime and owner information
(see https://github.com/opentibia/server/blob/master/src/status.cpp).
I'll need to make sure that it's not encrypted first, though (IIRC,
since protocol version 7.6, Tibia is encrypted using RSA+XTEA).

Note that last time I worked with OpenTibia servers was quite a few
years ago and I could have missed some important server version.
Should you find some fingerprints that are not matched and appear in
vast quantities, please let me know.

Yours,
Jacek Wielemborek
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/