Nmap Development mailing list archives
Re: [NSE] ventrilo-info Ventrilo server version detection and info
From: Marin Maržić <marzic () gmail com>
Date: Tue, 16 Jul 2013 22:01:56 +0200
On 1.7.2013. 11:06, David Fifield wrote:
>> The "softmatch" probe:
>>
>> Probe UDP TeamSpeak2 q|\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
>> rarity 9
>> ports 8767
>> match ts2 m|^\xf4\xbe\x04\x00\x00\x00\x00\x00.............([^\0]+)[^\w\s]+([^\0]+)\0+[^\0].{355}$|s p/TeamSpeak 2/ o/$2/ i/name: $1; no password/
>> match ts2 m|^\xf4\xbe\x04\x00\x00\x00\x00\x00............\0{60}.{356}$|s p/TeamSpeak 2/ i|name: n/a; has password or version < 2.0.19.16 (very unlikely)|
>
> Could you share some examples of the raw output of the service? I might write the match lines in a different way. The best way to format the examples is to just run -sV with the probe in place, and copy the service fingerprint blob.
Sure. Actually, first off here are the match lines written in a more concise way and improved to work with non-printable characters in the server name, which a lot of servers use:

# TeamSpeak 2
# UDP login request
# See http://wiki.wireshark.org/TeamSpeak2
Probe UDP TeamSpeak2 q|\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
rarity 9
ports 8767
match ts2 m|^\xf4\xbe\x04\0{5}.{4}\x02\0{3}.{5}(.{29}).([^\0]+)\0+[^\0]|s p/TeamSpeak 2/ o/$2/ i/name: $1; no password/
match ts2 m|^\xf4\xbe\x04\0{5}.{4}\x02\0{3}.{4}\0{60}|s p/TeamSpeak 2/ i|name: n/a; has password or version < 2.0.19.16 (very unlikely)|

I would recommend not changing the match lines much because they seem to cover all cases and have been tested.

Here is what I've gathered on the protocol (little endian):

Offset   Type    Value   Comment
0-1      uint16  0xBEF4  Class: connection
2-3      uint16  0x0004  Type: login reply
4-7      uint32  0       Session key; zero on first reply
8-11     uint32          Client id
12-15    uint32  2       Sequence number; 2 on first reply
16-19    uint32          Some CRC32 checksum
20       uint8           Server name length
21-49    string          Server name
50       uint8           Platform length
51-79    string          Platform
80-81    uint16          1. version, e.g. the "2" in "2.0.23.19"
82-83    uint16          2. version, e.g. the "0" in "2.0.23.19"
84-85    uint16          3. version, e.g. the "23" in "2.0.23.19"
86-87    uint16          4. version, e.g. the "19" in "2.0.23.19"
88-179   bytes           Unknown
180      uint8           Welcome message length
181-435  string          Welcome message

Here are some -sV fingerprint blobs anyway. Pretty sure OS (platform) can be only "Win32" or "Linux".

- no password, version 2.0.23.19 (Win32):

SF-Port8767-UDP:V=6.26SVN%I=1%D=7/16%Time=51E593FF%P=i686-pc-linux-gnu%r(T
SF:eamSpeak2,1B4,"\xf4\xbe\x04\0\0\0\0\0\x02\0\0\0\x02\0\0\0\+\xd1;\xae\x1
SF:0TeamSpeak\x20Server\0\0\0\0\0\0\0\0\0\0\0\0\0\x05Win32\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x02\0\0\0\x17\0\x13\0\xfc\xff\xff\xff\
SF:xff\x1f\0\0\0\0\0\0\x05\0\x07\xff\xff\x0f\xfe\xff\xfe\xff\x03\xfe\0\0\0
SF:\0\0\xe0\x7f\|>\0\xd4\0\0\0\0\0\0lP\(\0\xd4\0\0\0\0\0\0\0\0\0\0\x94\0\x
SF:04\0\0\0N\0\0\0\0\x90\0\x04\0\0\0J\0\0\0\0\x90\0\x10\0\0\0\x06\xd8\x13\
SF:0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0");

- with password:

SF-Port8767-UDP:V=6.26SVN%I=1%D=7/16%Time=51E59D00%P=i686-pc-linux-gnu%r(T
SF:eamSpeak2,1B4,"\xf4\xbe\x04\0\0\0\0\0\x02\0\0\0\x02\0\0\0DZ\xb1\xfa\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x
SF:ff\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\n\x81w\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
>> - TeamSpeak 3 UDP probe and nmap-payloads
>>
>> This is an encrypted login request packet copied off the wire. Think there is no documentation on it. There seem to be some fields that echo back what is sent, and some that are static when sent this exact payload, so I match on them. Length varies. I guess the description could be something like:
>>
>> # TeamSpeak 3
>> # UDP login request (encrypted)
>>
>> - TeamSpeak 3 TCP port service detection (the "ServerQuery" interface):
>>
>> 2 examples of what output looks like for the suggested "version" command:
>>
>> version=3.0.6.1 build=1340956745 platform=Windows
>> error id=0 msg=ok
>>
>> version=3.0.7.2 build=1368605352 platform=Linux
>> error id=0 msg=ok
>
> It looks like you missed pasting in the payload here?
Didn't want to confuse stuff since it was in the previous mail but just required some clarification. Here it is anyway:

- the probe

# TeamSpeak 3
# UDP login request (encrypted)
Probe UDP TeamSpeak3 q|\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6|
rarity 9
ports 9987
match ts3 m|^.{8}\x00\x00\x02\x97\x76\x8b\x54\xad\x79\xe3\xaf\x87\xeb\xaa\x1a\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x33\x08\x86\x2d\x40|s p/TeamSpeak 3 server/

- the payload (same as the one in the probe)

# TeamSpeak 3
# UDP login request (encrypted)
udp 9987 "\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6"

Any thoughts on the "port.service"/"port.version" part of the mail (the bottom part)?
- Marin

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
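A parser for the TeamSpeak 2 login reply as laid out in the offset table above, added here as an example (not code from the mail or from Nmap). It builds a constructed sample reply carrying the values visible in the first fingerprint (name "TeamSpeak Server", platform "Win32", version 2.0.23.19) and applies the same 60-zero-byte test at offsets 20-79 that the second match line uses to flag a password-protected server.

```python
import struct

# Field layout of the TeamSpeak 2 login reply, taken from the offset table in the mail.
HDR = "<HHIIII"          # class, type, session key, client id, sequence, crc32 (offsets 0-19)
CLASS_CONNECTION = 0xBEF4
TYPE_LOGIN_REPLY = 0x0004
REPLY_LEN = 0x1B4        # 436 bytes, the length both -sV fingerprints report


def _pascal(field, width):
    """Length byte followed by the string NUL-padded to a fixed width (name/platform/welcome)."""
    field = field[:width]
    return bytes([len(field)]) + field.ljust(width, b"\0")


def build_login_reply(name, platform, version, welcome, client_id=2, crc=0):
    """Build a sample reply for testing (constructed data, not a capture)."""
    hdr = struct.pack(HDR, CLASS_CONNECTION, TYPE_LOGIN_REPLY, 0, client_id, 2, crc)
    body = _pascal(name, 29) + _pascal(platform, 29)   # offsets 20-79
    body += struct.pack("<HHHH", *version)              # offsets 80-87
    body += b"\0" * (180 - 88)                          # unknown bytes 88-179
    body += _pascal(welcome, 255)                       # offsets 180-435
    assert len(hdr + body) == REPLY_LEN
    return hdr + body


def parse_login_reply(data):
    """Decode the fields the match lines rely on; raise ValueError for anything else."""
    if len(data) < 88:
        raise ValueError("too short for a TeamSpeak 2 login reply")
    cls, typ, _session, client_id, seq, crc = struct.unpack_from(HDR, data, 0)
    if cls != CLASS_CONNECTION or typ != TYPE_LOGIN_REPLY:
        raise ValueError("not a TeamSpeak 2 login reply")
    name = data[21:21 + min(data[20], 29)]
    platform = data[51:51 + min(data[50], 29)]
    version = struct.unpack_from("<HHHH", data, 80)
    welcome = data[181:181 + min(data[180], 255)] if len(data) > 181 else b""
    return {
        "client_id": client_id,
        "sequence": seq,
        "crc32": crc,
        # Server names often contain non-printable bytes; latin-1 keeps every byte.
        "name": name.decode("latin-1"),
        "platform": platform.decode("latin-1"),
        "version": "%d.%d.%d.%d" % version,
        "welcome": welcome.decode("latin-1"),
        # Same condition as the second match line (\0{60} at offsets 20-79): the server
        # sent no name or platform, i.e. it has a password or is older than 2.0.19.16.
        "password_protected": data[20:80] == b"\0" * 60,
    }
```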