Nmap Development mailing list archives

obfs2-version.nse (detection for obfs2 obfuscation transport)


From: David Fifield <david () bamsoftware com>
Date: Thu, 22 Jan 2015 14:03:10 -0800

Here is a script that detects servers of the obfs2 obfuscation
transport. obfs2 is used as an additional encryption layer to disguise
other transports. It's considered busted and deprecated these days, but
here's a script anyway.

How the detection works is you read 16 bytes from the server, use them
to derive a key, and then decrypt the next 4 bytes. If they match a
magic value, then the protocol is obfs2.

https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs2/obfs2-protocol-spec.txt

Theoretically the server could require the client to first send some
data (with the same magic requirement as above) before sending a
response. But I don't think any implementations do that. Therefore the
script simply reads from the socket and does not send anything.

If someone wants to try obfs3, it's a bit harder. Both client and server
need to send data in order to derive a shared key, and then you have to
read from the socket looking for a MAC of the secret to be sure.

https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt

David Fifield

Attachment: obfs2-version.nse
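
The check described in this message, sketched in Go as an added example (it is not the attached NSE script, nor code from Nmap or obfsproxy). The constants follow the obfs2 spec linked above; using the first 16 bytes of the hash as the AES-128-CTR key and the last 16 as the IV is an assumption, and `SampleHandshake` is a hypothetical helper that builds a constructed banner so the check can run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	seedLen = 16         // SEED_LENGTH in the obfs2 spec
	magic   = 0x2BF5CA7E // MAGIC_VALUE in the obfs2 spec
	respPad = "Responder obfuscation padding"
)

// padStream derives the padding keystream from a seed: MAC(s, x) = SHA256(s | x | s).
// Assumption: hash bytes 0..15 are the AES-128 key, bytes 16..31 the CTR IV.
func padStream(seed []byte) cipher.Stream {
	d := sha256.Sum256([]byte(respPad + string(seed) + respPad))
	block, _ := aes.NewCipher(d[:16]) // a 16-byte key is always valid
	return cipher.NewCTR(block, d[16:])
}

// IsObfs2 reports whether the first 20 bytes a server sent unprompted look like
// an obfs2 responder handshake: 16-byte seed, then E(key, magic | padlen | pad).
func IsObfs2(banner []byte) bool {
	if len(banner) < seedLen+4 {
		return false // short read: cannot decide
	}
	var plain [4]byte
	padStream(banner[:seedLen]).XORKeyStream(plain[:], banner[seedLen:seedLen+4])
	return binary.BigEndian.Uint32(plain[:]) == magic
}

// SampleHandshake builds a constructed responder banner (seed must be 16 bytes).
func SampleHandshake(seed []byte, padLen uint32) []byte {
	body := make([]byte, 8+padLen)
	binary.BigEndian.PutUint32(body[0:], magic)
	binary.BigEndian.PutUint32(body[4:], padLen)
	padStream(seed).XORKeyStream(body, body)
	return append(append([]byte{}, seed...), body...)
}

func main() {
	hs := SampleHandshake(bytes.Repeat([]byte{0x42}, seedLen), 32)
	fmt.Println(IsObfs2(hs), IsObfs2([]byte("SSH-2.0-OpenSSH_6.7 constructed\r\n")))
}
```

Random data passes the four-byte magic comparison with probability 2^-32, so a match on a port that sends 20 or more bytes without being asked is strong evidence of obfs2.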