Nmap Development mailing list archives
obfs2-version.nse (detection for obfs2 obfuscation transport)
From: David Fifield <david () bamsoftware com>
Date: Thu, 22 Jan 2015 14:03:10 -0800
Here is a script that detects servers of the obfs2 obfuscation transport. obfs2 is used as an additional encryption layer to disguise other transports. It's considered busted and deprecated these days, but here's a script anyway.

How the detection works is you read 16 bytes from the server, use them to derive a key, and then decrypt the next 4 bytes. If they match a magic value, then the protocol is obfs2.
https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs2/obfs2-protocol-spec.txt

Theoretically the server could require the client to first send some data (with the same magic requirement as above) before sending a response. But I don't think any implementations do that. Therefore the script simply reads from the socket and does not send anything.

If someone wants to try obfs3, it's a bit harder. Both client and server need to send data in order to derive a shared key, and then you have to read from the socket looking for a MAC of the secret to be sure.
https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt

David Fifield
Attachment: obfs2-version.nse
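The passive check described in the message above, as an added Go example; it is not the attached NSE script and not obfsproxy's own code. It goes one step past the message by also checking the padding length field that follows the magic value. The constants and the MAC label are taken from the linked obfs2 spec as understood here, the split of the digest into AES key and CTR IV is an assumption about how implementations derive the cipher, and the names `IsObfs2`, `padStream` and `SampleHello` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	seedLen = 16         // SEED_LENGTH in the linked spec
	magic   = 0x2BF5CA7E // MAGIC_VALUE in the linked spec
	maxPad  = 8192       // MAX_PADDING in the linked spec
	label   = "Responder obfuscation padding"
)

// padStream derives the responder padding cipher: SHA256(label | seed | label).
// Assumption: digest bytes 0-15 are the AES-128 key, bytes 16-31 the CTR IV.
func padStream(seed []byte) cipher.Stream {
	d := sha256.Sum256(bytes.Join([][]byte{[]byte(label), seed, []byte(label)}, nil))
	blk, _ := aes.NewCipher(d[:16]) // a 16-byte key is always accepted
	return cipher.NewCTR(blk, d[16:])
}

// IsObfs2 checks bytes a server sent unprompted: a 16-byte seed, then the
// encrypted magic and padding length. padLen is meaningful only when ok is true.
func IsObfs2(first []byte) (bool, uint32) {
	if len(first) < seedLen+8 {
		return false, 0
	}
	hdr := make([]byte, 8)
	padStream(first[:seedLen]).XORKeyStream(hdr, first[seedLen:seedLen+8])
	padLen := binary.BigEndian.Uint32(hdr[4:])
	return binary.BigEndian.Uint32(hdr[:4]) == magic && padLen <= maxPad, padLen
}

// SampleHello builds a constructed responder message for offline testing.
func SampleHello(seed []byte, padLen uint32) []byte {
	plain := make([]byte, 8+padLen) // padding left as zeros; real peers use random bytes
	binary.BigEndian.PutUint32(plain, magic)
	binary.BigEndian.PutUint32(plain[4:], padLen)
	padStream(seed).XORKeyStream(plain, plain)
	return append(append([]byte{}, seed...), plain...)
}

func main() {
	fmt.Println(IsObfs2(SampleHello([]byte("constructed-seed"), 100)))
}
```

A non-obfs2 banner passes the check only if its bytes 16 to 19 happen to decrypt to the magic value, so the false-positive rate per probe is about 1 in 2^32 before the padding-length bound is applied.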