Nmap Development mailing list archives

Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 21 Apr 2015 13:07:14 -0500

On Tue, Apr 21, 2015 at 8:14 AM, Kristian Erik Hermansen <
kristian.hermansen () gmail com> wrote:

> Hello nmap devs,
>
> I was recently fuzzing around with the Valve Steam In-Home Streaming
> gaming protocol and thought it may be useful to contribute back some
> helpful base probes / nse bits. See below.
>
>
> nmap-service-probes
> """
> Probe TCP valve-steam q|\x03\x03\x03\xff\x03|
> rarity 2
> ports 27036
> match valve-steam m|\x15\x03\x03\x00\x02\x02\x16|
> """


Kristian,

Thanks for the contribution. It looks like this is a TLS 1.2 service,
though. You send:

0x03 - Unassigned content-type
0x0303 - TLS 1.2
0xff03 - Record length greater than 2^14 forbidden by RFC 5246

And the server responds with:

0x15 - Alert
0x0303 - TLS 1.2
0x0002 - Record length 2
0x02 - Fatal
0x16 - (22) record_overflow

This is an expected behavior for at least GnuTLS, according to tls_prober
[1]. You should make sure that the version of OpenSSL that your Nmap is
using is capable of TLS 1.2 (i.e. OpenSSL 1.0.1 or newer), then perform a
new service detection following the directions in our online documentation
[2]. If possible, please use the latest development version from our
Subversion repository [3] or the Github mirror [4], since we recently did
some work to improve TLS detection.

In addition to your research on the TCP port, we would really be interested
in a payload [5] or probe for the equivalent UDP port.

Dan

[1] https://github.com/WestpointLtd/tls_prober
[2] https://nmap.org/book/vscan-community.html
[3] https://nmap.org/book/install.html#inst-svn
[4] https://github.com/nmap/nmap
[5] https://nmap.org/book/nmap-payloads.html
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
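
The byte-by-byte reading in the reply above can be reproduced with a small TLS record-header decoder. This is an added example, not part of the original message or of Nmap; the function names and the trimmed lookup tables are assumptions made for illustration, with the numeric values taken from RFC 5246.

```python
import struct

# Values from RFC 5246 (TLS 1.2); tables trimmed to what this example needs.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 22: "record_overflow",
                      40: "handshake_failure", 70: "protocol_version"}
MAX_PLAINTEXT = 2 ** 14  # upper bound on TLSPlaintext.length


def parse_record(data):
    """Decode one TLS record header, plus the alert body when one is present."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, "unrecognized"),
        "version": VERSIONS.get(version, "unknown"),
        "length": length,
        "oversized": length > MAX_PLAINTEXT,   # forbidden by RFC 5246
        "truncated": len(body) < length,       # fewer bytes than declared
        "alert": None,
    }
    if ctype == 21 and len(body) >= 2:
        rec["alert"] = (ALERT_LEVELS.get(body[0], "unknown"),
                        ALERT_DESCRIPTIONS.get(body[1], "unknown"))
    return rec


def looks_like_tls_alert(data):
    """True when a reply is a well-formed 2-byte TLS alert record."""
    try:
        rec = parse_record(data)
    except ValueError:
        return False
    return (rec["alert"] is not None and rec["version"] != "unknown"
            and rec["length"] == 2 and not rec["truncated"])


PROBE = b"\x03\x03\x03\xff\x03"             # probe string from the thread
RESPONSE = b"\x15\x03\x03\x00\x02\x02\x16"  # match string from the thread

if __name__ == "__main__":
    print(parse_record(PROBE))
    print(parse_record(RESPONSE))
```

A reply that passes `looks_like_tls_alert` is better treated as a generic TLS endpoint than as a signature for one specific application.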
