Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file

[Daniel Miller <bonsaiviking () gmail com>]

On Wed, Apr 22, 2015 at 9:29 AM, Kristian Erik Hermansen <
kristian.hermansen () gmail com> wrote:

> On Tue, Apr 21, 2015 at 11:07 AM, Daniel Miller <bonsaiviking () gmail com>
> wrote:
> > Thanks for the contribution. It looks like this is a TLS 1.2 service,
>
> Correct! And it supports:
>
> PSK-AES128-CBC-SHA
>
> > Subversion repository [3] or the Github mirror [4], since we recently did
> > some work to improve TLS detection.
>
> The prior nmap release I tested, v6.46, reported 'ssl/unknown'. After
> recompiling the latest nmap source and upgrading to openssl 1.0.1f,
> still I see 'ssl/unknown' in the probes. Are you saying that nmap
> should be reporting something like 'tlsv1.2/unknown' instead?

Ah, no; this is unfortunately something that our current set of probes
cannot handle; the "PSK" part of the ciphersuite means "pre-shared key" and
refers to RFC 4279, which defines a non-certificate-based flavor of TLS.
However, I think we could probably come up with a probe that gets a good
response here; we just need to send a TLS 1.2 ClientHello with the
TLS_PSK_WITH_AES_128_CBC_SHA ciphersuite supported. Here's a sample probe
to test; add it to nmap-service-probes (with no match lines) and report if
it shows a service fingerprint:

Probe TCP TLS-PSK
q|\x16\x03\0\0\x75\x01\0\0\x71\x03\x03\x55\x38\x2a\x62\x45\x54\x58\x53\x4a\x44\x53\x5a\x4e\x48\x4d\x44\x46\x41\x4f\x4e\x44\x4b\x4a\x58\x58\x5a\x59\x5a\x48\x57\x48\x52\0\0\x30\0\x8a\0\x8b\0\x8c\0\x8d\0\x8e\0\x8f\0\x90\0\x91\0\x92\0\x93\0\x94\0\x95\0\xa8\0\xa9\0\xaa\0\xab\0\xac\0\xad\0\xae\0\xaf\0\xb2\0\xb3\0\xb6\0\xb7\x01\0\0\x18\0\x0d\0\x14\0\x12\0\x01\0\x02\0\x03\x01\x01\x01\x02\x01\x03\x02\x01\x02\x02\x02\x03|
rarity 9
ports 27036


> > In addition to your research on the TCP port, we would really be
> interested
> > in a payload [5] or probe for the equivalent UDP port.
>
> Sure thing. I submitted a fingerprint to the nmap database, but
> realize the client responses are dynamic and leak the client hostname
> or system info (potentially login names too). Here is a quick UDP
> version probe.
>
> nmap-service-probes:
> """
> Probe UDP valve-steam
>
> q|\xff\xff\xff\xff\x21\x4c\x5f\xa0\x16\x00\x00\x00\x08\x9a\xe6\xb1\x84\xd0\x81\x83\xc5\x51\x10\x00\x18\xd4\xf8\xa8\xaa\x99\x83\xe5\x80\x74\x02\x00\x00\x00\x08\x01|
> rarity 2
> ports 27036
> match valve-steam m|^\xff\xff\xff\xff\x21\x4c\x5f\xa0|
> """
>
> If you modify the prior NSE file for UDP, you can use it to extract
> useful information about remote clients. You can easily extract
> hostname using the probe above and seeking to offset 0x31 in the
> response and reading until immediate bytes ==
> \x30\x02\x38\x0a\x40\x01\x4a. Have fun! :)
Awesome! This is the kind of script we would be interested in:
unauthenticated information disclosure. Looking forward to working with you
to get this included in Nmap.

Dan

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/