Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file

[Daniel Miller <bonsaiviking () gmail com>]

On Thu, Apr 23, 2015 at 3:10 AM, Kristian Erik Hermansen <
kristian.hermansen () gmail com> wrote:

> After modifying nmap-service-probes, nmap DOES NOT produce a proper
> fingerprint. However, a trace does show that data is coming back for
> certain probes:
>
> """
> Service scan sending probe TLS-PSK to 1.2.3.4:27036 (tcp)
> ...
> NSOCK INFO [6.7320s] nsock_trace_handler_callback(): Callback: READ
> SUCCESS for EID 34 [1.2.3.4:27036] (104 bytes)
> ...
> Service scan sending probe SSLSessionReq to 1.2.3.4:27036 (tcp)
> ...
> NSOCK INFO [17.0990s] nsock_trace_handler_callback(): Callback: READ
> SUCCESS for EID 258 [1.2.3.4:27036] (7 bytes): ......(
> Service scan match (Probe SSLSessionReq matched with SSLSessionReq
> line 11420): 1.2.3.4:27036 is ssl.  Version: |TLSv1|||
> ...
> NSOCK INFO [17.1490s] handle_connect_result(): EID 265 reconnecting
> with SSL_OP_NO_SSLv2
> NSOCK INFO [17.1990s] handle_connect_result(): EID 265
> error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure
> NSOCK INFO [17.1990s] nsock_trace_handler_callback(): Callback:
> SSL-CONNECT ERROR [Input/output error (5)] for EID 265 [1.2.3.4:27036]
> Got nsock CONNECT response with status ERROR - aborting this service
> ...
> """

Ah yes, this is because there is no match line, so probing continues. Since
the SSLSessionReq probe matches, we know that a service fingerprint will
not be displayed. I think you could get around this by adding
--version-intensity 0, which would send only the Null probe and any probes
that have 27036 in the "ports" line.


> However, a manual probe via netcat elicits a dynamic, but good 104
> byte response (per above) that accurately identifies the steam
> service.
>
> """
> $ echo -n
> '\x16\x03\0\0\x75\x01\0\0\x71\x03\x03\x55\x38\x2a\x62\x45\x54\x58\x53\x4a\x44\x53\x5a\x4e\x48\x4d\x44\x46\x41\x4f\x4e\x44\x4b\x4a\x58\x58\x5a\x59\x5a\x48\x57\x48\x52\0\0\x30\0\x8a\0\x8b\0\x8c\0\x8d\0\x8e\0\x8f\0\x90\0\x91\0\x92\0\x93\0\x94\0\x95\0\xa8\0\xa9\0\xaa\0\xab\0\xac\0\xad\0\xae\0\xaf\0\xb2\0\xb3\0\xb6\0\xb7\x01\0\0\x18\0\x0d\0\x14\0\x12\0\x01\0\x02\0\x03\x01\x01\x01\x02\x01\x03\x02\x01\x02\x02\x02\x03'
> | sed -e 's/\\0/00/g' -e 's/\\x//g' | xxd -r -p | nc -n 1.2.3.4 27036
> | xxd -seek 0x5a -l 5
> 000005a: 7374 6561 6d                             steam
> """

This is what I expected: the PSK identity hint contains some information to
identify the service you're connecting to. This is how the client would
retrieve the appropriate pre-shared key for the service, if it were
configured to connect to multiple services with different keys.
Unfortunately, you haven't given enough of the packet to make a
fingerprint. You can either use the --version-intensity 0 option like I
suggested above, or you can just give the full packet dump from this
command without the -seek 0x5a -l 5 options.

Dan

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/