
Nmap Development mailing list archives

Re: quake3 opportunistic portrule
From: David Fifield <david () bamsoftware com>
Date: Thu, 6 Jan 2011 11:13:38 -0800

On Thu, Jan 06, 2011 at 08:00:32PM +0200, Toni Ruottu wrote:
> The version probe for the master server was missing. I have attached a
> patch that adds the probe and a match line. After applying the patch
> you should be able to identify some master servers by running nmap as
> follows:
>
> nmap -p 27950,30710 ghdigital.com dpmaster.deathmask.net
> dpmaster.tchr.no dpmaster.deathmask.net master.tremulous.net
> master.urbanterror.net -sU -sV -Pn

+# Quake3-master getservers
+Probe UDP Quake3-master_getservers q|\xff\xff\xff\xffgetservers 68 empty full|
+rarity 9
+ports 27950,30710
+
+match quake3-master m|^\xff\xff\xff\xffgetserversResponse.*| p/Quake3 master server/
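
Review bot: The trailing `.*` in the match pattern is redundant, since the regex is not anchored at the end, and with no capture groups every responding master gets the same p/Quake3 master server/ label. Drop the `.*` and, where implementations answer differently, use separate match lines or captures. The probe comment should also say what the `68 empty full` arguments mean.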

What does the "68" stand for in the probe? Do you have a reference for
protocol documentation?

It's better if the match line is less generic so that different servers
can be distinguished. (If Tremulous differs from Nexuiz for example.)
This isn't always possible but you can see in the Quake3_getstatus
matches that we can distinguish a lot of different games and in some
cases get the operating system. I tried the probe and got lots of
different responses:

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,1D,"\xff\xff\xff\xffgetserversResponse\\EOT\0
SF:\0\0");

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\
SF:x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\O\\s\x7fm:\\EOT\0
SF:\0\0");

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\
SF:x7fm:\\O\\s\x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\EOT\0
SF:\0\0");

SF-Port30710-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,17,"\xff\xff\xff\xffgetserversResponse\\");

I'm guessing that the responses contain the addresses of servers encoded
somehow. That may not be enough to distinguish servers. Perhaps there is
a command other than "getservers" that gives more information?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
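
Added example (not from the thread or the Nmap project): a parser for getserversResponse payloads like the fingerprints above. It assumes the record layout used by Quake 3 style master servers, which is a backslash, four address bytes and a two-byte big-endian port per server, closed by `\EOT\0\0\0`; this agrees with the 0x1D, 0x40 and 0x17 lengths reported above. The sample payload is constructed from documentation addresses.

```python
import re
import socket
import struct

HEADER = b"\xff\xff\xff\xffgetserversResponse"
EOT = b"\\EOT\x00\x00\x00"          # assumed end-of-list marker
_SHORT = {"0": 0, "n": 10, "r": 13, "t": 9}

def unescape_sf(text):
    """Turn the escaped payload of an Nmap SF: fingerprint line back into bytes."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3:                       # \xHH
            return chr(int(tok[1:], 16))
        return chr(_SHORT.get(tok, ord(tok)))   # \0 \n \r \t, else the literal char
    out = re.sub(r"\\(x[0-9a-fA-F]{2}|.)", repl, text, flags=re.S)
    return out.encode("latin-1")

def parse_getservers_response(data):
    """Return (servers, terminated) for one getserversResponse datagram."""
    if not data.startswith(HEADER):
        raise ValueError("not a getserversResponse packet")
    pos, servers = len(HEADER), []
    while pos < len(data):
        if data[pos:pos + 1] != b"\\":
            raise ValueError("expected backslash at offset %d" % pos)
        if data.startswith(EOT, pos):
            return servers, True
        record = data[pos + 1:pos + 7]
        if len(record) < 6:          # bare trailing backslash or cut-off record
            break
        # Fixed-width read: an address or port byte may itself be 0x5c, so
        # splitting the payload on backslashes would misparse it.
        servers.append((socket.inet_ntoa(record[:4]),
                        struct.unpack("!H", record[4:])[0]))
        pos += 7
    return servers, False

# Constructed sample in SF: escaping, using documentation addresses.
SAMPLE = (r"\xff\xff\xff\xffgetserversResponse"
          r"\\\xc0\0\x02\\m8\\\xc63d\x07m9\\EOT\0\0\0")

if __name__ == "__main__":
    servers, terminated = parse_getservers_response(unescape_sf(SAMPLE))
    for ip, port in servers:
        print("%s:%d" % (ip, port))
    print("terminated:", terminated)
```

The `terminated` flag separates a complete list from a reply that stops at a bare backslash, as the port 30710 response above does.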