Nmap Development mailing list archives

Re: quake3 opportunistic portrule
From: David Fifield <david () bamsoftware com>
Date: Sat, 1 Jan 2011 17:35:13 -0800

On Sat, Jan 01, 2011 at 01:41:43PM +0200, Toni Ruottu wrote:
> One more time. This takes into account servers advertised at
> dpmaster.deathmask.net. I commented that out while debugging the new
> code, and only remembered it afterwards. The previous results used
> only master.quake3arena.com, while the first flawed scan included
> servers from both meta servers.
>
> 14445: 275
> 14701: 49
> 14957: 33
> 15213: 16
> 15725: 14
> 17005: 13
> 15469: 12
> 19565: 8
> 17517: 8

I read your later message that the ports are byte-swapped. Unswapping
them results in

27960: 275
27961: 49
27962: 33
27963: 16
27965: 14
27970: 13
27964: 12
27980: 8
27972: 8
27966: 8
27015: 7
27971: 7
27969: 6
27967: 6
26000: 4
28000: 4
27973: 4
27968: 4
27100: 3
27300: 3
...

It looks like the portrule should contain ports 27960-27965 at least. I
would probably expand that to 27960-27970. The Quake3_getstatus probe in
nmap-service-probes currently uses 27960-27964, as does the UDP payload
in nmap-payloads.

But the portrule doesn't have to be expansive in port numbers. People
should run your script in conjunction with version detection. We have
lots of match lines for quake3 servers. Just have the portrule return
true if it's one of a few known ports or the service is "quake3".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
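
The portrule logic described in the message above, as an added example that is not code from the thread or from Nmap. It runs under a plain Lua interpreter, takes the same `(host, port)` arguments as an NSE portrule, and checks the quoted byte-swapped tallies against the 27960-27970 range; the helper name `unswap16` and the UDP-only restriction are assumptions.

```lua
-- Added illustration, not code from the thread or from Nmap.
-- Runs under a plain Lua interpreter; no Nmap libraries are needed.

-- Undo a 16-bit byte swap, e.g. 14445 (0x386D) -> 27960 (0x6D38).
local function unswap16(n)
  return (n % 256) * 256 + math.floor(n / 256)
end

-- Tallies from the quoted message, keyed by the byte-swapped port.
local swapped = {
  [14445] = 275, [14701] = 49, [14957] = 33, [15213] = 16, [15725] = 14,
  [17005] = 13, [15469] = 12, [19565] = 8, [17517] = 8,
}

-- Range suggested in the reply; applying it to UDP only is an assumption.
local FIRST_PORT, LAST_PORT = 27960, 27970

-- Same signature as an NSE portrule: true for a known port, or for any
-- port that version detection has already labelled "quake3".
local function portrule(host, port)
  if port.protocol ~= "udp" then return false end
  if port.service == "quake3" then return true end
  return port.number >= FIRST_PORT and port.number <= LAST_PORT
end

-- How many of the quoted servers match on port number alone?
local by_port, total = 0, 0
for swapped_port, count in pairs(swapped) do
  local p = { number = unswap16(swapped_port), protocol = "udp" }
  total = total + count
  if portrule(nil, p) then by_port = by_port + count end
end
print(("matched by port alone: %d of %d"):format(by_port, total))

-- Constructed case: a server on 27980 is missed by port number, but is
-- matched once version detection has set the service name.
print(portrule(nil, { number = 27980, protocol = "udp" }))
print(portrule(nil, { number = 27980, protocol = "udp", service = "quake3" }))
```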

