Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] ventrilo-info Ventrilo server version detection and info
From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Jul 2013 02:06:04 -0700

On Fri, Jun 07, 2013 at 11:59:38PM +0200, Marin Maržić wrote:
- murmur-version.nse
Now only sends and receives 1 packet when scanning the same port number
on the same host in both TCP and UDP (used to repeat for each protocol).

The "softmatch" probe:

Probe UDP Murmur q|\0\0\0\0abcdefgh|
rarity 9
ports 64738

match murmur m|^\0.{3}abcdefgh.{12}$|s p/Murmur/ v/1.2.X/

Thanks, applied.

- ventrilo-info.nse
Now only sends and receives 1 packet when scanning the same port number
on the same host in both TCP and UDP (used to repeat for each protocol).
Various code improvements, bug fixes.

The "softmatch" probe follows. This one is encrypted and the
match can't really be matched on anything except that it should be at
least 111 bytes (conservative guess, should catch all).

Probe UDP Ventrilo
q|\x01\xe7\xe5\x75\x31\xa3\x17\x0b\x21\xcf\xbf\x2b\x99\x4e\xdd\x19\xac\xde\x08\x5f\x8b\x24\x0a\x11\x19\xb6\x73\x6f\xad\x28\x13\xd2\x0a\xb9\x12\x75|
rarity 9
ports 3784

match ventrilo m|^.{111}|s p/Ventrilo/ v/2.1.2+/

The UDP payload follows. It is a general status request with a 1 packet
reply:

# Ventrilo 2.1.2+
# UDP general status request (encrypted).
# See http://aluigi.altervista.org/papers.htm#ventrilo
udp 3784
"\x01\xe7\xe5\x75\x31\xa3\x17\x0b\x21\xcf\xbf\x2b\x99\x4e\xdd\x19\xac\xde\x08\x5f\x8b\x24\x0a\x11\x19\xb6\x73\x6f\xad\x28\x13\xd2\x0a\xb9\x12\x75"

Also applied.

- teamspeak2-version.nse
You mentioned that this could have been done with a version probe and a
couple match lines (and you were right!), but I have since found where
the precise version numbers are hidden in the binary blob response.
There is some information on the protocol at
http://wiki.wireshark.org/TeamSpeak2 but they haven't found the version
offsets. A normal login request is used.

I added this script.

The "softmatch" probe:
Probe UDP TeamSpeak2
q|\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
rarity 9
ports 8767

match ts2
m|^\xf4\xbe\x04\x00\x00\x00\x00\x00.............([^\0]+)[^\w\s]+([^\0]+)\0+[^\0].{355}$|s p/TeamSpeak 2/ o/$2/ 
i/name: $1; no password/
match ts2 m|^\xf4\xbe\x04\x00\x00\x00\x00\x00............\0{60}.{356}$|s p/TeamSpeak 2/ i|name: n/a; has password or 
version < 2.0.19.16 (very unlikely)|

Could you share some examples of the raw output of the service? I might
write the match lines in a different way. The best way to format the
examples is to just run -sV with the probe in place, and copy the
service fingerprint blob.

- TeamSpeak 2 nmap-payloads
The payload sent is the one used in the above script. It is a normal
login request and is not encrypted. Some information fields sent are in
ASCII, but it's in hex here because it was convenient to copy it like
that off the wire. I guess the description could be something like:

# TeamSpeak 2
# UDP login request
# See http://wiki.wireshark.org/TeamSpeak2

Applied.

- TeamSpeak 2 TCP port service detection (the "TCPQuery" interface):
Here are 2 examples you asked for of what output looks like for the
suggested "ver" command:
2.0.23.19 Win32 Freeware
OK
2.0.24.1 Linux Freeware
OK

I added separate match lines for these two OSes, so that we can
canonicalize "Win32" and so that we can have separate CPE for them.

- TeamSpeak 3 UDP probe and nmap-payloads
This is an encrypted login request packet copied off the wire. Think
there is no documentation on it. There seem to be some fields that echo
back what is sent, and some that are static when sent this exact
payload, so I match on them. Length varies. I guess the description
could be something like:

# TeamSpeak 3
# UDP login request (encrypted)

- TeamSpeak 3 TCP port service detection (the "ServerQuery" interface):
2 examples of what output looks like for the suggested "version" command:

version=3.0.6.1 build=1340956745 platform=Windows
error id=0 msg=ok

version=3.0.7.2 build=1368605352 platform=Linux
error id=0 msg=ok

It looks like you missed pasting in the payload here?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]