Re: [NSE] ventrilo-info Ventrilo server version detection and info
From: David Fifield <david () bamsoftware com>
Date: Mon, 5 Aug 2013 16:51:46 -0700
On Tue, Jul 16, 2013 at 10:01:56PM +0200, Marin Maržić wrote:
Offset   Type    Value    Comment
0-1      uint16  0xBEF4   Class: connection
2-3      uint16  0x0004   Type: login reply
4-7      uint32  0        Session key; zero on first reply
8-11     uint32           client id
12-15    uint32  2        Sequence number; 2 on first reply
16-19    uint32           some crc32 checksum
20       uint8            server name length
21-49    string           server name
50       uint8            platform length
51-79    string           platform
80-81    uint16           1. version E.g. the "2" in "184.108.40.206"
82-83    uint16           2. version E.g. the "0" in "220.127.116.11"
84-85    uint16           3. version E.g. the "23" in "18.104.22.168"
86-87    uint16           4. version E.g. the "19" in "22.214.171.124"
88-179   bytes            unknown
180      uint8            welcome message length
181-435  string           welcome message
Thanks for doing this research. I've modified the match lines a bit
using this new information.
I decided to make individual match lines for different versions. That
means that version detection will show the specific version e.g.
"126.96.36.199", but it also requires a separate match line for every
version. I have left in the match lines for 188.8.131.52. If you can find a
list of possible versions, we can add match lines for each of them.
- TeamSpeak 3 UDP probe and nmap-payloads
This is an encrypted login request packet copied off the wire. Think
there is no documentation on it. There seem to be some fields that echo
back what is sent, and some that are static when sent this exact
payload, so I match on them. Length varies. I guess the description
could be something like:
# TeamSpeak 3
# UDP login request (encrypted)
- TeamSpeak 3 TCP port service detection (the "ServerQuery" interface):
2 examples of what output looks like for the suggested "version" command:
version=184.108.40.206 build=1340956745 platform=Windows
error id=0 msg=ok
version=220.127.116.11 build=1368605352 platform=Linux
error id=0 msg=ok
It looks like you missed pasting in the payload here?
Didn't want to confuse stuff since it was in the previous mail but just
required some clarification. Here it is anyway:
Ah, thanks. I have added these. I was confused because the payloads were
from a different thread: http://seclists.org/nmap-dev/2012/q4/490.
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
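
As an added example (not code from this thread or from Nmap), the login-reply layout tabulated in the quoted message can be parsed like this in Python. The byte order is not stated in the thread, so little-endian is assumed; `parse_login_reply`, `build_sample` and the sample packet are names and data constructed for illustration.

```python
import struct

# Field offsets follow the layout table in the quoted message.
# ASSUMPTION: little-endian byte order (the thread does not state it).
HEADER = struct.Struct("<HHIIII")  # class, type, session key, client id, seq, crc32
MIN_LEN = 436                      # offsets 0..435 inclusive
CLASS_CONNECTION = 0xBEF4
TYPE_LOGIN_REPLY = 0x0004


def _lp_string(buf, len_off, width):
    # The length byte is server-controlled: clamp it to the field width
    # so an oversized value cannot read into the next field.
    n = min(buf[len_off], width)
    return buf[len_off + 1:len_off + 1 + n].decode("latin-1")


def parse_login_reply(buf):
    """Return a dict of fields, or None if buf is not a login reply."""
    if len(buf) < MIN_LEN:
        return None
    cls, typ, session, client_id, seq, crc = HEADER.unpack_from(buf, 0)
    if cls != CLASS_CONNECTION or typ != TYPE_LOGIN_REPLY:
        return None
    version = struct.unpack_from("<4H", buf, 80)  # offsets 80-87
    return {
        "session_key": session,
        "client_id": client_id,
        "sequence": seq,
        "crc32": crc,
        "server_name": _lp_string(buf, 20, 29),   # offsets 21-49
        "platform": _lp_string(buf, 50, 29),      # offsets 51-79
        "version": ".".join(str(v) for v in version),
        "welcome": _lp_string(buf, 180, 255),     # offsets 181-435
    }


def build_sample(name=b"Lab server", name_len=None):
    """Constructed test packet (not captured traffic)."""
    buf = bytearray(MIN_LEN)
    HEADER.pack_into(buf, 0, CLASS_CONNECTION, TYPE_LOGIN_REPLY, 0, 7, 2, 0)
    buf[20] = len(name) if name_len is None else name_len
    buf[21:21 + len(name)] = name
    buf[50], buf[51:56] = 5, b"Linux"
    struct.pack_into("<4H", buf, 80, 1, 2, 3, 4)
    buf[180], buf[181:186] = 5, b"hello"
    return bytes(buf)
```

Passing `name_len=255` to `build_sample` exercises the clamp: the parsed server name stops at offset 49 instead of running into the platform field.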