Nmap Development mailing list archives

Re: quake-server-info.nse
From: Ulrik Haugen <qha () lysator liu se>
Date: Fri, 07 Mar 2014 00:45:48 +0100

Daniel Miller <bonsaiviking () gmail com> wrote:
> On 03/05/2014 02:50 PM, Ulrik Haugen wrote:
> I have played around a bit with the script, and it's very nice. Your
> use of error() and pcall() is different than anything I've seen in NSE
> before, but I can see how it works well. I do have a couple questions,
> though:
>
> I would like to add a nmap-service-probes fingerprint for quake1
> servers, like so:
>
> # Quake1 server info
> Probe UDP Quake1_server_info q|\x80\x00\x00\x0c\x02\x51\x55\x41\x4b\x45\x00\x03|
> rarity 9
> ports 26000-26019
> match quake m|^\x80\x00..\x83([^\x00]*)\x00([^\x00]*)\x00| p/Quake 1 server/ i/address: $1, name: $2/
>
> So my first question is, how confident are you in the upper bound of
> 26019 for Quake servers? Is this really used that often? Or should
> this be limited to 26000-26004 like the Quake 3 probe?

26000 through 26004 is probably fine, looking at
http://quakeone.com/servers/ and
http://www.quakeservers.net/quake/servers/ it seems the vast majority of
servers is on 26000 and then it drops off rather quickly...

I've changed the portrule too. On this subject though, is there a way to
run a script on another set of ports except changing its portrule?


> Second, when you set the version information with
> nmap.set_port_version, could you be a little more concise? The
> port.version.name field should be one word all lowercase, "quake". The
> port.version.product field should be something more like "Quake 1
> server". The port.version.version field could probably be reduced by
> not reporting the exact byte value ("0x03: ") and shortening the
> description to something like "released".
>
> Regarding the output, I don't have a problem with how you've done it,
> though I would have done it differently myself. My only suggestion
> would be to remove the unnecessary "Target is running a Quake game
> server" heading, but keep the initial 2-space indent. The fact that
> the script gave output is proof that it is a Quake server, in addition
> to the mention in the SERVICE and VERSION fields.

Sure, I've pruned these strings.

Updated version attached.


Best regards
/Ulrik Haugen

Attachment: quake-server-info.nse
Description: Updated script

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
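
An added example, not part of the original messages or the attached script: a Python check of the fingerprint quoted above, decoding the probe bytes and running the match pattern over replies. It goes one step beyond the thread by testing a reply whose length field contains a newline byte. Assumptions: Python's re stands in for Nmap's PCRE matching, the reply layout is inferred from the match pattern itself, and the sample replies are constructed.

```python
import re
import struct

# Probe payload and match pattern copied from the fingerprint in the message.
PROBE = b"\x80\x00\x00\x0c\x02\x51\x55\x41\x4b\x45\x00\x03"
MATCH = rb"^\x80\x00..\x83([^\x00]*)\x00([^\x00]*)\x00"


def probe_fields(payload=PROBE):
    """Split the probe into (flags, length, opcode, game, version)."""
    flags, length = struct.unpack(">HH", payload[:4])
    game, _, rest = payload[5:].partition(b"\x00")
    return flags, length, payload[4], game, rest[0]


def build_reply(address, name, tail=b""):
    """Constructed reply: same 4-byte header shape as the probe, opcode 0x83,
    then two NUL-terminated strings. `tail` stands in for any later fields."""
    body = b"\x83" + address + b"\x00" + name + b"\x00" + tail
    return struct.pack(">HH", 0x8000, 4 + len(body)) + body


def match_reply(data, dotall=False):
    """Apply the match pattern; return (address, name) or None."""
    m = re.match(MATCH, data, re.DOTALL if dotall else 0)
    return tuple(g.decode("latin-1") for g in m.groups()) if m else None


# Constructed sample replies (not captured traffic).
SHORT = build_reply(b"192.0.2.10:26000", b"Example DM", b"e1m1\x00")
# Name padded so the total length is 0x010a: the low length byte is "\n",
# which "." does not match unless dot-matches-newline is enabled.
pad = 0x010A - len(build_reply(b"192.0.2.10:26000", b""))
LONG = build_reply(b"192.0.2.10:26000", b"N" * pad)

if __name__ == "__main__":
    print(probe_fields())
    print(match_reply(SHORT))
    print(match_reply(LONG), match_reply(LONG, dotall=True))
```

In nmap-service-probes the equivalent of `dotall=True` is the `s` option placed after the pattern's closing delimiter.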
