Re: Squeezecenter probe

[Patrik Karlsson <patrik () labb1 com>]

On 12 jan 2010, at 21.24, David Fifield wrote:

> On Mon, Jan 04, 2010 at 10:41:07AM +0100, Patrik Karlsson wrote:
> > I have added a probe and an appropriate match line that detects the
> > Logitec Squeezecenter. I'm submitting a patch with the changes and the
> > signature so that it can be further optimized if needed.
> >
> > SF-Port3483-UDP:V=5.10BETA2%I=7%D=1/4%Time=4B41B653%P=i386-apple-darwin10.2.0%r(SqueezeCenter,47,"ENAME\x05bubbaJSON\x049000VERS\x057\.4\.1UUID\$f85f
> > SF:7fef-887b-41ff-acb1-c334d8ea59a7")%r(RPCCheck,12,"h\0\0\0\0\0\0\0\0\0\0
> > SF:\0\0\0\0\0\0\0");
>
> > ##############################NEXT PROBE##############################
> > # SqueezeCenter discovery
> > Probe UDP SqueezeCenter q|eIPAD\0NAME\0JSON\0VERS\0UUID\0JVID\x06\x12\x34\x56\x78\x12\x34|
> > rarity 5
> > ports 3483
> >
> > match squeezecenter m|^ENAME.{1}(.+)JSON.{1}(\d+)VERS.{1}(.+)UUID.{1}(.+)$| p/SqueezeCenter/ i/Server Name: $1, 
> > JSON: $2, UUID: $4/ v/$3/
>
> Thanks, Patrik. Next time please include some information on the service
> and some links to save people some searching.

Sorry about that.

> I found there's a really nice wiki for this service and the products
> that use it, which are music players. It's at
> http://wiki.slimdevices.com/index.php/Main_Page. The server is free
> software written in Perl.
>
> However, now I'm confused because the protocol documentation on the wiki
> doesn't match the probe.

That makes two of us. The probe is based on a packet I captured on my home network. The packet is repeatedly sent to 
the broadcast address from the logitech squeezebox duet remote control. So I'm guessing it some way for the remote 
control to discover the server. 

Google found me a Nessus script that more or less confirms this:
http://www.nessus.org/plugins/index.php?view=single&id=42932


> http://wiki.slimdevices.com/index.php/SlimProtoTCPProtocol
>
> That page talks about listening on port 3483, but it doesn't seem to
> match up with the probe. It also says there is a listener on 3483/tcp,
> does your server have that? I would like you to see if you can figure
> out the discrepancy between the protocols (maybe I just misunderstand
> something). Maybe we can get even more information by tweaking the
> probe.

Probing the TCP port may reveal more information, but that would probably be a different probe as described by the 
protocol in your link.

> Let's increase the rarity to 8 so this doesn't run by default for all
> unindentified UDP ports.

That sounds suitable. I should have read up on how the rarity directive works before. Better late than never I suppose.

> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


// Patrik

--
Patrik Karlsson
http://www.cqure.net




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/