Nmap Development mailing list archives

Re: Better TeamViewer Detection


From: Michael Toecker <toecker () context-is com>
Date: Tue, 7 Jun 2016 13:27:01 -0400

Correction for Clarity:  The probes entry is correct on TCP 5938, while my
description of 5398 is dead wrong.

"We hacked together a better version that uses the TV Ping Command to get a
positive response from a TV server listening on TCP 5938."

Mike

On Tue, Jun 7, 2016 at 1:18 PM, Michael Toecker <toecker () context-is com>
wrote:

Hello all,

Please take a look at the proposed modification to the NMAP service-probes
file.

Steve Hilt (@sjhilt) and I (@mtoecker) were going over the TeamViewer
breach, and we noticed that the detections for teamviewer in the probes
file weren't returning results against known good servers.  We hacked
together a better version that uses the TV Ping Command to get a positive
response from a TV server listening on TCP 5398.

##############################NEXT PROBE##############################
Probe TCP TeamViewer q|\x17\x24\x10\x04\x00\x00\x00\x00\x00|
ports 5938
match teamviewer m|^\x17\x24\x11| p/TeamViewer - by V1 CMD_PINGOK Response -/
match teamviewer m|^\x17\x24[\x12-\x71]| p/TeamViewer - Unknown Response/

This sends a TV CMD_PING to the server, whereupon the server should send
back a TV CMD_PINGOK.  The match is the magic byte header (0x1724), and the
Ping response command (0x11).  Also, added another match for an Unknown
Response if the server decides to respond with another valid TV command in
the range of 0x12 through 0x71, which are valid, though this case is not
likely.

Please remember that TeamViewer generally works on OUTGOING connections,
so YMMV on TeamViewer clients.

Thanks to Braden Thomas, wherever he is, for his great discussion of the
authentication protocol and his basic Wireshark dissector explained here:
https://www.optiv.com/blog/teamviewer-authentication-protocol-part-1-of-3

--
*Michael Toecker, PE**  |  Consulting Engineer

Twitter: @mtoecker

*Missouri
-- 
*Michael Toecker, PE**  |  Consulting Engineer

Email: Toecker () context-is com
Twitter: @mtoecker

*Missouri
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
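The exchange the proposed probe relies on (CMD_PING out, CMD_PINGOK back) and the two match lines, reproduced as a small stand-alone Python checker. This is an added example for the archived page, not code from the thread or from Nmap: the probe bytes and the classification rules are copied from the posted service-probes entry, the sample responses are constructed here rather than captured from a real TeamViewer server, and the `probe_host` helper and its names are assumptions for illustration. The meaning of the bytes after the command byte is not described in the post, so they are sent verbatim and not interpreted.

```python
import socket

# Probe exactly as in the proposed service-probes entry:
#   Probe TCP TeamViewer q|\x17\x24\x10\x04\x00\x00\x00\x00\x00|
# Bytes 0-1 are the 0x1724 magic header, byte 2 is CMD_PING (0x10).
# The trailing bytes are copied as posted; the post does not explain them.
TV_MAGIC = b"\x17\x24"
CMD_PING = 0x10
CMD_PINGOK = 0x11
PING_PROBE = TV_MAGIC + bytes([CMD_PING]) + b"\x04\x00\x00\x00\x00\x00"
TV_PORT = 5938  # the port the probe entry targets (not 5398)


def build_ping_probe() -> bytes:
    """Return the CMD_PING probe bytes sent to the suspected TeamViewer port."""
    return PING_PROBE


def classify_response(data: bytes):
    """Apply the two match lines from the proposed probe entry.

    m|^\\x17\\x24\\x11|          -> CMD_PINGOK, the expected answer
    m|^\\x17\\x24[\\x12-\\x71]|  -> some other valid TV command
    Anything else (wrong header, too short, command outside those ranges,
    including an echoed CMD_PING 0x10) matches neither line and yields None.
    """
    if len(data) < 3 or data[:2] != TV_MAGIC:
        return None
    cmd = data[2]
    if cmd == CMD_PINGOK:
        return "TeamViewer - V1 CMD_PINGOK Response"
    if 0x12 <= cmd <= 0x71:
        return "TeamViewer - Unknown Response (cmd 0x%02x)" % cmd
    return None


def probe_host(host: str, port: int = TV_PORT, timeout: float = 3.0):
    """Hypothetical helper: send CMD_PING over TCP and classify the reply.

    Does real network I/O; a closed socket or silence returns None, which is
    what you will usually see against a TeamViewer *client*, since clients
    make outgoing connections rather than listening.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(build_ping_probe())
        try:
            data = s.recv(64)
        except socket.timeout:
            data = b""
    return classify_response(data)


# Constructed sample responses (not captured from a real server).
SAMPLE_PINGOK = b"\x17\x24\x11\x00\x00"          # header + CMD_PINGOK
SAMPLE_OTHER_CMD = b"\x17\x24\x30\x00"           # header + a command in 0x12-0x71
SAMPLE_ECHOED_PING = b"\x17\x24\x10\x04\x00"     # header + CMD_PING: matches neither line
SAMPLE_NOT_TV = b"HTTP/1.1 400 Bad Request\r\n"  # some other service on the port

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(probe_host(sys.argv[1]))
    else:
        for sample in (SAMPLE_PINGOK, SAMPLE_OTHER_CMD, SAMPLE_ECHOED_PING, SAMPLE_NOT_TV):
            print(sample, "->", classify_response(sample))
```

Run it with no arguments to see the classifier applied to the constructed samples, or with a host name to send the real probe to TCP 5938. Note that a reply whose command byte is 0x10 or falls outside 0x11-0x71 is deliberately left unmatched, exactly as the posted match lines leave it, so the script reports None rather than guessing.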
