Nmap Development mailing list archives
Re: quake3 opportunistic portrule
From: David Fifield <david () bamsoftware com>
Date: Thu, 6 Jan 2011 11:13:38 -0800
On Thu, Jan 06, 2011 at 08:00:32PM +0200, Toni Ruottu wrote:
The version probe for the master server was missing. I have attached a patch that adds the probe and a match line. After applying the patch you should be able to identify some master servers by running nmap as follows:

nmap -p 27950,30710 ghdigital.com dpmaster.deathmask.net dpmaster.tchr.no dpmaster.deathmask.net master.tremulous.net master.urbanterror.net -sU -sV -Pn
+# Quake3-master getservers +Probe UDP Quake3-master_getservers q|\xff\xff\xff\xffgetservers 68 empty full| +rarity 9 +ports 27950,30710 + +match quake3-master m|^\xff\xff\xff\xffgetserversResponse.*| p/Quake3 master server/
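Review bot: the match line `m|^\xff\xff\xff\xffgetserversResponse.*|` ends in a `.*` that constrains nothing, so the pattern only tests the fixed prefix and every responder gets the same `p/Quake3 master server/` label with no captured detail. Drop the trailing `.*`, and add a comment above the `Probe` line saying what the `68` in `getservers 68 empty full` is, since nothing in the patch explains that value.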
What does the "68" stand for in the probe? Do you have a reference for protocol documentation?

It's better if the match line is less generic so that different servers can be distinguished. (If Tremulous differs from Nexuiz for example.) This isn't always possible but you can see in the Quake3_getstatus matches that we can distinguish a lot of different games and in some cases get the operating system.

I tried the probe and got lots of different responses:

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,1D,"\xff\xff\xff\xffgetserversResponse\\EOT\0
SF:\0\0");

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\
SF:x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\O\\s\x7fm:\\EOT\0
SF:\0\0");

SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\
SF:x7fm:\\O\\s\x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\EOT\0
SF:\0\0");

SF-Port30710-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r
SF:(Quake3-master_getservers,17,"\xff\xff\xff\xffgetserversResponse\\");

I'm guessing that the responses contain the addresses of servers encoded somehow. That may not be enough to distinguish servers. Perhaps there is a command other than "getservers" that gives more information?

David Fifield
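The guess in the message above, that the responses carry encoded server addresses, can be checked with a short decoder. This is an added example, not code from the thread or from Nmap; it assumes the record layout used by Quake 3-style masters such as dpmaster (a backslash, 4 IPv4 address bytes, 2 port bytes in network order, and a closing `\EOT\0\0\0`), and the sample datagram is constructed from documentation addresses.

```python
import socket
import struct

PREFIX = b"\xff\xff\xff\xffgetserversResponse"
EOT = b"\\EOT\x00\x00\x00"  # assumed end-of-list marker


def parse_getservers_response(payload):
    """Return (servers, complete) for one getserversResponse datagram.

    servers is a list of (ip, port) tuples; complete is True only when
    the EOT terminator was reached.
    """
    if not payload.startswith(PREFIX):
        raise ValueError("not a getserversResponse packet")
    servers, pos, complete = [], len(PREFIX), False
    while pos < len(payload):
        if payload.startswith(EOT, pos):
            complete = True
            break
        # Records are fixed width. Splitting on "\" would be wrong because
        # an address or port byte can itself be 0x5c (a backslash).
        record = payload[pos:pos + 7]
        if len(record) < 7 or record[0:1] != b"\\":
            break  # truncated or malformed tail: keep what parsed so far
        ip = socket.inet_ntoa(record[1:5])
        (port,) = struct.unpack("!H", record[5:7])
        servers.append((ip, port))
        pos += 7
    return servers, complete


def make_record(ip, port):
    """Build one constructed record for the sample below."""
    return b"\\" + socket.inet_aton(ip) + struct.pack("!H", port)


# Constructed sample (RFC 5737 addresses); 192.0.2.92 ends in byte 0x5c.
SAMPLE = (PREFIX + make_record("192.0.2.92", 27960)
          + make_record("198.51.100.7", 27961) + EOT)

if __name__ == "__main__":
    print(parse_getservers_response(SAMPLE))
    # A reply that stops right after the first backslash, like the
    # port 30710 fingerprint in the message, yields no servers.
    print(parse_getservers_response(PREFIX + b"\\"))
```

Under this layout the list reflects which game servers have registered with the master, so it changes between queries and is a poor basis for a stable match line.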