Nmap Development mailing list archives
Re: quake3 opportunistic portrule
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Thu, 6 Jan 2011 21:47:53 +0200
The master server is not game specific. I am calling it quake3-master because I got the impression that Quake3 was the first game to use the protocol. The magic number 68 (in the probe) is the protocol version of the game we are requesting server addresses for. I am using 68 as that seems to be most common on the original quake3 master server. I tried out all protocol numbers up to 100 to measure this. There are also non-numeric versions, like "Nexuiz 3". These are harder to analyse. I am working on some discovery scripts that do further analysis on both the master servers and actual quake3 servers. I am not aware of any other master server commands, and the response to getservers only contains ports and IP addresses for game servers of the requested version. On Thu, Jan 6, 2011 at 9:13 PM, David Fifield <david () bamsoftware com> wrote:
On Thu, Jan 06, 2011 at 08:00:32PM +0200, Toni Ruottu wrote:The version probe for the master server was missing. I have attached a patch that adds the probe and a match line. After applying the patch you should be able to identify some master servers by running nmap as follows: nmap -p 27950,30710 ghdigital.com dpmaster.deathmask.net dpmaster.tchr.no dpmaster.deathmask.net master.tremulous.net master.urbanterror.net -sU -sV -Pn+# Quake3-master getservers +Probe UDP Quake3-master_getservers q|\xff\xff\xff\xffgetservers 68 empty full| +rarity 9 +ports 27950,30710 + +match quake3-master m|^\xff\xff\xff\xffgetserversResponse.*| p/Quake3 master server/What does the "68" stand for in the probe. Do you have a reference for protocol documentation? It's better if the match line is less generic so that different servers can be distinguished. (If Tremulous differs from Nexuiz for example.) This isn't always possible but you can see in the Quake3_getstatus matches that we can distinguish a lot of different games and in some cases get the operating system. I tried the probe and got lots of different responses: SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r SF:(Quake3-master_getservers,1D,"\xff\xff\xff\xffgetserversResponse\\EOT\0 SF:\0\0"); SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612D8%P=i686-pc-linux-gnu%r SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\ SF:x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\O\\s\x7fm:\\EOT\0 SF:\0\0"); SF-Port27950-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r SF:(Quake3-master_getservers,40,"\xff\xff\xff\xffgetserversResponse\\O\\s\ SF:x7fm:\\O\\s\x7fm;\\U\x0e\xdc\xf4m8\\O\\s\x7fm9\\\xd0a\x8d\x15m\.\\EOT\0 SF:\0\0"); SF-Port30710-UDP:V=5.36TEST1%I=2%D=1/6%Time=4D2612E9%P=i686-pc-linux-gnu%r SF:(Quake3-master_getservers,17,"\xff\xff\xff\xffgetserversResponse\\"); I'm guessing that the responses contain the addresses of servers encoded somehow. That may not be enough to distinguish servers. Perhaps there is a command other than "getservers" that gives more information? David Fifield
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 01)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 01)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 01)
- Re: quake3 opportunistic portrule David Fifield (Jan 01)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 02)
- Re: quake3 opportunistic portrule David Fifield (Jan 02)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 06)
- Re: quake3 opportunistic portrule David Fifield (Jan 06)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 06)
- Re: quake3 opportunistic portrule David Fifield (Jan 06)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 06)
- Re: quake3 opportunistic portrule David Fifield (Jan 07)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 10)
- Re: quake3 opportunistic portrule David Fifield (Jan 10)
- Re: quake3 opportunistic portrule Toni Ruottu (Jan 01)