Nmap Development mailing list archives
Re: TeamSpeak 2 and 3 service detection
From: David Fifield <david () bamsoftware com>
Date: Sat, 22 Dec 2012 17:14:46 -0800
On Wed, Dec 19, 2012 at 07:59:51PM +0100, Marin Maržić wrote:
been working on improving TeamSpeak 2 and 3 server service detection and here's what I came up with.

TeamSpeak 2 (2 TCP and 1 UDP port):

TCP port service detection (the "TCPQuery" interface):
- replaced match line (for the NULL probe):
match telnet m|^\[TS\]\r\n$| p/Teamspeak VoIP Information telnetd/
- with:
softmatch ts2-TCPQuery m|^\[TS\]\r\n$|
- and added probe:
Probe TCP verLine q|ver\r\n|
rarity 9
ports 51234
match ts2-TCPQuery m|^\[TS\]\r\n(\S+) (\S+) (\S+)\r\nOK\r\n$| p/TeamSpeak 2 server TCPQuery interface (telnetd)/ v/$1/ i/$3/ o/$2/
- This improves the detection of the specific TS2 telnetd (they call it the TCPQuery function) with additional information (more precise name, specific version, some extra info and OS). Rarity 9 works great because of the softmatch in the NULL probe, so it doesn't slow down searches.
I applied the part to make a more specific match for the TCPQuery port. Can you send some examples of verbatim responses sent in response to the "ver" command? I want to see what kind of things are going in the info field, and how the OS names are formatted. If there are multiple OS strings, we usually like to break them into multiple match lines in order to have different CPE.
TCP port service detection (the "ServerQuery" interface):
- replaced match lines (for the NULL probe):
match teamspeak m|^TS3\n\r$| p/TeamSpeak voice communication/ v/3/
match teamspeak m|^TS3\n\rWelcome to the TeamSpeak 3 ServerQuery interface, type \"help\" for a list of commands and \"help <command>\" for information on a specific command\.\n\r$| p/TeamSpeak voice communication/ v/3/
- with:
softmatch ts3-ServerQuery m|^TS3\n\r$|
softmatch ts3-ServerQuery m|^TS3\n\rWelcome to the TeamSpeak 3 ServerQuery interface, type \"help\" for a list of commands and \"help <command>\" for information on a specific command\.\n\r$|
- and added probe:
Probe TCP versionLine q|version\r\n|
rarity 9
ports 10011
match ts3-ServerQuery m|^TS3\n\r.*?version=(\S+) build=(\S+) platform=(\S+)\n\rerror id=0 msg=ok\n\r$|s p/TeamSpeak 3 server ServerQuery interface (telnetd)/ v/$1/ i/build: $2/ o/$3/
Same here, I applied the more specific matches, but please show some example output of the "version" command.
TCP port service detection (the http web admin interface):
- This one seemed to exist already in nmap-service-probes in the form of 2 match lines (for the NULL probe):
match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection: keep-alive\r\nContent-Type: text/HTML\r\nContent-Length: \d+\r\nServer: Indy/([\d.]+)\r\nSet-Cookie: .*\r\n\r\n<!-- header\.html -->.*TeamSpeak|s p/TeamSpeak admin httpd/ v/1.X/ i/Indy httpd $1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection: keep-alive\r\nContent-Type: text/HTML\r\nContent-Length: \d+\r\nServer: Indy/([\d.]+)\r\nSet-Cookie: .*<title>TeamSpeak 2 - Server-Administration</title>|s p/TeamSpeak admin httpd/ v/2.X/ i/Indy httpd $1/
- Unfortunately they never match because they are overridden by this line:
match http m|^HTTP/1\.1 200 OK\r\n.*Server: Indy/([\w._-]+)\r\n|s p/Indy/ v/$1/
- not sure how this kind of stuff is usually fixed
This doesn't seem to be the case anymore in the current version of the file. The Indy/TeamSpeak lines appear (in the GetRequest probe) above any more generic Indy lines. Is it possible that the server output is slightly different and now doesn't match the regular expressions?
- payload (nmap-payloads):
# TeamSpeak 2
udp 8767
"\xf4\xbe\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x32\x78\xba\x85\x09\x54\x65\x61\x6d\x53\x70\x65\x61\x6b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x57\x69\x6e\x64\x6f\x77\x73\x20\x58\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x20\x00\x3c\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x6e\x69\x63\x6b\x6e\x61\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

UDP port service detection (the voice/login/session port):
Probe UDP TeamSpeak3 q|\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6|
rarity 9
ports 9987
match ts3 m|^.{8}\x00\x00\x02\x97\x76\x8b\x54\xad\x79\xe3\xaf\x87\xeb\xaa\x1a\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x33\x08\x86\x2d\x40|s p/TeamSpeak 3 server/
- not sure about the rarity here, won't get picked up on a default scan with 9
- payload (nmap-payloads):
# TeamSpeak 3
udp 9987
"\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6"
For all these, we need some more information. We don't like having undocumented binary blobs in the database. Do you have a link to protocol documentation? What do these probes do? Where do they come from? Check the comments above each payload in nmap-payloads; that's the kind of information we need.
UDP port service detection (the voice/login/session port): - Attached an NSE script for this one. More info in the .nse.
It looks like what this script does can be done with a version probe. It just sends a static payload and then does a pattern match on the returned value. A blank name, for example, would be handled with two match lines. My above comments on documentation apply equally here; please show some example output if possible.

David Fifield

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
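Added example (editor's code, not Nmap's and not from either poster): a small Python checker that parses the softmatch/match lines quoted in the thread for the TS2 TCPQuery and TS3 ServerQuery ports and runs them against responses, carrying the softmatch from the NULL probe into the follow-up "ver"/"version" probe the way Nmap restricts later matching to the softmatched service. Python's re stands in for Nmap's PCRE; the escapes and the s/i flags used in these lines behave the same in both. The TS2 and TS3 responses below are constructed to fit the match lines, not captured from a real server, so the version, build and OS/platform tokens are assumptions (the field formats are exactly what David asks Marin to show).

```python
import re

# nmap-service-probes regex option letters -> Python re flags
_FLAGS = {"s": re.DOTALL, "i": re.IGNORECASE}

# Match lines quoted in the thread. The softmatch lines answer the NULL
# probe; the hard match lines answer the follow-up "ver"/"version" probes.
NULL_PROBE_LINES = [
    r"softmatch ts2-TCPQuery m|^\[TS\]\r\n$|",
    r"softmatch ts3-ServerQuery m|^TS3\n\r$|",
    r"softmatch ts3-ServerQuery m|^TS3\n\rWelcome to the TeamSpeak 3 ServerQuery "
    r"interface, type \"help\" for a list of commands and \"help <command>\" "
    r"for information on a specific command\.\n\r$|",
]
VERLINE_LINES = [
    r"match ts2-TCPQuery m|^\[TS\]\r\n(\S+) (\S+) (\S+)\r\nOK\r\n$| "
    r"p/TeamSpeak 2 server TCPQuery interface (telnetd)/ v/$1/ i/$3/ o/$2/",
]
VERSIONLINE_LINES = [
    r"match ts3-ServerQuery m|^TS3\n\r.*?version=(\S+) build=(\S+) platform=(\S+)"
    r"\n\rerror id=0 msg=ok\n\r$|s "
    r"p/TeamSpeak 3 server ServerQuery interface (telnetd)/ v/$1/ i/build: $2/ o/$3/",
]

# Constructed sample responses (NOT captures from a real server), shaped to
# the match lines above; the token values are placeholders.
TS2_NULL = "[TS]\r\n"
TS2_VER = "[TS]\r\n2.0.23.19 Linux 1\r\nOK\r\n"
TS3_NULL = ('TS3\n\rWelcome to the TeamSpeak 3 ServerQuery interface, type "help" '
            'for a list of commands and "help <command>" for information on a '
            "specific command.\n\r")
TS3_VERSION = TS3_NULL + "version=3.0.6.1 build=1340956745 platform=Linux\n\rerror id=0 msg=ok\n\r"


def parse_match_line(line):
    """Parse 'match <svc> m<d>regex<d>[flags] p/../ v/../ i/../ o/../'."""
    kind, service, rest = line.split(None, 2)
    if kind not in ("match", "softmatch") or not rest.startswith("m"):
        raise ValueError("not a match line: %r" % line)
    delim = rest[1]
    end = rest.index(delim, 2)
    pattern, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in _FLAGS:      # option letters follow the closing delimiter
        flags |= _FLAGS[rest[0]]
        rest = rest[1:]
    # version-info fields: a letter, any non-space delimiter, text, same delimiter
    templates = {m.group(1): m.group(3)
                 for m in re.finditer(r"\s([pvihod])(\S)(.*?)\2", rest)}
    return {"kind": kind, "service": service,
            "regex": re.compile(pattern, flags), "templates": templates}


def expand(template, m):
    """Substitute $1..$9 with capture groups, as Nmap does in v/ i/ o/ fields."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)


def apply_matches(parsed_lines, response, soft_service=None):
    """First line that fires for one probe's response, or None.
    After a softmatch, Nmap only considers lines for that service."""
    if isinstance(response, bytes):
        response = response.decode("latin-1")  # one byte -> one char, so \xNN patterns line up
    for ml in parsed_lines:
        if soft_service and ml["service"] != soft_service:
            continue
        m = ml["regex"].search(response)
        if not m:
            continue
        if ml["kind"] == "softmatch":
            return {"kind": "softmatch", "service": ml["service"]}
        result = {"kind": "match", "service": ml["service"]}
        result.update((k, expand(t, m)) for k, t in ml["templates"].items())
        return result
    return None


def detect(exchanges):
    """exchanges: [(match_lines, response), ...] in probe order, NULL probe
    first. Carries a softmatch into later probes and returns the first hard
    match; if only a softmatch ever fires, that is what comes back."""
    soft = None
    for lines, response in exchanges:
        r = apply_matches([parse_match_line(l) for l in lines], response, soft)
        if r is None:
            continue
        if r["kind"] == "softmatch":
            soft = r["service"]
            continue
        return r
    return {"kind": "softmatch", "service": soft} if soft else None


def detect_ts2():
    return detect([(NULL_PROBE_LINES, TS2_NULL), (VERLINE_LINES, TS2_VER)])


def detect_ts3():
    return detect([(NULL_PROBE_LINES, TS3_NULL), (VERSIONLINE_LINES, TS3_VERSION)])
```

To do the check David is asking for, paste verbatim "ver"/"version" output into TS2_VER and TS3_VERSION and see whether the hard match still fires and what lands in the v/ i/ o/ fields; if the OS token comes out in several spellings, that is the cue to split the line into one match per OS, as he suggests for CPE. Nmap's template helpers such as $P() and $SUBST() are not handled here, only plain $N substitution.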
Current thread:
- TeamSpeak 2 and 3 service detection Marin Maržić (Dec 19)
- Re: TeamSpeak 2 and 3 service detection David Fifield (Dec 22)