Nmap Development mailing list archives

Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file


From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Wed, 22 Apr 2015 07:29:24 -0700

On Tue, Apr 21, 2015 at 11:07 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> Thanks for the contribution. It looks like this is a TLS 1.2 service,

Correct! And it supports:

PSK-AES128-CBC-SHA

> Subversion repository [3] or the Github mirror [4], since we recently did
> some work to improve TLS detection.

The prior nmap release I tested, v6.46, reported 'ssl/unknown'. After
recompiling the latest nmap source and upgrading to openssl 1.0.1f,
still I see 'ssl/unknown' in the probes. Are you saying that nmap
should be reporting something like 'tlsv1.2/unknown' instead?

> In addition to your research on the TCP port, we would really be interested
> in a payload [5] or probe for the equivalent UDP port.

Sure thing. I submitted a fingerprint to the nmap database, but
realize the client responses are dynamic and leak the client hostname
or system info (potentially login names too). Here is a quick UDP
version probe.

nmap-service-probes:
"""
Probe UDP valve-steam q|\xff\xff\xff\xff\x21\x4c\x5f\xa0\x16\x00\x00\x00\x08\x9a\xe6\xb1\x84\xd0\x81\x83\xc5\x51\x10\x00\x18\xd4\xf8\xa8\xaa\x99\x83\xe5\x80\x74\x02\x00\x00\x00\x08\x01|
rarity 2
ports 27036
match valve-steam m|^\xff\xff\xff\xff\x21\x4c\x5f\xa0|
"""

If you modify the prior NSE file for UDP, you can use it to extract
useful information about remote clients. You can easily extract
hostname using the probe above and seeking to offset 0x31 in the
response and reading until immediate bytes ==
\x30\x02\x38\x0a\x40\x01\x4a. Have fun! :)
-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
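An added example, not part of the original mail or of Nmap's own code: a small Python parser that applies the extraction rule described above (the header check from the match line, then the hostname from offset 0x31 up to the terminating byte sequence) to a discovery reply, so you can verify what a Steam client on your own network exposes over UDP 27036. The sample datagram is constructed here; the bytes before offset 0x31 are placeholders, and decoding the hostname as UTF-8 is an assumption.

```python
import re

# Signature bytes from the nmap-service-probes match line above.
STEAM_MAGIC = re.compile(rb"^\xff\xff\xff\xff\x21\x4c\x5f\xa0")
# Offset where the hostname starts and the byte sequence that terminates it,
# as described in the mail.
HOSTNAME_OFFSET = 0x31
HOSTNAME_END = b"\x30\x02\x38\x0a\x40\x01\x4a"


def is_steam_response(data: bytes) -> bool:
    """True if the datagram carries the Steam In-Home Streaming header."""
    return STEAM_MAGIC.match(data) is not None


def extract_hostname(data: bytes):
    """Return the client hostname carried in a discovery reply, or None.

    None is returned when the magic header is missing, the datagram is too
    short to contain the hostname field, or the terminating byte sequence
    never appears (truncated or unexpected response).
    """
    if not is_steam_response(data):
        return None
    if len(data) <= HOSTNAME_OFFSET:
        return None
    end = data.find(HOSTNAME_END, HOSTNAME_OFFSET)
    if end == -1:
        return None
    # Assumption: the hostname is UTF-8; undecodable bytes are replaced
    # rather than raising so a malformed reply cannot crash the caller.
    return data[HOSTNAME_OFFSET:end].decode("utf-8", errors="replace")


# Constructed sample datagram (not a real capture): the 8-byte magic, then
# 41 placeholder bytes standing in for the fields before offset 0x31, then a
# hostname followed by the terminating sequence and some trailing bytes.
SAMPLE_REPLY = (
    b"\xff\xff\xff\xff\x21\x4c\x5f\xa0"
    + b"\x00" * (HOSTNAME_OFFSET - 8)
    + b"gaming-pc"
    + HOSTNAME_END
    + b"\x00\x01\x02"
)

if __name__ == "__main__":
    print(extract_hostname(SAMPLE_REPLY))  # gaming-pc
```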