Nmap Development mailing list archives
Better TeamViewer Detection
From: Michael Toecker <toecker () context-is com>
Date: Tue, 7 Jun 2016 13:18:41 -0400
Hello all,

Please take a look at the proposed modification to the NMAP service-probes file. Steve Hilt (@sjhilt) and I (@mtoecker) were going over the TeamViewer breach, and we noticed that the detections for teamviewer in the probes file weren't returning results against known good servers. We hacked together a better version that uses the TV Ping Command to get a positive response from a TV server listening on TCP 5398.

##############################NEXT PROBE##############################
Probe TCP TeamViewer q|\x17\x24\x10\x04\x00\x00\x00\x00\x00|
ports 5938
match teamviewer m|^\x17\x24\x11| p/TeamViewer - by V1 CMD_PINGOK Response -/
match teamviewer m|^\x17\x24[\x12-\x71]| p/TeamViewer - Unknown Response/

This sends a TV CMD_PING to the server, whereupon the server should send back a TV CMD_PINGOK. The match is the magic byte header (0x1724), and the Ping response command (0x11).

Also, added another match for an Unknown Response if the server decides to respond with another valid TV command in the range of 0x12 through 0x71, which are valid, though this case is not likely.

Please remember that TeamViewer generally works on OUTGOING connections, so YMMV on TeamViewer clients.

Thanks to Braden Thomas, wherever he is, for his great discussion of the authentication protocol and his basic Wireshark dissector explained here: https://www.optiv.com/blog/teamviewer-authentication-protocol-part-1-of-3

--
Michael Toecker, PE | Consulting Engineer
Twitter: @mtoecker
Missouri
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
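
Added example, not part of the original post and not Nmap code: the probe bytes and the two match patterns from the message above, applied in Python so the rule ordering and the non-matching cases (an echoed probe, an out-of-range command byte) can be checked when auditing your own hosts. The helper names, the 64-byte read, the loopback listener and the sample replies are assumptions constructed for the demo; the default port comes from the probe's `ports` line.

```python
import re
import socket
import threading

# Probe bytes and match patterns copied from the proposed service-probes entry.
PROBE = b"\x17\x24\x10\x04\x00\x00\x00\x00\x00"   # magic 0x1724 + CMD_PING (0x10)
RULES = [
    (re.compile(rb"^\x17\x24\x11"), "TeamViewer - by V1 CMD_PINGOK Response -"),
    (re.compile(rb"^\x17\x24[\x12-\x71]"), "TeamViewer - Unknown Response"),
]

def classify(response):
    """Return the product string of the first rule that matches, else None."""
    for pattern, product in RULES:
        if pattern.match(response):
            return product
    return None

def probe(host, port=5938, timeout=5.0):
    """Send CMD_PING and classify the reply (default port: the probe's `ports` line)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PROBE)
            return classify(sock.recv(64))
    except OSError:          # refused, reset or timed out: nothing to classify
        return None

def stub_listener(reply):
    """Loopback stand-in for a server (constructed for this demo): answers one probe."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Constructed replies: only the first three bytes are taken from the post.
    pingok = b"\x17\x24\x11\x04\x00\x00\x00\x00\x00"
    print(probe("127.0.0.1", stub_listener(pingok)))   # CMD_PINGOK rule
    print(probe("127.0.0.1", stub_listener(PROBE)))    # echoed probe: no match
```

A service that simply echoes the probe back is not reported, because the command byte 0x10 falls outside both patterns.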