Nmap Development mailing list archives

Better TeamViewer Detection


From: Michael Toecker <toecker () context-is com>
Date: Tue, 7 Jun 2016 13:18:41 -0400

Hello all,

Please take a look at the proposed modification to the NMAP service-probes
file.

Steve Hilt (@sjhilt) and I (@mtoecker) were going over the TeamViewer
breach, and we noticed that the detections for TeamViewer in the probes
file weren't returning results against known good servers. We hacked
together a better version that uses the TV Ping Command to get a positive
response from a TV server listening on TCP 5398.

##############################NEXT PROBE##############################
Probe TCP TeamViewer q|\x17\x24\x10\x04\x00\x00\x00\x00\x00|
ports 5938
match teamviewer m|^\x17\x24\x11| p/TeamViewer - by V1 CMD_PINGOK Response -/
match teamviewer m|^\x17\x24[\x12-\x71]| p/TeamViewer - Unknown Response/

This sends a TV CMD_PING to the server, whereupon the server should send
back a TV CMD_PINGOK. The match is the magic byte header (0x1724) and the
Ping response command (0x11). Also added another match for an Unknown
Response if the server decides to respond with another valid TV command in
the range of 0x12 through 0x71, which are valid, though this case is not
likely.

Please remember that TeamViewer generally works on OUTGOING connections, so
YMMV on TeamViewer clients.

Thanks to Braden Thomas, wherever he is, for his great discussion of the
authentication protocol and his basic Wireshark dissector explained here:
https://www.optiv.com/blog/teamviewer-authentication-protocol-part-1-of-3

-- 
Michael Toecker, PE  |  Consulting Engineer

Twitter: @mtoecker

Missouri
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
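The CMD_PING / CMD_PINGOK exchange and the two match lines from the proposed probe, as an added Python example that is not part of the original post or of Nmap: it sends the same nine-byte probe the entry uses, then classifies the reply exactly as the two `match` regexes would, so you can confirm against a TeamViewer host in your own inventory that the entry fires. The sample replies at the bottom are constructed; the meaning of the probe bytes after the 0x10 command byte is not described in the post and is not claimed here.

```python
import re
import socket

# Probe string from the proposed service-probes entry: 0x17 0x24 magic
# header, 0x10 = CMD_PING, then the trailing bytes exactly as in the entry.
TV_PING = b"\x17\x24\x10\x04\x00\x00\x00\x00\x00"
TV_PORT = 5938  # port from the "ports" line of the entry

# Byte-regex equivalents of the two "match teamviewer" lines.
RE_PINGOK = re.compile(rb"^\x17\x24\x11")            # magic + CMD_PINGOK
RE_OTHER_CMD = re.compile(rb"^\x17\x24[\x12-\x71]")  # magic + other valid cmd

def classify_response(data: bytes):
    """Return the product string the matching 'match' line would report,
    or None when neither line matches (not identified as TeamViewer)."""
    if RE_PINGOK.match(data):
        return "TeamViewer - by V1 CMD_PINGOK Response"
    if RE_OTHER_CMD.match(data):
        return "TeamViewer - Unknown Response"
    return None

def probe_teamviewer(host: str, port: int = TV_PORT, timeout: float = 3.0):
    """Send CMD_PING to host:port and classify the first bytes that come
    back. Returns None on no match; raises OSError on connect/timeout."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(TV_PING)
        reply = sock.recv(64)
    return classify_response(reply)

if __name__ == "__main__":
    # Constructed sample replies (not real captures) exercising each line.
    samples = {
        "pingok": b"\x17\x24\x11\x00\x00",   # expected good-server reply
        "other":  b"\x17\x24\x30\x01",       # some other command in 0x12-0x71
        "ping":   b"\x17\x24\x10\x04",       # CMD_PING echoed: matches nothing
        "http":   b"HTTP/1.1 400 Bad Request\r\n",
    }
    for name, data in samples.items():
        print(f"{name:7s} -> {classify_response(data)}")
```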
