Lucene search

K
nmapToni RuottuNMAP:QUAKE3-MASTER-GETSERVERS.NSE
HistoryFeb 22, 2011 - 9:55 p.m.

quake3-master-getservers NSE Script

2011-02-2221:55:23
Toni Ruottu
nmap.org
154

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).

Script Arguments

quake3-master-getservers.outputlimit

If set, limits the amount of hosts returned by the script. All discovered hosts are still stored in the registry for other scripts to use. If set to 0 or less, all files are shown. The default value is 10.

Example Usage

nmap -sU -p 27950 --script=quake3-master-getservers <target>

Script Output

PORT      STATE SERVICE REASON
27950/udp open  quake3-master
| quake3-master-getservers:
|     192.0.2.22:26002 Xonotic (Xonotic 3)
|     203.0.113.37:26000 Nexuiz (Nexuiz 3)
|_    Only 2 shown. Use --script-args quake3-master-getservers.outputlimit=-1 to see all.

Requires


local ipOps = require "ipOps"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local stringaux = require "stringaux"
local tab = require "tab"
local table = require "table"

description = [[
Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol).
]]

---
-- @usage
-- nmap -sU -p 27950 --script=quake3-master-getservers <target>
-- @output
-- PORT      STATE SERVICE REASON
-- 27950/udp open  quake3-master
-- | quake3-master-getservers:
-- |     192.0.2.22:26002 Xonotic (Xonotic 3)
-- |     203.0.113.37:26000 Nexuiz (Nexuiz 3)
-- |_    Only 2 shown. Use --script-args quake3-master-getservers.outputlimit=-1 to see all.
--
-- @args quake3-master-getservers.outputlimit If set, limits the amount of
--       hosts returned by the script. All discovered hosts are still
--       stored in the registry for other scripts to use. If set to 0 or
--       less, all files are shown. The default value is 10.

author = "Toni Ruottu"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}

portrule = shortport.port_or_service ({20110, 20510, 27950, 30710}, "quake3-master", {"udp"})
postrule = function()
  return (nmap.registry.q3m_servers ~= nil)
end

-- There are various sources for this information. These include:
-- - http://svn.icculus.org/twilight/trunk/dpmaster/readme.txt?view=markup
-- - http://openarena.wikia.com/wiki/Changes
-- - http://dpmaster.deathmask.net/
-- - qstat-2.11, qstat.cfg
-- - scanning master servers
-- - looking at game traffic with Wireshark
local KNOWN_PROTOCOLS = {
  ["5"] = "Call of Duty",
  ["10"] = "unknown",
  ["43"] = "unknown",
  ["48"] = "unknown",
  ["50"] = "Return to Castle Wolfenstein",
  ["57"] = "unknown",
  ["59"] = "Return to Castle Wolfenstein",
  ["60"] = "Return to Castle Wolfenstein",
  ["66"] = "Quake III Arena",
  ["67"] = "Quake III Arena",
  ["68"] = "Quake III Arena, or Urban Terror",
  ["69"] = "OpenArena, or Tremulous",
  ["70"] = "unknown",
  ["71"] = "OpenArena",
  ["72"] = "Wolfenstein: Enemy Territory",
  ["80"] = "Wolfenstein: Enemy Territory",
  ["83"] = "Wolfenstein: Enemy Territory",
  ["84"] = "Wolfenstein: Enemy Territory",
  ["2003"] = "Soldier of Fortune II: Double Helix",
  ["2004"] = "Soldier of Fortune II: Double Helix",
  ["DarkPlaces-Quake 3"] = "DarkPlaces Quake",
  ["Nexuiz 3"] = "Nexuiz",
  ["Transfusion 3"] = "Transfusion",
  ["Warsow 8"] = "Warsow",
  ["Xonotic 3"] = "Xonotic",
}

local function getservers(host, port, q3protocol)
  local socket = nmap.new_socket()
  socket:set_timeout(10000)
  local status, err = socket:connect(host, port)
  if not status then
    return {}
  end
  local probe = string.format("\xff\xff\xff\xffgetservers %s empty full\n", q3protocol)
  socket:send(probe)

  local data
  status, data = socket:receive() -- get some data
  if not status then
    return {}
  end
  nmap.set_port_state(host, port, "open")

  local magic = "\xff\xff\xff\xffgetserversResponse"
  local tmp
  while #data < #magic do -- get header
    status, tmp = socket:receive()
    if status then
      data = data .. tmp
    end
  end
  if string.sub(data, 1, #magic) ~= magic then -- no match
    return {}
  end

  port.version.name = "quake3-master"
  nmap.set_port_version(host, port)

  local EOT = "EOT\0\0\0"
  local pieces = stringaux.strsplit("\\", data)
  while pieces[#pieces] ~= EOT do -- get all data
    status, tmp = socket:receive()
    if status then
      data = data .. tmp
      pieces = stringaux.strsplit("\\", data)
    end
  end

  table.remove(pieces, 1)       --remove magic
  table.remove(pieces, #pieces) --remove EOT

  local servers = {}
  for _, value in ipairs(pieces) do
    local ip, port = string.unpack("c4 >I2", value)
    table.insert(servers, {ipOps.str_to_ip(ip), port})
  end
  socket:close()
  return servers
end

local function formatresult(servers, outputlimit, protocols)
  local t = tab.new()

  if not outputlimit then
    outputlimit = #servers
  end
  for i = 1, outputlimit do
    if not servers[i] then
      break
    end
    local node = servers[i]
    local protocol = node.protocol
    local ip = node.ip
    local portnum = node.port
    tab.addrow(t, string.format('%s:%d', ip, portnum), string.format('%s (%s)', protocols[protocol], protocol))
  end

  return tab.dump(t)
end

local function dropdupes(tables, stringify)
  local unique = {}
  local dupe = {}
  local s
  for _, v in ipairs(tables) do
    s = stringify(v)
    if not dupe[s] then
      table.insert(unique, v)
      dupe[s] = true
    end
  end
  return unique
end

local function scan(host, port, protocols)
  local discovered = {}
  for protocol, _ in pairs(protocols) do
    for _, node in ipairs(getservers(host, port, protocol)) do
      local entry = {
        protocol = protocol,
        ip = node[1],
        port = node[2],
        masterip = host.ip,
        masterport = port.number
      }
      table.insert(discovered, entry)
    end
  end
  return discovered
end

local function store(servers)
  if not nmap.registry.q3m_servers then
    nmap.registry.q3m_servers = {}
  end
  for _, server in ipairs(servers) do
    table.insert(nmap.registry.q3m_servers, server)
  end
end

local function protocols()
  local filter = {}
  local count = {}
  for _, advert in ipairs(nmap.registry.q3m_servers) do
    local key = table.concat({advert.ip, advert.port, advert.protocol}, ":")
    if filter[key] == nil then
      if count[advert.protocol] == nil then
        count[advert.protocol] = 0
      end
      count[advert.protocol] = count[advert.protocol] + 1
      filter[key] = true
    end
    local mkey = table.concat({advert.masterip, advert.masterport}, ":")
  end
  local sortable = {}
  for k, v in pairs(count) do
    table.insert(sortable, {k, v})
  end
  table.sort(sortable, function(a, b) return a[2] > b[2] or (a[2] == b[2] and a[1] > b[1]) end)
  local t = tab.new()
  tab.addrow(t, '#', 'PROTOCOL', 'GAME', 'SERVERS')
  for i, p in ipairs(sortable) do
    local pos = i .. '.'
    local protocol = p[1]
    count = p[2]
    local game = KNOWN_PROTOCOLS[protocol]
    if game == "unknown" then
      game = ""
    end
    tab.addrow(t, pos, protocol, game, count)
  end
  return '\n' .. tab.dump(t)
end

action = function(host, port)
  if SCRIPT_TYPE == "postrule" then
    return protocols()
  end
  local outputlimit = nmap.registry.args[SCRIPT_NAME .. ".outputlimit"]
  if not outputlimit then
    outputlimit = 10
  else
    outputlimit = tonumber(outputlimit)
  end
  if outputlimit < 1 then
    outputlimit = nil
  end
  local servers = scan(host, port, KNOWN_PROTOCOLS)
  store(servers)
  local unique = dropdupes(servers, function(t) return string.format("%s: %s:%d", t.protocol, t.ip, t.port) end)
  local formatted = formatresult(unique, outputlimit, KNOWN_PROTOCOLS)
  if #formatted < 1 then
    return
  end
  local response = {}
  table.insert(response, formatted)
  if outputlimit and outputlimit < #servers then
    table.insert(response, string.format('Only %d/%d shown. Use --script-args %s.outputlimit=-1 to see all.', outputlimit, #servers, SCRIPT_NAME))
  end
  return stdnse.format_output(true, response)
end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Related for NMAP:QUAKE3-MASTER-GETSERVERS.NSE