diff options
Diffstat (limited to '')
-rw-r--r-- | scripts/quake3-master-getservers.nse | 249 |
1 files changed, 249 insertions, 0 deletions
diff --git a/scripts/quake3-master-getservers.nse b/scripts/quake3-master-getservers.nse new file mode 100644 index 0000000..aeade67 --- /dev/null +++ b/scripts/quake3-master-getservers.nse @@ -0,0 +1,249 @@ +local ipOps = require "ipOps" +local nmap = require "nmap" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local stringaux = require "stringaux" +local tab = require "tab" +local table = require "table" + +description = [[ +Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol). +]] + +--- +-- @usage +-- nmap -sU -p 27950 --script=quake3-master-getservers <target> +-- @output +-- PORT STATE SERVICE REASON +-- 27950/udp open quake3-master +-- | quake3-master-getservers: +-- | 192.0.2.22:26002 Xonotic (Xonotic 3) +-- | 203.0.113.37:26000 Nexuiz (Nexuiz 3) +-- |_ Only 2 shown. Use --script-args quake3-master-getservers.outputlimit=-1 to see all. +-- +-- @args quake3-master-getservers.outputlimit If set, limits the amount of +-- hosts returned by the script. All discovered hosts are still +-- stored in the registry for other scripts to use. If set to 0 or +-- less, all files are shown. The default value is 10. + +author = "Toni Ruottu" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"default", "discovery", "safe"} + +portrule = shortport.port_or_service ({20110, 20510, 27950, 30710}, "quake3-master", {"udp"}) +postrule = function() + return (nmap.registry.q3m_servers ~= nil) +end + +-- There are various sources for this information. These include: +-- - http://svn.icculus.org/twilight/trunk/dpmaster/readme.txt?view=markup +-- - http://openarena.wikia.com/wiki/Changes +-- - http://dpmaster.deathmask.net/ +-- - qstat-2.11, qstat.cfg +-- - scanning master servers +-- - looking at game traffic with Wireshark +local KNOWN_PROTOCOLS = { + ["5"] = "Call of Duty", + ["10"] = "unknown", + ["43"] = "unknown", + ["48"] = "unknown", + ["50"] = "Return to Castle Wolfenstein", + ["57"] = "unknown", + ["59"] = "Return to Castle Wolfenstein", + ["60"] = "Return to Castle Wolfenstein", + ["66"] = "Quake III Arena", + ["67"] = "Quake III Arena", + ["68"] = "Quake III Arena, or Urban Terror", + ["69"] = "OpenArena, or Tremulous", + ["70"] = "unknown", + ["71"] = "OpenArena", + ["72"] = "Wolfenstein: Enemy Territory", + ["80"] = "Wolfenstein: Enemy Territory", + ["83"] = "Wolfenstein: Enemy Territory", + ["84"] = "Wolfenstein: Enemy Territory", + ["2003"] = "Soldier of Fortune II: Double Helix", + ["2004"] = "Soldier of Fortune II: Double Helix", + ["DarkPlaces-Quake 3"] = "DarkPlaces Quake", + ["Nexuiz 3"] = "Nexuiz", + ["Transfusion 3"] = "Transfusion", + ["Warsow 8"] = "Warsow", + ["Xonotic 3"] = "Xonotic", +} + +local function getservers(host, port, q3protocol) + local socket = nmap.new_socket() + socket:set_timeout(10000) + local status, err = socket:connect(host, port) + if not status then + return {} + end + local probe = string.format("\xff\xff\xff\xffgetservers %s empty full\n", q3protocol) + socket:send(probe) + + local data + status, data = socket:receive() -- get some data + if not status then + return {} + end + nmap.set_port_state(host, port, "open") + + local magic = "\xff\xff\xff\xffgetserversResponse" + local tmp + while #data < #magic do -- get header + status, tmp = socket:receive() + if status then + data = data .. tmp + end + end + if string.sub(data, 1, #magic) ~= magic then -- no match + return {} + end + + port.version.name = "quake3-master" + nmap.set_port_version(host, port) + + local EOT = "EOT\0\0\0" + local pieces = stringaux.strsplit("\\", data) + while pieces[#pieces] ~= EOT do -- get all data + status, tmp = socket:receive() + if status then + data = data .. tmp + pieces = stringaux.strsplit("\\", data) + end + end + + table.remove(pieces, 1) --remove magic + table.remove(pieces, #pieces) --remove EOT + + local servers = {} + for _, value in ipairs(pieces) do + local ip, port = string.unpack("c4 >I2", value) + table.insert(servers, {ipOps.str_to_ip(ip), port}) + end + socket:close() + return servers +end + +local function formatresult(servers, outputlimit, protocols) + local t = tab.new() + + if not outputlimit then + outputlimit = #servers + end + for i = 1, outputlimit do + if not servers[i] then + break + end + local node = servers[i] + local protocol = node.protocol + local ip = node.ip + local portnum = node.port + tab.addrow(t, string.format('%s:%d', ip, portnum), string.format('%s (%s)', protocols[protocol], protocol)) + end + + return tab.dump(t) +end + +local function dropdupes(tables, stringify) + local unique = {} + local dupe = {} + local s + for _, v in ipairs(tables) do + s = stringify(v) + if not dupe[s] then + table.insert(unique, v) + dupe[s] = true + end + end + return unique +end + +local function scan(host, port, protocols) + local discovered = {} + for protocol, _ in pairs(protocols) do + for _, node in ipairs(getservers(host, port, protocol)) do + local entry = { + protocol = protocol, + ip = node[1], + port = node[2], + masterip = host.ip, + masterport = port.number + } + table.insert(discovered, entry) + end + end + return discovered +end + +local function store(servers) + if not nmap.registry.q3m_servers then + nmap.registry.q3m_servers = {} + end + for _, server in ipairs(servers) do + table.insert(nmap.registry.q3m_servers, server) + end +end + +local function protocols() + local filter = {} + local count = {} + for _, advert in ipairs(nmap.registry.q3m_servers) do + local key = table.concat({advert.ip, advert.port, advert.protocol}, ":") + if filter[key] == nil then + if count[advert.protocol] == nil then + count[advert.protocol] = 0 + end + count[advert.protocol] = count[advert.protocol] + 1 + filter[key] = true + end + local mkey = table.concat({advert.masterip, advert.masterport}, ":") + end + local sortable = {} + for k, v in pairs(count) do + table.insert(sortable, {k, v}) + end + table.sort(sortable, function(a, b) return a[2] > b[2] or (a[2] == b[2] and a[1] > b[1]) end) + local t = tab.new() + tab.addrow(t, '#', 'PROTOCOL', 'GAME', 'SERVERS') + for i, p in ipairs(sortable) do + local pos = i .. '.' + local protocol = p[1] + count = p[2] + local game = KNOWN_PROTOCOLS[protocol] + if game == "unknown" then + game = "" + end + tab.addrow(t, pos, protocol, game, count) + end + return '\n' .. tab.dump(t) +end + +action = function(host, port) + if SCRIPT_TYPE == "postrule" then + return protocols() + end + local outputlimit = nmap.registry.args[SCRIPT_NAME .. ".outputlimit"] + if not outputlimit then + outputlimit = 10 + else + outputlimit = tonumber(outputlimit) + end + if outputlimit < 1 then + outputlimit = nil + end + local servers = scan(host, port, KNOWN_PROTOCOLS) + store(servers) + local unique = dropdupes(servers, function(t) return string.format("%s: %s:%d", t.protocol, t.ip, t.port) end) + local formatted = formatresult(unique, outputlimit, KNOWN_PROTOCOLS) + if #formatted < 1 then + return + end + local response = {} + table.insert(response, formatted) + if outputlimit and outputlimit < #servers then + table.insert(response, string.format('Only %d/%d shown. Use --script-args %s.outputlimit=-1 to see all.', outputlimit, #servers, SCRIPT_NAME)) + end + return stdnse.format_output(true, response) +end + |