Differences between revisions 18 and 19
Revision 18 as of 2008-03-14 08:30:48
Size: 2041
Editor: GuyHarris
Comment:
Revision 19 as of 2008-04-12 17:51:48
Size: 2053
Editor: localhost
Comment: converted to 1.6 markup
Deletions are listed as "Deleted:", additions as "Added:".
Line 6:
Deleted:  * ["TCP"]: Typically, VP uses ["TCP"] as its transport protocol. The TCP port for VP traffic is 3784 (Depending on server).
Added:  * [[TCP]]: Typically, VP uses [[TCP]] as its transport protocol. The TCP port for VP traffic is 3784 (Depending on server).
Line 8:
Deleted: v2.3.0 [http://pastebin.ca/71370 HERE] (Long text pasted on pastebin.ca)
Added: v2.3.0 [[http://pastebin.ca/71370|HERE]] (Long text pasted on pastebin.ca)
Line 21:
Deleted: [http://wiki.wireshark.org/Ventrilo?action=AttachFile&do=get&target=ExampleVP.pcap ExampleVP.pcap]: This file contains a capture of the Ventrilo protocol, however the packets are encrypted.
Added: [[http://wiki.wireshark.org/Ventrilo?action=AttachFile&do=get&target=ExampleVP.pcap|ExampleVP.pcap]]: This file contains a capture of the Ventrilo protocol, however the packets are encrypted.
Line 23:
Deleted: See [http://aluigi.altervista.org/papers.htm#ventrilo Luigi's page] for decryption algorithm and [http://pastebin.ca/71370 this] for a decrypted capture.
Added: See [[http://aluigi.altervista.org/papers.htm#ventrilo|Luigi's page]] for decryption algorithm and [[http://pastebin.ca/71370|this]] for a decrypted capture.
Line 26:
Deleted:  * [http://aluigi.altervista.org/papers.htm#ventrilo Luigi's page] - The one and only recource on the VP protocol.
Deleted:  * [http://www.darkstarllc.com/services/ventrilo-servers/setup-guides.php Ventrilo server setup guides] - Great resource for ventrilo setup guides.
Added:  * [[http://aluigi.altervista.org/papers.htm#ventrilo|Luigi's page]] - The one and only recource on the VP protocol.
Added:  * [[http://www.darkstarllc.com/services/ventrilo-servers/setup-guides.php|Ventrilo server setup guides]] - Great resource for ventrilo setup guides.

Ventrilo Protocol

VP, the Ventrilo protocol, is the protocol Ventrilo uses to encrypt and decrypt its VoIP chat traffic.

Protocol dependencies

  • TCP: Typically, VP uses TCP as its transport protocol. The TCP port for VP traffic is 3784 (depending on the server).

Example traffic

v2.3.0: http://pastebin.ca/71370 (long text pasted on pastebin.ca)

v3.0.0

The preshared encryption key is the same as the one for 2.3.0, and the key exchange and encryption method seem to be the same. However, a type 0x34 packet now signals a change in encryption some time shortly after connecting and displaying the server status.

The login packet has also changed to type 0x48 and carries an additional 16 bytes of data immediately before the client version string.

The client has a quirk of its own that makes running it through the decryption proxy somewhat of a pain. It first gets the server status via UDP before it will even attempt to connect over TCP. If you proxy it through a port that does not match what the remote server claims to be using, it will also not connect: either the status packet must be rewritten with the redirected UDP port, or the ports must be changed to match the remote end. This also means you can no longer block the UDP port to prevent people from checking to see who's on.
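An added example, not part of the wiki page and not Wireshark or Ventrilo code, showing how the connection sequence described above can be recognised in a capture: it parses constructed Ethernet/IPv4 frames and, per client address, records UDP status queries and TCP connection attempts to port 3784, then lists the clients that query status before connecting. The page gives 3784 only as the TCP port; using the same number for the UDP status query is an assumption of this example, and all frames are constructed test data.

```python
import struct
from collections import defaultdict

# TCP port for VP traffic as given on the page. The page says the client fetches
# server status over UDP first but does not name the UDP port; using the same
# number for UDP is an assumption of this example.
VP_PORT = 3784

TCP_SYN = 0x02
TCP_ACK = 0x10


def ip_bytes(dotted: str) -> bytes:
    """Convert a dotted-quad IPv4 address to its 4-byte form."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(proto, src, dst, sport, dport, tcp_flags=0, payload=b""):
    """Build a minimal Ethernet II / IPv4 / TCP-or-UDP frame.

    Constructed test data only: MAC addresses and checksums are left at zero.
    """
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags,
                         65535, 0, 0) + payload
        ip_proto = 6
    elif proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip_proto = 17
    else:
        raise ValueError(proto)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     ip_proto, 0, ip_bytes(src), ip_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def parse_frame(frame: bytes):
    """Return (proto, src, dst, sport, dport, tcp_flags) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if ip_proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("tcp", src, dst, sport, dport, l4[13])
    if ip_proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("udp", src, dst, sport, dport, 0)
    return None


def vp_events(frames):
    """Walk frames in capture order and record VP-related events per client address.

    Only two events matter for the behaviour the page describes: a UDP datagram to
    the VP port (the status query) and a TCP SYN to the VP port (the connection).
    Handshake ACKs and encrypted data segments on the same connection are ignored.
    """
    events = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, src, _dst, _sport, dport, flags = parsed
        if dport != VP_PORT:
            continue
        if proto == "udp":
            events[src].append("udp_status_query")
        elif flags & TCP_SYN and not flags & TCP_ACK:
            events[src].append("tcp_connect")
    return dict(events)


def clients_querying_before_connect(events):
    """Clients whose first two VP events are the UDP status query, then the TCP connect."""
    return sorted(client for client, seq in events.items()
                  if seq[:2] == ["udp_status_query", "tcp_connect"])


# Constructed capture: 10.0.0.5 behaves like the client described on the page
# (UDP status query, then TCP connect); 10.0.0.6 goes straight to TCP; the ARP
# frame, the server's UDP reply and the ACK/data segments show what is filtered out.
SAMPLE_FRAMES = [
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP, not IPv4, ignored
    build_frame("udp", "10.0.0.5", "192.0.2.10", 40001, VP_PORT, payload=b"\x01"),
    build_frame("udp", "192.0.2.10", "10.0.0.5", VP_PORT, 40001, payload=b"\x02"),
    build_frame("tcp", "10.0.0.5", "192.0.2.10", 40002, VP_PORT, TCP_SYN),
    build_frame("tcp", "192.0.2.10", "10.0.0.5", VP_PORT, 40002, TCP_SYN | TCP_ACK),
    build_frame("tcp", "10.0.0.5", "192.0.2.10", 40002, VP_PORT, TCP_ACK),
    build_frame("tcp", "10.0.0.5", "192.0.2.10", 40002, VP_PORT, TCP_ACK, b"\xaa" * 16),
    build_frame("tcp", "10.0.0.6", "192.0.2.10", 40003, VP_PORT, TCP_SYN),
]

if __name__ == "__main__":
    ev = vp_events(SAMPLE_FRAMES)
    for client, seq in sorted(ev.items()):
        print(client, "->", ", ".join(seq))
    print("status query before connect:", clients_querying_before_connect(ev))
```

On a real capture the same two functions can be fed frames read from a pcap file; the point of the per-client event list is that a client which never sends the UDP status query before its TCP SYN (for instance because the query went to a different port than the one the proxy relays) is exactly the case the paragraph above says will fail to connect.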

Wireshark

There is no VP dissector in Wireshark.

Example capture file

ExampleVP.pcap (http://wiki.wireshark.org/Ventrilo?action=AttachFile&do=get&target=ExampleVP.pcap): this file contains a capture of the Ventrilo protocol; however, the packets are encrypted.

See Luigi's page (http://aluigi.altervista.org/papers.htm#ventrilo) for the decryption algorithm and this paste (http://pastebin.ca/71370) for a decrypted capture.

Ventrilo (last edited 2008-05-20 02:53:18 by GuyHarris)