With the recent news about ScreenConnect being used in data breaches, I had the opportunity to examine some of the network traffic. This was traffic that was originally in OTHER, but as you know, that just means it's an opportunity to learn about some new aspect of our networks.
Initially, this traffic was over TCP destination port 443; however, it was not SSL traffic. A custom parser was written to identify this traffic and register the service type as 7310. I did not find a document that explained how the application used this custom protocol, so I built this parser with some educated guesswork.
We start with an 18-byte-long token and match on it within the first 10 bytes of the payload. If we see that, we are in the right traffic. Next, I moved forward 1 byte and then extracted the next 64 bytes of payload. I checked the first byte using the "payload:uint8(1,1)" method, looking for either a "4" or a "6". In researching this traffic, it appeared that different versions of ScreenConnect would have one of those values. That value was important, as it led me to determine where the hostname (or IP address) started and its terminator.
If the value was "4", then my hostname started 7 bytes away. If the value was "6", the hostname started 9 bytes away. It also helped me identify the terminator. If the initial value was "4", my terminator appeared to be "0x01". If the initial value was "6", then the terminator appeared to be "0x02".
Now that I was able to identify the start and end positions, I could extract the hostname. However, it could be either an IP address or a fully qualified domain name. This is where I referenced an outside function in the 'nwll' file called "determineHostType". This way, if the extracted value was an IP address, it would be placed in 'alias.ip' and if it was a hostname, it would go in 'alias.host'.
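To make the extraction steps above concrete, here is an added Python reimplementation of the same heuristic (token match in the first 10 bytes, skip one byte, take a 64-byte window, branch on a leading 4 or 6 to pick the hostname offset and terminator, then classify the value as IP or hostname). It is example code written for this post, not the attached NetWitness Lua parser, and it makes a few assumptions: the real 18-byte token is not published here, so a constructed placeholder is used; "moved forward 1 byte" is read as one byte past the end of the token; and "7 bytes away" / "9 bytes away" is read as an offset from the version byte itself. The `build_sample` helper and the `determine_host_type` function are stand-ins for the PCAP and the `nwll` helper named in the post.

```python
import ipaddress
import re

# CONSTRUCTED placeholder: the post does not publish the real 18-byte token.
TOKEN = b"SC-TOKEN-PLACEHLDR"
assert len(TOKEN) == 18
TOKEN_WINDOW = 10   # the token must start within the first 10 payload bytes
WINDOW_LEN = 64     # bytes examined after the token

# version byte -> (hostname offset from the version byte, terminator byte)
VERSION_LAYOUT = {4: (7, 0x01), 6: (9, 0x02)}

HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")


def determine_host_type(value):
    """Stand-in for the 'determineHostType' helper: decide which meta key gets the value."""
    try:
        ipaddress.ip_address(value)
        return ("alias.ip", value)
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return ("alias.host", value)
    return None


def find_token(payload):
    """Return the token's start index if it begins within the first 10 bytes, else -1."""
    idx = payload.find(TOKEN, 0, TOKEN_WINDOW + len(TOKEN))
    return idx if 0 <= idx < TOKEN_WINDOW else -1


def extract_host(payload):
    """Return (meta_key, value) for a matching payload, or None if it does not fit the pattern."""
    start = find_token(payload)
    if start < 0:
        return None
    pos = start + len(TOKEN) + 1          # assumption: skip one byte past the token
    window = payload[pos:pos + WINDOW_LEN]
    if not window:
        return None
    version = window[0]                   # equivalent of payload:uint8(1,1) on the window
    layout = VERSION_LAYOUT.get(version)
    if layout is None:
        return None                       # unknown version byte: not our traffic
    host_offset, terminator = layout
    end = window.find(bytes([terminator]), host_offset)
    if end < 0:
        return None                       # terminator absent within the 64-byte window
    try:
        host = window[host_offset:end].decode("ascii")
    except UnicodeDecodeError:
        return None
    return determine_host_type(host)


def build_sample(version, host):
    """Construct a synthetic payload laid out as the post describes (test data, not a real capture)."""
    host_offset, terminator = VERSION_LAYOUT[version]
    body = bytes([version]) + b"\x00" * (host_offset - 1) + host.encode("ascii")
    body += bytes([terminator]) + b"\x00" * 8
    return b"\x00" + TOKEN + b"\x00" + body   # token at index 1, one skipped byte, then the window


if __name__ == "__main__":
    for v, h in ((4, "10.0.0.5"), (6, "support.example.com")):
        print(v, h, "->", extract_host(build_sample(v, h)))
    print("http ->", extract_host(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
```

Because the token window, version byte and terminator are all checked before any meta is written, a payload that merely happens to carry a 4 or a 6 in the right spot but lacks the token or terminator is rejected rather than producing a bogus `alias.host` value.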
Attached is the parser and PCAP. This parser was submitted to LIVE, however I wanted you to have it while that process is underway.
Good luck and happy hunting.