Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Sat, 4 Jul 2009 07:30:39 -0600

On Sat, Jul 04, 2009 at 11:35:07AM +0200, Luis M. wrote:
David Fifield wrote:
During the ping probe effectiveness research, we found that UDP probes
that have a payload work better than those without, and probes with a
payload specific to the protocol work better still. As well as being
more effective for host discovery, meaningful payloads sometimes allow a
port to be classified as open rather than open|filtered.

I have in a branch code that sends protocol payloads for ports 53, 123,
137, 161, and 1434.
    svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads
The payloads are taken from nmap-service-probes. They are:

53: DNSStatusRequest "\0\0\x10\0\0\0\0\0\0\0\0\0"
123: NTPRequest 
137: NBTStat "\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01"
161: SNMPv3GetRequest 
1434: Sqlping "\x02"

This could also be useful for Nping in UDP mode. I'll add it to the TODO
list. I could add a flag, something like --proto-payload, that adds
those payloads based on target port numbers. What do you think?

It sounds like a good idea, because without a payload I don't think
these services will send back a response.

David Fifield

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]