
Nmap Development mailing list archives

Re: UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Jul 2009 12:11:43 -0600

On Fri, Jul 03, 2009 at 05:45:34PM -0600, David Fifield wrote:
> During the ping probe effectiveness research, we found that UDP probes
> that have a payload work better than those without, and probes with a
> payload specific to the protocol work better still. As well as being
> more effective for host discovery, meaningful payloads sometimes allow a
> port to be classified as open rather than open|filtered.
>
> I have in a branch code that sends protocol payloads for ports 53, 123,
> 137, 161, and 1434.
>       svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads
> The payloads are taken from nmap-service-probes. They are:
>
> 53: DNSStatusRequest "\0\0\x10\0\0\0\0\0\0\0\0\0"
> 123: NTPRequest
> 137: NBTStat "\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01"
> 161: SNMPv3GetRequest
> 1434: Sqlping "\x02"

I committed this in r14071. I commented out the Sqlping probe because
there is a Snort rule to detect it, and for now I think we should play
it safe and not disturb IDSs any more than a port scan does already.


I'm going to look at the sources that kx referred to in
http://seclists.org/nmap-dev/2009/q3/0026.html and see if there are more
payloads that can be added. Anyone is welcome to suggest more; they are
defined in the file payload.cc. If the collection gets big enough we'll
think about storing them in an external data file.

David Fifield

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
