Nmap Development mailing list archives

Re: Wireshark dissections of proposed UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Wed, 19 Aug 2009 11:52:36 -0600

On Mon, Aug 10, 2009 at 02:53:40PM -0600, David Fifield wrote:
On Wed, Jul 22, 2009 at 11:55:42AM -0600, David Fifield wrote:
On Sat, Jul 04, 2009 at 11:59:23AM +0200, kx wrote:
This sounds like a really good idea! Out of curiosity, have you
played with any of Unicornscan's UDP payloads?


This is one of the reasons Unicornscan started as udpscan in 2004.

In their faq they recognize another udp scanner:

This Perl script also has a lot of nice UDP payloads, including some from nmap:

Inside the tgz: udp-proto-scanner.conf

Here's a summary of payloads we might want to incorporate. Of this list,
I think the most likely candidates are 111/rpcbind, 177/xdmcp,
500/isakmp, 520/route, 1645/radius, 1812/radius, 2049/nfs,
5353/zeroconf, 5632/pcanywherestat. Those are the ones in the top 100
UDP ports, anyway. I would appreciate if some experts could examine
those payloads and comment on their safety.

I have added payloads for all of these protocols, except pcanywherestat,
after researching them for safety. They were all taken from either
nmap-service-probes or from one of the scanners kx listed, though in
some cases I modified the payloads to make them shorter or less
arbitrary. For example, the RADIUS probe in scanudp.c arbitrarily used a
username and password of "a"; our probe contains no authentication at
all and is used only to get back an error response. In addition to the
probes above, I added one for amanda/10080, adapted from Unicornscan.

Of the potential payloads I listed in
http://seclists.org/nmap-dev/2009/q3/0290.html, there are two more that
are in the top 1,000 UDP ports: 5555/rplay and 5632/pcanywherestat.

rplay is a sound protocol. Here is Unicornscan's payload:

        /* rplay ping, needs work */
        udp 5555 -1 1 {

The two Unicornscan payloads for pcanywherestat are

        udp 5632 -1 1 {
        udp 5632 -1 1 {

I'm not averse to adding these, but I don't know what they do and I
don't have a way of testing them. If someone can find out what they do,
let me know.

UDP payloads are cool; they turn this output

All 1000 scanned ports are open|filtered because of 1000 no-responses

into this:

Not shown: 998 open|filtered ports
Reason: 998 no-responses
123/udp  open  ntp      udp-response
5353/udp open  zeroconf udp-response

If you have a new payload to offer, please send it in, preferably along
with documentation on what it does, what kind of response is expected,
and the command that generated it.

David Fifield

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
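The mechanism David describes, a protocol-aware datagram that coaxes a reply out of a service so Nmap can report `open` with reason `udp-response` instead of `open|filtered` with `no-response`, is illustrated below. This is an added example, not code from the message or from Nmap: the NTP request is built from the RFC 5905 header layout rather than copied from nmap-payloads, the server reply bytes are constructed for the demonstration, and the state/reason mapping in `classify_udp_port` is a simplified rendering of Nmap's UDP-scan rules (hypothetical helper names throughout).

```python
"""Why a well-formed UDP payload changes Nmap's verdict for a port.

Added example, not Nmap's code. The NTP request follows the RFC 5905
header layout; SAMPLE_NTP_REPLY is a constructed server reply.
"""
import socket
import struct
from collections import Counter
from typing import Dict, Optional, Tuple

NTP_PORT = 123

# Constructed 48-byte NTP server reply: LI=0, VN=4, mode=4 (server),
# stratum 2, poll 3, precision -23, remaining fields zero.
SAMPLE_NTP_REPLY = b"\x24\x02\x03\xe9" + b"\x00" * 44


def build_ntp_client_request() -> bytes:
    """48-byte NTP client request: LI=0, version 4, mode 3. All other
    fields zero; an NTP server still answers with a mode-4 reply, which
    is exactly the 'error or any response is fine' property a scanner
    payload needs (this is our own construction, not nmap-payloads)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # -> 0x23
    return struct.pack("!B", li_vn_mode) + b"\x00" * 47


def parse_ntp_response(data: bytes) -> Optional[dict]:
    """Return header fields if `data` is an NTP server reply (mode 4),
    else None. A datagram that is not mode 4 is not evidence of NTP."""
    if len(data) < 48:
        return None
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", data[:4])
    if (li_vn_mode & 0x07) != 4:
        return None
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x07,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
    }


# Simplified version of Nmap's UDP-scan state rules (mapping is ours).
_ICMP_UNREACH_REASON = {0: "net-unreach", 1: "host-unreach",
                        2: "proto-unreach", 13: "admin-prohibited"}


def classify_udp_port(reply: Optional[bytes],
                      icmp_code: Optional[int]) -> Tuple[str, str]:
    """Map a probe outcome to an (state, reason) pair.

    reply:     UDP datagram received from the target port, or None.
    icmp_code: code of an ICMP type-3 destination-unreachable message
               that came back, or None if none did.
    """
    if reply is not None:
        return ("open", "udp-response")       # any answer proves a listener
    if icmp_code == 3:
        return ("closed", "port-unreach")     # stack said nothing listens
    if icmp_code is not None:
        return ("filtered", _ICMP_UNREACH_REASON.get(icmp_code, "admin-prohibited"))
    return ("open|filtered", "no-response")   # silence is ambiguous


def summarize(results: Dict[int, Tuple[str, str]]) -> dict:
    """Collapse per-port verdicts the way Nmap's 'Not shown:' line does."""
    counts = Counter(state for state, _ in results.values())
    shown = {p: r for p, r in sorted(results.items()) if r[0] != "open|filtered"}
    return {"not_shown_open_filtered": counts["open|filtered"], "shown": shown}


def probe_ntp(host: str, timeout: float = 2.0) -> Tuple[str, str]:
    """Send the constructed request to host:123 and classify the outcome.
    On Linux a connected UDP socket surfaces ICMP port-unreachable as
    ConnectionRefusedError, which we treat as ICMP code 3. Network I/O,
    so not exercised by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, NTP_PORT))
        s.send(build_ntp_client_request())
        try:
            data = s.recv(512)
        except ConnectionRefusedError:
            return classify_udp_port(None, 3)
        except socket.timeout:
            return classify_udp_port(None, None)
    return classify_udp_port(data if parse_ntp_response(data) else data, None)


if __name__ == "__main__":
    # Offline walk-through using the constructed reply.
    print(parse_ntp_response(SAMPLE_NTP_REPLY))
    print(classify_udp_port(SAMPLE_NTP_REPLY, None))
    print(classify_udp_port(None, None))
```

The point of `parse_ntp_response` is the second half of David's request: knowing what kind of response is expected lets a payload's effect be checked, and a reply that does not parse as the protocol is still a reply for port-state purposes, just not confirmation of the service.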
