Nmap Development
mailing list archives
Re: Wireshark dissections of proposed UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Wed, 19 Aug 2009 11:52:36 -0600
On Mon, Aug 10, 2009 at 02:53:40PM -0600, David Fifield wrote:
On Wed, Jul 22, 2009 at 11:55:42AM -0600, David Fifield wrote:
On Sat, Jul 04, 2009 at 11:59:23AM +0200, kx wrote:
This sounds like a really good idea! Out of curiosity, have you
played with any of Unicornscan's UDP payloads?
http://osace.svn.sourceforge.net/viewvc/osace/trunk/etc/payloads.conf?view=markup
This is one of the reasons Unicornscan started as udpscan in 2004.
In their FAQ they recognize another UDP scanner:
http://www.geocities.com/fryxar/scanudp.c
This Perl script also has a lot of nice UDP payloads, including some from nmap:
https://labs.portcullis.co.uk/application/udp-proto-scanner/
Inside the tgz: udp-proto-scanner.conf
Here's a summary of payloads we might want to incorporate. Of this list,
I think the most likely candidates are 111/rpcbind, 177/xdmcp,
500/isakmp, 520/route, 1645/radius, 1812/radius, 2049/nfs,
5353/zeroconf, 5632/pcanywherestat. Those are the ones in the top 100
UDP ports, anyway. I would appreciate it if some experts could examine
those payloads and comment on their safety.
I have added payloads for all of these protocols, except pcanywherestat,
after researching them for safety. They were all taken from either
nmap-service-probes or from one of the scanners kx listed, though in
some cases I modified the payloads to make them shorter or less
arbitrary. For example, the RADIUS probe in scanudp.c arbitrarily used a
username and password of "a"; our probe contains no authentication at
all and is used only to get back an error response. In addition to the
probes above, I added one for amanda/10080, adapted from Unicornscan.
Of the potential payloads I listed in
http://seclists.org/nmap-dev/2009/q3/0290.html, there are two more that
are in the top 1,000 UDP ports: 5555/rplay and 5632/pcanywherestat.
rplay is a sound protocol. Here is Unicornscan's payload:
/* rplay ping, needs work */
udp 5555 -1 1 {
"\x1e\x11\x00\x00"
};
The two Unicornscan payloads for pcanywherestat are
udp 5632 -1 1 {
"NQ"
};
udp 5632 -1 1 {
"ST"
};
I'm not averse to adding these, but I don't know what they do and I
don't have a way of testing them. If someone can find out what they do,
let me know.
UDP payloads are cool; they turn this output
All 1000 scanned ports are open|filtered because of 1000 no-responses
into this:
Not shown: 998 open|filtered ports
Reason: 998 no-responses
PORT STATE SERVICE REASON
123/udp open ntp udp-response
5353/udp open zeroconf udp-response
If you have a new payload to offer, please send it in, preferably along
with documentation on what it does, what kind of response is expected,
and the command that generated it.
David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
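As an added example, not code from the thread, from Nmap or from Unicornscan: a small Python parser for the payloads.conf entry syntax quoted above, which strips the C-style comments, decodes the \x escapes and concatenates adjacent string literals so the raw probe bytes can be inspected before anyone decides whether to adopt them. The meaning of the two numeric fields after the port (source port with -1 for any, and a payload group number) is an assumption, and the sample entries are constructed from the ones shown in the message.

```python
import re
from dataclasses import dataclass
# Constructed sample in the payloads.conf syntax quoted in the thread (rplay + pcanywherestat).
SAMPLE_CONF = r'''
/* rplay ping, needs work */
udp 5555 -1 1 {
"\x1e\x11\x00\x00"
};
udp 5632 -1 1 {
"NQ"
};
'''

@dataclass
class Payload:
    proto: str
    port: int
    src_port: int    # assumption: -1 means any source port
    group: int       # assumption: payload group number
    data: bytes

_ENTRY = re.compile(r'(\w+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s*\{(.*?)\}\s*;', re.S)
_STRLIT = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[0-7]{1,3}|.)', re.S)
_SIMPLE = {'n': b'\n', 'r': b'\r', 't': b'\t', '\\': b'\\', '"': b'"'}

def unescape(lit: str) -> bytes:
    """Decode a C string literal body (\\xHH, octal and simple escapes) into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(lit):
        out += lit[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc[0] == 'x':
            out.append(int(esc[1:], 16))
        elif esc[0] in '01234567':
            out.append(int(esc, 8) & 0xFF)
        else:
            out += _SIMPLE.get(esc, esc.encode('latin-1'))  # unknown escape: keep the char
        pos = m.end()
    return bytes(out + lit[pos:].encode('latin-1'))

def parse_payloads(text: str) -> list:
    """Return one Payload per entry; adjacent string literals inside {} are concatenated."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)  # strip C-style comments first
    entries = []
    for proto, port, src, group, body in _ENTRY.findall(text):
        data = b''.join(unescape(s) for s in _STRLIT.findall(body))
        entries.append(Payload(proto, int(port), int(src), int(group), data))
    return entries
```

Running parse_payloads(SAMPLE_CONF) yields the 4-byte rplay probe for udp/5555 and the 2-byte "NQ" probe for udp/5632, which is the form in which a payload's content is easiest to review for safety.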