Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Wireshark dissections of proposed UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Wed, 19 Aug 2009 11:52:36 -0600

On Mon, Aug 10, 2009 at 02:53:40PM -0600, David Fifield wrote:
On Wed, Jul 22, 2009 at 11:55:42AM -0600, David Fifield wrote:
On Sat, Jul 04, 2009 at 11:59:23AM +0200, kx wrote:
This sounds like a really good idea! Out of curiosity, have you
played with any of Unicornscan's UDP payloads?

http://osace.svn.sourceforge.net/viewvc/osace/trunk/etc/payloads.conf?view=markup

This is one of the reasons Unicornscan started as udpscan in 2004.

In their faq they recognize another udp scanner:
http://www.geocities.com/fryxar/scanudp.c

This perl script also has a lot of nice UDP payloads, including some from nmap:

https://labs.portcullis.co.uk/application/udp-proto-scanner/
Inside the tgz: udp-proto-scanner.conf

Here's a summary of payloads we might want to incorporate. Of this list,
I think the most likely candidates are 111/rpcbind, 177/xdmcp,
500/isakmp, 520/route, 1645/radius, 1812/radius, 2049/nfs,
5353/zeroconf, 5632/pcanywherestat. Those are the ones in the top 100
UDP ports, anyway. I would appreciate if some experts could examine
those payloads and comment on their safety.

I have added payloads for all of these protocols, except pcanywherestat,
after researching them for safety. They were all taken from either
nmap-service-probes or from one of the scanners kx listed, though in
some cases I modified the payloads to make them shorter or less
arbitrary. For example, the RADIUS probe in scanudp.c arbitrarily used a
username and password of "a"; our probe contains no authentication at
all and is used only to get back an error response. In addition to the
probes above, I added one for amanda/10080, adapted from Unicornscan.

Of the potential payloads I listed in
http://seclists.org/nmap-dev/2009/q3/0290.html, there are two more that
are in the top 1,000 UDP ports: 5555/rplay and 5632/pcanywherestat.

rplay is a sound protocol. Here is Unicornscan's payload:

        /* rplay ping, needs work */
        udp 5555 -1 1 {
                "\x1e\x11\x00\x00"
        };

The two Unicornscan payloads for pcanywherestat are

        udp 5632 -1 1 {
                "NQ"
        };
        udp 5632 -1 1 {
                "ST"
        };

I'm not averse to adding these, but I don't know what they do and I
don't have a way of testing them. If someone can find out what they do,
let me know.

UDP payloads are cool; they turn this output

All 1000 scanned ports are open|filtered because of 1000 no-responses

into this:

Not shown: 998 open|filtered ports
Reason: 998 no-responses
PORT     STATE SERVICE  REASON
123/udp  open  ntp      udp-response
5353/udp open  zeroconf udp-response

If you have a new payload to offer, please send it in, preferably along
with documentation on what it does, what kind of response is expected,
and the command that generated it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault