Nmap Development mailing list archives

Re: UDP payloads


From: David Fifield <david () bamsoftware com>
Date: Fri, 3 Jul 2009 21:04:14 -0600

On Fri, Jul 03, 2009 at 09:24:51PM -0500, Tom Sellers wrote:
> David Fifield wrote:
> > ....
> > I have in a branch code that sends protocol payloads for ports 53, 123,
> > 137, 161, and 1434.
> >      svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads
> > The payloads are taken from nmap-service-probes. They are:
> >
> > ...
> >
> > I'm not an expert at any of the protocols above. So my question is, are
> > any of these probes too intrusive to be sent by default with every ping
> > or port scan probe? I'd like a yes/no for each of them before merging
> > the branch. For a couple of these we have options: port 53 also has
> > DNSVersionBindReq and port 161 also has SNMPv1public.
>
> The SNMPv3GetRequest is safe, but I would expect that the SNMPv1public
> probe would be much more likely to elicit some result given the broad
> deployment of SNMPv1 vs SNMPv3.

Thanks Tom. I chose the SNMPv3GetRequest because it was better in the
ping probe tests, finding 24.2% of up hosts versus 19.8% for
SNMPv1public. In
http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes#a-20090525
-PU161-payload1 is SNMPv1public and -PU161-payload2 is SNMPv3GetRequest.
Maybe it's because SNMPv1public only works with a community string of
"public"? I don't see a community string in SNMPv3GetRequest.
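The difference David points at above (a community string in the SNMPv1 probe, none in the SNMPv3 one) is easy to see by building the two GetRequest messages by hand. The script below is an added example written for this archive page; it is not the nmap-payloads branch code and the byte strings are constructed here, not copied from nmap-service-probes. It BER-encodes an SNMPv1 GetRequest for sysDescr.0 with community "public" and an SNMPv3 GetRequest with empty USM parameters (the engine-discovery form, which needs no community or user name), then runs a small reader over each payload that reports the SNMP version and, for v1/v2c, the clear-text community it carries. The same reader can be pointed at UDP payloads captured from a scan to check which community, if any, a probe exposes on the wire.

```python
"""Constructed SNMPv1 and SNMPv3 GetRequest messages (example code, not the
nmap-service-probes payloads) plus a minimal BER reader that reports which
community string, if any, an SNMP payload carries."""

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, a standard read-only object


def tlv(tag, content):
    """BER tag-length-value with short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def ber_int(value):
    """Minimal two's-complement INTEGER (tag 0x02)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_str(data):
    """OCTET STRING (tag 0x04)."""
    return tlv(0x04, data)


def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def get_request_pdu(request_id, oid):
    """GetRequest-PDU ([0] IMPLICIT, tag 0xa0) with one NULL-valued varbind."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")
    return tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))


def snmpv1_get(community, oid=SYSDESCR_OID, request_id=1):
    """SNMPv1 message: version 0, then the community string in clear text."""
    return tlv(0x30, ber_int(0) + ber_str(community.encode()) + get_request_pdu(request_id, oid))


def snmpv3_discovery_get(oid=SYSDESCR_OID, msg_id=1):
    """SNMPv3 message with empty USM parameters (engine discovery); no community."""
    # msgGlobalData: msgID, msgMaxSize, msgFlags (0x04 = reportable), msgSecurityModel 3 (USM)
    global_data = tlv(0x30, ber_int(msg_id) + ber_int(65507) + ber_str(b"\x04") + ber_int(3))
    # UsmSecurityParameters: engineID, boots, time, userName, authParams, privParams, all empty/zero
    usm = tlv(0x30, ber_str(b"") + ber_int(0) + ber_int(0) + ber_str(b"") + ber_str(b"") + ber_str(b""))
    # ScopedPDU: contextEngineID, contextName, then the PDU itself (unencrypted)
    scoped_pdu = tlv(0x30, ber_str(b"") + ber_str(b"") + get_request_pdu(msg_id, oid))
    return tlv(0x30, ber_int(3) + global_data + ber_str(usm) + scoped_pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmp_version_and_community(packet):
    """(version, community) for v1/v2c, (3, None) for v3, None if not SNMP-shaped."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        return None
    tag, ver, pos = read_tlv(msg)
    if tag != 0x02:
        return None
    version = int.from_bytes(ver, "big", signed=True)
    if version in (0, 1):  # SNMPv1 / SNMPv2c carry a community string next
        tag, community, _ = read_tlv(msg, pos)
        return (version, community.decode("latin-1")) if tag == 0x04 else None
    if version == 3:
        return (3, None)
    return None


if __name__ == "__main__":
    for name, pkt in (("SNMPv1 'public'", snmpv1_get("public")),
                      ("SNMPv3 discovery", snmpv3_discovery_get())):
        print(f"{name}: {len(pkt)} bytes -> {snmp_version_and_community(pkt)}")
```

Running it shows the v1 message answering only where the agent accepts the community "public", because that string is literally part of the datagram, while the v3 message carries version 3 and an empty user name, so any v3-capable agent can at least return a report PDU. A dissector such as Wireshark will show the same fields with their names.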

I forgot to mention, for those who want to check out the probes, you can
do so with this command:
        ./nmap -sU -p 53,123,137,161,1434
If you capture the packets with Wireshark, then the protocols will be
dissected and you can see what each payload means.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
