Nmap Development mailing list archives
Re: UDP payloads
From: kx <kxmail () gmail com>
Date: Sat, 4 Jul 2009 11:59:23 +0200
David,

This sounds like a really good idea!

Out of curiosity, have you played with any of Unicornscan's UDP payloads?
http://osace.svn.sourceforge.net/viewvc/osace/trunk/etc/payloads.conf?view=markup

This is one of the reasons Unicornscan started as udpscan in 2004. In their FAQ they recognize another UDP scanner:
http://www.geocities.com/fryxar/scanudp.c

This perl script also has a lot of nice UDP payloads, including some from nmap:
https://labs.portcullis.co.uk/application/udp-proto-scanner/
Inside the tgz: udp-proto-scanner.conf

Cheers,
kx

On Sat, Jul 4, 2009 at 1:45 AM, David Fifield <david () bamsoftware com> wrote:
During the ping probe effectiveness research, we found that UDP probes that have a payload work better than those without, and probes with a payload specific to the protocol work better still. As well as being more effective for host discovery, meaningful payloads sometimes allow a port to be classified as open rather than open|filtered.

I have in a branch code that sends protocol payloads for ports 53, 123, 137, 161, and 1434.

svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads

The payloads are taken from nmap-service-probes. They are:

53: DNSStatusRequest "\0\0\x10\0\0\0\0\0\0\0\0\0"

123: NTPRequest "\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x4f\x23\x4b\x71\xb1\x52\xf3"

137: NBTStat "\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01"

161: SNMPv3GetRequest "\x30\x3a\x02\x01\x03\x30\x0f\x02\x02\x4a\x69\x02\x03\0\xff\xe3\x04\x01\x04\x02\x01\x03\x04\x10\x30\x0e\x04\0\x02\x01\0\x02\x01\0\x04\0\x04\0\x04\0\x30\x12\x04\0\x04\0\xa0\x0c\x02\x02\x37\xf0\x02\x01\0\x02\x01\0\x30\0"

1434: Sqlping "\x02"

A requirement for these payloads is that they should be as harmless as possible. Because they will be sent by default, they should not be anything that will crash a device, annoy an administrator, or change state on a server. I'm not an expert at any of the protocols above. So my question is, are any of these probes too intrusive to be sent by default with every ping or port scan probe? I'd like a yes/no for each of them before merging the branch.

For a couple of these we have options: port 53 also has DNSVersionBindReq and port 161 also has SNMPv1public.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SeclLists.Org
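David's "harmless by default" requirement can be checked by decoding the probes rather than trusting their names. The script below is an added example (not code from the thread or from Nmap) that parses the 53, 123 and 137 payloads quoted above and confirms each is a plain query: a DNS STATUS request with no records, a 48-byte NTP mode 3 client request, and a NetBIOS node-status query for the wildcard name. The byte strings are reconstructed from the message text; the `is_read_only_probe` helper and its criteria are this example's own.

```python
import struct

# Payloads reconstructed from David's message (ports 53, 123, 137).
PAYLOADS = {
    53: b"\0\0\x10\0\0\0\0\0\0\0\0\0",
    123: b"\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00" + b"\x00" * 28
         + b"\xc5\x4f\x23\x4b\x71\xb1\x52\xf3",          # 48-byte NTP packet
    137: b"\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4b" + b"A" * 30
         + b"\0\0\x21\0\x01",
}

def decode_dns(pkt):
    """Parse the 12-byte DNS header; opcode 2 is STATUS (RFC 1035)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {"qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "counts": (qd, an, ns, ar)}

def decode_ntp(pkt):
    """Split the NTP first byte into leap indicator, version and mode."""
    first = pkt[0]
    # mode 3 = client time request; modes 6/7 would be control/private commands
    return {"length": len(pkt), "li": first >> 6,
            "version": (first >> 3) & 7, "mode": first & 7}

def decode_nbt(pkt):
    """Parse a NetBIOS name-service query and undo first-level name encoding."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    nlen = pkt[12]                      # 0x20: 32 encoded chars = 16 raw bytes
    enc = pkt[13:13 + nlen]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, nlen, 2))
    qtype, qclass = struct.unpack("!HH", pkt[13 + nlen + 1:13 + nlen + 5])
    return {"opcode": (flags >> 11) & 0xF, "qdcount": qd,
            "name": raw.rstrip(b"\0").decode("ascii"),
            "qtype": qtype, "qclass": qclass}   # 0x21 = NBSTAT, class 1 = IN

def is_read_only_probe(port):
    """True when the payload is a query/status request that changes no state."""
    pkt = PAYLOADS[port]
    if port == 53:
        d = decode_dns(pkt)
        return d["qr"] == 0 and d["opcode"] == 2 and d["counts"] == (0, 0, 0, 0)
    if port == 123:
        d = decode_ntp(pkt)
        return d["length"] == 48 and d["mode"] == 3
    if port == 137:
        d = decode_nbt(pkt)
        return (d["opcode"] == 0 and d["qdcount"] == 1
                and d["name"] == "*" and d["qtype"] == 0x21)
    return False
```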
Current thread:
- UDP payloads David Fifield (Jul 03)
- Re: UDP payloads Tom Sellers (Jul 03)
- Re: UDP payloads David Fifield (Jul 03)
- Re: UDP payloads Luis M. (Jul 04)
- Re: UDP payloads David Fifield (Jul 04)
- Re: UDP payloads kx (Jul 04)
- Re: UDP payloads David Fifield (Jul 04)
- Re: UDP payloads David Fifield (Jul 22)
- Wireshark dissections of proposed UDP payloads David Fifield (Aug 10)
- Re: Wireshark dissections of proposed UDP payloads David Fifield (Aug 19)
- Re: Wireshark dissections of proposed UDP payloads Henri Salo (Aug 19)
- Re: UDP payloads Tom Sellers (Jul 03)