UDP payloads

[David Fifield <david () bamsoftware com>]

During the ping probe effectiveness research, we found that UDP probes
that have a payload work better than those without, and probes with a
payload specific to the protocol work better still. As well as being
more effective for host discovery, meaningful payloads sometimes allow a
port to be classified as open rather than open|filtered.

I have in a branch code that sends protocol payloads for ports 53, 123,
137, 161, and 1434.
        svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads
The payloads are taken from nmap-service-probes. They are:

53: DNSStatusRequest "\0\0\x10\0\0\0\0\0\0\0\0\0"
123: NTPRequest 
"\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x4f\x23\x4b\x71\xb1\x52\xf3"
137: NBTStat "\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01"
161: SNMPv3GetRequest 
"\x30\x3a\x02\x01\x03\x30\x0f\x02\x02\x4a\x69\x02\x03\0\xff\xe3\x04\x01\x04\x02\x01\x03\x04\x10\x30\x0e\x04\0\x02\x01\0\x02\x01\0\x04\0\x04\0\x04\0\x30\x12\x04\0\x04\0\xa0\x0c\x02\x02\x37\xf0\x02\x01\0\x02\x01\0\x30\0"
1434: Sqlping "\x02"

A requirement for these payloads is that they should be as harmless as
possible. Because they will be sent by default, they should not be
anything that will crash a device, annoy an administrator, or change
state on a server.

I'm not an expert at any of the protocols above. So my question is, are
any of these probes too intrusive to be sent by default with every ping
or port scan probe? I'd like a yes/no for each of them before merging
the branch. For a couple of these we have options: port 53 also has
DNSVersionBindReq and port 161 also has SNMPv1public.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org