Nmap Development mailing list archives
Re: UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Jul 2009 12:11:43 -0600
On Fri, Jul 03, 2009 at 05:45:34PM -0600, David Fifield wrote:
> During the ping probe effectiveness research, we found that UDP probes that have a payload work better than those without, and probes with a payload specific to the protocol work better still. As well as being more effective for host discovery, meaningful payloads sometimes allow a port to be classified as open rather than open|filtered. I have in a branch code that sends protocol payloads for ports 53, 123, 137, 161, and 1434.
>
> svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads
>
> The payloads are taken from nmap-service-probes. They are:
>
> 53: DNSStatusRequest "\0\0\x10\0\0\0\0\0\0\0\0\0"
> 123: NTPRequest "\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x4f\x23\x4b\x71\xb1\x52\xf3"
> 137: NBTStat "\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01"
> 161: SNMPv3GetRequest "\x30\x3a\x02\x01\x03\x30\x0f\x02\x02\x4a\x69\x02\x03\0\xff\xe3\x04\x01\x04\x02\x01\x03\x04\x10\x30\x0e\x04\0\x02\x01\0\x02\x01\0\x04\0\x04\0\x04\0\x30\x12\x04\0\x04\0\xa0\x0c\x02\x02\x37\xf0\x02\x01\0\x02\x01\0\x30\0"
> 1434: Sqlping "\x02"
I committed this in r14071. I commented out the Sqlping probe because there is a Snort rule to detect it, and for now I think we should play it safe and not disturb IDSs any more than a port scan does already.

http://cvs.snort.org/viewcvs.cgi/snort/rules/sql.rules?rev=HEAD
http://rootedyour.com/snortsid?sid=2049

I'm going to look at the sources that kx referred to in http://seclists.org/nmap-dev/2009/q3/0026.html and see if there are more payloads that can be added. Anyone is welcome to suggest more; they are defined in the file payload.cc. If the collection gets big enough we'll think about storing them in an external data file.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
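To see why these byte strings count as "meaningful" protocol payloads rather than random filler, here is an added example (not part of the message, and not Nmap's own payload.cc code) that decodes the DNS, NTP and NBTStat probes quoted above into their protocol header fields. The byte constants are constructed from the strings in the message; the field layouts follow RFC 1035, RFC 5905 and RFC 1001.

```python
import struct

# Probe payloads as quoted in the message (constructed here from those strings).
DNS_STATUS_REQUEST = b"\0\0\x10\0\0\0\0\0\0\0\0\0"
NTP_REQUEST = (b"\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00"
               + b"\x00" * 28                          # reference/origin/receive timestamps
               + b"\xc5\x4f\x23\x4b\x71\xb1\x52\xf3")  # transmit timestamp
NBTSTAT = (b"\x80\xf0\0\x10\0\x01\0\0\0\0\0\0"         # 12-byte NBNS header
           + b"\x20\x43\x4b" + b"A" * 30               # length 32 + encoded name
           + b"\0\0\x21\0\x01")                        # terminator, NBSTAT, class IN


def decode_dns_header(payload):
    """Split the 12-byte DNS header (RFC 1035); opcode 2 is STATUS."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_ntp_flags(payload):
    """Leap indicator, version and mode share the first NTP byte (RFC 5905)."""
    first = payload[0]
    return {"li": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}


def decode_nbns_first_level(encoded):
    """Undo NetBIOS first-level encoding (RFC 1001): each name byte is sent as
    two nibbles, each offset by 'A', so 'CK' + 30 x 'A' is '*' padded with NULs."""
    nibbles = [b - 0x41 for b in encoded]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def decode_nbtstat(payload):
    """Parse the NBSTAT query: header, one encoded question name, type, class."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    length = payload[12]
    name = decode_nbns_first_level(payload[13:13 + length])
    qtype, qclass = struct.unpack("!HH", payload[14 + length:18 + length])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "name": name.rstrip(b"\0").decode("ascii"),
            "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    print("53 :", decode_dns_header(DNS_STATUS_REQUEST))   # opcode 2 = STATUS
    print("123:", decode_ntp_flags(NTP_REQUEST))           # version 4, mode 3 (client)
    print("137:", decode_nbtstat(NBTSTAT))                 # name '*', qtype 0x21 NBSTAT
```

The NBTStat probe is the wildcard node-status query, which is why a NetBIOS host answers it with its name table, and the same decoded fields are what an IDS signature for these probes would key on.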