Nmap Development mailing list archives

Re: POC Payloader dat

From: Jay Fink <jay.fink () gmail com>
Date: Fri, 4 Dec 2009 14:13:31 -0500

How about this format? This only addresses the must haves - not the like toos :)

/* LABEL PROTOCOL  USABLE_DESTINATION_PORTS_LIST  SOURCE_PORT PAYLOAD */

/* radius */
RADIUS udp 1604,1645,1812 -1 {
  "\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
};

/* DNS Service Discovery (DNS-SD) service query, as used in Zeroconf.
   Transaction ID 0x0000, flags 0x0000, 1 question: PTR query for
   _services._dns-sd._udp.local. If the remote host supports DNS-SD it will send
   back a list of all its services. This is the same as a packet capture of
     dns-sd -B _services._dns-sd._udp .
   See section 9 of
   http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt. */
DNS_SD udp 53 53 {
  "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
  "\x09_services\x07_dns-sd\x04_udp\x05local\x00\x00\x0C\x00\x01";
};

/* Internet Key Exchange version 1, phase 1 Main Mode. We offer every
   combination of (DES, 3DES) and (MD5, SHA) in the hope that one of them will
   be acceptable. Because we use a fixed cookie, we set the association lifetime
   to 1 second to reduce the chance that repeated probes will look like
   retransmissions (and therefore not get a response). This payload comes from
     ike-scan --lifetime 1 --cookie 0011223344556677 --trans=5,2,1,2
--trans=5,1,1,2 --trans=1,2,1,2 --trans=1,1,1,2
   We expect another phase 1 message in response. This payload works better with
   a source port of 500 or a randomized initiator cookie. */
IKE udp 500 500 {
static const char payload_ike[] =
  /* Initiator cookie 0x0011223344556677, responder cookie
0x0000000000000000. */
  "\x00\x11\x22\x33\x44\x55\x66\x77\x00\x00\x00\x00\x00\x00\x00\x00"
  /* Version 1, Main Mode, flags 0x00, message ID 0x00000000, length 192. */
  "\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00\x00\xC0"
  /* Security Association payload, length 164, IPSEC, IDENTITY. */
  "\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x01"
  /* Proposal 1, length 152, ISAKMP, 4 transforms. */
  "\x00\x00\x00\x98\x01\x01\x00\x04"
  /* Transform 1, 3DES-CBC, SHA, PSK, group 2. */
  "\x03\x00\x00\x24\x01\x01\x00\x00\x80\x01\x00\x05\x80\x02\x00\x02"
  "\x80\x03\x00\x01\x80\x04\x00\x02"
  "\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01"
  /* Transform 2, 3DES-CBC, MD5, PSK, group 2. */
  "\x03\x00\x00\x24\x02\x01\x00\x00\x80\x01\x00\x05\x80\x02\x00\x01"
  "\x80\x03\x00\x01\x80\x04\x00\x02"
  "\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01"
  /* Transform 3, DES-CBC, SHA, PSK, group 2. */
  "\x03\x00\x00\x24\x03\x01\x00\x00\x80\x01\x00\x01\x80\x02\x00\x02"
  "\x80\x03\x00\x01\x80\x04\x00\x02"
  "\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01"
  /* Transform 4, DES-CBC, MD5, PSK, group 2. */
  "\x00\x00\x00\x24\x04\x01\x00\x00\x80\x01\x00\x01\x80\x02\x00\x01"
  "\x80\x03\x00\x01\x80\x04\x00\x02"
  "\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01";
};
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

POC Payloader dat Jay Fink (Nov 23)
- Re: POC Payloader dat Jay Fink (Nov 24)
- Re: POC Payloader dat David Fifield (Nov 25)
  - Re: POC Payloader dat Jay Fink (Nov 25)
  - Re: POC Payloader dat Jay Fink (Nov 30)
  - Re: POC Payloader dat Jay Fink (Dec 04)
    - Re: POC Payloader dat Jay Fink (Dec 09)
    - Re: POC Payloader dat David Fifield (Dec 13)
    - Re: POC Payloader dat Jay Fink (Dec 14)
    - Re: POC Payloader dat Jay Fink (Dec 19)
    - Re: POC Payloader dat David Fifield (Dec 21)
    - Re: POC Payloader dat Jay Fink (Dec 22)
    - Re: POC Payloader dat Jay Fink (Dec 26)
    - Re: POC Payloader dat David Fifield (Dec 27)
    - Re: POC Payloader dat Jay Fink (Dec 28)
    - Re: POC Payloader dat Jay Fink (Dec 30)

(Thread continues...)