Nmap Development mailing list archives

Re: POC Payloader dat

From: David Fifield <david () bamsoftware com>
Date: Sun, 27 Dec 2009 21:56:25 -0700

On Sat, Dec 26, 2009 at 11:16:00AM -0500, Jay Fink wrote:

On Tue, Dec 22, 2009 at 7:38 PM, Jay Fink <jay.fink () gmail com> wrote:

I'm happy with this format if you want to get started.


Excellent. I'll probably start fiddling with it this weekend.


Ive been working on a prototype for this and so far so good, this
morning however it occured to me that using this format we can have
multiple ports per payload entry but we cannot have multple payloads
per port entry. This will cause a parsing problem as I am matching on
'proto port'; then (for now) printing everything quoted except lines
with \# and stopping when I hit the next 'proto' line. I noticed when
I am looking for radius or citrix I print out 2 sets; I think we still
need a keyword field to differentiate them. So for example:


# Citrix Service Payload
citrix udp  1604,1645,1812
  "\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

# Radius Service Payload
radius udp 1645,1812 "\x01\x00\x00\x14"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

I'm also thinking in the long run the ID field could be used for
different versions of a service as well like bind8 vs. bind9 etc.


I can see your point about the value of having an identifer for payloads
that you otherwise have the same port/protocol combination. However, in
this case, it's not needed, because the citrix payload doesn't go with
ports 1645 or 1812. We may have used that as an example but that's not
the way it is in payload.cc now.

If we're having multiple payloads per port then there are other
questions that need to be answered. Like, how does a port scan work?
Does it send each payload with transmissions until it gets a response?
Does it send the first payload, then send the second if the first one
gets no response? In that case you have to weigh the likelihood that the
packet was dropped versus the likelihood that another payload would work
better; presumably we'd always send the best payloads first.

I'm a bit lost in thinking about how all this should work. How do
Unicornscan's payload groups work?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: POC Payloader dat, (continued)
- - Re: POC Payloader dat Jay Fink (Nov 25)
  - Re: POC Payloader dat Jay Fink (Nov 30)
  - Re: POC Payloader dat Jay Fink (Dec 04)
    - Re: POC Payloader dat Jay Fink (Dec 09)
    - Re: POC Payloader dat David Fifield (Dec 13)
    - Re: POC Payloader dat Jay Fink (Dec 14)
    - Re: POC Payloader dat Jay Fink (Dec 19)
    - Re: POC Payloader dat David Fifield (Dec 21)
    - Re: POC Payloader dat Jay Fink (Dec 22)
    - Re: POC Payloader dat Jay Fink (Dec 26)
    - Re: POC Payloader dat David Fifield (Dec 27)
    - Re: POC Payloader dat Jay Fink (Dec 28)
    - Re: POC Payloader dat Jay Fink (Dec 30)
    - Re: POC Payloader dat David Fifield (Dec 30)
    - Re: POC Payloader dat Jay Fink (Dec 30)