Nmap Development mailing list archives
Re: UDP payload for STUN
From: Gordon Fyodor Lyon <fyodor () nmap org>
Date: Fri, 6 Dec 2019 12:52:42 -0800
Thanks David! Please check it in.
-Fyodor

On Fri, Dec 6, 2019 at 12:51 PM David Fifield <david () bamsoftware com> wrote:
Here is a UDP payload for STUN, which normally runs on port 3478/udp. The payload is a Binding request, which asks the STUN server to return the client's external IP address. It's the same payload sent by the stun-info script, except that it has an all-zero transaction ID instead of a random one. Before: # nmap -n -Pn -sU -p 3478 --reason stun.ekiga.net Starting Nmap 7.80SVN ( https://nmap.org ) Nmap scan report for stun.ekiga.net (216.93.246.18) Host is up, received user-set. PORT STATE SERVICE REASON 3478/udp open|filtered stun no-response Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds After: # nmap -n -Pn -sU -p 3478 --reason stun.ekiga.net Starting Nmap 7.80SVN ( https://nmap.org ) Nmap scan report for stun.ekiga.net (216.93.246.18) Host is up, received user-set (0.080s latency). PORT STATE SERVICE REASON 3478/udp open stun udp-response ttl 48 Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds From 8513abc4eb3fb34ba159a74899432a019a2ad206 Mon Sep 17 00:00:00 2001 From: David Fifield <david () bamsoftware com> Date: Fri, 6 Dec 2019 13:48:02 -0700 Subject: [PATCH] Add UDP payload for STUN. --- CHANGELOG | 3 +++ nmap-payloads | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 45b8b680e..9244d4c5e 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -57,6 +57,9 @@ o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest o [NSE] Fixed a bug in http-wordpress-users.nse that could cause extraneous output to be captured as part of a username. [Duarte Silva] +o [NSE] Added a UDP payload for STUN (Session Traversal Utilities for NAT). + [David Fifield] + Nmap 7.80 [2019-08-10] o [Windows] The Npcap Windows packet capturing library ( https://npcap.org/) diff --git a/nmap-payloads b/nmap-payloads index e13971302..9138fcc7f 100644 --- a/nmap-payloads +++ b/nmap-payloads 
@@ -218,6 +218,13 @@ udp 2302 "\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x # Apple Remote Desktop (ARD) udp 3283 "\0\x14\0\x01\x03" +# STUN Binding request, see RFC 5389 Section 6 +# message type = 0x001, Binding (see Section 18.1) +# message length = 0 +# magic cookie = 0x2112a442 +# transaction ID = "\x00"*12 +udp 3478 "\x00\x01\x00\x00\x21\x12\xa4\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + # Sun Service Tag Discovery protocol (stdiscover) # http://arc.opensolaris.org/caselog/PSARC/2006/638/stdiscover_protocolv2.pdf # Would work better with a varying cookie; the second and later sends of this -- 2.20.1 _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
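Review bot: The new CHANGELOG entry is tagged [NSE], but the only other file this patch touches is nmap-payloads, so no script or NSE library changes here. Suggest dropping the [NSE] tag so the entry is not read as a script change like the http-wordpress-users.nse entry above it, and naming 3478/udp in the entry so readers can see which scans now behave differently.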
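Review bot: In the nmap-payloads hunk, the comment line `# transaction ID = "\x00"*12` records the value but not that it is a deliberate difference from the random ID sent by the stun-info script, which only the cover message mentions. Suggest one more comment line saying the ID is fixed because the payload is static, in the way the stdiscover entry below notes that it would work better with a varying cookie. A smaller point on the same comment block: `message type = 0x001` would match the bytes \x00\x01 more obviously if written as the 16-bit value 0x0001.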
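The Binding request described in the quoted message, decoded field by field, as an added example that is not part of the thread or of Nmap's code. It parses the 20-byte payload from the nmap-payloads entry and a constructed Binding success response; the sample address 192.0.2.10:40000 and all function names are assumptions made for the illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442
# The 20-byte payload from the nmap-payloads entry quoted above.
NMAP_PAYLOAD = bytes.fromhex("00010000" "2112a442" + "00" * 12)
# Constructed sample: Binding success response carrying XOR-MAPPED-ADDRESS
# for 192.0.2.10:40000 (documentation address), same all-zero transaction ID.
SAMPLE_RESPONSE = bytes.fromhex(
    "0101000c" "2112a442" + "00" * 12 + "00200008" "0001bd52" "e112a648")

def parse_header(msg):
    """Decode the fixed 20-byte STUN header (RFC 5389 Section 6)."""
    if len(msg) < 20:
        raise ValueError("shorter than a STUN header")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype & 0xC000 or cookie != MAGIC_COOKIE or length % 4:
        raise ValueError("not a STUN message")
    if len(msg) - 20 != length:
        raise ValueError("length field does not match the datagram")
    # Class bits C1 (0x100) and C0 (0x010) are interleaved with the method bits.
    cls = ((mtype & 0x100) >> 7) | ((mtype & 0x010) >> 4)
    method = (mtype & 0x000F) | ((mtype & 0x00E0) >> 1) | ((mtype & 0x3E00) >> 2)
    return {"class": cls, "method": method, "length": length, "txid": msg[8:20]}

def mapped_address(msg):
    """Return (ip, port) from an IPv4 XOR-MAPPED-ADDRESS attribute, or None."""
    end = 20 + parse_header(msg)["length"]
    pos = 20
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == 0x0020 and alen == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)
            return str(ip), xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return None

def answers(request, response):
    """True if response is a success response to request (method and ID match)."""
    req, resp = parse_header(request), parse_header(response)
    return (resp["class"] == 2 and resp["method"] == req["method"]
            and resp["txid"] == req["txid"])
```

The transaction ID is the only field that ties a response to a particular request, so with the all-zero ID any success response for the same method passes the `answers` check.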