Nmap Development mailing list archives
Re: UDP payloads
From: David Fifield <david () bamsoftware com>
Date: Wed, 22 Jul 2009 11:55:42 -0600
On Sat, Jul 04, 2009 at 11:59:23AM +0200, kx wrote:
> This sounds like a really good idea! Out of curiosity, have you played with any of Unicornscan's UDP payloads?
> http://osace.svn.sourceforge.net/viewvc/osace/trunk/etc/payloads.conf?view=markup
> This is one of the reasons Unicornscan started as udpscan in 2004. In their faq they recognize another udp scanner:
> http://www.geocities.com/fryxar/scanudp.c
> This perl script also has a lot of nice UDP payloads, including some from nmap:
> https://labs.portcullis.co.uk/application/udp-proto-scanner/
> Inside the tgz: udp-proto-scanner.conf
Here's a summary of payloads we might want to incorporate. Of this list, I think the most likely candidates are 111/rpcbind, 177/xdmcp, 500/isakmp, 520/route, 1645/radius, 1812/radius, 2049/nfs, 5353/zeroconf, 5632/pcanywherestat. Those are the ones in the top 100 UDP ports, anyway. I would appreciate if some experts could examine those payloads and comment on their safety.

I couldn't find what protocols unicornscan's payloads for ports 36 ("aaaaa"), 921 ("\x00\x00\x00\x29\x00\x00\x00\x00..."), 7983 ("ping"), and 31337 ("\xce\x63\xd1\xd2...") are for.

These programs all have non-empty payloads for ports like chargen, daytime, netstat, systat, time, and qotd that respond to empty packets. The only reason I can think of for this is that maybe firewalls will drop packets with empty payloads before the services can respond. In that case you could just use --data-length, but then you would lose the port-specific payloads in the current implementation.

David Fifield

http://en.wikipedia.org/wiki/File_Service_Protocol
21 fsp "\x10\x44\xf0\x33\x04\x00\x00\x00\x00\x00\x00\x00"

# portmapper V2 GETPORT call
111 rpcbind "\x1f\xac\x4a\x1e\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x11\x00\x00\x00\x00"

http://en.wikipedia.org/wiki/X_display_manager
177 xdmcp "\x00\x01\x00\x02\x00\x01\x00\x00"

500 isakmp "\x6e\x32\x4e\x49\x24\xf2\xbc\xbe\x00\x00\x00\x00\x00\x00\x00\x00"...

520 route "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10"

523 ibm-db2 "\x44\x42\x32\x47\x45\x54\x41\x44\x44\x52\x00\x53\x51\x4c\x30\x38\x30\x32\x30"

http://support.citrix.com/article/CTX425548
1604 citrix "\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

1645 radius "\x01\x86\x00\x35\x60\x05\x90\x90\x77\x74\x08\x14\xe8\xfa\xb9\x68\x96\x3d\xd1\xba\x01\x03\x61\x02\x12\xd1\x96\xe0\x60\x49\x22\xb5\x68\xca\xc0\xd3\xfc\xd5\x55\x43\x2f\x04\x06\xff\xff\xff\xff\x05\x06\x00\x00\x00\x01"

1812 radius "\x01\x86\x00\x35\x60\x05\x90\x90\x77\x74\x08\x14\xe8\xfa\xb9\x68\x96\x3d\xd1\xba\x01\x03\x61\x02\x12\xd1\x96\xe0\x60\x49\x22\xb5\x68\xca\xc0\xd3\xfc\xd5\x55\x43\x2f\x04\x06\xff\xff\xff\xff\x05\x06\x00\x00\x00\x01"

# Some online gaming thing?
2032 binderysupport "\\status\\"

2049 nfs "\x12\x34\x56\x78\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa3\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

# Older STUN, http://tools.ietf.org/html/rfc3489, CHANGE-REQUEST
3478 stun "\x00\x01\x00\x08\x12\x23\x34\x45\x56\x67\x78\x89\x90\x01\x12\x23\x34\x45\x56\x67\x00\x03\x00\x04\x00\x00\x00\x00"

# Zeroconf DNS-based service discovery
5353 zeroconf "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x5f\x73\x65\x72\x76\x69\x63\x65\x73\x07\x5f\x64\x6e\x73\x2d\x73\x64\x04\x5f\x75\x64\x70\x05\x6c\x6f\x63\x61\x6c\x00\x00\x0c\x00\x01"

http://www.rootr.net/man/info/rplayd
5555 rplay "\x1e\x11\x00\x00"

/* unicornscan says "needs work." */
5632 pcanywherestat "NQ"

5602 netop-rc "\xd6\x81\x81\x52\x00\x00\x00\xf3\x87\x4e\x01\x02\x32\x00\xa8\xc0\x00\x00\x01\x13\xc1\xd9\x04\xdd\x03\x7d\x00\x00\x0d\x00\x54\x48\x43\x54\x48\x43\x54\x48\x43\x54\x48\x43\x54\x48\x43\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x02\x32\x00\xa8\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

http://www-01.ibm.com/support/docview.wss?rs=0&q=%2BAFS&uid=swg21044407
7001 afs3-callback "\x00\x00\x03\xe7\x00\x00\x00\x00\x00\x00\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x0d\x05\x00\x00\x00\x00\x00\x00"

http://dslinux.gits.kiev.ua/tags/uclinux/uclinux_20051014/user/nessus/nessus-plugins/scripts/amanda_detect.nasl
10080 amanda "Amanda 2.3 REQ HANDLE 000-65637373 SEQ 954568800\nSERVICE amanda\n"

http://www.tilion.org.uk/Games/Quake_3/Network_Protocol
27960 quake3 "\xff\xff\xff\xffgetchallenge\x00\x00"

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
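The message asks for experts to examine the payloads and comment on their safety. The decoder below is an added example for this archive page, not part of David's message, of Nmap or of Unicornscan: it parses the 111/rpcbind, 2049/nfs and 5353/zeroconf payloads from the list above field by field, so a reviewer can see what each probe actually asks a service for (a portmapper GETPORT lookup for portmapper itself over UDP, an NFS NULL call, and a PTR query for _services._dns-sd._udp.local). The byte strings are re-typed from the list; the program-number table, the XDR padding rule and the DNS wire format come from the RPC and DNS specifications, not from the page. The parsers are generic but deliberately minimal: only the RPC CALL direction and uncompressed DNS names are handled.

```python
"""Decode the SunRPC and mDNS probe payloads listed in the message above.

Added example: byte strings re-typed field by field from the list; the
parsers are generic and are not Nmap or Unicornscan code.
"""
import struct

# SunRPC program numbers that occur in the list (values from rpc(5)).
RPC_PROGRAMS = {100000: "portmapper", 100003: "nfs"}
RPC_PROTOCOLS = {6: "tcp", 17: "udp"}

# 111/rpcbind payload: portmapper V2 GETPORT call, 56 bytes.
RPCBIND_GETPORT = b"".join([
    b"\x1f\xac\x4a\x1e",  # XID
    b"\x00\x00\x00\x00",  # msg_type 0 = CALL
    b"\x00\x00\x00\x02",  # RPC version 2
    b"\x00\x01\x86\xa0",  # program 100000 (portmapper)
    b"\x00\x00\x00\x02",  # program version 2
    b"\x00\x00\x00\x03",  # procedure 3 (GETPORT)
    b"\x00" * 8,          # credentials: flavor AUTH_NULL, length 0
    b"\x00" * 8,          # verifier: flavor AUTH_NULL, length 0
    b"\x00\x01\x86\xa0",  # GETPORT arg: program 100000
    b"\x00\x00\x00\x02",  # GETPORT arg: version 2
    b"\x00\x00\x00\x11",  # GETPORT arg: protocol 17 (UDP)
    b"\x00\x00\x00\x00",  # GETPORT arg: port 0 (ignored by the server)
])

# 2049/nfs payload: NFS V2 NULL call, 40 bytes.
NFS_NULL = b"".join([
    b"\x12\x34\x56\x78",  # XID
    b"\x00\x00\x00\x00",  # CALL
    b"\x00\x00\x00\x02",  # RPC version 2
    b"\x00\x01\x86\xa3",  # program 100003 (nfs)
    b"\x00\x00\x00\x02",  # version 2
    b"\x00\x00\x00\x00",  # procedure 0 (NULL)
    b"\x00" * 16,         # AUTH_NULL credentials and verifier
])

# 5353/zeroconf payload: DNS-SD service enumeration query.
MDNS_SERVICES = b"".join([
    b"\x00\x00",                  # ID 0 (mDNS queries use 0)
    b"\x00\x00",                  # flags: standard query
    b"\x00\x01",                  # QDCOUNT 1
    b"\x00\x00\x00\x00\x00\x00",  # ANCOUNT, NSCOUNT, ARCOUNT 0
    b"\x09_services\x07_dns-sd\x04_udp\x05local\x00",  # QNAME
    b"\x00\x0c",                  # QTYPE PTR
    b"\x00\x01",                  # QCLASS IN
])


def xdr_pad(n):
    """XDR rounds opaque lengths up to a multiple of 4 bytes."""
    return (n + 3) & ~3


def decode_rpc_call(payload):
    """Parse an RPC CALL header (RFC 5531); for portmapper GETPORT also parse its args."""
    if len(payload) < 40:
        raise ValueError("too short for an RPC call header with AUTH_NULL")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if msg_type != 0:
        raise ValueError("not an RPC CALL")
    off = 24
    cred_flavor, cred_len = struct.unpack("!2I", payload[off:off + 8])
    off += 8 + xdr_pad(cred_len)
    verf_flavor, verf_len = struct.unpack("!2I", payload[off:off + 8])
    off += 8 + xdr_pad(verf_len)
    call = {
        "xid": xid, "rpcvers": rpcvers, "prog": prog,
        "prog_name": RPC_PROGRAMS.get(prog, "unknown"), "vers": vers, "proc": proc,
        "cred_flavor": cred_flavor, "verf_flavor": verf_flavor, "args": payload[off:],
    }
    if prog == 100000 and vers == 2 and proc == 3:  # portmapper V2 GETPORT
        a_prog, a_vers, a_prot, a_port = struct.unpack("!4I", payload[off:off + 16])
        call["getport"] = {"prog": a_prog, "prog_name": RPC_PROGRAMS.get(a_prog, "unknown"),
                           "vers": a_vers, "prot": RPC_PROTOCOLS.get(a_prot, a_prot), "port": a_port}
    return call


def decode_dns_query(payload):
    """Parse a DNS header and its question section (uncompressed names only)."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        labels = []
        while True:
            length = payload[off]
            off += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in a standalone query")
            labels.append(payload[off:off + length].decode("ascii"))
            off += length
        qtype, qclass = struct.unpack("!2H", payload[off:off + 4])
        off += 4
        questions.append({"name": ".".join(labels), "qtype": qtype, "qclass": qclass})
    return {"id": ident, "flags": flags, "questions": questions,
            "answers": (ancount, nscount, arcount), "trailing": len(payload) - off}


if __name__ == "__main__":
    for port, name, payload in [(111, "rpcbind", RPCBIND_GETPORT), (2049, "nfs", NFS_NULL)]:
        print(port, name, decode_rpc_call(payload))
    print(5353, "zeroconf", decode_dns_query(MDNS_SERVICES))
```

Run as a script it prints the decoded fields; the "trailing" count in the DNS result is there so a reviewer notices if a payload carries bytes beyond the parsed question, which would be worth a closer look before shipping it.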
Current thread:
- UDP payloads David Fifield (Jul 03)
- Re: UDP payloads Tom Sellers (Jul 03)
- Re: UDP payloads David Fifield (Jul 03)
- Re: UDP payloads Luis M. (Jul 04)
- Re: UDP payloads David Fifield (Jul 04)
- Re: UDP payloads kx (Jul 04)
- Re: UDP payloads David Fifield (Jul 04)
- Re: UDP payloads David Fifield (Jul 22)
- Wireshark dissections of proposed UDP payloads David Fifield (Aug 10)
- Re: Wireshark dissections of proposed UDP payloads David Fifield (Aug 19)
- Re: Wireshark dissections of proposed UDP payloads Henri Salo (Aug 19)
- Re: UDP payloads Tom Sellers (Jul 03)