Nmap Development mailing list archives

Re: UDP payloads

From: David Fifield <david () bamsoftware com>
Date: Mon, 6 Jul 2009 12:11:43 -0600

On Fri, Jul 03, 2009 at 05:45:34PM -0600, David Fifield wrote:

During the ping probe effectiveness research, we found that UDP probes
that have a payload work better than those without, and probes with a
payload specific to the protocol work better still. As well as being
more effective for host discovery, meaningful payloads sometimes allow a
port to be classified as open rather than open|filtered.

I have in a branch code that sends protocol payloads for ports 53, 123,
137, 161, and 1434.
      svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads
The payloads are taken from nmap-service-probes. They are:

53: DNSStatusRequest "\0\0\x10\0\0\0\0\0\0\0\0\0"
123: NTPRequest 
"\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x4f\x23\x4b\x71\xb1\x52\xf3"
137: NBTStat "\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01"
161: SNMPv3GetRequest 
"\x30\x3a\x02\x01\x03\x30\x0f\x02\x02\x4a\x69\x02\x03\0\xff\xe3\x04\x01\x04\x02\x01\x03\x04\x10\x30\x0e\x04\0\x02\x01\0\x02\x01\0\x04\0\x04\0\x04\0\x30\x12\x04\0\x04\0\xa0\x0c\x02\x02\x37\xf0\x02\x01\0\x02\x01\0\x30\0"
1434: Sqlping "\x02"


I committed this in r14071. I commented out the Sqlping probe because
there is a Snort rule to detect it, and for now I think we should play
it safe and not disturb IDSs any more than a port scan does already.

http://cvs.snort.org/viewcvs.cgi/snort/rules/sql.rules?rev=HEAD
http://rootedyour.com/snortsid?sid=2049

I'm going to look at the sources that kx referred to in
http://seclists.org/nmap-dev/2009/q3/0026.html and see if there are more
payloads that can be added. Anyone is welcome to suggest more; they are
defined in the file payload.cc. If the collection gets big enough we'll
think about storing them in an external data file.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Re: UDP payloads, (continued)
- Re: UDP payloads Tom Sellers (Jul 03)
  - Re: UDP payloads David Fifield (Jul 03)
- Re: UDP payloads Luis M. (Jul 04)
  - Re: UDP payloads David Fifield (Jul 04)
- Re: UDP payloads kx (Jul 04)
  - Re: UDP payloads David Fifield (Jul 04)
  - Re: UDP payloads David Fifield (Jul 22)
    - Wireshark dissections of proposed UDP payloads David Fifield (Aug 10)
    - Re: Wireshark dissections of proposed UDP payloads David Fifield (Aug 19)
    - Re: Wireshark dissections of proposed UDP payloads Henri Salo (Aug 19)
- Re: UDP payloads David Fifield (Jul 06)