Nmap Development mailing list archives

Wireshark dissections of proposed UDP payloads


From: David Fifield <david () bamsoftware com>
Date: Mon, 10 Aug 2009 14:53:40 -0600

On Wed, Jul 22, 2009 at 11:55:42AM -0600, David Fifield wrote:
> On Sat, Jul 04, 2009 at 11:59:23AM +0200, kx wrote:
> > This sounds like a really good idea! Out of curiosity, have you
> > played with any of Unicornscan's UDP payloads?
> >
> > http://osace.svn.sourceforge.net/viewvc/osace/trunk/etc/payloads.conf?view=markup
> >
> > This is one of the reasons Unicornscan started as udpscan in 2004.
> >
> > In their FAQ they recognize another UDP scanner:
> > http://www.geocities.com/fryxar/scanudp.c
> >
> > This Perl script also has a lot of nice UDP payloads, including some from nmap:
> >
> > https://labs.portcullis.co.uk/application/udp-proto-scanner/
> > Inside the tgz: udp-proto-scanner.conf
>
> Here's a summary of payloads we might want to incorporate. Of this list,
> I think the most likely candidates are 111/rpcbind, 177/xdmcp,
> 500/isakmp, 520/route, 1645/radius, 1812/radius, 2049/nfs,
> 5353/zeroconf, 5632/pcanywherestat. Those are the ones in the top 100
> UDP ports, anyway. I would appreciate if some experts could examine
> those payloads and comment on their safety.

Here are Wireshark dissections of payloads for these protocols. At
first glance, they all look safe except for {1645,1812}/radius, which
uses a default username and password. Can anyone confirm that these
payloads are safe, that they won't change state on a server, annoy an
admin, or be flagged as an intrusion attempt?

The nmap build that sent these payloads can be checked out with
svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/david/nmap-payloads

David Fifield

User Datagram Protocol, Src Port: 61715 (61715), Dst Port: sunrpc (111)
Remote Procedure Call, Type:Call XID:0x72fe1d13
    XID: 0x72fe1d13 (1929256211)
    Message Type: Call (0)
    RPC Version: 2
    Program: Portmap (100000)
    Program Version: 104316
    Procedure: proc-0 (0)
    Credentials
        Flavor: AUTH_NULL (0)
        Length: 0
    Verifier
        Flavor: AUTH_NULL (0)
        Length: 0
Portmap
    [Program Version: 104316]
    [Procedure: proc-0 (0)]
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00   .......P...a..E.
0010  00 44 cc a1 00 00 34 11 f5 44 c0 a8 00 15 01 02   .D....4..D......
0020  03 04 f1 13 00 6f 00 30 9b 15 72 fe 1d 13 00 00   .....o.0..r.....
0030  00 00 00 00 00 02 00 01 86 a0 00 01 97 7c 00 00   .............|..
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00                                             ..

User Datagram Protocol, Src Port: 61715 (61715), Dst Port: xdmcp (177)
X Display Manager Control Protocol
    Version: 1
    Opcode: Query (0x0002)
    Message length: 1
    Authorization names (0)
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00   .......P...a..E.
0010  00 24 71 2f 00 00 25 11 5f d7 c0 a8 00 15 01 02   .$q/..%._.......
0020  03 04 f1 13 00 b1 00 10 49 42 00 01 00 02 00 01   ........IB......
0030  00 00                                             ..

User Datagram Protocol, Src Port: 61715 (61715), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 4D13F384E6A3EDAF
    Responder cookie: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x00
        .... ...0 = Not encrypted
        .... ..0. = No commit
        .... .0.. = No authentication
    Message ID: 0x00000000
    Length: 336
    Security Association payload
        Next payload: NONE (0)
        Payload length: 308
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload # 1
            Next payload: NONE (0)
            Payload length: 296
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 8
            Transform payload # 1
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 2
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 2
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 3
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 3
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 4
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 4
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 5
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 5
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Default 768-bit MODP group (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 6
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 6
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): 3DES-CBC (5)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Default 768-bit MODP group (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 7
                Next payload: Transform (3)
                Payload length: 36
                Transform number: 7
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): SHA (2)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Default 768-bit MODP group (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
            Transform payload # 8
                Next payload: NONE (0)
                Payload length: 36
                Transform number: 8
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): DES-CBC (1)
                Hash-Algorithm (2): MD5 (1)
                Authentication-Method (3): PSK (1)
                Group-Description (4): Default 768-bit MODP group (1)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (28800)
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00   .......P...a..E.
0010  01 6c 10 ee 00 00 28 11 bb d0 c0 a8 00 15 01 02   .l....(.........
0020  03 04 f1 13 01 f4 01 58 69 18 4d 13 f3 84 e6 a3   .......Xi.M.....
0030  ed af 00 00 00 00 00 00 00 00 01 10 02 00 00 00   ................
0040  00 00 00 00 01 50 00 00 01 34 00 00 00 01 00 00   .....P...4......
0050  00 01 00 00 01 28 01 01 00 08 03 00 00 24 01 01   .....(.......$..
0060  00 00 80 01 00 05 80 02 00 02 80 03 00 01 80 04   ................
0070  00 02 80 0b 00 01 00 0c 00 04 00 00 70 80 03 00   ............p...
0080  00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03   .$..............
0090  00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00   ................
00a0  70 80 03 00 00 24 03 01 00 00 80 01 00 01 80 02   p....$..........
00b0  00 02 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c   ................
00c0  00 04 00 00 70 80 03 00 00 24 04 01 00 00 80 01   ....p....$......
00d0  00 01 80 02 00 01 80 03 00 01 80 04 00 02 80 0b   ................
00e0  00 01 00 0c 00 04 00 00 70 80 03 00 00 24 05 01   ........p....$..
00f0  00 00 80 01 00 05 80 02 00 02 80 03 00 01 80 04   ................
0100  00 01 80 0b 00 01 00 0c 00 04 00 00 70 80 03 00   ............p...
0110  00 24 06 01 00 00 80 01 00 05 80 02 00 01 80 03   .$..............
0120  00 01 80 04 00 01 80 0b 00 01 00 0c 00 04 00 00   ................
0130  70 80 03 00 00 24 07 01 00 00 80 01 00 01 80 02   p....$..........
0140  00 02 80 03 00 01 80 04 00 01 80 0b 00 01 00 0c   ................
0150  00 04 00 00 70 80 00 00 00 24 08 01 00 00 80 01   ....p....$......
0160  00 01 80 02 00 01 80 03 00 01 80 04 00 01 80 0b   ................
0170  00 01 00 0c 00 04 00 00 70 80                     ........p.

User Datagram Protocol, Src Port: 61715 (61715), Dst Port: router (520)
Routing Information Protocol
    Command: Request (1)
    Version: RIPv1 (1)
    Address not specified, Metric: 16
        Address Family: Unspecified (0)
        Metric: 16
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00   .......P...a..E.
0010  00 34 fc 52 00 00 2e 11 cb a3 c0 a8 00 15 01 02   .4.R............
0020  03 04 f1 13 02 08 00 20 46 be 01 01 00 00 00 00   ....... F.......
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 10                                             ..

User Datagram Protocol, Src Port: 61715 (61715), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x86 (134)
    Length: 53
    Authenticator: 6005909077740814E8FAB968963DD1BA
    Attribute Value Pairs
        AVP: l=3  t=User-Name(1): a
            User-Name: a
        AVP: l=18  t=User-Password(2): Encrypted
            User-Password: \321\226\340`I"\265h\312\300\323\374\325UC/
        AVP: l=6  t=NAS-IP-Address(4): 255.255.255.255
            NAS-IP-Address: 255.255.255.255 (255.255.255.255)
        AVP: l=6  t=NAS-Port(5): 1
            NAS-Port: 1
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00   .......P...a..E.
0010  00 51 22 4b 00 00 39 11 9a 8e c0 a8 00 15 01 02   .Q"K..9.........
0020  03 04 f1 13 07 14 00 3d 7f dd 01 86 00 35 60 05   .......=.....5`.
0030  90 90 77 74 08 14 e8 fa b9 68 96 3d d1 ba 01 03   ..wt.....h.=....
0040  61 02 12 d1 96 e0 60 49 22 b5 68 ca c0 d3 fc d5   a.....`I".h.....
0050  55 43 2f 04 06 ff ff ff ff 05 06 00 00 00 01      UC/............

User Datagram Protocol, Src Port: 61715 (61715), Dst Port: nfs (2049)
Remote Procedure Call, Type:Call XID:0x12345678
    XID: 0x12345678 (305419896)
    Message Type: Call (0)
    RPC Version: 2
    Program: NFS (100003)
    Program Version: 2
    Procedure: NULL (0)
    Credentials
        Flavor: AUTH_NULL (0)
        Length: 0
    Verifier
        Flavor: AUTH_NULL (0)
        Length: 0
Network File System
    [Program Version: 2]
    [V2 Procedure: NULL (0)]
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00   .......P...a..E.
0010  00 44 6a 1d 00 00 25 11 66 c9 c0 a8 00 15 01 02   .Dj...%.f.......
0020  03 04 f1 13 08 01 00 30 52 61 12 34 56 78 00 00   .......0Ra.4Vx..
0030  00 00 00 00 00 02 00 01 86 a3 00 00 00 02 00 00   ................
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00                                             ..

User Datagram Protocol, Src Port: 61715 (61715), Dst Port: mdns (5353)
Domain Name System (query)
    Transaction ID: 0x0000
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        _services._dns-sd._udp.local: type PTR, class IN, "QM" question
            Name: _services._dns-sd._udp.local
            Type: PTR (Domain name pointer)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = "QU" question: False
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00   .......P...a..E.
0010  00 4a 06 02 00 00 2f 11 c0 de c0 a8 00 15 01 02   .J..../.........
0020  03 04 f1 13 14 e9 00 36 fe a8 00 00 00 00 00 01   .......6........
0030  00 00 00 00 00 00 09 5f 73 65 72 76 69 63 65 73   ......._services
0040  07 5f 64 6e 73 2d 73 64 04 5f 75 64 70 05 6c 6f   ._dns-sd._udp.lo
0050  63 61 6c 00 00 0c 00 01                           cal.....
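To check what the 111/rpcbind, 177/xdmcp and 520/route probes above actually ask a server to do, here is an added Python example; it is not Nmap's code and not part of the original post. It parses the hex dumps copied from the dissections, strips the Ethernet/IPv4/UDP headers and decodes the fields that decide the server's action: the ONC RPC procedure and authentication flavor (RFC 5531), the RIPv1 command and route entry (RFC 1058), and the XDMCP opcode. The function names and dictionary keys are the example's own.

```python
"""Decode the probe payloads from the dissections above and report what
each one requests.  Added example, not Nmap code: the hex dumps are copied
from the dissections (hex column only); the parsing follows RFC 5531
(ONC RPC), RFC 1058 (RIPv1) and the XDMCP 1.1 header layout."""
import struct

DUMP_RPCBIND_111 = """
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00
0010  00 44 cc a1 00 00 34 11 f5 44 c0 a8 00 15 01 02
0020  03 04 f1 13 00 6f 00 30 9b 15 72 fe 1d 13 00 00
0030  00 00 00 00 00 02 00 01 86 a0 00 01 97 7c 00 00
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050  00 00
"""
DUMP_XDMCP_177 = """
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00
0010  00 24 71 2f 00 00 25 11 5f d7 c0 a8 00 15 01 02
0020  03 04 f1 13 00 b1 00 10 49 42 00 01 00 02 00 01
0030  00 00
"""
DUMP_RIP_520 = """
0000  00 15 05 a2 c7 00 00 50 bf 16 11 61 08 00 45 00
0010  00 34 fc 52 00 00 2e 11 cb a3 c0 a8 00 15 01 02
0020  03 04 f1 13 02 08 00 20 46 be 01 01 00 00 00 00
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040  00 10
"""


def parse_hexdump(text):
    """Turn a Wireshark 'offset  xx xx ...' dump back into the raw frame."""
    out = bytearray()
    for line in text.strip().splitlines():
        out.extend(bytes.fromhex("".join(line.split()[1:])))
    return bytes(out)


def udp_payload(frame):
    """Strip Ethernet (14 bytes), IPv4 (IHL*4 bytes) and UDP (8 bytes)."""
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    _sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    return dport, udp[8:ulen]


def parse_rpc_call(p):
    """ONC RPC call header (RFC 5531).  Procedure 0 is the NULL procedure
    that every program must implement and that performs no action."""
    (xid, mtype, rpcvers, prog, vers, proc,
     cred_flavor, cred_len) = struct.unpack("!8I", p[:32])
    off = 32 + ((cred_len + 3) & ~3)          # credential body is XDR-padded
    verf_flavor, verf_len = struct.unpack("!II", p[off:off + 8])
    return {"xid": xid, "call": mtype == 0, "rpcvers": rpcvers,
            "prog": prog, "vers": vers, "proc": proc,
            "auth_null": (cred_flavor == 0 and cred_len == 0
                          and verf_flavor == 0 and verf_len == 0)}


def parse_rip(p):
    """RIPv1 packet (RFC 1058): 4-byte header then 20-byte route entries.
    A request with one AF=0 entry and metric 16 asks for the whole table."""
    cmd, ver = p[0], p[1]
    entries = [struct.unpack("!HH4s4s4sI", p[i:i + 20])
               for i in range(4, len(p), 20)]
    whole_table = (cmd == 1 and len(entries) == 1
                   and entries[0][0] == 0 and entries[0][5] == 16)
    return {"request": cmd == 1, "version": ver,
            "entries": len(entries), "whole_table_request": whole_table}


def parse_xdmcp(p):
    """XDMCP header: version, opcode, length, then `length` bytes of data.
    Opcode 2 (Query) carries a one-byte count of authorization names."""
    version, opcode, length = struct.unpack("!HHH", p[:6])
    data = p[6:6 + length]
    return {"version": version, "query": opcode == 2,
            "auth_names": data[0] if data else None,
            "trailing_bytes": len(p) - 6 - length}


def decode(dump):
    """Dispatch a dump to the parser for its destination port."""
    dport, p = udp_payload(parse_hexdump(dump))
    parser = {111: parse_rpc_call, 2049: parse_rpc_call,
              520: parse_rip, 177: parse_xdmcp}[dport]
    return dport, parser(p)


if __name__ == "__main__":
    for dump in (DUMP_RPCBIND_111, DUMP_XDMCP_177, DUMP_RIP_520):
        print(decode(dump))
```

For the rpcbind dump this reports program 100000, procedure 0 (NULL) with AUTH_NULL credentials and verifier, which is the no-op call the dissection shows; the unusual program version 104316 comes straight from the bytes `00 01 97 7c` and does not change what a NULL call does. The RIP dump decodes as a plain whole-table request, and the XDMCP dump carries one byte beyond its declared message length of 1, which the dissection silently ignores.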

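The port-500 probe is the one dissection above whose bytes carry real negotiation content, so here is an added Python example (not Nmap's or Wireshark's code, not part of the original post) that walks its ISAKMP header, Security Association payload, proposal and the eight transform payloads, following the layouts in RFC 2408 and the IKE attribute classes in RFC 2409. The bytes are the UDP payload copied from the port-500 hex dump above (frame offset 0x2a onward); the function names, dictionary keys and the short algorithm name tables are the example's own. From a defender's side, the interesting output is which combinations a responder could accept: the probe offers every pairing of 3DES/DES, SHA/MD5 and MODP groups 2/1 with pre-shared-key authentication, and a peer that selects single DES or the 768-bit group is advertising a legacy configuration.

```python
"""Parse the IKEv1 SA proposal of the port-500 probe above.  Added
example; the bytes below are the UDP payload copied from that dissection's
hex dump (frame offset 0x2a to the end), laid out in the dump's own rows."""
import struct

ISAKMP_PAYLOAD_HEX = """
4d 13 f3 84 e6 a3
ed af 00 00 00 00 00 00 00 00 01 10 02 00 00 00
00 00 00 00 01 50 00 00 01 34 00 00 00 01 00 00
00 01 00 00 01 28 01 01 00 08 03 00 00 24 01 01
00 00 80 01 00 05 80 02 00 02 80 03 00 01 80 04
00 02 80 0b 00 01 00 0c 00 04 00 00 70 80 03 00
00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03
00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00
70 80 03 00 00 24 03 01 00 00 80 01 00 01 80 02
00 02 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c
00 04 00 00 70 80 03 00 00 24 04 01 00 00 80 01
00 01 80 02 00 01 80 03 00 01 80 04 00 02 80 0b
00 01 00 0c 00 04 00 00 70 80 03 00 00 24 05 01
00 00 80 01 00 05 80 02 00 02 80 03 00 01 80 04
00 01 80 0b 00 01 00 0c 00 04 00 00 70 80 03 00
00 24 06 01 00 00 80 01 00 05 80 02 00 01 80 03
00 01 80 04 00 01 80 0b 00 01 00 0c 00 04 00 00
70 80 03 00 00 24 07 01 00 00 80 01 00 01 80 02
00 02 80 03 00 01 80 04 00 01 80 0b 00 01 00 0c
00 04 00 00 70 80 00 00 00 24 08 01 00 00 80 01
00 01 80 02 00 01 80 03 00 01 80 04 00 01 80 0b
00 01 00 0c 00 04 00 00 70 80
"""
ISAKMP_MSG = bytes.fromhex(ISAKMP_PAYLOAD_HEX)

# IKEv1 phase-1 attribute classes (RFC 2409 appendix A) and the values seen above
ATTR_CLASS = {1: "enc", 2: "hash", 3: "auth", 4: "group",
              11: "life_type", 12: "life_duration"}
ENC = {1: "DES-CBC", 5: "3DES-CBC"}
HASH = {1: "MD5", 2: "SHA"}
AUTH = {1: "PSK"}
GROUP = {1: "MODP-768", 2: "MODP-1024"}


def parse_attributes(buf):
    """Data attributes (RFC 2408 section 3.3): a 2-byte type whose high bit
    selects TV (2-byte value) or TLV (2-byte length followed by the value)."""
    attrs, off = {}, 0
    while off < len(buf):
        af_type, second = struct.unpack("!HH", buf[off:off + 4])
        atype = af_type & 0x7FFF
        if af_type & 0x8000:                      # TV form
            value, off = second, off + 4
        else:                                     # TLV form, `second` is the length
            value = int.from_bytes(buf[off + 4:off + 4 + second], "big")
            off += 4 + second
        attrs[ATTR_CLASS.get(atype, atype)] = value
    return attrs


def parse_isakmp_sa(msg):
    """Decode the ISAKMP header, SA payload, first proposal and its transforms."""
    (_icky, _rcky, next_payload, _version, exch, _flags,
     _msgid, length) = struct.unpack("!8s8sBBBBII", msg[:28])
    if next_payload != 1 or length != len(msg):
        raise ValueError("expected a Security Association payload first")
    _np, _r, _sa_len, doi, situation = struct.unpack("!BBHII", msg[28:40])
    (_np, _r, _prop_len, prop_num, proto_id,
     spi_size, n_transforms) = struct.unpack("!BBHBBBB", msg[40:48])
    transforms, off = [], 48 + spi_size
    for _ in range(n_transforms):
        _np, _r, t_len, t_num, _t_id, _res = struct.unpack("!BBHBBH", msg[off:off + 8])
        a = parse_attributes(msg[off + 8:off + t_len])
        transforms.append({
            "number": t_num,
            "enc": ENC.get(a.get("enc"), a.get("enc")),
            "hash": HASH.get(a.get("hash"), a.get("hash")),
            "auth": AUTH.get(a.get("auth"), a.get("auth")),
            "group": GROUP.get(a.get("group"), a.get("group")),
            "life_seconds": a.get("life_duration") if a.get("life_type") == 1 else None,
        })
        off += t_len
    return {"exchange": exch, "doi": doi, "situation": situation,
            "proposal": prop_num, "protocol": proto_id, "transforms": transforms}


def legacy_transforms(sa):
    """Transform numbers that offer single DES or the 768-bit MODP group,
    both long deprecated for IKE."""
    return [t["number"] for t in sa["transforms"]
            if t["enc"] == "DES-CBC" or t["group"] == "MODP-768"]


if __name__ == "__main__":
    sa = parse_isakmp_sa(ISAKMP_MSG)
    for t in sa["transforms"]:
        print(t)
    print("legacy transforms:", legacy_transforms(sa))
```

The parser reproduces the dissection: exchange type 2 (Main Mode), DOI 1, one proposal for protocol ISAKMP with eight KEY_IKE transforms, each with a 28800-second lifetime, and transforms 3 to 8 are the ones carrying DES-CBC or the 768-bit group.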
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org