Nmap Development mailing list archives

UDP payload for STUN


From: David Fifield <david () bamsoftware com>
Date: Fri, 6 Dec 2019 13:51:04 -0700

Here is a UDP payload for STUN, which normally runs on port 3478/udp.
The payload is a Binding request, which asks the STUN server to return
the client's external IP address. It's the same payload sent by the
stun-info script, except that it has an all-zero transaction ID instead
of a random one.

Before:
        # nmap -n -Pn -sU -p 3478 --reason stun.ekiga.net
        Starting Nmap 7.80SVN ( https://nmap.org )
        Nmap scan report for stun.ekiga.net (216.93.246.18)
        Host is up, received user-set.

        PORT     STATE         SERVICE REASON
        3478/udp open|filtered stun    no-response

        Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

After:
        # nmap -n -Pn -sU -p 3478 --reason stun.ekiga.net
        Starting Nmap 7.80SVN ( https://nmap.org )
        Nmap scan report for stun.ekiga.net (216.93.246.18)
        Host is up, received user-set (0.080s latency).

        PORT     STATE SERVICE REASON
        3478/udp open  stun    udp-response ttl 48

        Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
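The 20-byte probe in the patch is built from four fixed header fields (type, length, magic cookie, transaction ID). The following Python script is an added example, not code from the post or from Nmap: it builds the same Binding request, checks it against the byte string in the patch, and parses a Binding success response to recover the XOR-MAPPED-ADDRESS a STUN server returns. The response it parses is constructed locally so the script runs offline; the helper and constant names are this example's own.

```python
"""STUN Binding request/response round-trip (RFC 5389); added example."""
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value at bytes 4..7 of every STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
ZERO_TID = b"\x00" * 12            # the fixed transaction ID the Nmap probe uses

# Probe string exactly as added to nmap-payloads in the patch on this page.
NMAP_STUN_PAYLOAD = bytes.fromhex("000100002112a442" + "00" * 12)


def build_binding_request(transaction_id=ZERO_TID):
    """Return a 20-byte STUN Binding request: type, length 0, cookie, TID."""
    if len(transaction_id) != 12:
        raise ValueError("transaction ID must be exactly 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_response(ip, port, transaction_id=ZERO_TID):
    """Constructed Binding success response carrying an IPv4 XOR-MAPPED-ADDRESS.

    Generated locally so the parser below can run offline; this is not a
    capture from a real STUN server.
    """
    cookie_bytes = struct.pack("!I", MAGIC_COOKIE)
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = bytes(a ^ b for a, b in zip(socket.inet_aton(ip), cookie_bytes))
    attr_value = struct.pack("!BBH", 0, 0x01, xport) + xaddr   # reserved, family, x-port, x-addr
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(attr_value)) + attr_value
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id
    return header + attr


def parse_binding_response(data, transaction_id=ZERO_TID):
    """Validate a reply to our request and return (ip, port) from XOR-MAPPED-ADDRESS.

    Raises ValueError for datagrams that are not a matching STUN Binding success;
    returns None when the reply is valid but carries no IPv4 XOR-MAPPED-ADDRESS.
    """
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch: not STUN")
    if data[8:20] != transaction_id:
        raise ValueError("transaction ID does not match our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding success response: 0x%04x" % msg_type)
    if len(data) < 20 + msg_len:
        raise ValueError("truncated: header claims %d attribute bytes" % msg_len)
    attrs = data[20:20 + msg_len]
    pos = 0
    while pos + 4 <= len(attrs):
        atype, alen = struct.unpack("!HH", attrs[pos:pos + 4])
        value = attrs[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("attribute 0x%04x overruns message" % atype)
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = bytes(a ^ b for a, b in zip(value[4:8], struct.pack("!I", MAGIC_COOKIE)))
            return socket.inet_ntoa(addr), port
        pos += 4 + ((alen + 3) & ~3)   # attributes are padded to 4-byte boundaries
    return None


def probe_matches_patch():
    """True when the request built here equals the byte string in the patch."""
    return build_binding_request() == NMAP_STUN_PAYLOAD


if __name__ == "__main__":
    print("request:", build_binding_request().hex())
    sample = build_binding_response("203.0.113.7", 54321)   # constructed sample
    print("parsed: ", parse_binding_response(sample))
```

The parser checks the magic cookie, transaction ID and message type before touching attributes, which is also the order a detection rule would use to recognise STUN traffic in a packet capture: the cookie at offset 4 identifies the protocol regardless of port, and the transaction ID ties a reply to the probe that caused it. With the all-zero transaction ID the port scanner gives up the ability to match replies to individual probes, which is irrelevant for deciding whether a port is open but matters for a client that has several requests in flight.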


From 8513abc4eb3fb34ba159a74899432a019a2ad206 Mon Sep 17 00:00:00 2001
From: David Fifield <david () bamsoftware com>
Date: Fri, 6 Dec 2019 13:48:02 -0700
Subject: [PATCH] Add UDP payload for STUN.

---
 CHANGELOG     | 3 +++
 nmap-payloads | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index 45b8b680e..9244d4c5e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -57,6 +57,9 @@ o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest
 o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
   extraneous output to be captured as part of a username. [Duarte Silva]
 
+o [NSE] Added a UDP payload for STUN (Session Traversal Utilities for NAT).
+  [David Fifield]
+
 Nmap 7.80 [2019-08-10]
 
 o [Windows] The Npcap Windows packet capturing library (https://npcap.org/)
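Review bot: the new CHANGELOG entry is tagged [NSE], but the change adds a line to nmap-payloads, the UDP probe table used by the port scanner, and touches no NSE script; the only script connection is that the probe matches what stun-info sends. Consider dropping the tag or using whichever tag this file uses for scanner and data-file changes so the entry is not filed under script changes.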
diff --git a/nmap-payloads b/nmap-payloads
index e13971302..9138fcc7f 100644
--- a/nmap-payloads
+++ b/nmap-payloads
@@ -218,6 +218,13 @@ udp 2302 "\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x
 # Apple Remote Desktop (ARD)
 udp 3283 "\0\x14\0\x01\x03"
 
+# STUN Binding request, see RFC 5389 Section 6
+# message type = 0x001, Binding (see Section 18.1)
+# message length = 0
+# magic cookie = 0x2112a442
+# transaction ID = "\x00"*12
+udp 3478 "\x00\x01\x00\x00\x21\x12\xa4\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
 # Sun Service Tag Discovery protocol (stdiscover)
 # http://arc.opensolaris.org/caselog/PSARC/2006/638/stdiscover_protocolv2.pdf
 # Would work better with a varying cookie; the second and later sends of this
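Review bot: the comment above the new payload reads `message type = 0x001`, but the field is 16 bits and encodes as `\x00\x01`, so `0x0001` would match both the bytes and the notation RFC 5389 uses. It would also help to note in the comment that the all-zero transaction ID is intentional for a fixed probe string, since RFC 5389 asks clients to choose it randomly and a later reader might otherwise treat it as a defect; the cover letter explains the choice but the file does not.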
-- 
2.20.1

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

