UDP Payload Scanning

**Note:** We all love the Internet Storm Center. By far it’s one of the largest conglomerations of brilliant engineers I know. So it doesn’t really surprise me that when I was going to write a blog on Nmap’s new UDP payload scanning yesterday, contributor Rob VandenBrink beat me to it. Here is mine anyways =P Rob’s goes into great detail, with some packet captures to show before and after.

UDP… UDP… UDP… oh how do I scan thee?

The obstacle to accurately scanning UDP ports is the nature of UDP services themselves. Deliver anything other than a legitimate payload for that service and the datagram is usually dropped silently, so an empty probe to an open port looks exactly like a probe that was filtered. This is bad news for pentesters, as we want a full and accurate scan of our targets.

UDP payload scanning is the solution (most of the time). Instead of probing with an empty UDP packet, we send a payload that is legitimate for the service expected on that port. If we receive a response, the port is open.

Before version 5.21, Nmap did not support UDP payload scanning. Pentesters instead counted on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace, Jack), or udp-proto-scanner by Portcullis Labs.

Although these tools are often stellar, they are sometimes buggy and lack the Nmap-style features we want in a port scanner.

Nmap 5.21 fixes our dilemma by adding protocol-specific UDP payloads for the following ports:

udp/7 echo
udp/53 domain
udp/111 rpcbind
udp/123 ntp
udp/137 netbios-ns
udp/161 SNMP
udp/177 xdmcp
udp/500 ISAKMP
udp/520 route
udp/1645 RADIUS
udp/1812 RADIUS
udp/2049 NFS
udp/5353 zeroconf
udp/10080 amanda
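The mechanism described above, as an added example that is not Nmap's code: a constructed local UDP service that, like many real daemons, only answers well-formed requests (standing in for udp/53 domain from the list), probed first with an empty datagram and then with a minimal DNS query built here. The DNS bytes, the mock service and the function names are my own constructions, not Nmap's payload; the probe reports the same open / open|filtered / closed states a UDP scanner does.

```python
import socket
import struct
import threading

def build_dns_query(qname="example.com", txid=0x1234):
    """Minimal standard DNS A query: 12-byte header plus one question section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def looks_like_dns_query(data):
    """Constructed check: full header present, QR bit clear, exactly one question."""
    return len(data) >= 17 and not (data[2] & 0x80) and data[4:6] == b"\x00\x01"

def start_mock_dns_service(host="127.0.0.1"):
    """Constructed UDP service that, like many real daemons, silently drops anything
    that is not a well-formed request. Returns the port it listens on."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))

    def serve():
        while True:  # daemon thread: dies with the process
            data, peer = sock.recvfrom(512)
            if looks_like_dns_query(data):
                sock.sendto(data[:2] + b"\x81\x80" + data[4:], peer)  # same id, QR=1

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]

def udp_probe(host, port, payload, timeout=0.5):
    """Classify one UDP port the way a payload-aware scanner does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: the OS reports ICMP errors to us
        s.send(payload)
        try:
            s.recv(512)
            return "open"           # the service answered our payload
        except socket.timeout:
            return "open|filtered"  # silence: open but ignoring us, or filtered
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"         # ICMP port unreachable surfaced by the OS

if __name__ == "__main__":
    port = start_mock_dns_service()
    for name, payload in (("empty probe", b""), ("dns payload", build_dns_query())):
        print(name, udp_probe("127.0.0.1", port, payload))  # open|filtered, then open
```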

I know this has been a good number of months in development; thanks for all the good work, Fyodor and the Nmap Dev Community!
