udp payloads

79039385 · Robert Graham · 7270083b · 79039385 · 79039385 · 79039385
Commit 79039385 authored 7 years ago by Robert Graham
--- a/src/proto-udp.c
+++ b/src/proto-udp.c
@@ -66,19 +66,19 @@ handle_udp(struct Output *out, time_t timestamp,


    switch (port_them) {
-        case 53:
+        case 53: /* DNS - Domain Name System (amplifier) */
            status = handle_dns(out, timestamp, px, length, parsed, entropy);
            break;
-        case 123:
+        case 123: /* NTP - Network Time Protocol (amplifier) */
            status = ntp_handle_response(out, timestamp, px, length, parsed, entropy);
            break;
-        case 137:
+        case 137: /* NetBIOS (amplifier) */
            status = handle_nbtstat(out, timestamp, px, length, parsed, entropy);
            break;
-        case 161:
+        case 161: /* SNMP - Simple Network Managment Protocol (amplifier) */
            status = handle_snmp(out, timestamp, px, length, parsed, entropy);
            break;
-        case 11211:
+        case 11211: /* memcached (amplifier) */
            px += parsed->app_offset;
            length = parsed->app_length;
            status = memcached_udp_parse(out, timestamp, px, length, parsed, entropy);

--- a/src/rawsock-pcap.c
+++ b/src/rawsock-pcap.c
@@ -294,6 +294,7 @@ int pcap_init(void)
        switch (GetLastError()) {
            case ERROR_MOD_NOT_FOUND:
                fprintf(stderr, "%s: not found\n", "Packet.dll");
+                fprintf(stderr, "  HINT: you must install either WinPcap or Npcap\n");
                return -1;
            default:
                fprintf(stderr, "%s: couldn't load %d\n", "Packet.dll", (int)GetLastError());

--- a/src/templ-payloads.c
+++ b/src/templ-payloads.c
@@ -52,21 +52,15 @@ struct NmapPayloads {


 struct Payload2 hard_coded_payloads[] = {
-    {161, 65536, 59, 0, snmp_set_cookie,
-     "\x30" "\x39"
-       "\x02\x01\x00"                    /* version */
-       "\x04\x06" "public"               /* community = public */
-       "\xa0" "\x2c"                     /* type = GET */
-        "\x02\x04\x00\x00\x00\x00"      /* transaction id = ???? */
-        "\x02\x01\x00"                  /* error = 0 */
-        "\x02\x01\x00"                  /* error index = 0 */
-         "\x30\x1e"
-          "\x30\x0d"
-           "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x01\x00" /*sysName*/
-           "\x05\x00"          /*^^^^_____IDS LULZ HAH HA HAH*/
-         "\x30\x0d"
-           "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x05\x00" /*sysDesc*/
-           "\x05\x00"},        /*^^^^_____IDS LULZ HAH HA HAH*/
+    /* ECHO protocol - echoes back whatever we send */
+    {7, 65536, 12, 0, 0, "masscan-test 0x00000000"},
+
+    /* QOTD - quote of the day (amplifier) */
+    {17, 65536, 12, 0, 0, "masscan-test"},
+    
+    /* chargen - character generator (amplifier) */
+    {19, 65536, 12, 0, 0, "masscan-test"},
+    
    {53, 65536, 0x1f, 0, dns_set_cookie,
        /* 00 */"\x50\xb6"  /* transaction id */
        /* 02 */"\x01\x20"  /* quer y*/
@@ -92,6 +86,31 @@ struct Payload2 hard_coded_payloads[] = {
        "\x00\x21" /* type = nbt */
        "\x00\x01" /* class = iternet*/
    },
+    {161, 65536, 59, 0, snmp_set_cookie,
+     "\x30" "\x39"
+       "\x02\x01\x00"                    /* version */
+       "\x04\x06" "public"               /* community = public */
+       "\xa0" "\x2c"                     /* type = GET */
+        "\x02\x04\x00\x00\x00\x00"      /* transaction id = ???? */
+        "\x02\x01\x00"                  /* error = 0 */
+        "\x02\x01\x00"                  /* error index = 0 */
+         "\x30\x1e"
+          "\x30\x0d"
+           "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x01\x00" /*sysName*/
+           "\x05\x00"          /*^^^^_____IDS LULZ HAH HA HAH*/
+         "\x30\x0d"
+           "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x05\x00" /*sysDesc*/
+           "\x05\x00"},        /*^^^^_____IDS LULZ HAH HA HAH*/
+
+    /* UPnP SSDP - Univeral Plug-n-Play Simple Service Discovery Protocol */
+    {1900, 65536, 0xFFFFFFFF, 0, 0,
+            "M-SEARCH * HTTP/1.1\r\n"
+            "HOST: 239.255.255.250:1900\r\n"
+            "MAN: \"ssdp:discover\"\r\n"
+            "MX: 1\r\n"
+            "ST: ssdp:all\r\n"
+            "USER-AGENT: unix/1.0 UPnP/1.1 masscan/1.x\r\n"},
+
    {5060, 65536, 0xFFFFFFFF, 0, 0,
        "OPTIONS sip:carol@chicago.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKhjhs8ass877\r\n"
@@ -121,6 +140,13 @@ struct Payload2 hard_coded_payloads[] = {
    {16471, 65536, zeroaccess_getL_length, 0, 0,
        (char *)zeroaccess_getL},

+    /* Quake 3 (amplifier)
+     * http://blog.alejandronolla.com/2013/06/24/amplification-ddos-attack-with-quake3-servers-an-analysis-1-slash-2/
+     */
+    {27960, 65536, 0xFFFFFFFF, 0, 0,
+        "\xFF\xFF\xFF\xFF\x67\x65\x74\x73\x74\x61\x74\x75\x73\x10"},
+
+
    {0,0,0,0,0}
 };