From 79039385bf47b9b09ff4918c3bee595d3c93d6aa Mon Sep 17 00:00:00 2001
From: Robert Graham <robert_david_graham@yahoo.com>
Date: Sun, 1 Apr 2018 01:13:10 -0400
Subject: [PATCH] udp payloads
---
 src/proto-udp.c | 10 ++++----
 src/rawsock-pcap.c | 1 +
 src/templ-payloads.c | 56 ++++++++++++++++++++++++++++++++------------
 3 files changed, 47 insertions(+), 20 deletions(-)
diff --git a/src/proto-udp.c b/src/proto-udp.c
index 68d9d26..eac40e9 100644
--- a/src/proto-udp.c
+++ b/src/proto-udp.c
@@ -66,19 +66,19 @@ handle_udp(struct Output *out, time_t timestamp,
 switch (port_them) {
- case 53:
+ case 53: /* DNS - Domain Name System (amplifier) */
 status = handle_dns(out, timestamp, px, length, parsed, entropy);
 break;
- case 123:
+ case 123: /* NTP - Network Time Protocol (amplifier) */
 status = ntp_handle_response(out, timestamp, px, length, parsed, entropy);
 break;
- case 137:
+ case 137: /* NetBIOS (amplifier) */
 status = handle_nbtstat(out, timestamp, px, length, parsed, entropy);
 break;
- case 161:
+ case 161: /* SNMP - Simple Network Managment Protocol (amplifier) */
 status = handle_snmp(out, timestamp, px, length, parsed, entropy);
 break;
- case 11211:
+ case 11211: /* memcached (amplifier) */
 px += parsed->app_offset;
 length = parsed->app_length;
 status = memcached_udp_parse(out, timestamp, px, length, parsed, entropy);
diff --git a/src/rawsock-pcap.c b/src/rawsock-pcap.c
index 2e96d0c..e47ad4a 100644
--- a/src/rawsock-pcap.c
+++ b/src/rawsock-pcap.c
@@ -294,6 +294,7 @@ int pcap_init(void)
 switch (GetLastError()) {
 case ERROR_MOD_NOT_FOUND:
 fprintf(stderr, "%s: not found\n", "Packet.dll");
+ fprintf(stderr, " HINT: you must install either WinPcap or Npcap\n");
 return -1;
 default:
 fprintf(stderr, "%s: couldn't load %d\n", "Packet.dll", (int)GetLastError());
diff --git a/src/templ-payloads.c b/src/templ-payloads.c
index e461e1b..669c6af 100644
--- a/src/templ-payloads.c
+++ b/src/templ-payloads.c
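Review bot: The new comment on the `case 161:` label misspells the protocol name; it should read `case 161: /* SNMP - Simple Network Management Protocol (amplifier) */`. The other four labels read correctly. handle_udp's body begins and ends outside the hunk, so only the labels themselves are reviewed here.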
@@ -52,21 +52,15 @@ struct NmapPayloads {
 struct Payload2 hard_coded_payloads[] = {
- {161, 65536, 59, 0, snmp_set_cookie,
- "\x30" "\x39"
- "\x02\x01\x00" /* version */
- "\x04\x06" "public" /* community = public */
- "\xa0" "\x2c" /* type = GET */
- "\x02\x04\x00\x00\x00\x00" /* transaction id = ???? */
- "\x02\x01\x00" /* error = 0 */
- "\x02\x01\x00" /* error index = 0 */
- "\x30\x1e"
- "\x30\x0d"
- "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x01\x00" /*sysName*/
- "\x05\x00" /*^^^^_____IDS LULZ HAH HA HAH*/
- "\x30\x0d"
- "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x05\x00" /*sysDesc*/
- "\x05\x00"}, /*^^^^_____IDS LULZ HAH HA HAH*/
+ /* ECHO protocol - echoes back whatever we send */
+ {7, 65536, 12, 0, 0, "masscan-test 0x00000000"},
+
+ /* QOTD - quote of the day (amplifier) */
+ {17, 65536, 12, 0, 0, "masscan-test"},
+
+ /* chargen - character generator (amplifier) */
+ {19, 65536, 12, 0, 0, "masscan-test"},
+
 {53, 65536, 0x1f, 0, dns_set_cookie,
 /* 00 */"\x50\xb6" /* transaction id */
 /* 02 */"\x01\x20" /* quer y*/
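Review bot: The ECHO entry `{7, 65536, 12, 0, 0, "masscan-test 0x00000000"}` gives a length of 12 for a 23-byte string, so the ` 0x00000000` tail is never part of the probe; the QOTD and chargen entries use 12 for the 12-byte `"masscan-test"`, and the removed SNMP entry's 59 equals its byte count, which suggests the third column is the payload length in bytes. Either drop the dead tail, `{7, 65536, 12, 0, 0, "masscan-test"},`, or, if the zeros were meant to be overwritten with a per-probe cookie the way the DNS and SNMP entries do through their callback column, give the entry a callback and the full length of 23 instead of leaving the fifth column 0. The struct definition and the code that consumes these columns are outside the hunk, so the column meaning is inferred from the sibling entries.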
@@ -92,6 +86,31 @@ struct Payload2 hard_coded_payloads[] = {
 "\x00\x21" /* type = nbt */
 "\x00\x01" /* class = iternet*/
 },
+ {161, 65536, 59, 0, snmp_set_cookie,
+ "\x30" "\x39"
+ "\x02\x01\x00" /* version */
+ "\x04\x06" "public" /* community = public */
+ "\xa0" "\x2c" /* type = GET */
+ "\x02\x04\x00\x00\x00\x00" /* transaction id = ???? */
+ "\x02\x01\x00" /* error = 0 */
+ "\x02\x01\x00" /* error index = 0 */
+ "\x30\x1e"
+ "\x30\x0d"
+ "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x01\x00" /*sysName*/
+ "\x05\x00" /*^^^^_____IDS LULZ HAH HA HAH*/
+ "\x30\x0d"
+ "\x06\x09\x2b\x06\x01\x80\x02\x01\x01\x05\x00" /*sysDesc*/
+ "\x05\x00"}, /*^^^^_____IDS LULZ HAH HA HAH*/
+
+ /* UPnP SSDP - Univeral Plug-n-Play Simple Service Discovery Protocol */
+ {1900, 65536, 0xFFFFFFFF, 0, 0,
+ "M-SEARCH * HTTP/1.1\r\n"
+ "HOST: 239.255.255.250:1900\r\n"
+ "MAN: \"ssdp:discover\"\r\n"
+ "MX: 1\r\n"
+ "ST: ssdp:all\r\n"
+ "USER-AGENT: unix/1.0 UPnP/1.1 masscan/1.x\r\n"},
+
 {5060, 65536, 0xFFFFFFFF, 0, 0,
 "OPTIONS sip:carol@chicago.com SIP/2.0\r\n"
 "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKhjhs8ass877\r\n"
@@ -121,6 +140,13 @@ struct Payload2 hard_coded_payloads[] = {
 {16471, 65536, zeroaccess_getL_length, 0, 0, (char *)zeroaccess_getL},
+ /* Quake 3 (amplifier) * http://blog.alejandronolla.com/2013/06/24/amplification-ddos-attack-with-quake3-servers-an-analysis-1-slash-2/ */
+ {27960, 65536, 0xFFFFFFFF, 0, 0, "\xFF\xFF\xFF\xFF\x67\x65\x74\x73\x74\x61\x74\x75\x73\x10"},
+
 {0,0,0,0,0}
 };
-- 
GitLab
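Review bot: The new SSDP comment misspells the protocol name; it should read `/* UPnP SSDP - Universal Plug-n-Play Simple Service Discovery Protocol */`. The SSDP entry uses `0xFFFFFFFF` as its length, like the SIP entry below it, while the new text-only ECHO, QOTD and chargen entries in the earlier hunk give an explicit 12; if `0xFFFFFFFF` means "take the length from the string" — which I am inferring, the consumer is outside the hunk — the three plain-text entries would be more consistent using the same convention. The SNMP entry is moved verbatim from the top of the table and carries its old `/*^^^^_____IDS LULZ ...*/` comments along, so nothing in it is new to review.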
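Review bot: The Quake 3 probe ends in `\x10`, whereas the getstatus query is normally written with a trailing newline, `\x0a`; decimal 10 mistyped as hex `\x10` is an easy slip, so confirm the terminator against the cited write-up, and if a newline was intended the last byte becomes `"\xFF\xFF\xFF\xFF\x67\x65\x74\x73\x74\x61\x74\x75\x73\x0a"},`. The hex escapes also hide what the bytes say; a comment such as `/* four 0xFF bytes, "getstatus", terminator */` would make the entry readable without decoding it. The `{0,0,0,0,0}` sentinel still closes the table after the new entry, as the context lines show.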