
FIRST 2002 John Kristoff - DePaul University 1

UDP Scanning

John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604


What are we talking about?

- Remotely probing hosts using UDP messages
- Comparing UDP, ICMP and TCP scanning
- UDP scanning details
- UDP scanning failure scenarios
- How to make UDP scanning more reliable

Why is this talk important?

- A colleague expressed the need for public info
- But really... to help justify my trip to Hawaii!


Why is this important again?

- Domain Name System (DNS)
- Trivial File Transfer Protocol (TFTP)
- Remote Authentication Dial In User Services (RADIUS)
- Routing Information Protocol (RIP)
- Simple Network Management Protocol (SNMP)
- Network Time Protocol (NTP)
- Dynamic Host Configuration Protocol (DHCP)


UDP message format


UDP port probing


TCP and ICMP scanning

TCP

- 3-way handshake and reliability
- Lots of header (ever compare the UDP and TCP RFCs?)
- See nmap's documentation

ICMP

- Request/reply messages
- Lots of messages
- Implementations differ widely
- See Ofir Arkin's ICMP paper


The trouble with UDP scanning

From RFC 1122, Requirements for Internet Hosts, section 3.2.2.1: A host SHOULD generate Destination Unreachable messages with code: 2 (Protocol Unreachable), when the designated transport protocol is not supported; or 3 (Port Unreachable), when the designated transport protocol (e.g., UDP) is unable to demultiplex the datagram but has no protocol mechanism to inform the sender.


Other failure scenarios

- Packet filtering
- Non-default host configurations
- Packet loss
- Errored packets
- ICMP rate limiting (see RFC 1812 section 4.3.2.8)


Minimizing false positives

- Verify ICMP replies
- Congestion avoidance
- Round trip time estimation (see SATAN source code)
- Implement application level scanning
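One way to do the "verify ICMP replies" step, as an added Python example that is not part of the original slides: before treating an ICMP Destination Unreachable (RFC 1122 section 3.2.2.1) as evidence of a closed port, check that the IPv4/UDP header it quotes matches the probe that was sent. The sample reply is constructed in the block; the probe dictionary and the function names are assumptions.

```python
import socket
import struct

# Added example: an ICMP type 3 reply only counts as "port closed" when the
# quoted original datagram matches our probe. RFC 792 requires the reply to
# carry the original IPv4 header plus the first 8 bytes of its payload, which
# for UDP is exactly the UDP header (source port, dest port, length, checksum).

def ipv4_header(src, dst, proto, payload_len):
    """Bare IPv4 header (checksum left 0; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_unreachable_reply(code, probe):
    """Constructed ICMP Destination Unreachable reply quoting the probe."""
    quoted = (ipv4_header(probe["src"], probe["dst"], 17, 8)
              + struct.pack("!HHHH", probe["sport"], probe["dport"], 8, 0))
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted   # type, code, csum, unused
    return ipv4_header(probe["dst"], probe["src"], 1, len(icmp)) + icmp

def classify_icmp_reply(packet, probe):
    """Return 'closed', 'proto-unreachable', 'filtered' or 'unrelated'."""
    if len(packet) < 20 or packet[9] != 1:            # outer protocol must be ICMP
        return "unrelated"
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != 3:                 # only Destination Unreachable
        return "unrelated"
    code, quoted = icmp[1], icmp[8:]
    if len(quoted) < 28:                              # inner IP header + UDP header
        return "unrelated"
    qihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 17 or len(quoted) < qihl + 4:     # inner datagram must be UDP
        return "unrelated"
    seen = (socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20]),
            *struct.unpack("!HH", quoted[qihl:qihl + 4]))
    if seen != (probe["src"], probe["dst"], probe["sport"], probe["dport"]):
        return "unrelated"                            # stray ICMP, not about our probe
    if code == 3:
        return "closed"                               # port unreachable
    if code == 2:
        return "proto-unreachable"                    # host does not speak UDP at all
    return "filtered"   # net/host unreachable, admin prohibited etc.: not a closed port

if __name__ == "__main__":
    probe = {"src": "192.0.2.10", "dst": "198.51.100.7", "sport": 40000, "dport": 161}
    for code in (3, 2, 13):
        print(code, classify_icmp_reply(build_unreachable_reply(code, probe), probe))
```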


UDP application scanning

Solicit application layer replies

Most UDP apps will respond to something

Few general purpose UDP application scanners

Most are for specific application vulnerabilities

UDP application scanning has failure modes too

Which UDP port to scan? How to format the message?

So... I'm no Wietse, but what the heck I tried...


Application scanning examples

- Send a TFTP read request and check for an error
- Send an empty RIP request with a metric of infinity
- Send an NTP request with version=[3|4] and mode=client
- App scanning for syslog would be useful, but alas...
- Other interesting applications? e.g. games, streaming audio/video, trojans

Most apps should be very easy to scan for: just format the right request and await a reply.


Is it Mai Tai time yet?

- UDP scanning is a relatively simple procedure
- However, be aware of how unreliable it is
- UDP application specific scanners would be better
- Application scanning may highlight vulnerabilities
- If not, PROTOS style projects certainly will