AbnormalSec / darkbox

what's in the box?! :package:
Do What The F*ck You Want To Public License

More nmap features #3

Open vesche opened 6 years ago

vesche commented 5 years ago

Emulating UDP scanning is more difficult than I thought. Because of its connection-less nature, you need to send something over UDP and then wait for a response... The problem is if you don't send something valid it typically won't respond. This means that UDP would need to send service-specific requests. That's not something I want to support.

Anyways for documentation purposes, this is the general idea:

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(0.5)  # per-socket timeout; setdefaulttimeout() only affects sockets created after the call
s.sendto(b'DATA', (ip, port))
recv, svr = s.recvfrom(4096)  # recvfrom() returns (data, address); recv() returns only the data
print(recv, svr)

The problem is that sending something like DATA won't get a response. If this was a DNS server, sending a DNS request would work however.

Also, a balanced timeout with select would need to be implemented in the above approach. Something like this: https://stackoverflow.com/a/2721734 The problem again is that if the right service request is not sent, nothing will come back.

My way forward on this is to first look at how nmap does this, and then if there is not a good solution to document the infeasibility of supporting UDP port scanning in a project this size, and only support TCP port scanning.

vesche commented 5 years ago

Also, calling this module nmap is probably a rip... I'll rename this portscanner or something generic in the next release.

deadPix3l commented 5 years ago

Definitely not a solution for all the ports you have listed in ports.py, but if we cut that down to maybe 10 or so common UDP ports, we can turn it into a dict that holds a valid input for the suspected service. DNS specifically is a simple protocol.

# bytes, not str: sendto() needs a bytes payload. This is a DNS standard query (id "AA", RD=1, QDCOUNT=1) for example.com, type A, class IN.
udp_ports = { 53: b"AA\x01\0\0\x01\0\0\0\0\0\0\x07example\x03com\0\0\x01\0\x01" }

vesche commented 5 years ago

This means that UDP would need to send service-specific requests. That's not something I want to support.

That's exactly what I don't want to do. A DNS server can easily not run on 53/udp, and are we really going to craft payloads for every UDP service? Is this actually how nmap does it...? If so, sounds like it's time to make custom UDP socket listeners for c2 callback that are impenetrable to port scanners lol.

deadPix3l commented 5 years ago

Yeah, I know. Just wanted to put out a maybe semi-solution.

UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.

Unless you want to write a complicated ICMP listener I think we're cooked.
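An added example (not code from the darkbox project or from either commenter) that ties the thread together: it builds the same DNS probe payload deadPix3l posted, and classifies a UDP port with the open / closed / filtered / open|filtered states from the quoted nmap text without a raw ICMP listener. The ICMP-to-errno mapping it relies on is an assumption about Linux behaviour for connected UDP sockets; the target address in the main block is a constructed placeholder.

```python
import socket
import struct

def build_dns_query(name, txid=0x4141):
    """Minimal standard DNS A query (RD=1) for `name`.
    With the default txid (0x4141 == b"AA") this produces the exact bytes from the thread."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def looks_like_dns_reply(data, txid=0x4141):
    """True if `data` is a DNS message with QR=1 carrying the transaction id we sent."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def probe_udp(ip, port, payload, timeout=2.0):
    """Classify one UDP port using nmap's vocabulary.
    Assumption (Linux): on a *connected* UDP socket the kernel reports an ICMP
    port-unreachable (type 3, code 3) as ECONNREFUSED on the next recv/send, and
    other unreachable codes as EHOSTUNREACH/ENETUNREACH, so userland never has to
    parse ICMP itself."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))   # no packet is sent here; it just binds the peer address
        s.send(payload)
        s.recv(4096)            # any datagram back proves the port is open
        return "open"
    except ConnectionRefusedError:
        return "closed"         # ICMP type 3 code 3
    except socket.timeout:
        return "open|filtered"  # silence: service ignored our probe, or a filter dropped it
    except OSError:
        return "filtered"       # other ICMP unreachable codes
    finally:
        s.close()

if __name__ == "__main__":
    # Constructed example target: only meaningful if a resolver listens on the local host.
    query = build_dns_query("example.com")
    print("53/udp:", probe_udp("127.0.0.1", 53, query))
```

For ports other than 53 the same classifier works with an empty payload, which is why most ports end up as open|filtered, as the nmap text above describes.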