
Examples

The simplest (and most common) use case is to run all probes against a list of IP addresses:

$ udp-proto-scanner.pl -f ips.txt
Starting udp-proto-scanner v0.9 ( http://labs.portcullis.co.uk/application/udp-proto-scanner ) on Wed Oct 29 14:29:50 2008

================================================================================
Bandwith: .................... 250k bits/second                                 
Max Probes: .................. 3                                                
Config file: ................. ./udp-proto-scanner.conf                         
Probes names: ................ DNSStatusRequest,DNSVersionBindReq,NBTStat,NTPRequest,RPCCheck,SNMPv3GetRequest,chargen,citrix,daytime,db2,echo,ike,ms-sql,ms-sql-slam,netop,ntp,rpc,snmp-public,systat,tftp,time,xdmcp                                                                                                                                            
================================================================================                                                                                                 

Sending DNSStatusRequest probes to 512 hosts...
Received reply to probe DNSStatusRequest (target port 53) from 10.0.0.90:53: 000090840000000000000000
Received reply to probe DNSStatusRequest (target port 53) from 10.0.0.96:53: 000090040000000000000000
Received reply to probe DNSStatusRequest (target port 53) from 10.0.0.110:53: 000090040000000000000000
Sending DNSVersionBindReq probes to 512 hosts...                                                        
Received reply to probe DNSVersionBindReq (target port 53) from 10.0.0.90:53: 0006858000010001000000000776657273696f6e0462696e6400001000030756455253494f4e0442494e4400001000030000000000100f342e342e372d52454c2d4e4f455357                                                                                                                                     
Sending NBTStat probes to 512 hosts...                                                                                                                                           
Received reply to probe NBTStat (target port 137) from 10.0.0.50:137:
...

Note that the output tells you:

  • which probe was replied to
  • which port the probe was sent to
  • the IP and port that it was received from
  • the data in the reply packet (hex-encoded)

The two port numbers mentioned above nearly always match. The one notable exception is TFTP, which replies from a port other than 69.

The available probes can be listed with the -l option:

$ udp-proto-scanner.pl -l
The following probe names (-p argument) are available from the config file ./udp-proto-scanner.conf:
* DNSStatusRequest
* DNSVersionBindReq
* NBTStat
* NTPRequest
* RPCCheck
* SNMPv3GetRequest
* chargen
* citrix
* daytime
* db2
* echo
* ike
* ms-sql
* ms-sql-slam
* netop
* ntp
* rpc
* snmp-public
* systat
* tftp
* time
* xdmcp

The following example shows how to send a single probe to a list of IP addresses:

$ udp-proto-scanner.pl -p ms-sql -f ips.txt
Starting udp-proto-scanner v0.9 ( http://labs.portcullis.co.uk/application/udp-proto-scanner ) on Wed Oct 29 14:27:49 2008

================================================================================
Bandwith: .................... 250k bits/second
Max Probes: .................. 3
Config file: ................. ./udp-proto-scanner.conf
Probes names: ................ ms-sql
================================================================================

Sending ms-sql probes to 512 hosts...
Received reply to probe ms-sql (target port 1434) from 10.0.0.1:1434: 0570005365727665724e616d653b57324b53514c3b496e7374616e63654e616d653b4d5353514c5345525645523b4973436c757374657265643b4e6f3b56657273696f6e3b382e30302e3139343b7463703b313433333b6e703b5c5c57324b53514c5c706970655c73716c5c71756572793b3b
Received reply to probe ms-sql (target port 1434) from 10.0.0.2:1434: 056a005365727665724e616d653b5342533b496e7374616e63654e616d653b4d5353514c5345525645523b4973436c757374657265643b4e6f3b56657273696f6e3b382e30302e3139343b7463703b313433333b6e703b5c5c5342535c706970655c73716c5c71756572793b3b

Scan complete at Wed Oct 29 14:27:52 2008
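
The reply lines can be post-processed into structured records. The following is an added example, not part of udp-proto-scanner: a Python parser for the "Received reply" line format shown above that flags replies arriving from a port other than the target port and decodes ms-sql replies into key/value pairs. The function names and the tftp sample line are assumptions made for this example.

```python
import re

# Line layout taken from the sample output on this page.
REPLY_RE = re.compile(
    r"^Received reply to probe (?P<probe>\S+) \(target port (?P<tport>\d+)\) "
    r"from (?P<ip>[\d.]+):(?P<sport>\d+): (?P<hex>(?:[0-9a-fA-F]{2})*)\s*$")

# Only the tftp line is constructed; the other lines are copied from the page.
SAMPLE = """\
Sending DNSStatusRequest probes to 512 hosts...
Received reply to probe DNSStatusRequest (target port 53) from 10.0.0.90:53: 000090840000000000000000
Received reply to probe ms-sql (target port 1434) from 10.0.0.1:1434: 0570005365727665724e616d653b57324b53514c3b496e7374616e63654e616d653b4d5353514c5345525645523b4973436c757374657265643b4e6f3b56657273696f6e3b382e30302e3139343b7463703b313433333b6e703b5c5c57324b53514c5c706970655c73716c5c71756572793b3b
Received reply to probe tftp (target port 69) from 10.0.0.7:3285: 0005000146696c65206e6f7420666f756e6400
"""

def decode_ssrp(data):
    """Decode a SQL Server Resolution Protocol reply: byte 0x05, a 2-byte
    little-endian length, then ';'-separated key;value pairs, with each
    instance's group terminated by ';;'. Returns one dict per instance."""
    if len(data) < 3 or data[0] != 0x05:
        return []
    size = int.from_bytes(data[1:3], "little")
    # Reply bytes come from the network: never assume clean ASCII.
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for group in filter(None, body.split(";;")):
        parts = group.split(";")
        instances.append(dict(zip(parts[0::2], parts[1::2])))
    return instances

def parse_reply(line):
    """Return a record for a 'Received reply' line, or None for other lines."""
    m = REPLY_RE.match(line)
    if m is None:
        return None
    rec = {"probe": m["probe"], "ip": m["ip"],
           "target_port": int(m["tport"]), "source_port": int(m["sport"]),
           "data": bytes.fromhex(m["hex"])}
    # TFTP is the documented case where the two ports differ.
    rec["port_mismatch"] = rec["target_port"] != rec["source_port"]
    if rec["probe"] == "ms-sql":
        rec["instances"] = decode_ssrp(rec["data"])
    return rec

def parse_output(text):
    """Parse a whole scan log, skipping banner and 'Sending ...' lines."""
    return [r for r in map(parse_reply, text.splitlines()) if r]
```
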

Last Updated : 29/10/2008 14:33:32