133 lines
4.7 KiB
C
133 lines
4.7 KiB
C
|
#include "proto-udp.h"
|
||
|
#include "proto-coap.h"
|
||
|
#include "proto-dns.h"
|
||
|
#include "proto-isakmp.h"
|
||
|
#include "proto-netbios.h"
|
||
|
#include "proto-snmp.h"
|
||
|
#include "proto-memcached.h"
|
||
|
#include "proto-ntp.h"
|
||
|
#include "proto-zeroaccess.h"
|
||
|
#include "proto-preprocess.h"
|
||
|
#include "syn-cookie.h"
|
||
|
#include "util-logger.h"
|
||
|
#include "output.h"
|
||
|
#include "masscan-status.h"
|
||
|
#include "unusedparm.h"
|
||
|
|
||
|
|
||
|
/****************************************************************************
|
||
|
* When the "--banner" command-line option is selected, this will
|
||
|
* will take up to 64 bytes of a response and display it. Other UDP
|
||
|
* protocol parsers may also default to this function when they detect
|
||
|
* a response is not the protocol they expect. For example, if a response
|
||
|
* to port 161 obviously isn't ASN.1 formatted, the SNMP parser will
|
||
|
* call this function instead. In such cases, the protocool identifier will
|
||
|
* be [unknown] rather than [snmp].
|
||
|
****************************************************************************/
|
||
|
unsigned
|
||
|
default_udp_parse(struct Output *out, time_t timestamp,
|
||
|
const unsigned char *px, unsigned length,
|
||
|
struct PreprocessedInfo *parsed,
|
||
|
uint64_t entropy)
|
||
|
{
|
||
|
ipaddress ip_them = parsed->src_ip;
|
||
|
unsigned port_them = parsed->port_src;
|
||
|
|
||
|
UNUSEDPARM(entropy);
|
||
|
|
||
|
|
||
|
if (length > 64)
|
||
|
length = 64;
|
||
|
|
||
|
output_report_banner(
|
||
|
out, timestamp,
|
||
|
ip_them, 17, port_them,
|
||
|
PROTO_NONE,
|
||
|
parsed->ip_ttl,
|
||
|
px, length);
|
||
|
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
/****************************************************************************
|
||
|
****************************************************************************/
|
||
|
void
|
||
|
handle_udp(struct Output *out, time_t timestamp,
|
||
|
const unsigned char *px, unsigned length,
|
||
|
struct PreprocessedInfo *parsed, uint64_t entropy)
|
||
|
{
|
||
|
ipaddress ip_them = parsed->src_ip;
|
||
|
unsigned port_them = parsed->port_src;
|
||
|
unsigned status = 0;
|
||
|
|
||
|
/* Report "open" status regardless */
|
||
|
output_report_status(
|
||
|
out,
|
||
|
timestamp,
|
||
|
PortStatus_Open,
|
||
|
ip_them,
|
||
|
17, /* ip proto = udp */
|
||
|
port_them,
|
||
|
0,
|
||
|
parsed->ip_ttl,
|
||
|
parsed->mac_src);
|
||
|
|
||
|
|
||
|
switch (port_them) {
|
||
|
case 53: /* DNS - Domain Name System (amplifier) */
|
||
|
status = handle_dns(out, timestamp, px, length, parsed, entropy);
|
||
|
break;
|
||
|
case 123: /* NTP - Network Time Protocol (amplifier) */
|
||
|
status = ntp_handle_response(out, timestamp, px, length, parsed, entropy);
|
||
|
break;
|
||
|
case 137: /* NetBIOS (amplifier) */
|
||
|
status = handle_nbtstat(out, timestamp, px, length, parsed, entropy);
|
||
|
break;
|
||
|
case 161: /* SNMP - Simple Network Managment Protocol (amplifier) */
|
||
|
status = handle_snmp(out, timestamp, px, length, parsed, entropy);
|
||
|
break;
|
||
|
case 500: /* ISAKMP - IPsec key negotiation */
|
||
|
status = isakmp_parse(out, timestamp,
|
||
|
px + parsed->app_offset, parsed->app_length, parsed, entropy);
|
||
|
break;
|
||
|
case 5683:
|
||
|
status = coap_handle_response(out, timestamp,
|
||
|
px + parsed->app_offset, parsed->app_length, parsed, entropy);
|
||
|
break;
|
||
|
case 11211: /* memcached (amplifier) */
|
||
|
px += parsed->app_offset;
|
||
|
length = parsed->app_length;
|
||
|
status = memcached_udp_parse(out, timestamp, px, length, parsed, entropy);
|
||
|
break;
|
||
|
case 16464:
|
||
|
case 16465:
|
||
|
case 16470:
|
||
|
case 16471:
|
||
|
status = handle_zeroaccess(out, timestamp, px, length, parsed, entropy);
|
||
|
break;
|
||
|
default:
|
||
|
px += parsed->app_offset;
|
||
|
length = parsed->app_length;
|
||
|
status = default_udp_parse(out, timestamp, px, length, parsed, entropy);
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
|
||
|
/* Report banner if some parser didn't already do so.
|
||
|
* Also report raw dump if `--rawudp` specified on the
|
||
|
* command-line, even if a protocol above already created a more detailed
|
||
|
* banner. */
|
||
|
if (status == 0 || out->is_banner_rawudp) {
|
||
|
output_report_banner(
|
||
|
out,
|
||
|
timestamp,
|
||
|
ip_them,
|
||
|
17, /* ip proto = udp */
|
||
|
port_them,
|
||
|
PROTO_NONE,
|
||
|
parsed->ip_ttl,
|
||
|
px + parsed->app_offset,
|
||
|
parsed->app_length);
|
||
|
}
|
||
|
}
|