masscan-mark-ii/src/proto-udp.c


#include "proto-udp.h"
#include "proto-coap.h"
#include "proto-dns.h"
#include "proto-isakmp.h"
#include "proto-netbios.h"
#include "proto-snmp.h"
#include "proto-memcached.h"
#include "proto-ntp.h"
#include "proto-zeroaccess.h"
#include "proto-preprocess.h"
#include "syn-cookie.h"
#include "util-logger.h"
#include "output.h"
#include "masscan-status.h"
#include "unusedparm.h"
/****************************************************************************
 * Fallback banner reporter for UDP responses that have no dedicated parser.
 *
 * When the "--banner" command-line option is selected, this reports up to
 * the first 64 bytes of a UDP payload as a raw banner. Other UDP protocol
 * parsers may also fall back to this function when they detect that a
 * response is not in the format they expect: for example, a reply on port
 * 161 that is clearly not ASN.1 encoded makes the SNMP parser call this
 * instead. In such cases the protocol identifier will be [unknown] rather
 * than [snmp].
 *
 * @param out       output object the banner is reported to
 * @param timestamp time the response was received
 * @param px        first byte of the payload to report
 * @param length    number of bytes available at `px`
 * @param parsed    decoded packet headers (source address/port and TTL)
 * @param entropy   unused here; kept for signature parity with other parsers
 * @return always 0
 ****************************************************************************/
unsigned
default_udp_parse(struct Output *out, time_t timestamp,
                  const unsigned char *px, unsigned length,
                  struct PreprocessedInfo *parsed,
                  uint64_t entropy)
{
    /* Raw banners are truncated to this many bytes. */
    enum { MAX_RAW_BANNER = 64 };
    const unsigned reported = (length > MAX_RAW_BANNER) ? MAX_RAW_BANNER : length;

    UNUSEDPARM(entropy);

    output_report_banner(out, timestamp,
                         parsed->src_ip, 17 /* ip proto = udp */, parsed->port_src,
                         PROTO_NONE,
                         parsed->ip_ttl,
                         px, reported);
    return 0;
}
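/****************************************************************************
 * Dispatches a received UDP response to the parser for its source port.
 *
 * The port is always reported as "open" first, since any UDP reply means
 * something answered. The response is then handed to a protocol-specific
 * parser chosen by the source port; anything unrecognised goes to
 * default_udp_parse(). Finally the raw payload is reported as a banner when
 * no parser claimed the response (status == 0), or unconditionally when
 * `--rawudp` was given on the command line.
 *
 * Some parsers receive the whole captured packet (`px`/`length`), others
 * only the UDP payload (`parsed->app_offset`/`parsed->app_length`); each
 * case arm below passes whichever its parser expects.
 *
 * @param out       output object status and banners are reported to
 * @param timestamp time the response was received
 * @param px        start of the captured packet bytes
 * @param length    number of bytes at `px`
 * @param parsed    decoded headers; app_offset/app_length locate the payload
 * @param entropy   opaque value forwarded unchanged to the protocol parsers
 ****************************************************************************/
void
handle_udp(struct Output *out, time_t timestamp,
           const unsigned char *px, unsigned length,
           struct PreprocessedInfo *parsed, uint64_t entropy)
{
    ipaddress ip_them = parsed->src_ip;
    unsigned port_them = parsed->port_src;
    unsigned status = 0;
    unsigned app_offset = parsed->app_offset;
    unsigned app_length = parsed->app_length;

    /* Defensive clamp: the preprocessor is expected to keep the payload
     * inside the captured packet, but enforce it here so the banner report
     * below can never read past `px + length`. */
    if (app_offset > length) {
        app_offset = length;
        app_length = 0;
    } else if (app_length > length - app_offset) {
        app_length = length - app_offset;
    }

    /* Locate the payload once and never advance `px` itself: the final
     * raw-banner report uses this same pointer, so offsetting `px` inside a
     * case arm would shift that report past the payload. */
    const unsigned char *app = px + app_offset;

    /* Report "open" status regardless */
    output_report_status(out,
                         timestamp,
                         PortStatus_Open,
                         ip_them,
                         17, /* ip proto = udp */
                         port_them,
                         0,
                         parsed->ip_ttl,
                         parsed->mac_src);

    switch (port_them) {
    case 53: /* DNS - Domain Name System (amplifier) */
        status = handle_dns(out, timestamp, px, length, parsed, entropy);
        break;
    case 123: /* NTP - Network Time Protocol (amplifier) */
        status = ntp_handle_response(out, timestamp, px, length, parsed, entropy);
        break;
    case 137: /* NetBIOS (amplifier) */
        status = handle_nbtstat(out, timestamp, px, length, parsed, entropy);
        break;
    case 161: /* SNMP - Simple Network Management Protocol (amplifier) */
        status = handle_snmp(out, timestamp, px, length, parsed, entropy);
        break;
    case 500: /* ISAKMP - IPsec key negotiation */
        status = isakmp_parse(out, timestamp, app, app_length, parsed, entropy);
        break;
    case 5683: /* CoAP */
        status = coap_handle_response(out, timestamp, app, app_length, parsed, entropy);
        break;
    case 11211: /* memcached (amplifier) */
        status = memcached_udp_parse(out, timestamp, app, app_length, parsed, entropy);
        break;
    case 16464:
    case 16465:
    case 16470:
    case 16471:
        status = handle_zeroaccess(out, timestamp, px, length, parsed, entropy);
        break;
    default:
        status = default_udp_parse(out, timestamp, app, app_length, parsed, entropy);
        break;
    }

    /* Report banner if some parser didn't already do so.
     * Also report raw dump if `--rawudp` specified on the
     * command-line, even if a protocol above already created a more detailed
     * banner. */
    if (status == 0 || out->is_banner_rawudp) {
        output_report_banner(out,
                             timestamp,
                             ip_them,
                             17, /* ip proto = udp */
                             port_them,
                             PROTO_NONE,
                             parsed->ip_ttl,
                             app,
                             app_length);
    }
}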