<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.3.1">Jekyll</generator><link href="https://natesubra.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://natesubra.github.io/" rel="alternate" type="text/html" /><updated>2023-11-16T17:07:34+00:00</updated><id>https://natesubra.github.io/feed.xml</id><title type="html">natesubra</title><subtitle>A blog by Nate Subra
</subtitle><author><name>Nate Subra</name></author><entry><title type="html">Scanning custom UDP protocols with masscan</title><link href="https://natesubra.github.io/til/2023/11/16/scan-custom-udp-protocol-masscan.html" rel="alternate" type="text/html" title="Scanning custom UDP protocols with masscan" /><published>2023-11-16T00:00:00+00:00</published><updated>2023-11-16T00:00:00+00:00</updated><id>https://natesubra.github.io/til/2023/11/16/scan-custom-udp-protocol-masscan</id><content type="html" xml:base="https://natesubra.github.io/til/2023/11/16/scan-custom-udp-protocol-masscan.html"><![CDATA[<div class="paragraph">
<p>One of my security researcher acquaintances (hi Reid!) was working on an interesting problem set the other day.</p>
</div>
<div class="paragraph">
<p>The goal was to identify hosts on the internet running a custom UDP protocol. The problem is that custom scanning at scale is kind of a pain: you&#8217;re looking at writing a decent amount of C to scan for what is often a one-off.</p>
</div>
<div class="paragraph">
<p>Reid discovered that Nmap has a <a href="https://nmap.org/book/nmap-payloads.html">feature</a> that allows you to specify a custom UDP payload to send to a host.</p>
</div>
<div class="paragraph">
<p>This is great, but Nmap is single-threaded and not the fastest scanner out there (by design). We want to scan at scale, so we need something faster.</p>
</div>
<div class="paragraph">
<p>Well, masscan supports many Nmap-compatible options (via libpcap), and checking the masscan man page we find <a href="https://github.com/robertdavidgraham/masscan/blob/2a547f72cee47f8a47d367c7ef43051455401e3e/doc/masscan.8.markdown?plain=1#L124">this</a> gem:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight"><code data-lang="man">  * `--nmap-payloads FILE`: read in a file in the same format as
    the nmap file `nmap-payloads`. This contains UDP payload, so that we
    can send useful UDP packets instead of empty ones. Similar to
    `--pcap-payloads`.
</code></pre>
</div>
</div>
<div class="paragraph">
<p>So, we can use masscan to scan for custom UDP protocols by creating an nmap-payloads file with our port/payload and then pass that file to masscan.</p>
</div>
<div class="paragraph">
<p>Let&#8217;s create a new nmap-payloads file with the following contents:</p>
</div>
<div class="listingblock">
<div class="title">my-payload-file.txt</div>
<div class="content">
<pre class="rouge highlight"><code data-lang="text"># we've been trying to reach you about your cars extended warranty
udp 1234
    "\x77\x65\x27\x76\x65\x20\x62\x65\x65\x6e\x20\x74\x72\x79\x69\x6e\x67\x20\x74\x6f\x20\x72\x65\x61\x63\x68\x20\x79\x6f\x75\x20\x61\x62\x6f\x75\x74\x20\x79\x6f\x75\x72\x20\x63\x61\x72\x73\x20\x65\x78\x74\x65\x6e\x64\x65\x64\x20\x77\x61\x72\x72\x61\x6e\x74\x79"
</code></pre>
</div>
</div>
<div class="paragraph">
<p>and then leverage masscan to send that payload when scanning:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight"><code data-lang="sh">masscan &lt;target_range&gt; <span class="nt">--nmap-payloads</span> my-payload-file.txt <span class="nt">-p</span> U:1234
</code></pre>
</div>
</div>
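<div class="paragraph">
<p>As an added example (not masscan&#8217;s, Nmap&#8217;s or this post&#8217;s own code), here is a small Python parser and writer for the nmap-payloads format that <code>--nmap-payloads</code> reads. It handles the format as Nmap documents it: <code>#</code> comment lines, <code>udp &lt;ports&gt; "..."</code> entries whose quoted strings may continue over the following lines and are concatenated, and an optional <code>source &lt;port&gt;</code> line. The sample file it parses is constructed here (the entry above plus a second, made-up one), the helper names are this example&#8217;s own, and the &#8220;first entry that lists the port&#8221; selection rule is an assumption rather than masscan&#8217;s documented behaviour. It is useful both for checking which bytes a payload file will actually put on the wire before a scan and for generating the <code>\xHH</code> string from bytes instead of hand-typing it.</p>
</div>

```python
"""Parser and writer for the nmap-payloads file format read by masscan's
--nmap-payloads. Example code added for illustration, not masscan's or Nmap's
own implementation. Assumes the format as Nmap documents it: '#' comment lines,
'udp <ports> "<string>" ...' entries whose quoted strings may continue on the
following lines and are concatenated, and an optional 'source <port>' line."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Single-character C escapes accepted inside a quoted payload string.
_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "0": b"\x00", "\\": b"\\", '"': b'"'}
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted string, escapes allowed
_UDP_LINE = re.compile(r"udp\s+([0-9,\-]+)\s*(.*)$")


@dataclass
class Payload:
    ports: list[int]                 # every destination port this payload applies to
    data: bytes = b""                # decoded bytes that go on the wire
    source_port: int | None = None   # optional fixed UDP source port


def decode_c_string(s: str) -> bytes:
    """Decode the inside of one quoted payload string (\\xHH and C escapes)."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out += s[i].encode("latin-1")
            i += 1
            continue
        esc = s[i + 1:i + 2]
        if esc == "x":
            hexpair = s[i + 2:i + 4]
            if not re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
                raise ValueError(f"bad \\x escape at offset {i}: {s[i:i + 4]!r}")
            out.append(int(hexpair, 16))
            i += 4
        elif esc in _ESCAPES:
            out += _ESCAPES[esc]
            i += 2
        else:
            raise ValueError(f"unknown escape at offset {i}: {s[i:i + 2]!r}")
    return bytes(out)


def parse_ports(spec: str) -> list[int]:
    """Expand a port spec such as '53,67-68' into [53, 67, 68]."""
    ports: list[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ports.extend(range(lo_i, hi_i + 1))
    return ports


def parse_nmap_payloads(text: str) -> list[Payload]:
    """Parse a whole nmap-payloads file into Payload entries."""
    entries: list[Payload] = []
    current: Payload | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        m = _UDP_LINE.match(line)
        if m:                                      # start of a new entry
            current = Payload(ports=parse_ports(m.group(1)))
            entries.append(current)
            line = m.group(2)
        elif current is None:
            raise ValueError(f"line {lineno}: data before any 'udp' entry")
        if line.startswith("source "):
            current.source_port = int(line[len("source "):])
            continue
        for q in _QUOTED.finditer(line):           # concatenate every quoted piece
            current.data += decode_c_string(q.group(1))
        if _QUOTED.sub("", line).strip():          # anything left over is a syntax error
            raise ValueError(f"line {lineno}: unparsed text {line!r}")
    return entries


def payload_for_port(entries: list[Payload], port: int) -> bytes | None:
    """Bytes that would be sent to `port`: the first entry listing it
    (this example's rule, not necessarily masscan's own selection)."""
    for entry in entries:
        if port in entry.ports:
            return entry.data
    return None


def format_entry(ports: str, data: bytes, comment: str | None = None) -> str:
    """Write an entry with every byte as \\xHH, so a payload that already exists
    as bytes never has to be hand-typed (the fat-finger problem)."""
    body = "".join(f"\\x{b:02x}" for b in data)
    lines = [f"# {comment}"] if comment else []
    lines += [f"udp {ports}", f'    "{body}"']
    return "\n".join(lines) + "\n"


# Constructed sample file: the post's entry plus a multi-line one with a source port.
SAMPLE_FILE = r"""# we've been trying to reach you about your cars extended warranty
udp 1234
    "\x77\x65\x27\x76\x65\x20\x62\x65\x65\x6e\x20\x74\x72\x79\x69\x6e\x67\x20\x74\x6f\x20\x72\x65\x61\x63\x68\x20\x79\x6f\x75\x20\x61\x62\x6f\x75\x74\x20\x79\x6f\x75\x72\x20\x63\x61\x72\x73\x20\x65\x78\x74\x65\x6e\x64\x65\x64\x20\x77\x61\x72\x72\x61\x6e\x74\x79"

# constructed: two strings concatenated, a port range, and a fixed source port
udp 9000-9001,9100
    "\x01\x02"
    "hello\x00\"quoted\"\n"
    source 4242
"""

if __name__ == "__main__":
    parsed = parse_nmap_payloads(SAMPLE_FILE)
    for entry in parsed:
        print(entry.ports, entry.source_port, entry.data)
    # Regenerate the post's entry from bytes rather than hand-typing the hex.
    print(format_entry("1234", parsed[0].data, "round-trip of the post's payload"), end="")
```

<div class="paragraph">
<p>Running the block prints each parsed entry (ports, source port, decoded bytes) and then regenerates the <code>udp 1234</code> entry from the decoded bytes; <code>format_entry</code> is the easier way to build such a file when the payload already exists as bytes, for example after pulling it out of a packet capture.</p>
</div>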
<div class="paragraph">
<p>Masscan also has the option to parse a pcap and reuse the UDP payloads it contains when scanning, which saves some typing and potentially some fat fingers.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight"><code data-lang="text">  * `--pcap-payloads FILE`: read packets from a libpcap file containing packets
    and extract the UDP payloads, and associate those payloads with the
    destination port. These payloads will then be used when sending UDP
    packets with the matching destination port. Only one payload will
    be remembered per port. Similar to `--nmap-payloads`.
</code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
These options are documented in the man page but not in the <code>masscan -h</code> help output; always check your man pages and source code to know the true capabilities of your tools.
</td>
</tr>
</table>
</div>]]></content><author><name>Nate Subra</name></author><category term="TIL" /><category term="methodology" /><category term="workflow" /><category term="scanning" /></entry><entry><title type="html">Hello World</title><link href="https://natesubra.github.io/2022/11/04/hello-world.html" rel="alternate" type="text/html" title="Hello World" /><published>2022-11-04T00:00:00+00:00</published><updated>2022-11-04T00:00:00+00:00</updated><id>https://natesubra.github.io/2022/11/04/hello-world</id><content type="html" xml:base="https://natesubra.github.io/2022/11/04/hello-world.html"><![CDATA[<div class="sect1">
<h2 id="its-alive"><a class="anchor" href="#its-alive"></a>It&#8217;s ALIVE</h2>
<div class="sectionbody">
<div class="paragraph">
<p>It&#8217;s been a long time since I&#8217;ve blogged or written anything publicly. I&#8217;m aiming to change that with this blog.</p>
</div>
<div class="paragraph">
<p>My tentative plan is to talk about my thoughts around Red Teaming and the various information security fields I work in. I also plan to talk about some of the tech I work with and share my security research publicly when possible.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="the-blog-itself"><a class="anchor" href="#the-blog-itself"></a>The blog itself</h2>
<div class="sectionbody">
<div class="paragraph">
<p>I figured I&#8217;d start by talking about the technology this blog is built on. I&#8217;ve used many of these technologies for both personal and professional applications.</p>
</div>
<div class="sect2">
<h3 id="asciidoc"><a class="anchor" href="#asciidoc"></a>AsciiDoc</h3>
<div class="paragraph">
<p>The posts are written in <a href="https://asciidoc.org/">AsciiDoc</a>. AsciiDoc is a markup language I found out about a few years ago while looking for a better way to generate technical documentation. I&#8217;d describe it as more powerful than Markdown, but not as complex as LaTeX. It has a great <a href="https://chat.asciidoc.org">OSS community</a>.</p>
</div>
<div class="paragraph">
<p>Generally, I write most of my documentation in Markdown because it is the de facto standard for many projects. It&#8217;s widely used and most technical folks are at least familiar with the name. For complex projects and personal projects I generally choose AsciiDoc for its feature set and enhanced formatting capabilities.</p>
</div>
<div class="paragraph">
<p>It has a great toolchain, with libraries available for many languages (JS, Java, Ruby to name a few).</p>
</div>
<div class="paragraph">
<p>It also has a fantastic <a href="https://github.com/asciidoctor/asciidoctor-pdf">Asciidoctor PDF</a> toolchain, which I&#8217;ve used to generate client documentation and reports (maybe a post on that someday).</p>
</div>
<div class="sect3">
<h4 id="features"><a class="anchor" href="#features"></a>Features</h4>
<div class="paragraph">
<p>Some of the features that AsciiDoc provides:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Automatic ordering of lists (<em>I didn&#8217;t type these numbers</em>)</p>
</li>
<li>
<p>Being able to reference/include other files with syntax highlighting</p>
<div class="literalblock">
<div class="content">
<pre>The code below exists in my repo, but the content rendered here is inserted dynamically at generation. This allows me to reference code in my documentation, without requiring me to keep a copy in my post.</pre>
</div>
</div>
<div class="listingblock">
<div class="content">
<pre class="rouge highlight"><code data-lang="shell"><span class="c">#!/usr/bin/env bash</span>

<span class="c"># exit on any error, on unset variables, and on failures inside a pipeline</span>
<span class="nb">set</span> <span class="nt">-euo</span> pipefail

<span class="nb">printf</span> <span class="s1">'hello world\n'</span>
</code></pre>
</div>
</div>
</li>
<li>
<p>Macros and text replacement</p>
</li>
<li>
<p>Admonitions</p>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
This is an admonition
</td>
</tr>
</table>
</div>
</li>
<li>
<p>Rendering diagrams as code (Mermaid, Kroki, etc.)</p>
<div class="listingblock">
<div class="title">Example Mermaid Diagram</div>
<div class="content">
<pre>flowchart TD
    A[Deploy to production] --&gt; B(Where else would we deploy?);
    B -- True dat --&gt; C[DEPLOY ALL THE THINGS];
    C ----&gt; E(???);
    E --&gt; F[Profit];</pre>
</div>
</div>
</li>
</ol>
</div>
<div class="paragraph">
<p>For additional details regarding AsciiDoc capabilities, I recommend peeking at the <a href="https://docs.asciidoctor.org/asciidoc/latest/syntax-quick-reference/">Quick Reference</a>.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="the-process"><a class="anchor" href="#the-process"></a>The Process</h3>
<div class="sect3">
<h4 id="writing-the-content-visual-studio-code"><a class="anchor" href="#writing-the-content-visual-studio-code"></a>Writing the content: Visual Studio Code</h4>
<div class="paragraph">
<p>I write my posts using <a href="https://code.visualstudio.com">VSCode</a>.</p>
</div>
<div class="paragraph">
<p>I use the <a href="https://marketplace.visualstudio.com/items?itemName=asciidoctor.asciidoctor-vscode">AsciiDoc</a> extension to provide linting, syntax highlighting, and live preview of my content.</p>
</div>
<div class="paragraph">
<p>I use the <a href="https://marketplace.visualstudio.com/items?itemName=ban.spellright">Spell Right</a> extension to further mitigate my fat fingers.</p>
</div>
<div class="paragraph">
<p>What does that look like?</p>
</div>
<div class="paragraph">
<p>Something like this:</p>
</div>
<div id="vscode-setup" class="imageblock text-center">
<div class="content">
<a class="image" href="https://natesubra.com/assets/images/hello-world-vscode.png"><img src="/assets/images/hello-world-vscode_thumb.png" alt="My VSCode Setup"></a>
</div>
<div class="title">Figure 1. My VSCode Setup</div>
</div>
</div>
<div class="sect3">
<h4 id="jekyll-and-jekyll-asciidoc"><a class="anchor" href="#jekyll-and-jekyll-asciidoc"></a>Jekyll (and jekyll-asciidoc)</h4>
<div class="paragraph">
<p><a href="https://jekyllrb.com">Jekyll</a> is a static website generation tool. It converts Markdown to HTML to allow for simple and seamless creation of content. By adding the <a href="https://github.com/asciidoctor/jekyll-asciidoc">Jekyll AsciiDoc</a> plugin, I can write in AsciiDoc and have it rendered to HTML, letting me have the power and flexibility of AsciiDoc while using a well-known and supported static site generator.</p>
</div>
</div>
<div class="sect3">
<h4 id="github"><a class="anchor" href="#github"></a>GitHub</h4>
<div class="paragraph">
<p>I use <a href="https://pages.github.com">GitHub Pages</a> to host the content of this site. This means the complete source code is available on <a href="https://github.com/natesubra/natesubra.github.io">GitHub</a>.</p>
</div>
<div class="paragraph">
<p><a href="https://github.com/features/actions">GitHub Actions</a> runs the build and saves the rendered content to the <code>gh-pages</code> branch.</p>
</div>
<div class="paragraph">
<p>You can browse the rendered content in the <code>gh-pages</code> branch <a href="https://github.com/natesubra/natesubra.github.io/tree/gh-pages">here</a>.</p>
</div>
<div class="paragraph">
<p>If you want to see what this post looked like before it was rendered to HTML, you can see it in AsciiDoc raw format <a href="https://raw.githubusercontent.com/natesubra/natesubra.github.io/main/_posts/2022-11-04-hello-world.adoc">here</a>.</p>
</div>
</div>
<div class="sect3">
<h4 id="cloudflare"><a class="anchor" href="#cloudflare"></a>CloudFlare</h4>
<div class="paragraph">
<p>I use <a href="https://www.cloudflare.com">CloudFlare</a> as my domain registrar and to manage DNS for my domain(s).</p>
</div>
<div class="paragraph">
<p>CloudFlare also provides CDN capabilities as well as terminating SSL.</p>
</div>
<div class="paragraph">
<p>Combining this with GitHub Pages allows me to use my domain as a landing page. This site is also available at <a href="https://natesubra.github.io" class="bare">https://natesubra.github.io</a> (which should redirect to <a href="https://natesubra.com" class="bare">https://natesubra.com</a>).</p>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="wrapping-things-up"><a class="anchor" href="#wrapping-things-up"></a>Wrapping things up</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Thanks for reading if you&#8217;ve made it this far. I mostly write for myself but I hope others find it informative/entertaining.</p>
</div>
</div>
</div>]]></content><author><name>Nate Subra</name></author></entry></feed>