Detect RIPv1 via NMAP

Due to the recent increase of reflection attacks noted by Akamai's security teams using original RIP (classful, deprecated), I'm interested to see if some of the CPE running within a network segment here is still open to such abuse. There's a rather large fleet of a certain model that I strongly suspect is.

My problem is that NMAP can't determine if ports are closed or filtered with UDP.

nmap -p 520 -v -sU -Pn ??.??.0.0/13

This will produce

520/udp open|filtered route

On every address.

Is there an adjustment I can make to properly probe in this manner?

Linef4ult

Posted 2015-07-09T08:08:36.137

Reputation: 3 705

Maybe using nc rather than nmap, and feed it data where you know the response you will get, then check the response is what it would be for that UDP based protocol – barlop – 2015-07-09T10:44:28.090

Answers

Since at least version 5.35DC1, Nmap has included a UDP payload for RIPv1, which is sent when scanning UDP port 520:

# Routing Information Protocol version 1. Special-case request for the entire
# routing table (address family 0, address 0.0.0.0, metric 16). RFC 1058,
# section 3.4.1.
udp 520
  "\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x10"

This 24-byte request is intended to elicit a response from RIPv1 services, and should be the same one that attackers are using for DDoS reflection. When Nmap receives a packet in response to this probe, it marks the port as open.

If you see a flaw in this payload, please send a correction to dev@nmap.org so that other users can benefit. If your version of Nmap does not include the nmap-payloads file, please update to the latest version.

bonsaiviking

Posted 2015-07-09T08:08:36.137

Reputation: 1 563
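To see exactly what that 24-byte probe is and what a reply to it looks like on the wire, here is an added example (not part of the answer and not Nmap's own code) that builds the RFC 1058 whole-table request from its fields, checks it against the nmap-payloads bytes quoted above, and parses a constructed RIPv1 response the way a defender would when deciding whether a CPE answers unauthenticated requests. The field layout follows RFC 1058; the function names, the sample routes and the "amplification" figure (reply bytes per request byte) are this example's own.

```python
"""RIPv1 (RFC 1058) probe builder and response parser.

Added example; not Nmap's code, although it reproduces the nmap-payloads
bytes quoted in the answer so the two can be compared directly.
"""
import struct
import ipaddress

RIP_PORT = 520
RIP_REQUEST, RIP_RESPONSE = 1, 2
AF_INET_RIP = 2                          # address family used in RIP entries
HEADER = struct.Struct("!BBH")           # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s8xI")        # family, zero, address, 8 zero bytes, metric

# Bytes of the Nmap UDP payload for port 520, copied from the answer above.
NMAP_PAYLOAD = (b"\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                b"\x00\x00\x00\x00\x00\x00\x00\x10")


def build_whole_table_request() -> bytes:
    """Special-case request for the entire routing table (RFC 1058, 3.4.1):
    a single entry with family 0, address 0.0.0.0 and metric 16 (infinity)."""
    return HEADER.pack(RIP_REQUEST, 1, 0) + ENTRY.pack(0, 0, bytes(4), 16)


def parse_rip(data: bytes):
    """Return a dict describing a RIPv1 datagram, or None if it is not one.

    Length must be 4 + n*20 bytes, version must be 1, and the command must
    be request (1) or response (2)."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        return None
    command, version, zero = HEADER.unpack_from(data)
    if version != 1 or zero != 0 or command not in (RIP_REQUEST, RIP_RESPONSE):
        return None
    entries = []
    for off in range(HEADER.size, len(data), ENTRY.size):
        family, _, addr, metric = ENTRY.unpack_from(data, off)
        entries.append({"family": family,
                        "address": str(ipaddress.IPv4Address(addr)),
                        "metric": metric})
    return {"command": command, "version": version, "entries": entries}


def assess_reply(request: bytes, reply: bytes) -> dict:
    """Classify what came back from a host probed on UDP/520.

    A parsed RIPv1 *response* means the host answers unauthenticated
    whole-table requests on that interface; the amplification ratio is the
    number to watch when judging reflection exposure, since it grows with
    the size of the routing table the device is willing to hand out."""
    parsed = parse_rip(reply)
    if parsed is None or parsed["command"] != RIP_RESPONSE:
        return {"rip_response": False, "routes": 0, "amplification": 0.0}
    return {"rip_response": True,
            "routes": len(parsed["entries"]),
            "amplification": round(len(reply) / len(request), 2)}


def build_response(routes) -> bytes:
    """Build a RIPv1 response; used here only to construct sample traffic."""
    body = b"".join(ENTRY.pack(AF_INET_RIP, 0, ipaddress.IPv4Address(ip).packed, m)
                    for ip, m in routes)
    return HEADER.pack(RIP_RESPONSE, 1, 0) + body


# Constructed sample reply: what a router holding three routes would send back
# (64 bytes: 4-byte header plus three 20-byte entries).
SAMPLE_REPLY = build_response([("10.0.0.0", 1), ("192.168.1.0", 2), ("0.0.0.0", 1)])

if __name__ == "__main__":
    req = build_whole_table_request()
    print("matches nmap-payloads:", req == NMAP_PAYLOAD)   # True
    print(assess_reply(req, SAMPLE_REPLY))
```

The same parser can be pointed at a capture taken with --packet-trace or a sniffer: a datagram from port 520 that parse_rip() reports as command 2 is what makes Nmap flip the port from open|filtered to open, and a reply that does not parse (or no reply at all) is exactly the case the question is about, where UDP cannot distinguish closed from filtered.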

Running 6.49BETA4, so should be able to use the payload. As I read it nmap will use a known payload when it attempts that port, so I'm currently sending it? – Linef4ult – 2015-07-10T14:34:30.570

@Linef4ult Should be, but you can verify by using --packet-trace or a packet sniffer. – bonsaiviking – 2015-07-10T18:34:11.490

@bonsaiviking See http://pastebin.com/wRtRB1zn, it's locally exposed anyways. Not sure if the Juniper gear in between me and the pool is filtering 520 or if it's non-responsive on WAN. Unfortunately I don't have a DSLAM to test the WAN interface. Thanks for the help! – Linef4ult – 2015-07-10T22:53:32.420

Can you include the nmap command line? – barlop – 2015-07-11T14:47:59.113