2. #whoami – Savan Gadhiya
•Principal Security Consultant at NotSoSecure
•Hacker, Security Researcher, Developer and Bounty Hunter ☺
•9 years of experience in Information Technology
•Master of Engineering in IT Systems and Network Security
•LinkedIn: https://in.linkedin.com/in/gadhiyasavan
•Twitter: @gadhiyasavan
•Blog: https://www.gadhiyasavan.com
3. UDP – User Datagram Protocol
•Unreliable delivery
• Send UDP probe and wait for response
• UDP packets can be dropped, lost, timeout etc.
• No acknowledgements, no guarantee
•Connectionless
• Unlike TCP, UDP does not establish a connection
• We can just send and receive packets – No 3-Way Handshake (SYN, SYN-ACK, ACK)
•Useful for time sensitive applications
• Streaming
• VoIP
4. UDP – User Datagram Protocol – Example
•Domain Name Service(DNS) – Port 53
• Used for domain name resolution
• Sends a packet(UDP) with a hostname to resolve it
• Response would be it’s IP address
• Process takes around 2 packets with UDP – TCP would require more than 4
5. UDP Scanning
•Sends a UDP packet to the port
• UDP reply - the port is open
• ICMP unreachable – the port is closed
• No response – the port is open or filtered
•Challenges
• Slow and painful exercise
• There is no connection
• Some services only responds to valid packet and if the packet sent is what the system expect to see
• Not reliable
• ICMP replies are usually rate-limited by hosts, dropped by firewall etc.
7. What is UDP Hunter?
•Python based open source network assessment tool
•Supports IPv4 and IPv6
•25 UDP probes supported
•Bulk UDP probe scanning of large network
•Targeted host, service, probe scanning
•Guidance to exploit the identified services
•Neat text reporting
8. How does UDP Hunter work?
•Creates list of IP addresses from IP range
•Supports domain names – UDP Hunter resolves IP to perform scanning
•Sends UDP probes to all listed IPs
•UDP Hunter sniffs the network traffic particularly for UDP
•Reports UDP service if it get response of UDP probes
9. Supported UDP Probes
• ike - 500 port
• rpc / RPCCheck - 111 port
• ntp / NTPRequest - 123 port
• snmp-public / SNMPv3GetRequest - 161 port
• ms-sql / ms-sql-slam - 1434 port
• netop - 6502 port
• tftp - 69 port
• db2 - 523 port
• citrix - 1604 port
• echo - 7 port
• chargen - 19 port
• systat - 11 port
• daytime / time - 13 port
• DNSStatusRequest / DNSVersionBindReq - 53 port
• NBTStat - 137 port
• xdmcp - 177 port
• net-support - 5405 port
• mdns-zeroconf - 5353 port
• gtpv1 - 2123 port
10. UDP Hunter – Setup
• Download the tool from here or Clone the repository:
• git clone https://github.com/NotSoSecure/udp-hunter
• Requirements:
• Python 3.x
• Python Modules - also mentioned in “requirements.txt” file
• netaddr
• colorama
• argparse
• ifaddr
• datetime
• Install all required modules:
• pip3 install -r requirements.txt
• Configuration files required:
• udp.txt - This file contains UDP probes
• udphelp.txt - This file contains list of tools, suggestions for each UDP probes or services
13. Credits
•UDP probes are mainly taken from:
• amap
• ike-scan
• nmap and
• udp-proto-scanner
•Inspiration for the scanning code was drawn from udp-proto-scanner
Read More: https://www.gadhiyasavan.com/2020/02/udp-hunter.html
14. UDP Hunter – Future Work
•Add more UDP probes
•Different reporting formats
•Update exploitation related helps
Read More: https://www.gadhiyasavan.com/2020/02/udp-hunter.html
