UDP Scanning has always been a slow and painful exercise, and if you add IPv6 on top of UDP, the tool choices get pretty limited. UDP Hunter is a python based open source network assessment tool focused on UDP Service Scanning. With UDP Hunter, we have focused on providing auditing of widely known UDP protocols for IPv6 and IPv4 hosts. As of today, UDP Hunter supports 25 different service probes. The tool allows you to do bulk scanning of large networks as well as targeted host scanning for specific ports and more. Once an open service is discovered, UDP Hunter takes it one step further and even provides you guidance on how you can possibly exploit the discovered services. UDP Hunter provides reports in a neat text format, however, support for more formats is under way. Webinar: https://www.youtube.com/watch?v=yLEL5XrzFyE Read More: https://www.gadhiyasavan.com/2020/02/udp-hunter.html

1. UDP Hunter
NETWORK ASSESSMENT TOOL

2. #whoami – Savan Gadhiya
•Principal Security Consultant at NotSoSecure
•Hacker, Security Researcher, Developer and Bounty Hunter ☺
•9 years of experience in Information Technology
•Master of Engineering in IT Systems and Network Security
•LinkedIn: https://in.linkedin.com/in/gadhiyasavan
•Twitter: @gadhiyasavan
•Blog: https://www.gadhiyasavan.com

3. UDP – User Datagram Protocol
•Unreliable delivery
• Send UDP probe and wait for response
• UDP packets can be dropped, lost, timeout etc.
• No acknowledgements, no guarantee
•Connectionless
• Unlike TCP, UDP does not establish a connection
• We can just send and receive packets – No 3-Way Handshake (SYN, SYN-ACK, ACK)
•Useful for time sensitive applications
• Streaming
• VoIP

4. UDP – User Datagram Protocol – Example
•Domain Name Service(DNS) – Port 53
• Used for domain name resolution
• Sends a packet(UDP) with a hostname to resolve it
• Response would be it’s IP address
• Process takes around 2 packets with UDP – TCP would require more than 4

5. UDP Scanning
•Sends a UDP packet to the port
• UDP reply - the port is open
• ICMP unreachable – the port is closed
• No response – the port is open or filtered
•Challenges
• Slow and painful exercise
• There is no connection
• Some services only responds to valid packet and if the packet sent is what the system expect to see
• Not reliable
• ICMP replies are usually rate-limited by hosts, dropped by firewall etc.

6. UDP Scanning(Cont.)
•Limited tool choices
• Nmap
• Amap
• Unicornscan
• UDP Proto Scanner
•Protocol restrictions
• Limited IPv6 based tools

7. What is UDP Hunter?
•Python based open source network assessment tool
•Supports IPv4 and IPv6
•25 UDP probes supported
•Bulk UDP probe scanning of large network
•Targeted host, service, probe scanning
•Guidance to exploit the identified services
•Neat text reporting

8. How does UDP Hunter work?
•Creates list of IP addresses from IP range
•Supports domain names – UDP Hunter resolves IP to perform scanning
•Sends UDP probes to all listed IPs
•UDP Hunter sniffs the network traffic particularly for UDP
•Reports UDP service if it get response of UDP probes

9. Supported UDP Probes
• ike - 500 port
• rpc / RPCCheck - 111 port
• ntp / NTPRequest - 123 port
• snmp-public / SNMPv3GetRequest - 161 port
• ms-sql / ms-sql-slam - 1434 port
• netop - 6502 port
• tftp - 69 port
• db2 - 523 port
• citrix - 1604 port
• echo - 7 port
• chargen - 19 port
• systat - 11 port
• daytime / time - 13 port
• DNSStatusRequest / DNSVersionBindReq - 53 port
• NBTStat - 137 port
• xdmcp - 177 port
• net-support - 5405 port
• mdns-zeroconf - 5353 port
• gtpv1 - 2123 port

10. UDP Hunter – Setup
• Download the tool from here or Clone the repository:
• git clone https://github.com/NotSoSecure/udp-hunter
• Requirements:
• Python 3.x
• Python Modules - also mentioned in “requirements.txt” file
• netaddr
• colorama
• argparse
• ifaddr
• datetime
• Install all required modules:
• pip3 install -r requirements.txt
• Configuration files required:
• udp.txt - This file contains UDP probes
• udphelp.txt - This file contains list of tools, suggestions for each UDP probes or services

11. python3 udp-hunter.py

12. UDP Hunter – Asciinema - Demo
•Setup
• https://asciinema.org/a/305052
•Usage of UDP Hunter
• https://asciinema.org/a/305053

13. Credits
•UDP probes are mainly taken from:
• amap
• ike-scan
• nmap and
• udp-proto-scanner
•Inspiration for the scanning code was drawn from udp-proto-scanner
Read More: https://www.gadhiyasavan.com/2020/02/udp-hunter.html

14. UDP Hunter – Future Work
•Add more UDP probes
•Different reporting formats
•Update exploitation related helps
Read More: https://www.gadhiyasavan.com/2020/02/udp-hunter.html