Merge pull request #2 from todb-r7/simplify-chargen-detection

Add chargen to udp_probe and udp_sweep

Author: mcantoni

modules/auxiliary/scanner/discovery/udp_probe.rb

@@ -204,6 +204,11 @@ def parse_reply(pkt)
 
     case pkt[2]
 
+      when 19
+        app = 'chargen'
+        return unless chargen_parse(pkt[0])
+        @results[hkey] = true
+
       when 53
         app = 'DNS'
         ver = nil
@@ -362,6 +367,13 @@ def db2disco_parse(data)
     "#{res[2]}_#{res[1]}"
   end
 
+  #
+  # Validate a chargen packet.
+  #
+  def chargen_parse(data)
+    data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
+  end
+
   #
   # Validate this is truly Citrix ICA; returns true or false.
   #
@@ -397,6 +409,11 @@ def mssql_ping_parse(data)
   # The probe definitions
   #
 
+  def probe_chargen(ip)
+    pkt = Rex::Text.rand_text_alpha_lower(1)
+    return [pkt, 19]
+  end
+
   def probe_pkt_dns(ip)
     data = [rand(0xffff)].pack('n') +
     "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+

modules/auxiliary/scanner/discovery/udp_sweep.rb

@@ -153,6 +153,12 @@ def scanner_process(data, shost, sport)
 
     case sport
 
+      when 19
+        app = 'chargen'
+        ver = nil
+        return unless chargen_parse(data)
+        @results[hkey] = true
+
       when 53
         app = 'DNS'
         ver = nil
@@ -306,6 +312,13 @@ def scanner_process(data, shost, sport)
     print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})")
   end
 
+  #
+  # Validate a chargen packet.
+  #
+  def chargen_parse(data)
+    data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
+  end
+
   #
   # Parse a db2disco packet.
   #
@@ -349,6 +362,11 @@ def mssql_ping_parse(data)
   # The probe definitions
   #
 
+  def probe_chargen(ip)
+    pkt = Rex::Text.rand_text_alpha_lower(1)
+    return [pkt, 19]
+  end
+
   def probe_pkt_dns(ip)
     data = [rand(0xffff)].pack('n') +
     "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+