
Scan custom UDP protocol with masscan

Open joroMaser opened this issue 3 years ago • 3 comments

How can I scan a list of IPs with only one specific UDP port (for example 8765)?

Send "ABC" to this port and check if the answer contains or equals "QWER".

Thank you all.

joroMaser avatar Jan 25 '22 15:01 joroMaser

Just in case anyone else was looking for a solution to this problem set, it is already supported (thanks Reid!):

The nmap feature, which masscan supports (at least v1.3.2): Reference

So to scan UDP port 1234 with "abcd"

Create a test payload file:

test.payload:

udp 1234
    "\x61\x62\x63\x64"

and then run the following with masscan

masscan <target_ip> --nmap-payloads test.payload -p U:1234

natesubra avatar Nov 16 '23 14:11 natesubra

To add to Nate's comment, if you want to look at the response data to see if it matches what you want, you can add the --rawudp flag (added just two days ago to masscan!).

This will record the UDP responses. While there is no filtering native to masscan (yet), you can do something like:

masscan <target_ip> --nmap-payloads test.payload -p U:1234 --rawudp

You will then get results which contain the actual response payload. You can use some external processing/grep/etc to filter out results and look for the QWER response.

reidmefirst avatar Nov 17 '23 17:11 reidmefirst
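Putting Nate's payload file and Reid's external post-processing together, as an added Python example that is not part of this thread or of masscan itself: it writes the nmap-payloads entry from raw probe bytes (escaping every byte as \xNN, as in the comment above) and filters banner lines for hosts whose decoded response contains or equals "QWER". The banner-line shape matched by BANNER_RE and the SAMPLE_OUTPUT lines are assumptions for illustration, not captured masscan output.

```python
import re
from pathlib import Path


def encode_nmap_payload(data: bytes) -> str:
    """Render bytes as the quoted \\xNN string used in nmap-payloads files."""
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'


def write_payload_file(path, ports, probe: bytes) -> str:
    """Write a minimal nmap-payloads file: one 'udp <ports>' entry plus the probe."""
    port_spec = ",".join(str(p) for p in ports)
    text = f"udp {port_spec}\n    {encode_nmap_payload(probe)}\n"
    Path(path).write_text(text)
    return text


# Assumed shape of a masscan banner line (an assumption, not verified against
# the masscan source); adjust the pattern to whatever your version prints.
BANNER_RE = re.compile(r"Banner on port (\d+)/udp on (\S+): \[[^\]]*\] (.*)$")
ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape_banner(text: str) -> bytes:
    """Turn \\xNN escapes back into raw bytes; other characters are kept as Latin-1."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")


def matching_hosts(output_lines, expected: bytes, exact: bool = False):
    """Return (ip, port) pairs whose decoded UDP response matches `expected`."""
    hits = []
    for line in output_lines:
        m = BANNER_RE.search(line)
        if not m:
            continue  # e.g. "Discovered open port ..." lines carry no payload
        port, ip, banner = m.groups()
        resp = unescape_banner(banner)
        if (resp == expected) if exact else (expected in resp):
            hits.append((ip, int(port)))
    return hits


# Constructed sample output for demonstration (format assumed, see above).
SAMPLE_OUTPUT = [
    "Discovered open port 1234/udp on 192.0.2.10",
    "Banner on port 1234/udp on 192.0.2.10: [unknown] QWER\\x00\\x01",
    "Banner on port 1234/udp on 192.0.2.11: [unknown] NOPE",
    "Banner on port 1234/udp on 192.0.2.12: [unknown] QWER",
]

if __name__ == "__main__":
    print(write_payload_file("test.payload", [1234], b"ABC"))
    print(matching_hosts(SAMPLE_OUTPUT, b"QWER"))
```

Feed the real masscan output (e.g. `masscan ... --rawudp -oL out.txt`) into `matching_hosts` line by line once you have confirmed the banner-line format your build prints.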

Is it possible to use --nmap-payloads to send two separate custom UDP probes to each target? For example, send "ABC" in the first probe and then immediately send "DEF". In my case, my targets respond only after they receive two such messages.

gabinkbl avatar Jan 04 '24 12:01 gabinkbl