HIGH: Accessible XDMCP Service Report

DESCRIPTION LAST UPDATED: 2024-01-01

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the X Display Manager service running and accessible on the Internet.

Our probe tests to see if the X Display Manager is accessible by sending a “Query” packet to the XDMCP port (177/UDP) and listening for the responses.

The responses received are typically either of the “Willing” type, which means that the X Display Manager is willing to provide service, or the “Unwilling” type, which means that the X Display Manager is not willing to provide services.

XDMCP leaks information about the host system and, in addition, it can be used in an amplification attack, providing an approximate 7x amplification. Please note that it does not matter if XDMCP responds with a “Willing” or an “Unwilling”; the service provides the same level of amplification.

Technical details of the XDMCP protocol can be found on the x.org website.

You can track XDMCP service scan results on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filenames: scan_xdmcp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the XDMCP response came on (always UDP)
  • port
    Port that the XDMCP response came from (usually 177/UDP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be xdmcp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • opcode
    The response of what state of action the X Display Manager is in — this will usually be "Willing" (meaning that our anonymous connection was accepted) or "Unwilling" (meaning that our connection was refused)
  • reported_hostname
    This is the self-reported hostname that is returned in the XDMCP response
  • status
    Any additional information that the X Display Manager returned to us — it may be an error condition or information about the host running XDM
  • response_size
    Payload response size in bytes, excluding the UDP header
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","opcode","reported_hostname","status","response_size","amplification","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,177,node01.example.com,xdmcp,64512,ZZ,Region,City,0,,Willing,node01.example.com,"SunOS 5.11",29,4.14,
"2010-02-10 00:00:01",high,192.168.0.2,udp,177,node02.example.com,xdmcp,64512,ZZ,Region,City,0,ptr,Willing,node02.example.com,"Linux 4.12.14-95.29-default",47,6.71,
"2010-02-10 00:00:02",high,192.168.0.3,udp,177,node03.example.com,xdmcp,64512,ZZ,Region,City,0,,Willing,node03.example.com,"Linux 2.6.32-696.el6.x86_64",47,6.71,


Our 130 Report Types