Nmap Development: Re: Test for open TCP/UDP Ports

Re: Test for open TCP/UDP Ports

From: Brandon Enright <bmenrigh_at_ucsd.edu>
Date: Thu, 3 Apr 2008 06:39:51 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mario,

There is a fundamental difference in the way TCP and UDP work. With
TCP you set up a connection via a "full handshake" as you call it. It
is this handshake and the subsequent acknowledgment of data that give
TCP its reliability. UDP on the other hand does not have any such
connection setup or acknowledgement built in. Any UDP packet you get
in response to a probe is entirely up to the application that has the
listening UDP socket. In fact, the only time you'd expect to get a
packet back is when you send to a closed UDP port (ICMP destination
unreachable).

Even with the --data-length 10 directive, most applications will not
respond to your probe. One way to try to determine if a UDP port is
open versus filtered is to use "service version" detection with -sV.
The Nmap service fingerprinting engine knows about quite a few UDP
protocols and can often send probes that will elicit a response.

Nmap has *excellent* documentation and you can read a little bit about
the port scanning techniques here:

http://nmap.org/man/man-port-scanning-techniques.html

James "Professor" Messer has put together quite a bit of training
material on Nmap too. Here is some of his work covering UDP scans:

http://www.networkuptime.com/nmap/page3-10.shtml

UDP scans are valuable but you'll probably want to limit your scans to
just a handful of UDP ports like 53, 137, 161, 1900, etc.

The Unicornscan guys have done a lot of work with UDP and have the
ability to automatically send UDP packets with targeted payload to each
service _during_ the actual scanning. It basically won't work against
hosts that rate-limit ICMP messages though. You might want to check it
out.

Brandon

On Thu, 03 Apr 2008 08:24:51 +0200 or thereabouts "ml_at_bortal.de"
<ml_at_bortal.de> wrote:

> Hello List,
>
> I would like to test if I can reach an open TCP and UDP Port.
>
> Here is the way I use to test a TCP port (-sT does a full handshake,
> right?!):
> /usr/bin/nmap -sT --data-length 10 -n -q -r -e eth0:0 -P0 --open -T
> Aggressive -p 1234 123.123.123.123
> The results seem to make sense here.
>
>
> This is how I check a UDP port:
> /usr/bin/nmap -sU --data-length 10 -n -q -r -e eth0:0 -P0 --open -T
> Aggressive -p 1234 123.123.123.123
>
> The weird thing is that it still reports an open port if I unplug the
> network cable of 123.123.123.
>
>
> Where can I read up on how nmap does its UDP scan?
>
> Thanks, Mario
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH9Hu9qaGPzAsl94IRAm6HAKDB7w6wg/gqjl9gn+Hro53brSkj9gCdHqBL
WuUi1sK7K7lis8rrTnJ0hbc=
=zvGB
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Apr 02 2008
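The reply above explains why a UDP "open" result is weak evidence: a TCP connect scan gets a definite answer from the handshake, while a UDP probe only learns something if the application answers or the kernel hands back an ICMP port unreachable; silence is ambiguous, which is why Nmap reports such ports as open|filtered. The following Python script is an added illustration of that difference, written for this archive page and not code from Brandon, Mario, or the Nmap project. It stands up three constructed UDP "services" on the loopback interface (one that echoes, one that swallows datagrams, and one that is not listening at all) plus a TCP listener, probes each with a 10-byte filler payload in the spirit of --data-length 10, and classifies the outcome the way a scanner would. Real Nmap does considerably more (retransmissions, ICMP rate-limit handling, protocol-specific payloads with -sV), so treat this as the minimal model of the states, not a replacement for the scanner.

```python
import socket
import threading

# Ten filler bytes, mirroring the --data-length 10 idea from the thread (constructed value).
PROBE_PAYLOAD = b"\x00" * 10


def tcp_probe(host, port, timeout=1.0):
    """Connect-scan style probe (-sT): the kernel runs the full three-way handshake.
    SYN/ACK -> 'open', RST -> 'closed', no answer at all -> 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def udp_probe(host, port, payload=PROBE_PAYLOAD, timeout=1.0):
    """UDP probe: no handshake exists, so the only hard evidence is (a) application
    data coming back, or (b) an ICMP port unreachable, which the kernel surfaces as
    ECONNREFUSED on a *connected* UDP socket. Silence proves nothing: 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connected, so ICMP errors are delivered to this socket
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def start_udp_service(respond):
    """Constructed loopback 'service' on an ephemeral UDP port. With respond=True it
    echoes every datagram (a chatty protocol); with respond=False it swallows them,
    which is how most UDP applications treat a random payload. Returns (port, stop)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(1024)
            except socket.timeout:
                continue
            if respond:
                sock.sendto(data, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def unused_port(kind):
    """Bind an ephemeral port of the given type and release it immediately, so a
    probe to it reaches a port with no listener (RST for TCP, ICMP unreachable for UDP)."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe the constructed services and return the classification of each."""
    chatty_port, stop_chatty = start_udp_service(respond=True)
    silent_port, stop_silent = start_udp_service(respond=False)
    tcp_listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_listener.bind(("127.0.0.1", 0))
    tcp_listener.listen(1)
    try:
        return {
            "udp_chatty": udp_probe("127.0.0.1", chatty_port),
            "udp_silent": udp_probe("127.0.0.1", silent_port),
            "udp_closed": udp_probe("127.0.0.1", unused_port(socket.SOCK_DGRAM)),
            "tcp_open": tcp_probe("127.0.0.1", tcp_listener.getsockname()[1]),
            "tcp_closed": tcp_probe("127.0.0.1", unused_port(socket.SOCK_STREAM)),
        }
    finally:
        stop_chatty.set()
        stop_silent.set()
        tcp_listener.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:>11}: {state}")
```

The "udp_silent" line is the behaviour Mario saw: a bound UDP socket that ignores the probe looks exactly like a host that is unplugged or a firewall that drops the packet, so the scanner cannot call it open. Only the echoing service yields a definite "open", and only the ICMP unreachable from the unbound port yields a definite "closed"; a target that rate-limits those ICMP messages collapses even the "closed" case back into ambiguity, which is the caveat the post raises about Unicornscan.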
