mailing list archives
Re: Confused about some port scan results.
From: "Michael Pattrick" <mpattrick () rhinovirus org>
Date: Thu, 26 Jun 2008 11:26:34 -0400
On Thu, Jun 26, 2008 at 5:06 AM, Jason Cipriani
<jason.cipriani () gmail com> wrote:
1. I'm using the correct command line options, right (UDP scan, in
order, 6000 to 6500, of 192.168.2.200)?
Yes, this is the correct command line, however, I would advice also
doing a version scan along with UDP scans -sV, more on that below.
2. I happen to know that the device only watches for data on port
6300. Why does it say all 501 ports are open/filtered?
The problem is that the UDP protocol doesn't require an application to
respond to an 'invalid packet' and the probe that nmap sends is almost
certainly invalid. If the port were closed then the target would send
an RST packet, the target didnt send any packet witch means that it is
ether open(and discarded the packet) or firewalled(and the firewall
discarded the packet). This is why I recommended the version scan
above; version scan sends valid traffic to the port forcing most UDP
servers to respond. That could turn an 'open|filtered' result into
'open'; however, if the server is uncommon or only responds to special
packets then it will still be in a state of 'open|filtered'.
Hope that helps,
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org