Penetration Testing mailing list archives

Re: nmap -- UDP scanning
From: Fyodor <fyodor () insecure org>
Date: Tue, 10 Aug 2004 11:16:58 -0700

On Tue, Aug 10, 2004 at 12:04:19PM -0000, joshnunan123 () yahoo com wrote:

> If the port is open, nmap sends two udp packets with a length of zero -- no data is returned.
> If the port is filtered, nmap sends a single udp packet with a length of zero -- no data is returned.

You should try adding the --packet_trace option to Nmap instead of
sniffing at the same time with TCPdump.  That will show you exactly
what packets Nmap is sending and receiving.  In your case, I suspect
it will show that a firewall between you and the target is sending
ICMP destination unreachable messages in response to most of the UDP
probes.  Your "tcpdump targethost port" misses these because the
firewall is sending the unreachables.  And "tcpdump port 123" misses them
because they are ICMP.  Again, try --packet_trace instead, maybe with
-p160-170 to avoid thousands of lines of output.

Cheers,
Fyodor
http://www.insecure.org/

PS: I have spent the last couple weeks rewriting the core Nmap port
scanning engine, including the UDP scanner, to be more efficient and
offer better parallelization over concurrent hosts and ports.  I hope
to release the first alpha to the nmap-dev list in the next week or
so.
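
Why both capture filters in the reply above miss the firewall's ICMP unreachables, as an added example that is not part of the original post. The addresses, ports and ICMP code are constructed, and `host_filter` and `port_filter` are simplified stand-ins for the tcpdump expressions, not tcpdump itself.

```python
import socket
import struct

TARGET, FIREWALL, SCANNER = "192.0.2.10", "198.51.100.1", "203.0.113.5"  # constructed

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def udp_probe(sport, dport):
    # Zero-length UDP probe: an 8-byte UDP header and no data.
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(SCANNER, TARGET, 17, len(udp)) + udp

def icmp_unreachable(sender, code, original):
    # ICMP type 3 quotes the offending datagram: its IP header plus first 8 bytes.
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + original[:28]
    return ipv4_header(sender, SCANNER, 1, len(icmp)) + icmp

def parse(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "ports": (), "probe": None}
    body = pkt[ihl:]
    if info["proto"] == 17:                      # UDP: ports are in the outer packet
        info["ports"] = struct.unpack("!HH", body[:4])
    elif info["proto"] == 1 and body[0] == 3:    # ICMP unreachable: ports only in the quote
        inner = parse(body[8:])
        info["probe"] = (inner["dst"], inner["ports"][1])
    return info

def host_filter(p):            # behaves like "tcpdump host TARGET"
    return TARGET in (p["src"], p["dst"])

def port_filter(p, port):      # behaves like "tcpdump port PORT"
    return port in p["ports"]

def summarize(port=161):
    probe = udp_probe(40000, port)
    capture = [probe, icmp_unreachable(FIREWALL, 13, probe)]   # constructed capture
    return [(p["src"], host_filter(p), port_filter(p, port), p["probe"])
            for p in map(parse, capture)]

if __name__ == "__main__":
    for row in summarize():
        print(row)
```

The second row is the packet neither filter shows: its outer addresses are the firewall and the scanner, and the probed host and port appear only inside the quoted datagram.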