Penetration Testing mailing list archives

Re: UDP Scanning - how nmap really works
From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 12 Aug 2004 11:48:34 +0200

On Tue, Aug 10, 2004 at 06:24:48PM -0700, Robert E. Lee wrote:

> So how does it match PORT_FIREWALLED in UDP scanning?  For the
> answer to that, if we look around line 1710 of scan_engine.cc we
> see:
>
> This basically says, if we receive a port unreachable from the
> target, count that as a CLOSED response.  If we get a port
> unreachable from any other IP count it as a PORT_FIREWALLED
> response.

Anyway, on some multihomed weak ES model end-points (see
RFC1122/3.3.4), you could get an ICMP Port Unreachable from a different
interface (different IP) than the one you sent your probe to, without any
firewall involved.

It happened to me with some Cisco last time. (Another useful technique
for finding different interfaces of one network node.)

Martin Mačok
IT Security Consultant
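
Added example (not part of the original message and not Nmap's code): a Python sketch of the classification discussed in this thread, parsing an ICMP Port Unreachable, comparing its source with the probed address taken from the quoted datagram, and reporting a differing responder as ambiguous rather than as proof of a firewall. The function names, the `known_interfaces` parameter, the verdict strings and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

def parse_port_unreachable(packet):
    """Return (responder_ip, probed_ip, probed_udp_port) for an IPv4 ICMP
    type 3 / code 3 message that quotes a UDP datagram, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:  # 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[ihl] != 3 or packet[ihl + 1] != 3:
        return None
    quoted = packet[ihl + 8:]  # original IP header + first 8 bytes of the probe
    if len(quoted) < 20 or quoted[0] >> 4 != 4 or quoted[9] != 17:  # 17 = UDP
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 4:
        return None
    dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(quoted[16:20]), dport)

def classify(packet, target_ip, known_interfaces=()):
    """Map one reply to (port, verdict) for a probe sent to target_ip.
    known_interfaces is a hypothetical allow-list of the target's other addresses."""
    parsed = parse_port_unreachable(packet)
    if parsed is None or parsed[1] != target_ip:
        return None  # not an answer to a probe we sent to target_ip
    responder, _, dport = parsed
    if responder == target_ip or responder in known_interfaces:
        return dport, "closed"
    # Ambiguous: a filtering device, or another interface of a weak-ES host.
    return dport, "firewalled-or-multihomed (reply from %s)" % responder

def build_sample(responder, scanner, probed, dport):
    """Constructed test packet (checksums left at zero), not captured traffic."""
    def ip_header(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto,
                           0, socket.inet_aton(src), socket.inet_aton(dst))
    probe = ip_header(scanner, probed, 17, 28) + struct.pack("!HHHH", 40000, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + probe
    return ip_header(responder, scanner, 1, 20 + len(icmp)) + icmp

if __name__ == "__main__":
    scanner, target, other = "198.51.100.7", "192.0.2.10", "192.0.2.129"
    for src in (target, other):
        print(classify(build_sample(src, scanner, target, 161), target))
    print(classify(build_sample(other, scanner, target, 161), target, (other,)))
```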

