Nmap Development mailing list archives

Re: Script scan on UDP ports erroneously marks ports as open


From: David Fifield <david () bamsoftware com>
Date: Mon, 10 Sep 2012 17:41:08 -0700

On Mon, Sep 10, 2012 at 06:55:01PM -0500, Christopher Clements wrote:
> I've been trying to track this down, but haven't been able to figure out
> exactly what is happening.  Here's what I have discovered so far though:
>
> 1.  All specified UDP ports are being marked as open by the NSE scan,
> whether I specify one port, or multiple.
> 2.  This happens during NSE run level 1.
> 3.  A tcpdump shows no response from the ports erroneously marked as open
> at any time during the scan.
> 4.  The firewalk script marks all the specified UDP ports as 'forwarded',
> however, nmap continues to mark the ports as open if I exclude that script.
> 5.  Strangely, this does not seem to occur if I use the same command
> against scanme.insecure.org.
>
> Command I'm using:
>
> nmap -A -vvv -sUC -T4 --script='(default or discovery or safe) and not
> firewalk' -O -p U:1433 -oA nmap-test <target IP>

Thanks for this output. It made it easy to identify the problem, which
was in the rpc-grind script.

The script was doing basically this:
        status, data = rpcConn:ReceivePacket()
        if data then
            -- If we got response, set port to open
            nmap.set_port_state(host, port, "open")
        end
But the problem is that on a timeout, status is nil and data is
"TIMEOUT". I changed the script to check status instead of data in
r29752.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
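An added example, not the rpc-grind script and not code from the nmap project, showing why the check described in the message above misfires. It follows the (status, data) return convention the message describes: on a timeout the first value is nil and the second is the string "TIMEOUT". FakeConn, set_port_state, port_states and the host/port values are constructed stand-ins for the NSE objects, not real NSE APIs.

```lua
-- Added example (not the rpc-grind script): checking `data` marks a silent
-- UDP port as open, checking `status` does not. All names below are
-- constructed stand-ins for the NSE objects.

-- Constructed stand-in for an RPC connection object. ReceivePacket returns
-- (true, payload) on success and (nil, "TIMEOUT") when nothing came back,
-- which is the convention the message above describes.
local FakeConn = {}
FakeConn.__index = FakeConn

function FakeConn.new(reply)
  return setmetatable({ reply = reply }, FakeConn)
end

function FakeConn:ReceivePacket()
  if self.reply == nil then
    return nil, "TIMEOUT"      -- no datagram arrived before the deadline
  end
  return true, self.reply      -- a real response was received
end

-- Constructed stand-in for nmap.set_port_state: record the state in a table
-- keyed by host and port so the outcome of each probe can be inspected.
local port_states = {}
local function set_port_state(host, port, state)
  port_states[host .. ":" .. port.number] = state
end

-- The original, buggy check: any non-nil second return value is treated as a
-- response. In Lua only nil and false are falsy, so the error string
-- "TIMEOUT" satisfies `if data` and the port is marked open.
local function probe_buggy(conn, host, port)
  local status, data = conn:ReceivePacket()
  if data then
    set_port_state(host, port, "open")
  end
end

-- The corrected check (the change the message describes for r29752):
-- consult status, which is nil on timeout and true on a real response.
local function probe_fixed(conn, host, port)
  local status, data = conn:ReceivePacket()
  if status then
    set_port_state(host, port, "open")
  end
end

-- Constructed target: a documentation-range address and UDP port 1433,
-- the port from the original report.
local host = "192.0.2.10"
local port = { number = 1433, protocol = "udp" }

-- Case 1: a silent port (timeout). Compare what each check records.
probe_buggy(FakeConn.new(nil), host, port)
print("buggy check, timeout:", tostring(port_states[host .. ":1433"]))
port_states = {}
probe_fixed(FakeConn.new(nil), host, port)
print("fixed check, timeout:", tostring(port_states[host .. ":1433"]))

-- Case 2: a genuine reply. Both checks agree, since status is true.
port_states = {}
probe_fixed(FakeConn.new("\0\0\0\0"), host, port)
print("fixed check, response:", tostring(port_states[host .. ":1433"]))
```

The first case is the failure mode from the report: with nothing on the wire, probe_buggy still records the port as open because "TIMEOUT" is a truthy value, while probe_fixed leaves it untouched. The same pattern applies to any NSE code that relies on a library's (status, result) return pair: test the status value, because the second value is often a non-nil error message on failure.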
