Nmap Development mailing list archives

Re: Test for open TCP/UDP Ports


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 3 Apr 2008 06:39:51 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mario,

There is a fundamental difference in the way TCP and UDP work.  With
TCP you set up a connection via a "full handshake" as you call it.  It
is this handshake and the subsequent acknowledgment of data that give
TCP its reliability.  UDP on the other hand does not have any such
connection setup or acknowledgement built in.  Any UDP packet you get
in response to a probe is entirely up to the application that has the
listening UDP socket.  In fact, the only time you'd expect to get
a packet back is when you send to a closed UDP port (ICMP destination
unreachable).

Even with the --data-length 10 directive, most applications will not
respond to your probe.  One way to try to determine if a UDP port is
open versus filtered is to use "service version" detection with -sV.
The Nmap service fingerprinting engine knows about quite a few UDP
protocols and can often send probes that will elicit a response.

Nmap has *excellent* documentation and you can read a little bit about
the port scanning techniques here:

http://nmap.org/man/man-port-scanning-techniques.html

James "Professor" Messer has put together quite a bit of training
material on Nmap too.  Here is some of his work covering UDP scans:

http://www.networkuptime.com/nmap/page3-10.shtml

UDP scans are valuable but you'll probably want to limit your scans to
just a handful of UDP ports like 53, 137, 161, 1900, etc.

The Unicornscan guys have done a lot of work with UDP and have the
ability to automatically send UDP packets with targeted payload to each
service _during_ the actual scanning.  It basically won't work against
hosts that rate-limit ICMP messages though.  You might want to check it
out.

Brandon


On Thu, 03 Apr 2008 08:24:51 +0200 or thereabouts "ml () bortal de"
<ml () bortal de> wrote:

Hello List,

I would like to test if I can reach an open TCP and UDP port.

Here is the way I use to test a TCP port (-sT does a full handshake,
right?!):
   /usr/bin/nmap -sT --data-length 10 -n -q -r -e eth0:0 -P0 --open -T Aggressive -p 1234 123.123.123.123
The results seem to make sense here.


This is the way I check a UDP port:
   /usr/bin/nmap -sU --data-length 10 -n -q -r -e eth0:0 -P0 --open -T Aggressive -p 1234 123.123.123.123

The weird thing is that it still reports an open port if I unplug the
network cable of 123.123.123.


Where can I read up on how nmap does its UDP scan?

Thanks, Mario

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH9Hu9qaGPzAsl94IRAm6HAKDB7w6wg/gqjl9gn+Hro53brSkj9gCdHqBL
WuUi1sK7K7lis8rrTnJ0hbc=
=zvGB
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
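The three outcomes Brandon describes (an application reply, an ICMP port unreachable, or silence) are exactly what a UDP scanner has to work with, and silence is why a host that is unplugged still does not look "closed". The script below is an added illustration, not code from this thread or from Nmap: it sends one datagram to a port and classifies it as open, closed or open|filtered, then demonstrates all three states against constructed listeners on 127.0.0.1. The hypothetical names `probe_udp_port`, `start_echo_responder`, `start_silent_listener`, `find_closed_port` and `demo` are assumptions of this example; the "closed" result relies on the kernel reporting an ICMP port unreachable as ECONNREFUSED on a connected UDP socket, which Linux does by default.

```python
import socket
import threading

TIMEOUT = 1.0  # seconds to wait for a reply before calling the port open|filtered


def probe_udp_port(host, port, payload=b"\x00" * 10, timeout=TIMEOUT):
    """Send one UDP datagram and classify the port the way a UDP scan must.

    Returns (state, reply_bytes_or_None):
      "open"          - the listening application answered
      "closed"        - an ICMP port unreachable came back (ECONNREFUSED)
      "open|filtered" - nothing came back: silent service, dropped packet,
                        rate-limited ICMP, or no host at all
    The default payload mimics a plain --data-length 10 probe; a
    protocol-specific payload (what -sV sends) is what usually turns
    open|filtered into open.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() so that ICMP errors for this flow are delivered to the socket
        s.connect((host, port))
        s.send(payload)
        try:
            data = s.recv(4096)
            return "open", data
        except ConnectionRefusedError:
            return "closed", None
        except socket.timeout:
            return "open|filtered", None


def start_echo_responder():
    """Constructed stand-in for a UDP service that answers every datagram."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, assigned by the kernel
    port = srv.getsockname()[1]

    def serve():
        try:
            while True:
                data, addr = srv.recvfrom(4096)
                srv.sendto(b"reply:" + data, addr)
        except OSError:
            pass  # socket closed by demo(); thread exits

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def start_silent_listener():
    """Constructed stand-in for a UDP service that never replies (most do not)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def find_closed_port():
    """Bind and immediately release a port so we know nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Probe one port of each kind on loopback and return the states found."""
    echo_sock, echo_port = start_echo_responder()
    silent_sock, silent_port = start_silent_listener()
    closed_port = find_closed_port()
    try:
        return {
            "responding service": probe_udp_port("127.0.0.1", echo_port)[0],
            "silent service": probe_udp_port("127.0.0.1", silent_port)[0],
            "closed port": probe_udp_port("127.0.0.1", closed_port)[0],
        }
    finally:
        echo_sock.close()
        silent_sock.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label:20s} -> {state}")
```

The "silent service" case is the one that confuses people: the datagram is accepted by a real listener, nothing comes back, and the only honest answer is open|filtered. Pulling the cable produces the same silence, so a scanner that prints only `--open` results cannot tell the two apart; the ICMP unreachable is the single unambiguous signal, and it disappears on hosts that rate-limit ICMP, which is the caveat Brandon raises about Unicornscan.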
