Nmap Development mailing list archives

Re: Confused about some port scan results.


From: "Michael Pattrick" <mpattrick () rhinovirus org>
Date: Thu, 26 Jun 2008 11:26:34 -0400

Hey Jason,

On Thu, Jun 26, 2008 at 5:06 AM, Jason Cipriani
<jason.cipriani () gmail com> wrote:
> 1. I'm using the correct command line options, right (UDP scan, in
> order, 6000 to 6500, of 192.168.2.200)?
Yes, this is the correct command line; however, I would advise also
doing a version scan along with UDP scans (-sV), more on that below.

> 2. I happen to know that the device only watches for data on port
> 6300. Why does it say all 501 ports are open/filtered?
The problem is that the UDP protocol doesn't require an application to
respond to an 'invalid packet' and the probe that nmap sends is almost
certainly invalid. If the port were closed then the target would send
an RST packet; the target didn't send any packet, which means that it is
either open (and discarded the packet) or firewalled (and the firewall
discarded the packet). This is why I recommended the version scan
above; version scan sends valid traffic to the port, forcing most UDP
servers to respond. That could turn an 'open|filtered' result into
'open'; however, if the server is uncommon or only responds to special
packets then it will still be in a state of 'open|filtered'.

Hope that helps,
Michael

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
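
The behaviour discussed in this message can be reproduced on loopback. The following is an added example, not part of the original post and not nmap's code: a constructed UDP service that answers only one valid request (`MAGIC`, a made-up payload) is probed with an empty datagram and with the valid one, and an unused port is probed for comparison. On an unused UDP port the operating system returns an ICMP port-unreachable error, which Python raises as `ConnectionRefusedError`.

```python
import socket
import threading

MAGIC = b"HELLO"  # constructed "valid request" for the hypothetical service

def start_picky_server():
    """Bind a loopback UDP service that answers only MAGIC and drops the rest."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(2048)
            if data == MAGIC:          # anything else is silently discarded
                srv.sendto(b"OK", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Return a loopback UDP port that nothing is listening on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def probe(host, port, payload, timeout=1.0):
    """Send one datagram and classify the port the way a UDP scan reports it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # connected socket: ICMP errors reach us
        s.send(payload)
        s.recv(2048)
        return "open"                  # the service answered
    except ConnectionRefusedError:
        return "closed"                # ICMP port unreachable came back
    except socket.timeout:
        return "open|filtered"         # silence: listening or dropped, can't tell
    finally:
        s.close()

if __name__ == "__main__":
    port = start_picky_server()
    print("empty probe:", probe("127.0.0.1", port, b""))
    print("valid probe:", probe("127.0.0.1", port, MAGIC))
    print("unused port:", probe("127.0.0.1", unused_port(), b""))
```

A host firewall that drops outbound ICMP errors makes the unused port look like the silent one, which is the ambiguity the 'open|filtered' state records.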

