Nmap Development mailing list archives

Re: UDP scan


From: David Fifield <david () bamsoftware com>
Date: Wed, 10 Feb 2010 18:35:03 -0700

On Wed, Feb 03, 2010 at 04:02:25PM +0100, Pierre Noguès wrote:
Hello,

Is it possible to introduce an option that will perform a UDP protocol based scan only ?

In pentest I scan all the tcp ports of my targets like that :

nmap -sS -P0 -p0-65535 target/24

I would like to also scan the UDP ports so I can do:

nmap -sU -sS -P0 -p0-65535 target/24

But now it will scan the 65535 UDP ports and will wait 65536 times for an 
ICMP response which will never come back most of the time; it will be too 
long...

What I would like to do is to scan all the TCP ports and the UDP ports 
that nmap supports in the new UDP protocol based scan.

I think the solution is to use this command :
nmap -sU -sS -P0 -pT:0-65535,U:7,53,111... target/24

with U:7,53,111... containing the list of all the ports which are 
implemented by the nmap UDP protocol based scan (the ones in payload.cc).

Yes, your solution is correct.

I don't think we should add an option to scan just the payload-bearing
ports. For one thing, there are some ports, like daytime, that will
return a positive response to a zero-byte probe. Another thing is that
you are probably going to miss some ports that you care about if you
only send payload probes. If you are concerned about speed, you might
look into using the --top-ports option instead.

I think you are better off just building the port list and using it in
your command line. This is something that can be automated with a Zenmap
profile.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
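One way to automate the port-list construction David suggests, as an added example that is not code from this thread or from the Nmap project: a POSIX shell script that reads a UDP payload table and emits the combined T:/U: port specification. The payload table below is a constructed sample modelled on the later nmap-payloads file format (an assumption; payload.cc in 2010 was C source), so adapt the sed pattern to whatever file you actually read.

```shell
#!/bin/sh
# Build an Nmap -p specification: all TCP ports plus the UDP ports that
# have a payload in the table. Constructed sample, modelled on the
# "udp <ports>" header lines of Nmap's nmap-payloads file (assumed format).
PAYLOAD_TABLE='# Echo, Daytime, Chargen, Time (constructed sample)
udp 7,13,19,37
  "\r\n\r\n"
# DNS status request
udp 53
  "\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# RPC portmapper
udp 111
  "\x03\x9b\x65\x42\x00\x00\x00\x00"
# Deliberate duplicate: a port may appear under several payloads
udp 53,123
  "\xe3\x00\x04\xfa\x00\x01\x00\x00"
'

# udp_ports_from_table: print the unique UDP port numbers from the
# "udp ..." header lines, one per line, numerically sorted.
udp_ports_from_table() {
    printf '%s\n' "$1" \
      | sed -n 's/^udp[[:space:]]\{1,\}\([0-9,]*\).*/\1/p' \
      | tr ',' '\n' \
      | grep -E '^[0-9]+$' \
      | sort -n -u
}

# build_port_spec: join the ports into Nmap's combined T:/U: syntax,
# matching the command form used in the thread (T:0-65535,U:7,53,111...).
build_port_spec() {
    udp_list=$(udp_ports_from_table "$1" | paste -sd, -)
    printf 'T:0-65535,U:%s\n' "$udp_list"
}

build_port_spec "$PAYLOAD_TABLE"
# -> T:0-65535,U:7,13,19,37,53,111,123
# Usage with the thread's command line (target/24 is a placeholder):
#   nmap -sU -sS -P0 -p "$(build_port_spec "$PAYLOAD_TABLE")" target/24
```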