Penetration Testing mailing list archives
Re: UDP Scanning - how nmap really works
From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 12 Aug 2004 11:48:34 +0200
On Tue, Aug 10, 2004 at 06:24:48PM -0700, Robert E. Lee wrote:
> So how does it match PORT_FIREWALLED in UDP scanning? For the answer to that, if we look around line 1710 of scan_engine.cc we see:
> This basically says, if we receive a port unreachable from the target, count that as a CLOSED response. If we get a port unreachable from any other IP count it as a PORT_FIREWALLED response.

Anyway, on some multihomed weak ES model end-points (see RFC1122/3.3.4), you could get an ICMP Port Unreachable from a different interface (different IP) than the one you sent your probe to, without any firewall involved. It happened to me with some Cisco last time. (Another useful technique for finding different interfaces of one network node.)

Martin Mačok
IT Security Consultant
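
Added example, not part of the original post and not nmap's code: an ICMP Port Unreachable quotes the original IP header plus the first 8 bytes of the probe, so a reply can be matched to its probe even when it arrives from a different address than the one probed. The function names, the state labels and the sample packets (documentation address ranges) are constructed for illustration.

```python
import socket
import struct

def ip_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 (constructed test data).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def sample_port_unreachable(responder, scanner, probe_dst, sport, dport):
    # Constructed ICMP type 3 / code 3 reply quoting the original UDP probe.
    quoted = ip_header(scanner, probe_dst, 17, 28) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ip_header(responder, scanner, 1, 20 + len(icmp)) + icmp

def classify(packet, probe_dst, dport):
    """Return (state, responder) for a reply to our probe, or None if unrelated."""
    if len(packet) < 20 or packet[9] != 1:          # not IPv4 carrying ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 20:
        return None
    if (packet[ihl], packet[ihl + 1]) != (3, 3):    # not Port Unreachable
        return None
    responder = socket.inet_ntoa(packet[12:16])
    quoted = packet[ihl + 8:]                       # original IP header + 8 bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 17 or len(quoted) < q_ihl + 4:  # quoted datagram is not UDP
        return None
    quoted_dst = socket.inet_ntoa(quoted[16:20])
    quoted_dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    if (quoted_dst, quoted_dport) != (probe_dst, dport):
        return None                                 # error for some other probe
    if responder == probe_dst:
        return ("closed", responder)
    # Different source: a filtering device, or another interface of the same
    # weak-ES multihomed host. The reply alone cannot tell these apart.
    return ("firewalled-or-other-interface", responder)

if __name__ == "__main__":
    for responder in ("192.0.2.10", "192.0.2.1"):
        pkt = sample_port_unreachable(responder, "198.51.100.5", "192.0.2.10", 40000, 53)
        print(responder, classify(pkt, "192.0.2.10", 53))
```

Recording the responder address in the second case keeps it available for checking whether it is another interface of the probed node.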