Penetration Testing mailing list archives

Re: nmap shows open UDP port 113


From: "WiM" <vulndev () vision rma ac be>
Date: Thu, 25 Mar 2004 19:14:36 +0100


From the man page of nmap:

-sU    UDP scans: This method is used to determine which UDP (User
       Datagram Protocol, RFC 768) ports are open on a host. The
       technique is to send 0 byte udp packets to each port on the target
       machine. If we receive an ICMP port unreachable message, then
       the port is closed. Otherwise we assume it is open. Unfortunately,
       firewalls often block the port unreachable messages,
       causing the port to appear open. Sometimes an ISP will block
       only a few specific dangerous ports such as 31337 (back orifice)
       and 139 (Windows NetBIOS), making it look like these vulnerable
       ports are open. So don't panic immediately. Unfortunately, it
       isn't always trivial to differentiate between real open UDP
       ports and these filtered false-positives.

WiM
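To make the man page rule concrete, here is a small model (added example, not code from the thread or from nmap) of the inference a UDP scan performs: it replays a 0-byte probe against a constructed target and shows how a firewall that drops ICMP port-unreachable turns a closed port into an apparent "open" one. The Target class, its fields and the response names are this example's own assumptions.

```python
# Added example: model of the UDP-scan inference quoted from the nmap man page.
# No packets are sent; the Target below is a constructed stand-in for a host.
from dataclasses import dataclass, field

# Possible observations after a 0-byte UDP probe (names are this example's own).
ICMP_PORT_UNREACHABLE = "icmp_port_unreachable"
UDP_REPLY = "udp_reply"
NO_RESPONSE = "no_response"

@dataclass
class Target:
    """Hypothetical scanned host; not the box discussed in the thread."""
    listening_udp: set = field(default_factory=set)  # ports with a UDP service bound
    firewall_drops_icmp: bool = False                 # firewall swallows port-unreachable
    services_answer_empty_probe: bool = False         # most services ignore an empty datagram

    def probe(self, port: int) -> str:
        """What the scanner observes after sending a 0-byte UDP datagram to `port`."""
        if port in self.listening_udp:
            return UDP_REPLY if self.services_answer_empty_probe else NO_RESPONSE
        # Closed port: the kernel answers ICMP port unreachable unless it is filtered.
        return NO_RESPONSE if self.firewall_drops_icmp else ICMP_PORT_UNREACHABLE

def classify_legacy(response: str) -> str:
    """The rule exactly as the quoted man page states it: unreachable => closed, else open."""
    return "closed" if response == ICMP_PORT_UNREACHABLE else "open"

def classify_honest(response: str) -> str:
    """Same evidence, but silence is reported as ambiguous (later nmap calls this open|filtered)."""
    if response == ICMP_PORT_UNREACHABLE:
        return "closed"
    if response == UDP_REPLY:
        return "open"
    return "open|filtered"

def scan(target: Target, ports, classify=classify_legacy) -> dict:
    """Probe each port once and label it with the chosen classification rule."""
    return {p: classify(target.probe(p)) for p in ports}

if __name__ == "__main__":
    for name, t in [("no firewall", Target()), ("icmp dropped", Target(firewall_drops_icmp=True))]:
        print(name, scan(t, [113]), scan(t, [113], classify_honest))
```

With ICMP dropped, port 113 is reported "open" although nothing listens on it, which is the false positive the man page warns about; a silent `nc -u` session confirms nothing either way, because a listening service that ignores empty datagrams produces the same silence as a filtered closed port.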

----- Original Message ----- 
From: "BillyBobKnob" <billybobknob () hotmail com>
To: <pen-test () lists securityfocus com>
Sent: Thursday, March 25, 2004 3:57 AM
Subject: nmap shows open UDP port 113


My friend asked me to see if I could scan or penetrate his firewall. He only told me that it was a Linux box set up as a firewall running NAT to hide internal IPs.

- I did an nmap -O and an nmap -O --fuzzy but it said "too many fingerprints match for accurate OS guess"
        but it did tell me that TCP port 113 was in the closed state
- so I tried a TCP reverse inet scan (nmap -sT -I) and it still gave me the same info as this port was closed
- so I tried nmap -sU and no results
- then I tried nmap -sU -p 113 and it said that UDP port 113 was open !!

I was then able to netcat to it (nc -u ipaddress 113) and I verified that I was connected with a netstat.

While connected via netcat I tried sending it commands like (ls, cd .., help, echo) but got nothing.


Is there anything that can be done with this connection ??
Or is there any way to find out what internal IPs are behind it ?


Thanks,
Bill


--------------------------------------------------------------------------
-
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
--------------------------------------------------------------------------
--


