Security Incidents mailing list archives

Re: what's listening on udp 161?


From: Conor McGrath <conormc () uchicago edu>
Date: Wed, 13 Feb 2002 17:10:56 -0600

Quarantine once said:
Hi all.  WinMap is reporting 161/udp open on several of my Win2K servers.
The problem is that SNMP isn't installed on these machines, and I don't know
of anything else that would be accepting traffic on that port.  Here's the
result of a netstat -a -n -p udp on one of the machines:

Active Connections

  Proto  Local Address
  UDP    0.0.0.0:135
  UDP    0.0.0.0:445
  UDP    0.0.0.0:1034
  UDP    0.0.0.0:1251
  UDP    0.0.0.0:1434
  UDP    0.0.0.0:2344
  UDP    0.0.0.0:3456
  UDP    0.0.0.0:6050
  UDP    xxx.xxx.xxx.xxx:137
  UDP    xxx.xxx.xxx.xxx:138
  UDP    xxx.xxx.xxx.xxx:500
  UDP    xxx.xxx.xxx.xxx:41524

I've confirmed that on a machine with the SNMP service installed and
started, the same netstat command shows UDP 0.0.0.0:161.  Can anybody
explain this to me?

From the nmap man page:

UDP scans: This method is used to determine which UDP (User Datagram
Protocol, RFC 768) ports are open on a host. The technique is to send
0 byte udp packets to each port on the target machine. If we receive an
ICMP port unreachable message, then the port is closed. Otherwise we
assume it is open.

Therefore, if your hosts are not allowing ICMP in and/or out, you will 
get a false positive.  Try scanning the machine(s) for all UDP ports
( -p1- is the argument for that on the Unix nmap) and I'll bet you
get a report showing them all open.

-Conor
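Conor's explanation can be checked on your own host. The script below is an added example, not part of the thread and not nmap's code: it probes loopback UDP ports with a 0-byte datagram and classifies each one the way a UDP scan does, but uses modern nmap's "open|filtered" label for silence, since a bound-but-quiet service and a host that drops ICMP look identical to the scanner. The responder, the quiet listener and the released port are all constructed locally; no real target is involved.

```python
import socket
import threading

def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """Probe one UDP port the way a UDP scan does and classify the result.
    'open'          -> a datagram came back, so something is listening
    'closed'        -> ICMP port unreachable came back (the OS surfaces it as
                       ECONNREFUSED on a connected UDP socket)
    'open|filtered' -> silence: a quiet listener, or ICMP dropped by a filter
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors are reported to us
        s.send(b"")              # 0-byte datagram, like the nmap probe described above
        try:
            s.recv(512)
            return "open"
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"      # Windows reports the ICMP as WSAECONNRESET instead
        except socket.timeout:
            return "open|filtered"

def start_udp_responder(host: str = "127.0.0.1") -> int:
    """Constructed 'real' service: answers the first datagram it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(5)
    def serve() -> None:
        try:
            _, peer = srv.recvfrom(512)
            srv.sendto(b"pong", peer)
        except OSError:
            pass
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def silent_udp_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed quiet service: bound but never answers (caller keeps it open)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s

def free_udp_port(host: str = "127.0.0.1") -> int:
    """Pick an ephemeral UDP port and release it so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]
```

The quiet listener is the case that matters for Quarantine's question: a scanner cannot tell it apart from a port whose ICMP unreachable was filtered, so netstat on the host, not the scan, is the authoritative answer.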

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

