Security Incidents mailing list archives

RE: what's listening on udp 161?


From: "Adcock, Matt" <Matt.Adcock () gsccca org>
Date: Wed, 13 Feb 2002 18:42:52 -0500

I think that might be the solution and a very polite way to say RTFM.  :-)
As it turns out after further looking, there is some internal NATting going
on of which I was not aware.  These machines will show false positives when
you run winmap against the NATted address, but winmap reads properly when
run against the real address.  Thanks for the help.

Matt

<snip>
From the nmap man page:

UDP scans: This method is used to determine  which  UDP
          (User  Datagram  Protocol, RFC 768) ports are open on a
          host.  The technique is to send 0 byte udp  packets  to
          each port on the target machine.  If we receive an ICMP
          port unreachable message,  then  the  port  is  closed.
          Otherwise we assume it is open.

Therefore, if your hosts are not allowing ICMP in and/or out, you will 
get a false positive.  Try scanning the machine(s) for all UDP ports
( -p1- is the argument for that on the Unix nmap) and I'll bet you
get a report showing them all open.

-Conor
</snip>
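
The inference rule from the man page excerpt quoted above, and the false positive it produces when ICMP is dropped, as an added example (not code from this thread or from nmap). The host model, the probed port range and the `min_ports` threshold are assumptions, and all data is constructed.

```python
# Added illustration: the man page's UDP inference rule applied to two
# constructed targets, one reachable directly and one behind ICMP filtering.

PROBED = list(range(150, 175))  # constructed sample range that includes 161


def icmp_replies(listening, probed, icmp_allowed):
    """Model of a target: which probed ports answer a 0-byte UDP packet with
    ICMP port unreachable. Closed ports answer only if ICMP can get back."""
    if not icmp_allowed:
        return set()
    return {p for p in probed if p not in listening}


def classify(probed, unreachable):
    """Man page rule: port unreachable means closed, otherwise assume open."""
    return {p: ("closed" if p in unreachable else "open") for p in probed}


def assess(results, min_ports=20):
    """Sanity check on a whole scan. min_ports is an assumed threshold:
    with too few ports probed, silence cannot be told apart from a listener."""
    if any(state == "closed" for state in results.values()):
        return "plausible"      # ICMP is getting through, silence means something
    if len(results) >= min_ports:
        return "unreliable"     # every port "open": ICMP is probably filtered
    return "inconclusive"


def scan(listening, probed, icmp_allowed):
    """Run the inference and the sanity check against one modelled target."""
    results = classify(probed, icmp_replies(listening, probed, icmp_allowed))
    return results, assess(results)


if __name__ == "__main__":
    targets = {
        "real address, SNMP agent on 161": ({161}, True),
        "NATted address, nothing on 161": (set(), False),
    }
    for name, (listening, icmp_allowed) in targets.items():
        results, verdict = scan(listening, PROBED, icmp_allowed)
        open_ports = [p for p, s in results.items() if s == "open"]
        print(f"{name}: {len(open_ports)}/{len(PROBED)} open -> {verdict}")
```
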
