Re[2]: feature suggestion: --udp_reliable

[Bo Cato <jcato73 () comcast net>]

Another solution would be to have nmap simply state if it has seen any
icmp unreacheables from the ip it's scanning as part of verbose.

Example:

Starting nmap V. 3.TheAlphaNeverEnds ( www.insecure.org/nmap )
Host NINJA (192.168.0.236) appears to be up ... good.
Initiating SYN Stealth Scan against NINJA (192.168.0.236)
Adding open port 135/tcp
Adding open port 445/tcp
Adding open port 139/tcp
The SYN Stealth Scan took 9 seconds to scan 1024 ports.
Initiating UDP Scan against NINJA (192.168.0.236)
The UDP Scan took 11 seconds to scan 1024 ports.
Adding open port 445/udp
Adding open port 500/udp
Adding open port 138/udp
Adding open port 137/udp
Adding open port 135/udp
Interesting ports on NINJA (192.168.0.236):
(The 2040 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
445/udp    open        microsoft-ds
500/udp    open        isakmp
I saw ICMP unreachables from the host!

Nmap run completed -- 1 IP address (1 host up) scanned in 20 seconds

Or if no ICMP unreachables were seen.. "I did not see any ICMP
unreachables from the host!"

Or perhaps have nmap indicate by default (not needing to ask it to be
-verbose) when ever you scan for udp if it has seen any ICMP
unreachables or not. Like so:

Starting nmap V. 3.StableDueIn3YearsOrSo. ( www.insecure.org/nmap )
Interesting ports on NINJA (192.168.0.236):
(The 2040 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
135/udp    open        loc-srv
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
445/udp    open        microsoft-ds
500/udp    open        isakmp
ICMP Unreachables detected from this host.

Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds

--Bo

RA> Fyodor wrote:

> > On Fri, Nov 22, 2002 at 11:52:35PM -0800, Florin Andrei wrote:
> >
> > > That's why i think it would be useful to have an option to mark
> > > unresponsive UDP ports as "filtered", just the same as the ports that
> > > send back port-unreachable, and mark "open" only the ports that actually
> > > send back a UDP reply.
> >
> >
> > The problem with this is that most open UDP ports do NOT send back any
> > reply to the 0-byte UDP packet.  So "filtered" ports that do not send
> > back an ICMP administratively-prohibited erro look just like open
> > ports.  In that case, I would usually rather err on the side of
> > reporting filtered ports as open.  That is usually less dangerous than


RA> I was thinking about this the other day, there should be an option (e.g. 
RA> --clarify) to clarify every state. Like this:

RA> filtered (no response)
RA> open (no response)
RA> open (SYNACK recieved)
RA> closed (RST recieved)
RA> closed (ICMP port unreachable recieved)
RA> firewalled (ICMP unreachable recieved from intermediate router)

RA> ...and so on, for every state in every scan type. I'll try writing it up 
RA> if I get the time. If anyone else wants to do it, please do!


RA> ---------------------------------------------------------------------
RA> For help using this (nmap-dev) mailing list, send a blank email to 
RA> nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).




-- 
Best regards,
 Bo                            mailto:jcato73 () comcast net


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).