Nmap Development mailing list archives

Re: Confused about some port scan results.


From: "Ron (list)" <ron () skullsecurity net>
Date: Thu, 26 Jun 2008 09:07:52 -0500

Hi Jason,

Jason Cipriani wrote:
> 1. I'm using the correct command line options, right (UDP scan, in
> order, 6000 to 6500, of 192.168.2.200)?

Yes, that's correct.

> 2. I happen to know that the device only watches for data on port
> 6300. Why does it say all 501 ports are open/filtered?

See the next answer.

> 3. What does "open/filtered" mean? Actually what does "filtered" mean?
> When I think "filtered" I think "blocked" which is sort of the
> opposite of open, but I'm pretty sure nmap isn't trying to tell me
> that "all 501 ports are either open or they aren't", lol.

The problem with UDP scans is that there isn't necessarily an indication 
that a port is open or filtered. If no data is returned, it may be 
because the port is being filtered, or it may be because no data is 
being returned. This is the biggest difficulty with UDP scans.

nmap (I believe) attempts to send data to the ports to try and coax the 
services to respond, proving that they're open, but for unknown 
protocols this may not always be the case.

Something I just recently learned (with thanks to Ed Skoudis at SANS) is 
the --reason flag for nmap. If you use that, you should get output like 
this:
  6000/udp closed unknown port-unreach
The last column (port-unreach) tells you that the reason it was marked 
as "closed" is because the port was unreachable. If you get one that 
says something like, "no response", it tells you that the reason it was 
marked as open|filtered is because the port didn't respond to any of the 
probes.

Hope that helps, and let me know if I stopped making sense somewhere!
Ron


> Thanks!
> Jason

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
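
Added example, not part of the original message and not nmap's own code: a minimal Python classifier that shows why a UDP port with a silent listener and a filtered port are indistinguishable, while a closed port is not. The function names, the loopback test services and the one-byte payload are assumptions made for illustration; the state and reason strings follow nmap's --reason column.

```python
import socket
import threading

def classify_udp_port(host, port, timeout=1.0, payload=b"\x00"):
    """Return (state, reason) for one UDP port, in the style of nmap --reason."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() sends nothing on UDP; it makes the kernel report an ICMP
        # port-unreachable for this destination as ConnectionRefusedError.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(2048)
        except ConnectionRefusedError:
            return ("closed", "port-unreach")      # host answered: nothing listens
        except socket.timeout:
            # Silence: a listener that ignored the payload and a firewall that
            # dropped it look identical from here.
            return ("open|filtered", "no-response")
        return ("open", "udp-response")            # a datagram came back

def start_listener(reply):
    """Constructed loopback service: echoes datagrams, or reads and stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def loop():
        try:
            while True:
                data, addr = srv.recvfrom(2048)
                if reply:
                    srv.sendto(data, addr)
        except OSError:
            pass                                   # socket closed
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Classify an echoing port, a silent port and an unbound port on loopback."""
    ports = {"echo": start_listener(True), "silent": start_listener(False)}
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    ports["closed"] = tmp.getsockname()[1]         # free port, released on close
    tmp.close()
    return {k: classify_udp_port("127.0.0.1", p, 0.5) for k, p in ports.items()}

if __name__ == "__main__":
    for name, (state, reason) in demo().items():
        print(f"{name:7} {state:14} {reason}")
```

The "silent" service is bound and reading, yet it is reported as open|filtered, which is the situation described in the question for a device that only listens on one port behind something that drops the ICMP replies.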
