Nmap Development mailing list archives

Re: Script scan on UDP ports erroneously marks ports as open


From: Christopher Clements <christopher.a.clements () gmail com>
Date: Mon, 10 Sep 2012 18:55:01 -0500

I've been trying to track this down, but haven't been able to figure out
exactly what is happening.  Here's what I have discovered so far though:

1.  All specified UDP ports are being marked as open by the NSE scan,
whether I specify one port, or multiple.
2.  This happens during NSE run level 1.
3.  A tcpdump shows no response from the ports erroneously marked as open
at any time during the scan.
4.  The firewalk script marks all the specified UDP ports as 'forwarded',
however, nmap continues to mark the ports as open if I exclude that script.
5.  Strangely, this does not seem to occur if I use the same command
against scanme.insecure.org.

Command I'm using:

nmap -A -vvv -sUC -T4 --script='(default or discovery or safe) and not firewalk' -O -p U:1433 -oA nmap-test <target IP>

tcpdump output:

root@Auditor-1:~# tcpdump -ni eth0 host <target_ip> and port 1433
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:18.997791 IP <my_ip>.48224 > <target_ip>.1433: UDP, length 0
18:40:19.144148 IP <my_ip>.48225 > <target_ip>.1433: UDP, length 0
18:40:19.341899 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 40
18:40:24.347024 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 30
18:40:29.352188 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 12
18:40:34.357346 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 50
18:40:39.359130 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 8
18:40:44.364290 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 229
18:40:51.870951 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 1
18:40:56.876120 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 48
18:41:01.879119 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 51
18:41:06.883463 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 60
18:41:11.888610 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 7
18:41:16.893768 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 32
18:41:21.898918 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 46
18:41:26.904089 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 30
18:41:31.909232 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 113
18:41:36.913548 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 61
18:41:44.498626 IP <my_ip>.25926 > <target_ip>.1433: UDP, length 0
18:41:44.554257 IP <my_ip>.52861 > <target_ip>.1433: UDP, length 40
18:41:46.514872 IP <my_ip>.52575 > <target_ip>.1433: UDP, length 0
18:41:48.557735 IP <my_ip>.29859 > <target_ip>.1433: UDP, length 0


I've got a capture of a -d6 output of the script scan, but I wasn't able to
identify what script(s) were marking the ports as open.  I just get lines
like this:

Discovered open port 162/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 162 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x376a620) against <target_ip>:162.
Discovered open port 1434/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 1434 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x29cee20) against <target_ip>:1434.
Discovered open port 161/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 161 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x2e35950) against <target_ip>:161.
Discovered open port 1433/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 1433 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x3711ed0) against <target_ip>:1433.
Completed NSE at 15:49, 30.26s elapsed
NSE: Starting runlevel 2 (of 3) scan.


Anything else I can try?


Chris


On Fri, Aug 31, 2012 at 9:50 PM, David Fifield <david () bamsoftware com> wrote:

On Wed, Aug 29, 2012 at 05:49:55PM -0500, Christopher Clements wrote:
If I perform a script scan along with a UDP scan (-sUC), the NSE
run erroneously marks UDP ports as open.  This is easily repeatable for
me.
What's the best way to help figure out why this is happening?

Thanks for reporting this. Is it all UDP ports or only some of them? If
it's only a few of them, which ones is it? Can you tell which scripts
are causing the ports to be marked open?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
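The diagnostic the thread is working through is to set the scanner's verdict beside the packet capture: a UDP port can only honestly be "open" if the target answered with a UDP datagram, an ICMP port unreachable makes it "closed", and silence after a probe leaves it "open|filtered". The script below is an added example, not code from the thread or from the Nmap project; it parses tcpdump text lines and "Discovered open port N/udp" debug lines in the formats quoted above and lists the ports nmap called open without a single reply on the wire. The addresses and packet lines are constructed sample data, not the reporter's capture.

```python
import re
from collections import defaultdict

# Constructed sample data, modelled on the tcpdump and nmap -d output quoted in the
# thread. The addresses are placeholders, not the reporter's hosts.
SCANNER = "10.0.0.5"
TARGET = "10.0.0.9"

TCPDUMP_LINES = [
    "18:40:18.997791 IP 10.0.0.5.48224 > 10.0.0.9.1433: UDP, length 0",
    "18:40:19.341899 IP 10.0.0.5.33192 > 10.0.0.9.1433: UDP, length 40",
    "18:40:20.100000 IP 10.0.0.5.33193 > 10.0.0.9.161: UDP, length 41",
    "18:40:20.104000 IP 10.0.0.9.161 > 10.0.0.5.33193: UDP, length 60",
    "18:40:21.000000 IP 10.0.0.5.33194 > 10.0.0.9.162: UDP, length 0",
    "18:40:21.003000 IP 10.0.0.9 > 10.0.0.5: ICMP 10.0.0.9 udp port 162 unreachable, length 36",
]

NMAP_DEBUG_LINES = [
    "Discovered open port 162/udp on 10.0.0.9",
    "Discovered open port 161/udp on 10.0.0.9",
    "Discovered open port 1433/udp on 10.0.0.9",
    "NSE: Target port 1433 is not a RPC port.",
]

# tcpdump -n prints "src.sport > dst.dport: UDP, length N" for UDP datagrams and
# "src > dst: ICMP src udp port N unreachable" for ICMP type 3 code 3.
UDP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")
ICMP_UNREACH_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")
OPEN_RE = re.compile(r"^Discovered open port (\d+)/udp on (\S+)$")


def summarize_capture(lines, scanner, target):
    """Per target UDP port: probes the scanner sent, UDP replies the target sent
    back, and ICMP port-unreachable messages the target sent back."""
    evidence = defaultdict(lambda: {"probes": 0, "replies": 0, "unreachable": 0})
    for line in lines:
        m = UDP_RE.match(line)
        if m:
            src, sport, dst, dport, _length = m.groups()
            if src == scanner and dst == target:
                evidence[int(dport)]["probes"] += 1
            elif src == target and dst == scanner:
                # A reply comes from the service port, so the source port is the one we track.
                evidence[int(sport)]["replies"] += 1
            continue
        m = ICMP_UNREACH_RE.match(line)
        if m and m.group(1) == target and m.group(2) == scanner:
            evidence[int(m.group(3))]["unreachable"] += 1
    return dict(evidence)


def expected_udp_state(port_evidence):
    """Apply the -sU rules: UDP reply -> open, ICMP port unreachable -> closed,
    probe with no answer -> open|filtered."""
    if port_evidence["replies"]:
        return "open"
    if port_evidence["unreachable"]:
        return "closed"
    if port_evidence["probes"]:
        return "open|filtered"
    return "unprobed"


def unsupported_open_claims(nmap_lines, capture_evidence, target):
    """Ports nmap reported open on the target whose capture evidence does not
    support 'open', as (port, state the capture actually justifies) pairs."""
    claimed = set()
    for line in nmap_lines:
        m = OPEN_RE.match(line)
        if m and m.group(2) == target:
            claimed.add(int(m.group(1)))
    unsupported = []
    for port in sorted(claimed):
        ev = capture_evidence.get(port, {"probes": 0, "replies": 0, "unreachable": 0})
        state = expected_udp_state(ev)
        if state != "open":
            unsupported.append((port, state))
    return unsupported


if __name__ == "__main__":
    ev = summarize_capture(TCPDUMP_LINES, SCANNER, TARGET)
    for port, state in unsupported_open_claims(NMAP_DEBUG_LINES, ev, TARGET):
        print(f"{port}/udp reported open, but the capture only supports {state}: {ev[port]}")
```

Run against a real capture, feed it `tcpdump -n -l ... | tee` output and the `-d` scan log; any port the script lists is one where the "open" verdict came from something other than a datagram from the target, which narrows the search to the scan phase (here, the NSE run level) that produced the state change.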
