Nmap Development mailing list archives
Re: Script scan on UDP ports erroneously marks ports as open
From: Christopher Clements <christopher.a.clements () gmail com>
Date: Mon, 10 Sep 2012 18:55:01 -0500
I've been trying to track this down, but haven't been able to figure out exactly what is happening. Here's what I have discovered so far though:

1. All specified UDP ports are being marked as open by the NSE scan, whether I specify one port or multiple.
2. This happens during NSE run level 1.
3. A tcpdump shows no response from the ports erroneously marked as open at any time during the scan.
4. The firewalk script marks all the specified UDP ports as 'forwarded'; however, nmap continues to mark the ports as open if I exclude that script.
5. Strangely, this does not seem to occur if I use the same command against scanme.insecure.org.

Command I'm using:

nmap -A -vvv -sUC -T4 --script='(default or discovery or safe) and not firewalk' -O -p U:1433 -oA nmap-test <target IP>

tcpdump output:

root@Auditor-1:~# tcpdump -ni eth0 host <target_ip> and port 1433
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:18.997791 IP <my_ip>.48224 > <target_ip>.1433: UDP, length 0
18:40:19.144148 IP <my_ip>.48225 > <target_ip>.1433: UDP, length 0
18:40:19.341899 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 40
18:40:24.347024 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 30
18:40:29.352188 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 12
18:40:34.357346 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 50
18:40:39.359130 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 8
18:40:44.364290 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 229
18:40:51.870951 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 1
18:40:56.876120 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 48
18:41:01.879119 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 51
18:41:06.883463 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 60
18:41:11.888610 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 7
18:41:16.893768 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 32
18:41:21.898918 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 46
18:41:26.904089 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 30
18:41:31.909232 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 113
18:41:36.913548 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 61
18:41:44.498626 IP <my_ip>.25926 > <target_ip>.1433: UDP, length 0
18:41:44.554257 IP <my_ip>.52861 > <target_ip>.1433: UDP, length 40
18:41:46.514872 IP <my_ip>.52575 > <target_ip>.1433: UDP, length 0
18:41:48.557735 IP <my_ip>.29859 > <target_ip>.1433: UDP, length 0

I've got a capture of a -d6 output of the script scan, but I wasn't able to identify what script(s) were marking the ports as open. I just get lines like this:

Discovered open port 162/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 162 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x376a620) against <target_ip>:162.
Discovered open port 1434/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 1434 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x29cee20) against <target_ip>:1434.
Discovered open port 161/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 161 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x2e35950) against <target_ip>:161.
Discovered open port 1433/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
NSE: Target port 1433 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x3711ed0) against <target_ip>:1433.
Completed NSE at 15:49, 30.26s elapsed
NSE: Starting runlevel 2 (of 3) scan.

Anything else I can try?

Chris

On Fri, Aug 31, 2012 at 9:50 PM, David Fifield <david () bamsoftware com> wrote:
> On Wed, Aug 29, 2012 at 05:49:55PM -0500, Christopher Clements wrote:
>> If I perform a script scan along with a UDP scan (-sUC), the NSE run erroneously marks UDP ports as open. This is easily repeatable for me. What's the best way to help figure out why this is happening?
>
> Thanks for reporting this. Is it all UDP ports or only some of them? If it's only a few of them, which ones is it? Can you tell which scripts are causing the ports to be marked open?
>
> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
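The report above rests on correlating two artifacts by hand: the "Discovered open port N/udp" lines from nmap's debug output and a tcpdump capture that shows no datagram ever coming back from those ports. The script below is an added example, not part of the thread and not nmap's or tcpdump's own code; it automates that cross-check so a port that nmap reports open without any captured UDP reply from the target is flagged. The sample lines are constructed, modelled on the ones quoted in the message, with one extra constructed reply from port 161 so there is a genuinely answering port to contrast with; the target name `<target_ip>` is the placeholder the report itself uses.

```python
import re

# Constructed sample modelled on the tcpdump lines in the report: outbound UDP
# probes to <target_ip>:1433 with no reply, plus one constructed exchange with
# port 161 where the target does answer (the last two lines, not in the report).
TCPDUMP_SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:18.997791 IP <my_ip>.48224 > <target_ip>.1433: UDP, length 0
18:40:19.341899 IP <my_ip>.33192 > <target_ip>.1433: UDP, length 40
18:41:44.554257 IP <my_ip>.52861 > <target_ip>.1433: UDP, length 40
18:41:50.000000 IP <my_ip>.40001 > <target_ip>.161: UDP, length 40
18:41:50.012345 IP <target_ip>.161 > <my_ip>.40001: UDP, length 60
"""

# Constructed sample modelled on the nmap -d lines quoted in the report.
NMAP_DEBUG_SAMPLE = """\
Discovered open port 162/udp on <target_ip>
NSE: rpc-grind: RPC checking function response data is not RPC.
Discovered open port 161/udp on <target_ip>
Discovered open port 1433/udp on <target_ip>
NSE: Finished 'rpc-grind' (thread: 0x3711ed0) against <target_ip>:1433.
"""

# One tcpdump -n UDP line: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>".
# ICMP port-unreachable lines do not match on purpose: the check only counts a
# UDP datagram sent by the target as positive evidence that the port answered.
TCPDUMP_UDP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"UDP, length (?P<len>\d+)$"
)

# One nmap debug line announcing a UDP port as open.
OPEN_UDP_RE = re.compile(r"^Discovered open port (?P<port>\d+)/udp on (?P<host>\S+)$")


def parse_tcpdump(text, target):
    """Return (probed, answered): target UDP ports we sent to, and target UDP
    ports from which at least one datagram came back."""
    probed, answered = set(), set()
    for line in text.splitlines():
        m = TCPDUMP_UDP_RE.match(line)
        if not m:
            continue  # banner lines, non-UDP traffic, other hosts
        if m["dst"] == target:
            probed.add(int(m["dport"]))
        elif m["src"] == target:
            answered.add(int(m["sport"]))
    return probed, answered


def ports_marked_open(text, target):
    """UDP ports that nmap's debug output declared open on the target."""
    ports = set()
    for line in text.splitlines():
        m = OPEN_UDP_RE.match(line)
        if m and m["host"] == target:
            ports.add(int(m["port"]))
    return ports


def unsupported_open_ports(nmap_text, tcpdump_text, target):
    """Map each port nmap marked open, but for which the capture holds no UDP
    reply from the target, to a short reason. Ports with a captured reply are
    left out because the 'open' verdict is supported by the packets."""
    probed, answered = parse_tcpdump(tcpdump_text, target)
    marked = ports_marked_open(nmap_text, target)
    result = {}
    for port in sorted(marked - answered):
        # A port outside the capture filter (here: only port 1433 was captured)
        # shows up as 'not probed in capture' rather than as a false open.
        result[port] = "probed, no reply seen" if port in probed else "not probed in capture"
    return result


if __name__ == "__main__":
    for port, reason in unsupported_open_ports(
        NMAP_DEBUG_SAMPLE, TCPDUMP_SAMPLE, "<target_ip>"
    ).items():
        print(f"{port}/udp marked open: {reason}")
```

With the constructed samples this flags 1433 as "probed, no reply seen" (the situation in the report) and 162 as "not probed in capture" (the report's tcpdump filter was restricted to port 1433, so absence of a reply there proves nothing), while 161 is not listed because the constructed reply supports the verdict. Against a real run, feed it the full `tcpdump -n` text and the `-d` output for the same scan.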