Nmap Development mailing list archives

Re: UDP scanning within Nmap


From: David Fifield <david () bamsoftware com>
Date: Wed, 12 Nov 2014 12:40:42 -0800

On Tue, Nov 11, 2014 at 04:02:00PM -0600, Daniel Miller wrote:
> Chris,
> 
> Thanks for this analysis. My thoughts are inline below:
> 
> On Mon, Nov 3, 2014 at 9:04 AM, Chris McNab <chris () cloudsoc net> wrote:
> > Hi Dan,
> > 
> > Any plans to decouple the two UDP scanning modes in Nmap? i.e. payload
> > scanning (sending real datagrams to service ports and getting responses),
> > and inverse scanning (relying on ICMP responses to infer open ports).
> 
> Nmap's UDP scan (-sU) uses payloads where they are available,
> otherwise empty datagrams are sent. The interpretation of responses
> is the same: ICMP response means closed, UDP response means open, and
> no response is the ambiguous "open|filtered".

Dan is right. There aren't two different UDP scanning modes. The
behavior is always the same:
        1. Response packet → open
        2. No response → open|filtered
        3. ICMP error → closed
We send, for some ports, a protocol-specific payload that makes case (1)
more likely and case (2) less likely. But it really isn't a different
mode.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
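The three-way interpretation David describes, as an added example that is not part of this thread or of Nmap's code: a classifier that takes the outcome of one UDP probe (a UDP reply, an ICMP Destination Unreachable message, or a timeout) and returns the port state. It goes slightly beyond the message by distinguishing ICMP port unreachable (type 3, code 3, "closed") from the other unreachable codes that Nmap reports as "filtered", and it parses the quoted IP/UDP headers inside the ICMP message to confirm the error refers to the probe that was sent. The sample ICMP bytes are constructed inline; checksums are left as zero.

```python
import struct

# Constructed sample: an ICMP Destination Unreachable (type 3) message as a
# router or host would return for a UDP probe. After the 8-byte ICMP header it
# quotes the original IPv4 header (20 bytes) plus the first 8 bytes of the
# UDP datagram, which is how the prober matches the error to its own packet.
def build_icmp_unreachable(code, src_port, dst_port):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip_hdr + udp_hdr

def classify_udp_probe(dst_port, reply):
    """Map one probe outcome to Nmap's UDP port states.

    reply is None on timeout, ("udp", payload) for a datagram from the
    service, or ("icmp", raw_bytes) for an ICMP error message.
    """
    if reply is None:
        return "open|filtered"            # case 2: nothing came back
    kind, data = reply
    if kind == "udp":
        return "open"                     # case 1: the service answered
    if kind != "icmp" or len(data) < 8 + 20 + 8:
        raise ValueError("unrecognised reply")
    icmp_type, icmp_code = data[0], data[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    # Locate the quoted UDP header behind the quoted IPv4 header (IHL field).
    ihl = (data[8] & 0x0F) * 4
    quoted_udp = data[8 + ihl: 8 + ihl + 8]
    quoted_dst = struct.unpack("!HH", quoted_udp[:4])[1]
    if quoted_dst != dst_port:
        raise ValueError("ICMP quote does not refer to this probe")
    if icmp_code == 3:
        return "closed"                   # case 3: port unreachable
    if icmp_code in (1, 2, 9, 10, 13):
        return "filtered"                 # host/net/admin prohibited etc.
    raise ValueError("unexpected unreachable code %d" % icmp_code)

if __name__ == "__main__":
    for port, reply in [(53, ("udp", b"\x00\x01\x81\x80")),
                        (161, ("icmp", build_icmp_unreachable(3, 40000, 161))),
                        (500, ("icmp", build_icmp_unreachable(13, 40000, 500))),
                        (123, None)]:
        print(port, classify_udp_probe(port, reply))
```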
