Nmap Development mailing list archives

Re: someone please explain this?!


From: David Fifield <david () bamsoftware com>
Date: Wed, 18 May 2016 09:02:37 -0700

On Wed, May 18, 2016 at 02:23:52PM +0000, Mike . wrote:
> So explain this, because it makes no sense. I scanned 1 address today with a
> UDP/Svc scan. I know it only has 1 service open (dns-sd). Look at this output:
> 
> Service scan sending probe SIPOptions to 192.168.0.10:139 (udp)
> Service scan sending probe Help to 192.168.0.10:158 (udp)
> Service scan sending probe SIPOptions to 192.168.0.10:88 (udp)
> Service scan sending probe SIPOptions to 192.168.0.10:123 (udp)
> Service scan sending probe SIPOptions to 192.168.0.10:158 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:7 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:9 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:17 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:19 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:49 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:53 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:67 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:68 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:69 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:80 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:111 (udp)
> 
> I used the -F first when I started. OK, fine. But would it not make more sense
> to actually FIRST see what we have open, THEN start the service grinding at the
> end? This just seems pointless, going after ports that are not even open! The
> only port open at all was 5353. Or am I missing something?

That's because you're scanning UDP ports. In contrast to TCP, there's
no general way to discover from the network that a UDP port is closed.
You'll notice that Nmap will mark non-responsive UDP ports as
"open|filtered" rather than "closed", because the port might be
listening but just not responding to Nmap's probes, or it might not be
listening at all. Sometimes a version scan, by sending a wider variety of
probes, can get a response and change "open|filtered" to "open". See:
https://nmap.org/book/vscan.html
        A final problem is that filtered UDP ports often look the same
        to a simple port scanner as open ports. But if they respond to
        the service-specific probes sent by Nmap version detection, you
        know for sure that they are open (and often exactly what is
        running).
https://nmap.org/book/man-port-scanning-basics.html
        open|filtered: Nmap places ports in this state when it is unable
        to determine whether a port is open or filtered. This occurs for
        scan types in which open ports give no response. The lack of
        response could also mean that a packet filter dropped the probe
        or any response it elicited. So Nmap does not know for sure
        whether the port is open or being filtered.

Try using --version-light to speed up UDP version detection.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/