Nmap Development mailing list archives
Re: someone please explain this?!
From: David Fifield <david () bamsoftware com>
Date: Wed, 18 May 2016 09:02:37 -0700
On Wed, May 18, 2016 at 02:23:52PM +0000, Mike . wrote:
> so explain this because it makes no sense. i scanned 1 address today with a UDP /Svc scan. i know it only has 1 service open (dns-sd). look at this output:
>
> Service scan sending probe SIPOptions to 192.168.0.10:139 (udp)
> Service scan sending probe Help to 192.168.0.10:158 (udp)
> Service scan sending probe SIPOptions to 192.168.0.10:88 (udp)
> Service scan sending probe SIPOptions to 192.168.0.10:123 (udp)
> Service scan sending probe SIPOptions to 192.168.0.10:158 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:7 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:9 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:17 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:19 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:49 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:53 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:67 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:68 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:69 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:80 (udp)
> Service scan sending probe Sqlping to 192.168.0.10:111 (udp)
>
> i used the -F first when i started. ok, fine. but would it not make more sense to actually FIRST see what we have open THEN start the service grinding at the end? this just seems pointless going after ports not even open! the only port open att was 5353. or am i missing something?

That's because you're scanning UDP ports. In contrast to TCP, there's no general way to discover from the network that a UDP port is closed. You'll notice that Nmap will mark non-responsive UDP ports as "open|filtered" rather than "closed", because the port might be listening but just not responding to Nmap's probes, or it might not be listening at all. Sometimes version scan, by sending a wider variety of probes, can get a response and change "open|filtered" to "open". See:

https://nmap.org/book/vscan.html
    A final problem is that filtered UDP ports often look the same to a simple port scanner as open ports. But if they respond to the service-specific probes sent by Nmap version detection, you know for sure that they are open (and often exactly what is running).

https://nmap.org/book/man-port-scanning-basics.html
    open|filtered: Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered.

Try using --version-light to speed up UDP version detection.
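
The behaviour described in the reply above, as an added example that is not part of the original message and is not Nmap's code: a loopback-only sketch in which a listening UDP service stays "open|filtered" until it receives a probe it understands. The function names, the probe bytes and the toy service are hypothetical, and the "closed" result assumes the local stack returns an ICMP port unreachable.

```python
import socket
import threading

def classify_udp_port(host, port, payload, timeout=0.5):
    """Send one datagram and report the state a scanner can actually infer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))      # connected socket: ICMP errors are reported to us
        try:
            s.send(payload)
            s.recv(2048)
            return "open"            # any reply proves a listener
        except ConnectionError:
            return "closed"          # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"   # silence: listener ignored us, or a filter dropped it

def start_picky_service(expected):
    """Constructed loopback service that answers only its own protocol's probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def loop():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:
                return
            if data == expected:     # everything else is silently ignored
                srv.sendto(b"OK", peer)
    threading.Thread(target=loop, daemon=True).start()
    return srv

def unused_port():
    """Bind and release an ephemeral port so that nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    probe = b"CONSTRUCTED-PROBE"     # constructed stand-in for a service-specific probe
    srv = start_picky_service(probe)
    port = srv.getsockname()[1]
    return {
        "generic probe, listening service": classify_udp_port("127.0.0.1", port, b"\x00"),
        "matching probe, listening service": classify_udp_port("127.0.0.1", port, probe),
        "no listener": classify_udp_port("127.0.0.1", unused_port(), b"\x00"),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

On a network where a packet filter drops the ICMP error, the "no listener" case also reads "open|filtered", which is why every such port still gets probed.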