Penetration Testing mailing list archives
Re: UDP port scan results
From: Anders Thulin <Anders.Thulin () kiconsulting se>
Date: Tue, 23 Apr 2002 08:45:02 +0200
Noonan, Wesley wrote:
> to be, and it kind of makes sense, that UDP being connectionless, the scanner has no real method to differentiate between an opened port, and a port that was silently dropped (which most firewalls should[1] do).
It is possible, but very protocol dependent. For 53/UDP (DNS), for example, it's possible to send a 'Server Status Request' packet, to which almost all DNS servers reply 'Feature not implemented', while the remaining one or two server types reply with a status response, assuming they're not filtered. (All responses contain further information about the server which may be interesting for pen-testing purposes.) For protocols that lack the required 'echo-type' requests, it may be impossible, unless there is a difference between the protocol specification and the actual implementation, which sometimes happens. Some SNMP implementations will seemingly send responses in certain situations even though the community name is wrong.
> Is there a port scanner on the market (free or $$$) that does not generate the "false positive" result of a UDP scan against a stealth host?
The easiest thing is probably to patch NMAP accordingly, and replace 'open' UDP ports with 'state unknown'. Or add a postprocessing step that does this. However, it's usually best to learn the tool so that you can interpret what it says. The latest NMAP beta may produce output for the '-sR' scanning method, but that unfortunately does not mean that you can trust the output to mean what you think it says. Also, if you try ... I think it was ACK-scanning with a specified source port, some NMAP beta versions may not do exactly what you have asked for.
> [1] I say should because most references I have seen recommend a firewall operating in a stealth fashion as being more effective since it requires any scanning, etc. to time out before proceeding causing more time to pass and increasing the likelihood of catching it occurring.
Detecting a UDP port scan does not depend much on whether scans time out or not, unless you have some kind of IDS-specific constraints to work with. Time-outs may increase the likelihood that a scan will be interrupted as non-promising, though. But then, pros won't UDP scan anyway except in fairly special situations -- they'll go for the vulnerable port directly, and detect successful intrusions by other means.

--
Anders Thulin anders.thulin () kiconsulting se 040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
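To make the ambiguity discussed in this thread concrete, here is an added example (not code from the original post or from NMAP) that builds the DNS 'Server Status Request' (opcode STATUS) Anders mentions and maps the three possible outcomes of a UDP probe to scanner states: an ICMP port unreachable means closed, a DNS reply (usually RCODE NOTIMP, 'not implemented') means open, and silence can only be reported as 'open|filtered'. The sample reply is constructed inline; `probe()` sends one real datagram and assumes a Linux-style socket where ICMP unreachable surfaces as `ConnectionRefusedError`.

```python
import socket
import struct
from typing import Optional

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
OPCODE_STATUS = 2   # 'Server Status Request' opcode
RCODE_NOTIMP = 4    # 'Not implemented': what almost every server answers to STATUS


def build_status_request(txid: int = 0x1234) -> bytes:
    """Bare DNS STATUS request: QR=0, opcode in bits 11-14, no question section."""
    flags = OPCODE_STATUS << 11
    return HEADER.pack(txid, flags, 0, 0, 0, 0)


def classify(txid: int, datagram: Optional[bytes], port_unreachable: bool = False) -> str:
    """Map one UDP probe outcome to a scanner state string."""
    if port_unreachable:                 # ICMP port unreachable: nothing listening
        return "closed"
    if datagram is None:                 # silence: open, or silently dropped by a firewall
        return "open|filtered"
    if len(datagram) < HEADER.size:      # something answered, but it is not a DNS header
        return "open (non-DNS reply)"
    rid, flags, *_ = HEADER.unpack_from(datagram)
    if rid != txid or not flags & 0x8000:   # wrong transaction ID or QR bit clear
        return "open (unexpected reply)"
    rcode = flags & 0x000F
    opcode = (flags >> 11) & 0x0F
    if rcode == RCODE_NOTIMP:
        return "open (DNS: STATUS not implemented)"
    if opcode == OPCODE_STATUS and rcode == 0:
        return "open (DNS: STATUS supported)"
    return f"open (DNS: rcode {rcode})"


def probe(host: str, port: int = 53, timeout: float = 2.0, txid: int = 0x1234) -> str:
    """Send one STATUS request to host:port and classify whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # connected socket so ICMP errors are reported
        s.send(build_status_request(txid))
        try:
            return classify(txid, s.recv(512))
        except ConnectionRefusedError:   # assumption: Linux maps ICMP unreachable to this
            return classify(txid, None, port_unreachable=True)
        except socket.timeout:
            return classify(txid, None)


# Constructed sample reply (not captured from a real server): our ID, QR set, opcode STATUS, RCODE NOTIMP.
SAMPLE_NOTIMP = HEADER.pack(0x1234, 0x8000 | (OPCODE_STATUS << 11) | RCODE_NOTIMP, 0, 0, 0, 0)
```

The point the thread makes is visible in `classify`: only the 'closed' and 'open' branches rest on evidence; the 'open|filtered' branch is the scanner admitting it cannot tell.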
Current thread:
- UDP port scan results Noonan, Wesley (Apr 22)
- Re: UDP port scan results Anders Thulin (Apr 23)
- <Possible follow-ups>
- RE: UDP port scan results Dawes, Rogan (ZA - Johannesburg) (Apr 22)
- Re: UDP port scan results Franck Veysset (Apr 26)
- Re: UDP port scan results R. DuFresne (Apr 26)
- Re: UDP port scan results Franck Veysset (Apr 26)
- RE: UDP port scan results Dario N. Ciccarone (Apr 24)