Penetration Testing mailing list archives

Re: UDP port scan results


From: Anders Thulin <Anders.Thulin () kiconsulting se>
Date: Tue, 23 Apr 2002 08:45:02 +0200


Noonan, Wesley wrote:


to be, and it kind of makes sense, that UDP being connectionless, the
scanner has no real method to differentiate between an opened port, and a
port that was silently dropped (which most firewalls should[1] do).


  It is possible, but very protocol dependent.  For 53/UDP (DNS),
for example, it's possible to send a 'Server Status Request' packet,
on which almost all DNS servers reply 'Feature not implemented', while
the remaining one or two server types reply with a status response,
assuming they're not filtered. (All responses contain further
information about the server which may be interesting for pen-testing
purposes.)

  For protocols that lack the required 'echo-type' requests, it may be
impossible, unless there is a difference between the protocol specification,
and the actual implementation, which sometimes happens. Some SNMP
implementations will seemingly send responses in certain situations even
though community name is wrong.

Is there a port scanner on the market (free or $$$) that does not generate
the "false positive" result of a UDP scan against a stealth host?


  The easiest thing is probably to patch NMAP accordingly, and replace
'open' UDP ports with 'state unknown'. Or add a postprocessing step that
does this.

  However, it's usually best to learn the tool so that you can
interpret what it says.  The latest NMAP beta may produce output
for the '-sR' scanning method, but that does unfortunately not mean
that you can trust the output to mean what you think it says.  Also,
if you try ... I think it was ACK-scanning with a specified source
port, some NMAP beta versions may not do exactly what you have
asked for.

[1] I say should because most references I have seen recommend a firewall
operating in a stealth fashion as being more effective since it requires any
scanning, etc. to time out before proceeding causing more time to pass and
increasing the likelihood of catching it occurring.


  Detecting a UDP port scan does not much depend on whether scans
are timed out or not, unless you have some kind of IDS-specific
constraints to work with.

  Time-outs may increase the likelihood that a scan will be
interrupted as non-promising, though. But then, pros won't UDP
scan anyway except in fairly special situations -- they'll go for
the vulnerable port directly, and detect successful intrusions
by other means.


--
Anders Thulin   anders.thulin () kiconsulting se   040-661 50 63        
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden

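The 53/UDP check Anders describes above (send a DNS 'Server Status Request', then read the RCODE of whatever comes back) as an added example that is not part of the original post. It only builds the probe header and interprets a captured reply; the sample replies are constructed, nothing is sent on the wire, and the verdict strings are my own labels.

```python
import struct
from typing import Optional

# Header fields from RFC 1035 section 4.1.1
OPCODE_STATUS = 2      # "server status request"
RCODE_NOERROR = 0
RCODE_NOTIMP = 4       # "Not Implemented" - what the post says most servers answer


def build_status_request(txid: int = 0x1234) -> bytes:
    """12-byte DNS header: QR=0, OPCODE=STATUS, no question/answer sections."""
    flags = OPCODE_STATUS << 11
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def classify_response(request: bytes, response: Optional[bytes]) -> str:
    """Turn the reply (or silence) into the port state a scanner should report.

    Silence is the whole problem with UDP: an open port that ignores the
    datagram and a firewall that drops it look identical, so the honest
    verdict is 'open|filtered', not 'open'.
    """
    if response is None:
        return "open|filtered"
    if len(response) < 12:
        return "open (malformed reply)"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", request[:2])[0]:
        return "open (unrelated reply)"        # not an answer to our probe
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if qr != 1 or opcode != OPCODE_STATUS:
        return "open (unrelated reply)"
    if rcode == RCODE_NOTIMP:
        return "open (DNS server, status request not implemented)"
    if rcode == RCODE_NOERROR:
        return "open (DNS server answered status request)"
    return f"open (DNS server, rcode {rcode})"


# Constructed replies for the three cases: NOTIMP, a real status answer, and silence.
REPLY_NOTIMP = bytes.fromhex("1234 9004 0000 0000 0000 0000")
REPLY_STATUS = bytes.fromhex("1234 9000 0000 0000 0000 0000")

if __name__ == "__main__":
    req = build_status_request()
    for reply in (REPLY_NOTIMP, REPLY_STATUS, None):
        print(classify_response(req, reply))
```

Nmap today already reports a silent UDP port as open|filtered, which is the 'state unknown' relabelling the reply suggests; the probe above is the protocol-specific step that can promote it to plain open.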

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
