Penetration Testing mailing list archives
RE: UDP port scan results
From: "Dario N. Ciccarone" <dciccaro () cisco com>
Date: Tue, 23 Apr 2002 20:17:54 -0300
all comments are personal opinions based on personal tests - please keep that in mind !
> I think nmap has an explanation of how it determines whether a UDP port is listening or not.
simple. an ICMP type 3, code 3 (port unreachable) means closed port. no ICMP, open port. an ICMP 3/13 means a filtered port (code 13 is "Communication Administratively Prohibited" - RFC-1812, Requirements for Internet routers)
> However, this behaviour is easily mimicked (?sp) with a firewall in front of the target server. If the firewall is configured to silently drop unauthorised packets, the scanner will receive no response to its packets, and assume that ALL ports are open.
the default behaviour of, say, a PIX is to drop the packet and NOT to send anything back- hence, the port is reported as open.
> If there is a screening router in front of the target, and it is configured to send ICMP unreachables (fairly standard Cisco filter result), the scanner can report that the port is filtered, since the unreachable is coming from a different IP address to that of the target.
it's the other way around :) by default, a Cisco router generates ICMP unreachables like 3/13. adding "no icmp unre" under the incoming interface for the packet would block generation of those messages. but by default, ICMP unreachables ARE generated. And most customers DO NOT deactivate unreach generation.
> The scanner would have to try EVERY UDP protocol it knows about against every port, in order to discern between "not there", and "I'm ignoring invalid packets" on non-standard ports. An example might be a TFTP server running on the SNMP well-known port. It wouldn't answer to a SNMP handshake, but would likely respond to a TFTP handshake . . . .
and even yet, the SNMP port could be "open", but access limited to an ACL - and you would NOT see anything back. so . . .

Disclaimer: These are my own personal opinions and not necessarily those of Cisco Systems.

Sed quis custodiet ipsos custodes?

Dario N. Ciccarone
Cisco Systems Argentina, Paraguay, Uruguay y Bolivia
Ing. Enrique Butty 240 Piso 17
C1001ABF, Buenos Aires, Argentina
Phone/Vmail: 54-11-4341-0203
Fax: 54-11-4341-0149
dciccaro () cisco com
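The interpretation rules discussed in this message, as an added example that is not part of the original post: a parser for a captured ICMP destination-unreachable reply and a classifier that reports which address answered. The function names, the "open|filtered" label for silence, the treatment of every unreachable code other than 3 as filtered, and the sample addresses are assumptions of this example.

```python
import socket
import struct

def parse_icmp_unreachable(packet):
    """Return (sender, code, probed_ip, probed_port) for an ICMP type 3 packet, else None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:   # protocol 1 = ICMP
        return None
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type != 3:
        return None
    inner = packet[ihl + 8:]            # quoted IP header + first bytes of the UDP probe
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < inner_ihl + 4:   # protocol 17 = UDP
        return None
    port = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return socket.inet_ntoa(packet[12:16]), code, socket.inet_ntoa(inner[16:20]), port

def classify(target, port, reply):
    """Map one probe's observed reply (raw bytes or None) to (state, responder)."""
    parsed = parse_icmp_unreachable(reply) if reply else None
    if parsed is None or parsed[2:] != (target, port):
        # Silence is ambiguous: listening service, dropping firewall, or an ACL.
        return "open|filtered", None
    sender, code = parsed[0], parsed[1]
    if code == 3:
        return "closed", sender         # 3/3, port unreachable
    # Assumption: any other unreachable code is treated like 3/13 (filtered).
    return "filtered", sender           # responder may be a router in the path

def sample_reply(sender, code, target, port):
    """Constructed test packet: IPv4 + ICMP type 3 quoting the probe's IP/UDP headers."""
    def ip_hdr(src, dst, proto):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    quoted = ip_hdr("192.0.2.10", target, 17) + struct.pack("!HHHH", 40000, port, 8, 0)
    return ip_hdr(sender, "192.0.2.10", 1) + struct.pack("!BBHI", 3, code, 0, 0) + quoted

if __name__ == "__main__":
    target, router = "198.51.100.5", "198.51.100.1"   # constructed addresses
    for reply in (None, sample_reply(target, 3, target, 161), sample_reply(router, 13, target, 161)):
        print(classify(target, 161, reply))
```

Keeping the responder address alongside the state lets a report distinguish an unreachable sent by the target itself from one generated by a device in front of it.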