Penetration Testing mailing list archives
Re: nmap -- UDP scanning
From: Fyodor <fyodor () insecure org>
Date: Tue, 10 Aug 2004 11:16:58 -0700
On Tue, Aug 10, 2004 at 12:04:19PM -0000, joshnunan123 () yahoo com wrote:
> If the port is open, nmap sends two udp packets with a length of zero -- no data is returned. If the port is filtered, nmap sends a single udp packet with a length of zero -- no data is returned.
You should try adding the --packet_trace option to Nmap instead of sniffing at the same time with TCPdump. That will show you exactly what packets Nmap is sending and receiving. In your case, I suspect it will show that a firewall between you and the target is sending ICMP destination unreachable messages in response to most of the UDP probes. Your "tcpdump targethost port" misses these because the firewall is sending the unreachables. And "tcpdump port 123" misses them because they are ICMP. Again, try --packet_trace instead, maybe with -p160-170 to avoid thousands of lines of output.

Cheers,
Fyodor
http://www.insecure.org/

PS: I have spent the last couple weeks rewriting the core Nmap port scanning engine, including the UDP scanner, to be more efficient and offer better parallelization over concurrent hosts and ports. I hope to release the first alpha to the nmap-dev list in the next week or so.
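An added illustration (my own code, not Fyodor's and not Nmap's source) of the two points in the reply: how a UDP scanner infers a port state from UDP replies and ICMP destination unreachables, and why a tcpdump "port 123" filter never shows the ICMP messages a firewall sends. The event-dict format is an invented stand-in for --packet_trace output; the ICMP code mapping follows Nmap's documented UDP scan rules.

```python
# Added example, not code from the mail or from Nmap.  Event dicts below are a
# constructed stand-in for --packet_trace lines, not real scanner output.

# ICMP type 3 codes Nmap reports as "filtered"; code 3 (port unreachable) alone
# means "closed" (per Nmap's documented UDP scan behaviour).
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}

def port_of(ev):
    """Target port an event refers to: the probe's destination, a UDP reply's
    source, or the original datagram quoted inside an ICMP error."""
    if ev["proto"] == "ICMP":
        return ev["orig_dport"]
    return ev["dport"] if ev["dir"] == "SENT" else ev["sport"]

def classify_udp_port(events):
    """Infer one port's state from the events seen for it."""
    got_udp_reply = False
    for ev in events:
        if ev["dir"] != "RCVD":
            continue
        if ev["proto"] == "UDP":
            got_udp_reply = True
        elif ev["proto"] == "ICMP" and ev["type"] == 3:
            if ev["code"] == 3:
                return "closed"
            if ev["code"] in ICMP_FILTERED_CODES:
                return "filtered"
    return "open" if got_udp_reply else "open|filtered"

def scan_states(trace):
    by_port = {}
    for ev in trace:
        by_port.setdefault(port_of(ev), []).append(ev)
    return {p: classify_udp_port(evs) for p, evs in sorted(by_port.items())}

def tcpdump_port_filter(trace, port):
    """Emulate 'tcpdump port N': only UDP/TCP headers carrying N match, so the
    ICMP unreachables sent in response to the probe are never shown."""
    return [ev for ev in trace
            if ev["proto"] != "ICMP" and port in (ev["sport"], ev["dport"])]

# Constructed trace: probes to four UDP ports on 10.0.0.5; a firewall at
# 10.0.0.1 answers port 123 with ICMP admin-prohibited, 162 gets no answer at all.
TRACE = [
    {"dir": "SENT", "proto": "UDP", "sport": 40000, "dport": 123},
    {"dir": "RCVD", "proto": "ICMP", "src": "10.0.0.1", "type": 3, "code": 13, "orig_dport": 123},
    {"dir": "SENT", "proto": "UDP", "sport": 40000, "dport": 161},
    {"dir": "RCVD", "proto": "UDP", "sport": 161, "dport": 40000},
    {"dir": "SENT", "proto": "UDP", "sport": 40000, "dport": 162},
    {"dir": "SENT", "proto": "UDP", "sport": 40000, "dport": 162},  # retry, no reply
    {"dir": "SENT", "proto": "UDP", "sport": 40000, "dport": 163},
    {"dir": "RCVD", "proto": "ICMP", "src": "10.0.0.5", "type": 3, "code": 3, "orig_dport": 163},
]

if __name__ == "__main__":
    print(scan_states(TRACE))
    print(len(tcpdump_port_filter(TRACE, 123)), "packet(s) visible to 'tcpdump port 123'")
```

Running it shows only the outgoing probe for port 123 surviving the port filter while the ICMP reply that actually decides the state is dropped, which is exactly what --packet_trace would reveal.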