Nmap Announce mailing list archives
Re: UDP port scanning...
From: Simple Nomad <thegnome () nmrc org>
Date: Thu, 10 Feb 2000 09:43:35 -0600 (CST)
Jesus Christ..... Okay, I'll let the script kiddie comment slide, but I was just interpreting the terms "good" and "bad" differently. At any point any scanner that detects all open UDP ports is what I would consider a bad thing, as this is almost certainly a false positive, unless there is a seriously misconfigured packet filtering device in place.

As far as my comments about state tables, I had pulled together a series of security patches written by others for Linux 2.0.36 kernels and included some of my own tweaks that did very basic state table stuff. See http://www.nmrc.org/files/sunix/nmrcOS.patch.tar.gz for details. And before someone asks, yes I'll probably update this to a 2.2 kernel for mass consumption, but I have been rather busy and am unsure when this will happen. Hopefully the new job will allow it.

For those not wishing to pick through the kernel patch, let me explain what I was referring to:

- Kernel receives packet.
- Kernel checks to see if packet is a SYN; if so, it allows other existing items (such as ipfw, ipchains, tcp wrappers, etc.) to deal with it.
- If not a SYN, it checks to see if it is a part of an existing conversation, and if it is, allows the packet (the state table).
- If not a part of an existing conversation, drop the packet (and alternately log it).

The point is that most of the stealthy scans will not show up in most logs, hence this is why they are stealthy and why they are being used. By using the above scenario you force the only TCP scanning method that will work to be the one guaranteed to make itself known in logs. I don't understand why the above four steps are not standard in all networked systems anyway -- they make sense, and prevent a LOT of extra crap from coming in. Granted it kills "push" technologies, but big deal, I don't see as many web banner ads....
- Simple Nomad - No rest for the Wicca'd -
- thegnome () nmrc org - www.nmrc.org -
- thegnome () razor bindview com - www.bindview.com -

On Thu, 10 Feb 2000, Joe Hacker wrote:
> Er, wasn't that just what Reed said? ;)
>
> -joe
>
> At 09:36 09/02/00 -0600, Simple Nomad wrote:
> > Yes but if the firewall or router is simply dropping the packets (common with filter-based rules) then all UDP ports will show up as open, when in fact they are not.
> >
> > - Simple Nomad - No rest for the Wicca'd -
> > - thegnome () nmrc org - www.nmrc.org -
> > - thegnome () razor bindview com - www.bindview.com -
> >
> > On Wed, 9 Feb 2000, Darren Reed wrote:
> > > It may be worthwhile putting in a note when doing UDP scan that the "open ports" are generated when no packets are received back. Too many lay people seem to assume that "all UDP ports open" as reported by nmap is a `bad thing' when in fact it's a good thing(tm).
> > >
> > > Darren
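The four-step state-table logic described in the post above, as an added simulation that is not part of the original thread or of the nmrcOS patch. The `allowed_ports` set is a placeholder standing in for whatever existing rules (ipchains, tcp wrappers) bare SYNs are handed to, and only inbound traffic to a single server is modelled; the sample packets are constructed.

```python
from dataclasses import dataclass

# Constructed packet record for the demonstration (not from the original post).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"}) or frozenset() for a NULL probe

class StatefulFilter:
    """Inbound TCP filter following the four steps from the post. `allowed_ports`
    is a placeholder for the existing rule set that bare SYNs are handed to;
    outbound connections from the server are deliberately not modelled."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.table = set()   # the state table: (src, sport, dst, dport) tuples
        self.log = []        # non-SYN packets that matched no known conversation

    def handle(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == frozenset({"SYN"}):
            # Step 2: a bare SYN goes to the ordinary rules; if they accept it,
            # the conversation is recorded so later segments can match step 3.
            if p.dport in self.allowed_ports:
                self.table.add(key)
                return "accept"
            return "rejected-by-rules"
        if key in self.table:
            return "accept"          # Step 3: part of an existing conversation
        self.log.append((p.src, p.dport, sorted(p.flags)))
        return "drop"                # Step 4: drop (and log) everything else

def run(packets, allowed_ports=(80,)):
    f = StatefulFilter(allowed_ports)
    return [f.handle(p) for p in packets], f.log

# Constructed sample traffic: a normal HTTP handshake, then FIN and NULL probes
SAMPLE = [
    Packet("10.0.0.5", 40000, "10.0.0.1", 80, frozenset({"SYN"})),
    Packet("10.0.0.5", 40000, "10.0.0.1", 80, frozenset({"ACK"})),
    Packet("10.0.0.9", 50001, "10.0.0.1", 22, frozenset({"FIN"})),   # FIN-scan probe
    Packet("10.0.0.9", 50002, "10.0.0.1", 80, frozenset()),          # NULL-scan probe
    Packet("10.0.0.9", 50003, "10.0.0.1", 22, frozenset({"SYN"})),   # SYN to a non-allowed port
]
```

Running `run(SAMPLE)` shows the handshake accepted, both non-SYN probes dropped and recorded in the log, and the bare SYN left to the ordinary rules, which is the only probe type the scheme lets reach them.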