Nmap Development mailing list archives
Re: Test for open TCP/UDP Ports
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 3 Apr 2008 06:39:51 +0000
Mario,

There is a fundamental difference in the way TCP and UDP work. With TCP you set up a connection via a "full handshake" as you call it. It is this handshake and the subsequent acknowledgment of data that give TCP its reliability.

UDP on the other hand does not have any such connection setup or acknowledgement built in. Any UDP packet you get in response to a probe is entirely up to the application that has the listening UDP socket. In fact, the only time you'd expect to get a packet back is when you send to a closed UDP port (ICMP destination unreachable). Even with the --data-length 10 directive, most applications will not respond to your probe.

One way to try to determine if a UDP port is open versus filtered is to use "service version" detection with -sV. The Nmap service fingerprinting engine knows about quite a few UDP protocols and can often send probes that will elicit a response.

Nmap has *excellent* documentation and you can read a little bit about the port scanning techniques here:

http://nmap.org/man/man-port-scanning-techniques.html

James "Professor" Messer has put together quite a bit of training material on Nmap too. Here is some of his work covering UDP scans:

http://www.networkuptime.com/nmap/page3-10.shtml

UDP scans are valuable but you'll probably want to limit your scans to just a handful of UDP ports like 53, 137, 161, 1900, etc.

The Unicornscan guys have done a lot of work with UDP and have the ability to automatically send UDP packets with targeted payload to each service _during_ the actual scanning. It basically won't work against hosts that rate-limit ICMP messages though. You might want to check it out.

Brandon

On Thu, 03 Apr 2008 08:24:51 +0200 or thereabouts "ml () bortal de" <ml () bortal de> wrote:
Hello List,

I would like to test if I can reach an open TCP and UDP port. Here is the way I use to test a TCP port (-sT does a full handshake, right?!):

    /usr/bin/nmap -sT --data-length 10 -n -q -r -e eth0:0 -P0 --open -T Aggressive -p 1234 123.123.123.123

The results seem to make sense here. This is the way I check a UDP port:

    /usr/bin/nmap -sU --data-length 10 -n -q -r -e eth0:0 -P0 --open -T Aggressive -p 1234 123.123.123.123

The weird thing is that it still reports an open port if I unplug the network cable of 123.123.123.

Where can I read up on how nmap does its UDP scan?

Thanks,
Mario
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
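An added example, not code from Brandon's mail or from the Nmap project: it reproduces the three verdicts an -sU scan can give (closed, open, open|filtered) against a constructed loopback lab, so you can see why silence, including from a host whose cable is unplugged, comes back as open|filtered. It assumes a Linux or macOS kernel that surfaces the ICMP port unreachable for a closed port as ECONNREFUSED on a connected UDP socket.

```python
import socket
import threading

PROBE = b"\x00" * 10  # same idea as --data-length 10: bytes most services ignore


def probe_udp(host, port, timeout=0.5):
    """Classify one UDP port the way nmap -sU does from a single datagram.

    closed        -> ICMP port unreachable (seen as ECONNREFUSED here)
    open          -> the application actually answered
    open|filtered -> silence: a service that ignores the probe, a firewall,
                     or a host that is not on the network at all
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket so kernel reports ICMP errors
        s.send(PROBE)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def _serve_once(sock, reply):
    data, peer = sock.recvfrom(1024)  # constructed service: answer at most once
    if reply:
        sock.sendto(b"pong", peer)
    sock.close()


def start_service(reply):
    """Bind a UDP socket on a free loopback port; answer only if reply=True."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    threading.Thread(target=_serve_once, args=(sock, reply), daemon=True).start()
    return sock.getsockname()[1]


def free_port():
    """A loopback port with no listener, so the kernel answers with ICMP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    return {"closed": probe_udp("127.0.0.1", free_port()),
            "open": probe_udp("127.0.0.1", start_service(reply=True)),
            "open|filtered": probe_udp("127.0.0.1", start_service(reply=False))}


if __name__ == "__main__":
    for expected, got in demo().items():
        print(f"{expected:14} -> {got}")
```

The third case is the one --open shows as a hit: nmap cannot distinguish a silent service from no host at all without an ICMP error or a -sV probe the service answers.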