Nmap Development mailing list archives

Re: False/Positive - NMAP Scan


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 14 Sep 2015 20:31:04 -0500

Steban,

This is a fundamental feature of UDP which makes it hard to scan for: there
is no universal "Yes I'm listening" response. For TCP, we send a SYN and
expect a SYN/ACK for open ports. For UDP, we send an empty packet and hope
that the service responds with something, anything. In special cases, we
send a data payload [1] like a DTLS client hello or DNS status request in
order to increase the odds that we'll get a data response. If we get a data
response, the port is marked "open". If we get an ICMP Port Unreachable,
the port is marked "closed." Some other ICMP responses will result in
"filtered", but if no response is received at all, you get "open|filtered",
which is a nice way of saying "no clue, but not closed."

Your best bet would be to find a data payload that can be sent to the
service to get a response. Then insert that into the nmap-payloads file.
Alternatively, use a TCP service or ICMP probe to check for host
responsiveness, though I would guess you're intentionally checking for this
service in particular.

Dan

[1] https://nmap.org/book/nmap-payloads.html

On Mon, Sep 14, 2015 at 1:03 PM, Esteban Javier Calvache <
stebancc_27 () hotmail es> wrote:


Hello,

I'm writing you because we are using NMAP for discovering workstations.
Our application uses a specific port which is 52311. We use an nmap scan in
order to know if that port is in use or not. If the port is in use the
application assumes that system has already installed an agent. If not,
that system doesn't have an agent. During a scan we found too many false
positives because NMAP scan showed an open|filtered status for that port,
even when any application is working on that port.

We're using the last available version of NMAP on Windows 7 64-bit.

Could you advise what we can do in order to get a correct status of that
port? Maybe some parameters of NMAP.
Thank you in advance.


*Steban*

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
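
An added example, not part of the original thread and not Nmap's own code: a small Python helper that applies the open / closed / open|filtered logic from the reply with an ordinary connected UDP socket, and tries candidate payloads until one draws a data response. The demo service, its "PING" trigger and all function names are constructed for illustration; it assumes the OS reports ICMP Port Unreachable on a connected UDP socket as a connection-refused (Linux) or connection-reset (Windows) error.

```python
import socket
import threading

def udp_probe(host, port, payload=b"", timeout=1.0):
    """Send one datagram and classify the port as described in the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors surface
        try:
            s.send(payload)
            s.recv(65535)
            return "open"            # any data response at all
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"          # ICMP Port Unreachable came back
        except socket.timeout:
            return "open|filtered"   # silence: "no clue, but not closed"

def first_answered(host, port, candidates, timeout=1.0):
    """Return the first candidate payload that gets a data response, else None."""
    for payload in candidates:
        if udp_probe(host, port, payload, timeout) == "open":
            return payload
    return None

def start_demo_service(magic=b"PING"):
    """Constructed stand-in for a quiet UDP agent on loopback:
    it answers only datagrams that start with `magic`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))       # ephemeral port
    def loop():
        while True:
            data, peer = srv.recvfrom(65535)
            if data.startswith(magic):
                srv.sendto(b"PONG", peer)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_demo_service()
    # The empty probe gets no answer even though the service is listening.
    print("empty probe:", udp_probe("127.0.0.1", port, b"", 0.3))
    hit = first_answered("127.0.0.1", port, [b"", b"\x00", b"PING\x00"], 0.3)
    print("payload that answers:", hit)
```

A payload found this way is the kind of value that would go into the nmap-payloads file for the port in question.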