Nmap Development mailing list archives
Re: False/Positive - NMAP Scan
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 14 Sep 2015 20:31:04 -0500
Steban,

This is a fundamental feature of UDP which makes it hard to scan for: there is no universal "Yes I'm listening" response. For TCP, we send a SYN and expect a SYN/ACK for open ports. For UDP, we send an empty packet and hope that the service responds with something, anything. In special cases, we send a data payload [1] like a DTLS client hello or DNS status request in order to increase the odds that we'll get a data response. If we get a data response, the port is marked "open". If we get an ICMP Port Unreachable, the port is marked "closed." Some other ICMP responses will result in "filtered", but if no response is received at all, you get "open|filtered", which is a nice way of saying "no clue, but not closed."

Your best bet would be to find a data payload that can be sent to the service to get a response. Then insert that into the nmap-payloads file. Alternatively, use a TCP service or ICMP probe to check for host responsiveness, though I would guess you're intentionally checking for this service in particular.

Dan

[1] https://nmap.org/book/nmap-payloads.html

On Mon, Sep 14, 2015 at 1:03 PM, Esteban Javier Calvache <stebancc_27 () hotmail es> wrote:
Hello,

I'm writing you because we are using NMAP for discovering workstations. Our application uses a specific port which is 52311. We use an nmap scan in order to know if that port is in use or not. If the port is in use the application assumes that system has already installed an agent. If not, that system doesn't have an agent.

During a scan we found too many false positives because NMAP scan showed an open|filtered status for that port, even when any application is working on that port. We're using the last available version of NMAP on Windows 7 - 64bits.

Could you advise what we can do in order to get a correct status of that port? Maybe some parameters of NMAP.

Thank you in advance.

*Steban*

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
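The state logic described in the reply, as an added example that is not part of the original thread or of Nmap's code: it uses an ordinary connected UDP socket rather than Nmap's raw-packet engine, so the "filtered" branch is only an approximation of how the OS reports other ICMP errors. The service, its `HELLO-AGENT` / `AGENT-OK` messages and all function names are constructed for illustration.

```python
import socket
import threading


def probe_udp(host, port, payload=b"", timeout=1.0):
    """Send one UDP probe and classify the port from what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors surface as exceptions
        try:
            s.send(payload)
            s.recv(4096)
            return "open"            # any data response
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"          # ICMP Port Unreachable reported by the OS
        except socket.timeout:
            return "open|filtered"   # silence: quiet listener or dropped packet
        except OSError:
            return "filtered"        # assumption: other ICMP errors end up here


def start_quiet_service(magic=b"HELLO-AGENT"):
    """Constructed stand-in for a service that only answers its own protocol."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # let the OS pick a free loopback port

    def loop():
        while True:
            try:
                data, addr = srv.recvfrom(4096)
            except OSError:
                return  # socket was closed
            if data == magic:  # empty or unknown probes are silently ignored
                srv.sendto(b"AGENT-OK", addr)

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Probe the same listening port with an empty packet, then with the payload."""
    srv, port = start_quiet_service()
    try:
        empty = probe_udp("127.0.0.1", port, b"", timeout=0.5)
        with_payload = probe_udp("127.0.0.1", port, b"HELLO-AGENT", timeout=0.5)
    finally:
        srv.close()
    return empty, with_payload


if __name__ == "__main__":
    print(demo())
```

The same listening port is reported differently depending only on whether the probe carries data the service is willing to answer, which is why the reply recommends adding a service-specific payload.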