Penetration Testing mailing list archives
Re: Fast UDP scan
From: David Jacoby <security () outpost24 com>
Date: Wed, 22 Aug 2007 07:05:00 +0200
Hi Attari,

First of all, UDP port scanning is a slow procedure if you are not on the same network and you're not scanning a machine which is firewalled and doesn't respond with ICMP messages.

If I'm not mistaken, UDP port scanning works like this: you send a UDP packet to a UDP port, and if you do NOT get an ICMP packet back with the error message "ICMP Destination Unreachable: Port Unreachable" you may consider the port as open. The problem with this is that if you scan a host which is firewalled you may not receive the error message, and it may result in all ports being reported as open.

Another issue is that ICMP is considered a low-profile protocol and has lower priority than, for example, TCP, so if the machine that you are scanning is receiving a lot of traffic it may queue up those ICMP messages and you simply won't receive them when you expect them. Because of the type of technique used in nmap you need to wait for the ICMP messages to get back to you, and this is probably what's causing your scan to take a long time.

The problem with UDP port scanning is that some UDP services require a specific source and destination port; if the packet it receives doesn't have the correct headers it will simply discard the packet, and it may also require a specific payload, so when scanning with, for example, nmap, you may get an inaccurate result (and by the way, I'm not bashing nmap :))

What I would recommend is that you do not scan a wide range of ports, because it will not really scale. UDP port scanning is slow and that's it; I don't think there is much you can do about the speed factor, but there are a lot of things you can do regarding the accuracy of the scan. What you need to do is to make the service request with either a valid response or an ICMP error message. The Outpost24 engine recently updated its core engine where we have solved this problem.

Best regards,
David Jacoby

Attari Attari wrote:
> Hi Group:
>
> Is there a way to increase speed of UDP scan? I've been running a full UDP scan for 3 days on 3 IP addresses and it is still not complete. I gave the following command:
>
> nmap -sU -p1-65535 -P0 xxx.yyy.zzz.aaa
>
> One way I can think of is running parallel nmap scans by dividing ports like:
>
> nmap -sU -p1-30000 -P0 xxx.yyy.zzz.aaa
> nmap -sU -p30000-65535 -P0 xxx.yyy.zzz.aaa
>
> Would appreciate some inputs on this.
>
> Regards
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
> Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
--
David Jacoby
Vice President Customer Experience
http://www.outpost24.com
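The open/closed rule described in the message above, as an added example that is not part of the original post and is not nmap's or Outpost24's code. It classifies constructed probe outcomes offline and shows why a host that silently drops everything ends up with every port looking open; the outcome labels, function names and sample hosts are assumptions made for this illustration.

```python
# Added illustration; makes no network connections.
# Outcome labels and the sample hosts below are constructed for this example.
REPLY = "udp_reply"            # service answered with a UDP datagram
UNREACH = "port_unreachable"   # ICMP Destination Unreachable: Port Unreachable
SILENT = "none"                # nothing arrived before the timeout


def naive_state(outcome):
    """The rule as stated in the message: no ICMP error means open."""
    return "closed" if outcome == UNREACH else "open"


def cautious_state(outcome):
    """Only a reply proves a listener; silence stays ambiguous."""
    if outcome == REPLY:
        return "open"
    if outcome == UNREACH:
        return "closed"
    if outcome == SILENT:
        # Could be an open service that ignored the payload, a firewall
        # dropping the probe, or an ICMP error that was delayed or lost.
        return "open|filtered"
    raise ValueError(f"unknown outcome: {outcome!r}")


def report(results):
    """results maps port -> outcome; returns both views of the same data."""
    ports = sorted(results)
    return {
        "naive_open": [p for p in ports if naive_state(results[p]) == "open"],
        "confirmed_open": [p for p in ports if cautious_state(results[p]) == "open"],
        "ambiguous": [p for p in ports if cautious_state(results[p]) == "open|filtered"],
        # If the host never sent a single ICMP error, silence tells us nothing.
        "saw_icmp_errors": any(o == UNREACH for o in results.values()),
    }


# Constructed sample data: one host that answers normally, one behind a
# firewall that drops every probe without sending ICMP errors.
NORMAL_HOST = {53: REPLY, 123: SILENT, 161: UNREACH, 500: UNREACH}
FIREWALLED_HOST = {53: SILENT, 123: SILENT, 161: SILENT, 500: SILENT}

if __name__ == "__main__":
    for name, host in (("normal", NORMAL_HOST), ("firewalled", FIREWALLED_HOST)):
        print(name, report(host))
```

When `saw_icmp_errors` is false for a host, the "naive_open" list should be read as "no information" rather than as a list of listening services.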