6 UDP Scan [-sU]

Scanning for open UDP ports is done with the -sU option. With this scan type, Nmap sends 0-byte UDP packets to each target port on the victim. Receipt of an ICMP Port Unreachable message signifies the port is closed; otherwise it is assumed open.
One major problem with this technique is that, when a firewall blocks outgoing ICMP Port Unreachable messages, the port will appear open. These false positives are hard to distinguish from real open ports.

Another disadvantage of UDP scanning is the speed at which it can be performed. Most operating systems limit the number of ICMP Port Unreachable messages which can be generated in a certain time period, thus slowing the speed of a UDP scan. Nmap adjusts its scan speed accordingly to avoid flooding a network with useless packets. An interesting point to note here is that Microsoft do not limit the Port Unreachable error generation frequency, and thus it is easy to scan a Windows machine's 65,535 UDP ports in very little time!

UDP scanning is not usually useful for most types of attack, but it can reveal information about services or trojans which rely on UDP, for example SNMP, NFS, the Back Orifice trojan backdoor and many other exploitable services. Most modern services utilise TCP, and thus UDP scanning is not usually included in a pre-attack information gathering exercise unless a TCP scan or other sources indicate that it would be worth the time taken to perform a UDP scan.

7 IP Protocol Scans [-sO]

The IP Protocol Scan attempts to determine the IP protocols supported on a target. Nmap sends a raw IP packet without any additional protocol header (see a good TCP/IP book for information about IP packets) to each protocol on the target machine. Receipt of an ICMP Protocol Unreachable message tells us the protocol is not in use; otherwise it is assumed open. Not all hosts send ICMP Protocol Unreachable messages (these may include firewalls, AIX, HP-UX and Digital UNIX); such machines will report all protocols open.

This scan type also falls victim to the ICMP rate limiting described in the UDP scans section; however, since only 256 protocols are possible (8-bit field for IP protocol in the IP header) it should not take too long. Results of an -sO on my Linux workstation are included below.
[chaos]# nmap -sO 127.0.0.1

Starting Nmap 4.01 at 2006-07-14 12:56 BST
Interesting protocols on chaos (127.0.0.1):
(The 251 protocols scanned but not shown below are in state: closed)
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
255      open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.259 seconds
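As an added example (not part of the original tutorial, and not Nmap's own code), the following parser reads the protocol table in the format shown above and separates protocols that actually answered ("open") from those that merely went silent ("open|filtered"), which, as the text explains, may be filtered or rate-limited ICMP rather than genuinely in use. The sample text it parses is a constructed copy of the output above, and it also checks that the shown and hidden counts add up to the 256 values an 8-bit protocol field allows.

```python
"""Parse the normal-output table printed by an Nmap IP protocol scan (-sO)."""
import re
from dataclasses import dataclass

# Constructed sample: the table layout from the tutorial's -sO run, reproduced inline.
SAMPLE_OUTPUT = """\
Starting Nmap 4.01 at 2006-07-14 12:56 BST
Interesting protocols on chaos (127.0.0.1):
(The 251 protocols scanned but not shown below are in state: closed)
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
255      open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.259 seconds
"""

# One table row: protocol number, state, service name (longest state alternative first).
ROW_RE = re.compile(r"^(\d{1,3})\s+(open\|filtered|closed|filtered|open)\s+(\S+)", re.M)
# The summary line for protocols Nmap does not list individually.
HIDDEN_RE = re.compile(r"\(The (\d+) protocols scanned but not shown below are\s+in state: (\w+)\)")

@dataclass
class ProtocolScan:
    rows: dict          # protocol number -> (state, service)
    hidden_count: int   # protocols summarised by the "not shown below" line
    hidden_state: str   # the state those hidden protocols share (normally "closed")

def parse_protocol_scan(text: str) -> ProtocolScan:
    rows = {int(num): (state, svc) for num, state, svc in ROW_RE.findall(text)}
    m = HIDDEN_RE.search(text)
    hidden_count, hidden_state = (int(m.group(1)), m.group(2)) if m else (0, "")
    return ProtocolScan(rows, hidden_count, hidden_state)

def confirmed_open(scan: ProtocolScan) -> list:
    # "open": the host answered using that protocol, so it is definitely in use.
    return sorted(n for n, (state, _) in scan.rows.items() if state == "open")

def unverified(scan: ProtocolScan) -> list:
    # "open|filtered": no reply at all. Either the protocol is in use but silent, or the
    # ICMP Protocol Unreachable was filtered or rate-limited. Do not report these as open.
    return sorted(n for n, (state, _) in scan.rows.items() if state == "open|filtered")

def accounted_for(scan: ProtocolScan) -> bool:
    # The IP protocol field is 8 bits, so listed plus hidden protocols must total 256.
    return len(scan.rows) + scan.hidden_count == 256
```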
