
UDP ports and port scanners

This topic is 4613 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.


Only if there is an application listening to that specific port that is programmed to send a response based on the packet received to a port the scanner machine has open and is listening to. In short, general purpose UDP port scanning won't work. You have to be looking for a specific service.

From nmap man page:

Quote:

UDP scans: This method is used to determine which UDP (User Datagram Protocol, RFC 768) ports are open on a host. The technique is to send 0 byte udp packets to each port on the target machine. If we receive an ICMP port unreachable message, then the port is closed. Otherwise we assume it is open.

Some people think UDP scanning is pointless. I usually remind them of the recent Solaris rpcbind hole. Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn't matter that 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can! There is also the cDc Back Orifice backdoor program which hides on a configurable UDP port on Windows machines. Not to mention the many commonly vulnerable services that utilize UDP such as snmp, tftp, NFS, etc.

Unfortunately UDP scanning is sometimes painfully slow since most hosts implement a suggestion in RFC 1812 (section 4.3.2.8) of limiting the ICMP error message rate. For example, the Linux kernel (in net/ipv4/icmp.h) limits destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded. Solaris has much more strict limits (about 2 messages per second) and thus takes even longer to scan. nmap detects this rate limiting and slows down accordingly, rather than flood the network with useless packets that will be ignored by the target machine.

As is typical, Microsoft ignored the suggestion of the RFC and does not seem to do any rate limiting at all on Win95 and NT machines. Thus we can scan all 65K ports of a Windows machine very quickly. Woop!


So yes, but it might not be accurate.

-Halo7
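
The three outcomes the two posts above describe (ICMP port unreachable, silence, and an actual reply), shown as an added example that is not part of the original thread or nmap's code. It is confined to 127.0.0.1, all function names are hypothetical, and it assumes the Linux behaviour where a connected UDP socket surfaces an ICMP port unreachable as `ConnectionRefusedError`.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"  # assumption: demo is confined to the local host

def probe_udp(port, timeout=0.5):
    """Send one 0-byte datagram to a loopback port and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((LOOPBACK, port))   # connected socket: kernel hands ICMP errors to us
        try:
            s.send(b"")
            s.recv(1024)
            return "open"             # only a service that answers confirms itself
        except ConnectionRefusedError:
            return "closed"           # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"    # silence: a quiet listener or a dropped packet

def closed_port():
    """Return a loopback UDP port with nothing bound to it (bind, then release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]

def listener(reply):
    """Bind a UDP socket on an ephemeral port; optionally answer one datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LOOPBACK, 0))
    if reply:
        def serve():
            _, peer = sock.recvfrom(1024)
            sock.sendto(b"pong", peer)
        threading.Thread(target=serve, daemon=True).start()
    return sock

def demo():
    """Probe a closed port, a silent listener and a responding listener."""
    silent, talker = listener(reply=False), listener(reply=True)
    try:
        return {
            "closed": probe_udp(closed_port()),
            "silent": probe_udp(silent.getsockname()[1]),
            "responding": probe_udp(talker.getsockname()[1]),
        }
    finally:
        silent.close()
        talker.close()

if __name__ == "__main__":
    print(demo())
```

The silent listener is indistinguishable from a firewall that drops the probe, which is why the result for it is "open|filtered" rather than "open".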

