Re: UDP port scan results

From: Anders Thulin (Anders.Thulin@kiconsulting.se)
Date: Tue Apr 23 2002 - 02:45:02 EDT


Noonan, Wesley wrote:

> to be, and it kind of makes sense, that UDP being connectionless, the
> scanner has no real method to differentiate between an opened port, and a
> port that was silently dropped (which most firewalls should[1] do).

   It is possible, but very protocol dependent. For 53/UDP (DNS),
for example, it's possible to send a 'Server Status Request' packet,
to which almost all DNS servers reply 'Feature not implemented', while
the remaining one or two server types reply with a status response,
assuming they're not filtered. (All responses contain further
information about the server, which may be interesting for pen-testing
purposes.)

   For protocols that lack the required 'echo-type' requests, it may be
impossible, unless there is a difference between the protocol specification
and the actual implementation, which sometimes happens. Some SNMP
implementations will seemingly send responses in certain situations even
though the community name is wrong.

> Is there a port scanner on the market (free or $$$) that does not generate
> the "false positive" result of a UDP scan against a stealth host?

   The easiest thing is probably to patch NMAP accordingly, and replace
'open' UDP ports with 'state unknown'. Or add a postprocessing step that
does this.

   However, it's usually best to learn the tool so that you can
interpret what it says. The latest NMAP beta may produce output
for the '-sR' scanning method, but that unfortunately does not mean
that you can trust the output to mean what you think it says. Also,
if you try ... I think it was ACK-scanning with a specified source
port, some NMAP beta versions may not do exactly what you have
asked for.

> [1] I say should because most references I have seen recommend a firewall
> operating in a stealth fashion as being more effective since it requires any
> scanning, etc. to time out before proceeding causing more time to pass and
> increasing the likelihood of catching it occurring.

   Detecting a UDP port scan does not depend much on whether scans
time out or not, unless you have some kind of IDS-specific
constraints to work with.

   Time-outs may increase the likelihood that a scan will be
interrupted as non-promising, though. But then, pros won't UDP
scan anyway except in fairly special situations -- they'll go for
the vulnerable port directly, and detect successful intrusions
by other means.

-- 
Anders Thulin   anders.thulin@kiconsulting.se   040-661 50 63	
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
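The two ideas in the post above, a protocol-specific 'echo-type' probe for 53/UDP and reporting silence as an unknown state rather than 'open', as one added example. This is not code from the post or from nmap; it builds a bare DNS header with opcode STATUS (2, the RFC 1035 'server status request'), sends it, and classifies the port from the reply. The mapping of 'no reply' to the nmap-style state 'open|filtered', the 2-second timeout, and the transaction ID 0x1234 are this example's own choices; the claim that most servers answer NOTIMP (RCODE 4) and a few answer RCODE 0 comes from the post, not from testing here.

```python
"""DNS 'server status request' probe for 53/UDP (added example, not from the post).

Sends a 12-byte DNS header with OPCODE=STATUS and no question section. RFC 1035
defines the opcode but not the reply format, so the common answer is RCODE 4
(NOTIMP) and the rare one is RCODE 0 with a status body. Either reply proves a
DNS server is listening; silence proves nothing and is reported as such.
"""
import socket
import struct

OPCODE_STATUS = 2
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_status_request(txid):
    """12-byte DNS header: QR=0, OPCODE=STATUS, all counts zero."""
    flags = OPCODE_STATUS << 11      # opcode occupies bits 11..14 of FLAGS
    return HEADER.pack(txid & 0xFFFF, flags, 0, 0, 0, 0)


def parse_header(data):
    """Decode the header fields we need; raises ValueError on a runt datagram."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def classify(txid, reply):
    """Turn a reply (bytes) or silence (None) into (state, reason).

    Only a well-formed DNS response echoing our transaction ID counts as
    evidence of an open port. Silence, junk, and stray datagrams all map to
    'open|filtered' (the post's 'state unknown'), never to 'open'.
    """
    if reply is None:
        return ("open|filtered", "no reply: filtered, or no listener that answers")
    try:
        hdr = parse_header(reply)
    except ValueError as exc:
        return ("open|filtered", "unparseable datagram: %s" % exc)
    if hdr["id"] != (txid & 0xFFFF) or hdr["qr"] != 1:
        return ("open|filtered", "datagram is not a response to our query")
    if hdr["opcode"] != OPCODE_STATUS:
        return ("open", "DNS response with unexpected opcode %d" % hdr["opcode"])
    rcode = RCODE_NAMES.get(hdr["rcode"], "RCODE%d" % hdr["rcode"])
    if hdr["rcode"] == 0:
        # The rare server type: a real status response, section counts may be non-zero
        return ("open", "STATUS reply %s, counts=%s" % (rcode, hdr["counts"]))
    return ("open", "STATUS reply %s (the common answer)" % rcode)


def probe(host, port=53, timeout=2.0, txid=0x1234):
    """Send the probe on the wire and classify. Network I/O; not exercised by the tests."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))           # connected UDP socket so ICMP errors reach us
        sock.send(build_status_request(txid))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = None
        except ConnectionRefusedError:
            # ICMP port unreachable was delivered to the connected socket
            return ("closed", "ICMP port unreachable")
    finally:
        sock.close()
    return classify(txid, reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

The three-way result mirrors what a scanner can actually know on UDP: 'closed' needs an ICMP port unreachable, 'open' needs a protocol-level answer, and everything else is 'open|filtered'. A host that rate-limits or suppresses ICMP unreachables will push closed ports into the last bucket as well, which is exactly the ambiguity the thread is about.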
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:20 EDT