Re: Fast UDP scan

From: David Jacoby (security@outpost24.com)
Date: Wed Aug 22 2007 - 01:05:00 EDT


Hi Attari,

First of all, UDP port scanning is a slow procedure if you are not on
the same network and you're not scanning a machine which is firewalled
and doesn't respond with ICMP messages.

If I'm not mistaken, UDP port scanning works like this: you send a UDP packet
to a UDP port, and if you do NOT get an ICMP packet back with the error
message "ICMP Destination Unreachable: Port Unreachable" you may
consider the port as open.

The problem with this is if you scan a host which is firewalled you
may not receive the error message and it may result in all ports being
reported as open. Another issue is that ICMP is considered a low
profile protocol and has lower priority than, for example, TCP, so if
the machine that you are scanning is receiving a lot of traffic it may
queue up those ICMP messages and you won't simply receive them when you
expect them.

Because of the type of technique used in nmap you need to wait for the
ICMP messages to get back to you, and this is probably what's causing
your scan to take a long time. The problem with UDP port scanning is
that some UDP services require a specific source and destination port;
if the packet it receives doesn't have the correct headers it will
simply discard the packet, and it may also require a specific payload,
so when scanning with, for example, nmap it may result in you getting an
inaccurate result (and by the way, I'm not bashing nmap :))

What I would recommend is that you do not scan a wide
range of ports because it will not really scale. UDP port scanning is
slow and that's it; I don't think there is much you can do about the
speed factor, but there are a lot of things you can do regarding the
accuracy of the scan.

What you need to do is to make the service request with either a valid
response or an ICMP error message. The Outpost24 engine recently
updated its core engine where we have solved this problem.

Best regards,
David Jacoby

Attari Attari wrote:
> Hi Group:
>
> Is there a way to increase speed of UDP scan?
>
> I'm running a full UDP scan since 3 days on 3 IP
> addresses and it is still not complete.
>
> I gave following command:
>
> nmap -sU -p1-65535 -P0 xxx.yyy.zzz.aaa
>
> One way I can think of is running parallel nmap
> scans by dividing ports like:
>
> nmap -sU -p1-30000 -P0 xxx.yyy.zzz.aaa
> nmap -sU -p30000-65535 -P0 xxx.yyy.zzz.aaa
>
> Would appreciate some inputs on this.
>
> Regards
>

-- 
David Jacoby
Vice President Customer Experience
http://www.outpost24.com
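The state logic David describes (no ICMP port-unreachable reply is not proof that a port is open; a firewalled or busy host may simply never send one) and the reason the scan in the quoted question takes days are easy to make concrete. The following is an added example, not code from either poster or from Outpost24. It classifies constructed probe observations the way a careful scanner should, and estimates wall-clock time under the assumption, labelled in the code, that the target rate-limits ICMP destination-unreachable messages to about one per second (the common Linux default). The observation vocabulary and the sample probes are constructed for illustration; nothing here touches the network.

```python
"""UDP scan state classification and duration estimate.

Added example for the "Fast UDP scan" thread; not part of the original
messages. All probe observations below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed vocabulary for what a single UDP probe can observe.
UDP_REPLY = "udp_reply"                          # the service answered with UDP data
ICMP_PORT_UNREACH = "icmp_port_unreachable"      # ICMP type 3, code 3
ICMP_OTHER_UNREACH = "icmp_other_unreachable"    # ICMP type 3, codes 1, 2, 9, 10, 13
NO_RESPONSE = "no_response"                      # nothing came back before the timeout


@dataclass(frozen=True)
class Probe:
    port: int
    observation: str


def classify(observation: str) -> str:
    """Map one probe observation to a port state.

    Silence is NOT treated as "open": the host may be firewalled, or it
    may be rate-limiting or deprioritising ICMP, so the honest answer is
    "open|filtered" unless the service itself replied.
    """
    if observation == UDP_REPLY:
        return "open"
    if observation == ICMP_PORT_UNREACH:
        return "closed"
    if observation == ICMP_OTHER_UNREACH:
        return "filtered"          # an administrative block, not a closed socket
    if observation == NO_RESPONSE:
        return "open|filtered"
    raise ValueError(f"unknown observation {observation!r}")


def summarize(probes: Iterable[Probe]) -> Dict[str, int]:
    """Count ports per state for a batch of probe results."""
    counts = {"open": 0, "closed": 0, "filtered": 0, "open|filtered": 0}
    for probe in probes:
        counts[classify(probe.observation)] += 1
    return counts


def estimate_hours(ports: int, icmp_per_second: float, closed_fraction: float = 1.0) -> float:
    """Hours needed when every closed port costs one rate-limited ICMP reply.

    Assumption (not from the thread): the target emits at most
    `icmp_per_second` destination-unreachable messages. The scanner has to
    wait for that reply before it can call a port closed, so the time is
    bounded by the target's limiter. Splitting the port range across
    several scanner processes aimed at the same host shares that one
    limiter and does not shorten the total.
    """
    closed_ports = ports * closed_fraction
    return closed_ports / icmp_per_second / 3600.0


# Constructed sample: four probes against a hypothetical host.
SAMPLE_PROBES = [
    Probe(53, UDP_REPLY),              # DNS answered
    Probe(123, NO_RESPONSE),           # NTP silent: open or filtered, we cannot tell
    Probe(161, ICMP_OTHER_UNREACH),    # SNMP administratively prohibited
    Probe(9999, ICMP_PORT_UNREACH),    # nothing listening
]


def sample_summary() -> Dict[str, int]:
    return summarize(SAMPLE_PROBES)


def full_range_hours_per_host() -> float:
    # 65535 ports, one ICMP reply per second, nearly all ports closed.
    return estimate_hours(65535, icmp_per_second=1.0)


if __name__ == "__main__":
    print(sample_summary())
    per_host = full_range_hours_per_host()
    print(f"full UDP range, 1 ICMP/s limit: {per_host:.1f} h per host, "
          f"{3 * per_host / 24:.1f} days for three hosts")
```

Run stand-alone, the script reports about 18.2 hours per host for a full 1-65535 sweep under a one-per-second ICMP limit, or roughly 2.3 days for the three addresses in the quoted question, which is why the parallel split proposed there helps only if the rate limit sits somewhere other than the target. The state table is the detection-side takeaway: a scanner (or a log reviewer) that records "no reply" as "open" will report a firewalled host as wide open.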
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:03 EDT