Re: UDP Scanning - how nmap really works

From: Martin Mačok (martin.macok@underground.cz)
Date: Thu Aug 12 2004 - 05:48:34 EDT


On Tue, Aug 10, 2004 at 06:24:48PM -0700, Robert E. Lee wrote:

> So how does it match PORT_FIREWALLED in UDP scanning? For the
> answer to that, if we look around line 1710 of scan_engine.cc we
> see:

> This basically says, if we receive a p0rt unreachable from the
> target, count that as a CLOSED response. If we get a p0rt
> unreachable from any other IP count it as a PORT_FIREWALLED
> response.

Anyway, on some multihomed weak-ES-model end-points (see
RFC1122/3.3.4), you could get an ICMP Port Unreachable from a different
interface (a different IP) than the one you sent your probe to, without any
firewall involved.

It happened to me with some Cisco last time. (Another useful technique
for finding the different interfaces of one network node.)

Martin Mačok
IT Security Consultant
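
As an added illustration (not code from the post, nor from nmap itself), the following models the classification rule quoted above and adds the sanity check Martin's caveat suggests: when every "filtered" verdict comes from the same foreign address, that may be another interface of a multihomed weak-ES host rather than a firewall. The reply tuple format and all addresses are constructed for this example.

```python
from collections import Counter

CLOSED, FIREWALLED, OPEN_FILTERED = "closed", "filtered", "open|filtered"


def classify(target, reply):
    """Rule described in the thread: ICMP type 3 / code 3 (Port Unreachable)
    from the target itself counts as CLOSED; the same message from any other
    IP is counted as PORT_FIREWALLED; no reply at all leaves open|filtered.
    `reply` is (src_ip, icmp_type, icmp_code) or None (constructed format)."""
    if reply is None:
        return OPEN_FILTERED
    src, itype, icode = reply
    if (itype, icode) != (3, 3):
        return OPEN_FILTERED  # other ICMP errors are not modelled here
    return CLOSED if src == target else FIREWALLED


def scan_summary(target, replies):
    """replies: {udp_port: reply-or-None}. Returns per-port states plus a
    note when every FIREWALLED verdict came from one single foreign IP,
    which is what the weak-ES multihomed case in the post looks like."""
    states = {port: classify(target, r) for port, r in replies.items()}
    foreign = Counter(r[0] for port, r in replies.items()
                      if r is not None and states[port] == FIREWALLED)
    note = None
    if len(foreign) == 1:
        ip, n = foreign.most_common(1)[0]
        note = (f"all {n} 'filtered' verdicts came from {ip}; possibly another "
                f"interface of {target} (RFC1122 3.3.4 weak ES), not a firewall")
    return states, note


# Constructed sample: target 192.0.2.10, Port Unreachables for 161/162 arrive
# from 198.51.100.1, i.e. a different address than the one probed.
SAMPLE = {
    53: ("192.0.2.10", 3, 3),
    161: ("198.51.100.1", 3, 3),
    162: ("198.51.100.1", 3, 3),
    500: None,
}

if __name__ == "__main__":
    states, note = scan_summary("192.0.2.10", SAMPLE)
    for port, state in sorted(states.items()):
        print(f"{port}/udp {state}")
    if note:
        print("note:", note)
```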



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT