Re: UDP port scan results

From: Anders Thulin (Anders.Thulin@kiconsulting.se)
Date: 04/23/02


Date: Tue, 23 Apr 2002 08:45:02 +0200
From: Anders Thulin <Anders.Thulin@kiconsulting.se>
To: "'pen-test@securityfocus.com'" <pen-test@securityfocus.com>


Noonan, Wesley wrote:

> to be, and it kind of makes sense, that UDP being connectionless, the
> scanner has no real method to differentiate between an opened port, and a
> port that was silently dropped (which most firewalls should[1] do).

   It is possible, but very protocol dependent. For 53/UDP (DNS),
for example, it's possible to send a 'Server Status Request' packet,
on which almost all DNS servers reply 'Feature not implemented', while
the remaining one or two server types reply with a status response,
assuming they're not filtered. (All responses contain further
information about the server which may be interesting for pen-testing
purposes.)

   For protocols that lack the required 'echo-type' requests, it may be
impossible, unless there is a difference between the protocol specification,
and the actual implementation, which sometimes happens. Some SNMP
implementations will seemingly send responses in certain situations even
though community name is wrong.

> Is there a port scanner on the market (free or $$$) that does not generate
> the "false positive" result of a UDP scan against a stealth host?

   The easiest thing is probably to patch NMAP accordingly, and replace
'open' UDP ports with 'state unknown'. Or add a postprocessing step that
does this.

   However, it's usually best to learn the tool so that you can
interpret what it says. The latest NMAP beta may produce output
for the '-sR' scanning method, but that does unfortunately not mean
that you can trust the output to mean what you think it says. Also,
if you try ... I think it was ACK-scanning with a specified source
port, some NMAP beta versions may not do exactly what you have
asked for.

> [1] I say should because most references I have seen recommend a firewall
> operating in a stealth fashion as being more effective since it requires any
> scanning, etc. to time out before proceeding causing more time to pass and
> increasing the likelihood of catching it occurring.

   Detecting an UDP port scan does not much depend on whether scans
are time-outed or not, unless you have some kind of IDS-specific
constraints to work with.

   Time-outs may increase the likelihood that a scan will be
interrupted as non-promising, though. But then, pros won't UDP
scan anyway except in fairly special situations -- they'll go for
the vulnerable port directly, and detect successful intrusions
by other means.

-- 
Anders Thulin   anders.thulin@kiconsulting.se   040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
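As an added illustration of the DNS 'Server Status Request' probe mentioned above (this is example code written for this archive page, not anything posted in the thread): it builds the 12-byte STATUS query, parses the reply header, and draws only the conclusions the reply supports; the reply datagrams are constructed inline so it runs offline, and the `classify` labels are my own naming.

```python
import struct
from typing import Optional

# DNS header (RFC 1035 s4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
OPCODE_STATUS = 2   # "server status request"
RCODE_NOERROR = 0
RCODE_NOTIMP = 4    # "not implemented", what most servers answer to STATUS


def build_status_request(txid: int) -> bytes:
    """Header-only DNS message: QR=0, OPCODE=STATUS, no question section."""
    flags = OPCODE_STATUS << 11          # opcode sits in bits 14..11 of FLAGS
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Split the fixed header; raises on anything shorter than 12 bytes."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qd": qd, "an": an, "ns": ns, "ar": ar}


def classify(txid: int, reply: Optional[bytes]) -> str:
    """What a STATUS probe to 53/UDP lets you conclude about that port."""
    if reply is None:
        return "unknown"            # silence: filtered, closed or lost; no way to tell
    try:
        h = parse_header(reply)
    except ValueError:
        return "unknown"            # garbage back is not evidence of a DNS server
    if h["id"] != txid or h["qr"] != 1 or h["opcode"] != OPCODE_STATUS:
        return "unknown"            # not a response to our query
    if h["rcode"] == RCODE_NOTIMP:
        return "dns-notimp"         # a DNS server answered; STATUS unsupported (the common case)
    if h["rcode"] == RCODE_NOERROR:
        return "dns-status"         # one of the few server types that implements STATUS
    return "dns-other"              # some other RCODE; still a live DNS speaker


# Constructed sample replies (not captured traffic): QR=1, OPCODE=2, RCODE as noted.
NOTIMP_REPLY = struct.pack("!HHHHHH", 0x1234, 0x9004, 0, 0, 0, 0)   # RCODE 4
STATUS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x9000, 0, 0, 0, 0)   # RCODE 0

if __name__ == "__main__":
    print(build_status_request(0x1234).hex())
    for name, r in (("silence", None), ("notimp", NOTIMP_REPLY), ("status", STATUS_REPLY)):
        print(name, "->", classify(0x1234, r))
```

The second FLAGS byte of the request (`0x10`) is the same STATUS opcode that scanners typically send to 53/UDP; the point of `classify` is that only a parsed reply upgrades a port from "unknown", never the absence of one.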



