Nmap

I am pretty new at running nmap, and I have some doubts about some o/ps the nmap shows.

I tried to scan my own system for UDP open ports

I see that if I use one UDP port, say 13,
it shows that it's in open state, etc.

But if I scan for the whole UDP ports in the nmap-services, it gives the number of ports open as in a filtered state.

Can someone explain to me why this is so?

(I GUARANTEE THAT I AM TRYING TO FIND OPEN PORTS FOR MY OWN SYSTEM HERE)

DP

A possible solution is that while performing a single port scan you are getting a correct response from an "active" or open port.

Now under a full 65535 port scan you are pushing a lot of packets! You hadn't stated your time frequency of datagram submittal...but with an educated guess......I'd say that you are pumping them out as quick as possible.

When a system is under a pretty heavy load...the stack gets a bit quirky. Thus the inconsistent recognitions.....i.e...a "filtered" state.

Especially when you're only traversing a portion of your TCP/IP stack, and not the whole OSI model.

Have you reviewed RFC 793 (Transmission Control Protocol) for valid responses? I suggest capturing packets to verify your system's responses.

HTH.

What kind of system are you scanning here? I know that on some (notably Redhat 7.2), firewalling is set up by default. When nmap finds a bunch of non-closed ports, it reports them as "interesting". UDP scanning is kind of tough, since it's "connectionless". But here's how nmap does it (from the man page):

This somewhat contradicts reality though, at least the way I see it. For example, I took a scan of an OpenBSD box (UDP only, default port selection), and it reported all 1453 ports as filtered. Go fig. Then again, it took 96 seconds on a 100base-t network on -T Insane, and reported the OS versions as "AIX 4.3.1 on a IBM RS/6000 R40"... Good ol' OBSD.

The best I can figure, is that if all ports are closed, it assumes it got no responses due to a packet filter - thus "filtered". But if you get at least one reply, the rest must just be closed... wild guess, though.

The important part though, is that you didn't see any open ports.
On a Linux system, you can also get a list of UDP ports with netstat -au... that is, assuming you haven't been cracked into and had your netstat replaced...

Hope this helps a little.
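The last reply suggests cross-checking the scan against the host's own socket list with netstat -au. As an added example (not part of the original thread), the same list can be read straight from Linux's /proc/net/udp without relying on the netstat binary. The sample table is constructed, and the address decoding assumes a little-endian host such as x86.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:000D 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15012 2 0000000000000000 0
  245: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 18233 2 0000000000000000 0
  377: 0A00000A:C350 0100000A:0035 01 00000000:00000000 00:00000000 00000000  1000        0 20411 2 0000000000000000 0
"""

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4, port). Assumes little-endian host."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)

def udp_sockets(text):
    """Parse every socket row of a /proc/net/udp-format table."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        cols = line.split()
        if len(cols) < 10:
            continue
        rows.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": cols[3],                   # 07 = unconnected, 01 = connected
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return rows

def bound_ports(text):
    """Ports held by unconnected sockets, i.e. the ones waiting for datagrams."""
    return sorted({r["local"][1] for r in udp_sockets(text) if r["state"] == "07"})

if __name__ == "__main__":
    path = "/proc/net/udp"
    if os.path.exists(path):
        with open(path) as fh:
            table = fh.read()
    else:
        table = SAMPLE                          # fall back to the constructed sample
    for row in udp_sockets(table):
        print("%s:%d -> %s:%d state=%s uid=%d inode=%d" % (
            *row["local"], *row["remote"], row["state"], row["uid"], row["inode"]))
    print("bound UDP ports:", bound_ports(table))
```

A port that nmap reports as open or filtered but that does not appear here has no local socket bound to it, so the scan result reflects how probes were answered or dropped rather than a listening service.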