Why does Nmap UDP need root?

I was just wondering, why does Nmap need root when doing an -sU UDP Scan?

Please and Thank You.

UDP is a "best effort" protocol and it will not inform the sender if a packet gets dropped. UDP applications either need to implement error detection in the application (NFS) or decide that some dropped data is acceptable (SYSLOG). nmap needs access to ICMP to see the results of sending UDP packets. ICMP requires root access.

This moves the question to why ICMP requires root access. Clearly sending ICMP messages opens up the ability to do nasty things. It's less clear why root is needed to simply listen to ICMP. But you would only need access to ICMP for unusual applications like nmap. So maybe it is just to be cautious.

To clarify, this is because a UDP packet might get dropped for reasons which wouldn't tell UDP anything, but would cause some router along the way to send an independent ICMP message back like "MTU too large" or "TTL exceeded" etc.

Actually, nmap listens to ICMP during UDP scans primarily for ICMP unreachable messages. In theory, if you reach the system with a UDP packet, but the port the packet is addressed to is not listening, the system should discard the UDP packet and send an ICMP unreachable to the sender. The app can't see these messages, but an alert system administrator will notice them (remember we're talking theory here).

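An added example, not code from any of the posts above or from nmap itself: it checks whether the current process is allowed to open a raw ICMP socket, then parses an ICMP destination-unreachable message the way a UDP scanner has to in order to learn which probed port it refers to. The packets are constructed samples using documentation addresses, the function names are hypothetical, and the port states follow nmap's documented `-sU` interpretation.

```python
import socket
import struct

# nmap's documented -sU reading of ICMP type 3 codes: 3 = closed, these = filtered
FILTERED_CODES = {0, 1, 2, 9, 10, 13}

def can_open_raw_icmp():
    """True if this process may open a raw ICMP socket (root or CAP_NET_RAW on Linux)."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP).close()
        return True
    except OSError:  # PermissionError (EPERM) is a subclass
        return False

def classify_icmp(packet):
    """Parse one IPv4 packet as delivered by a raw ICMP socket (IP header included).
    Returns (probed_udp_port, state), or None if it is not an error for a UDP probe."""
    if len(packet) < 20 or packet[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4            # outer IP header length
    if len(packet) < ihl + 8 + 20 or packet[ihl] != 3:
        return None
    code = packet[ihl + 1]
    inner = packet[ihl + 8:]                # quoted header of the original probe
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != socket.IPPROTO_UDP or len(inner) < inner_ihl + 4:
        return None
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if code == 3:
        return dport, "closed"
    return dport, "filtered" if code in FILTERED_CODES else "unknown"

def _ip_header(proto, src, dst, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample(code, dport):
    """Constructed ICMP unreachable quoting a UDP probe (checksums left as zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    quoted = _ip_header(17, "192.0.2.10", "192.0.2.20", 8) + udp
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return _ip_header(1, "192.0.2.20", "192.0.2.10", len(icmp)) + icmp

if __name__ == "__main__":
    print("raw ICMP socket allowed:", can_open_raw_icmp())
    print(classify_icmp(build_sample(3, 161)))
    print(classify_icmp(build_sample(13, 53)))
```

A probe that draws no reply at all produces nothing for this parser to read, which is why nmap reports such ports as `open|filtered`.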