neraliu's blog internet profession in between hongkong/china and silicon valley (no longer, but the world!)

7 March 2010

testing the udp awareness of nmap 5.21



when a typical network scanner scans the udp services available on a host, it simply sends udp packets without knowing the exact content that each specific service expects. when the host receives such a packet, a few things can happen. if the host does not listen on that port, it replies with an ICMP port unreachable (type 3, code 3). if the host does listen on the port, it may drop the packet or not reply at all because it does not understand the packet contents. a firewall protected port behaves in a similar way.

the new version, nmap 5.21, provides a new feature of udp awareness during udp scanning. put simply, nmap actually speaks the specific protocol, like dns, ntp etc., during scanning, rather than scanning with content that means nothing to the service. below is a comparison of nmap 5.0 and 5.21.

# nmap -sU -p53 208.67.222.222
Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-07 15:39 HKT
Interesting ports on resolver1.opendns.com (208.67.222.222):
PORT   STATE         SERVICE
53/udp open|filtered domain
Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds
# nmap -sU -p53 208.67.222.222
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-07 15:54 HKT
Nmap scan report for resolver1.opendns.com (208.67.222.222)
Host is up (0.18s latency).
PORT   STATE         SERVICE
53/udp open  domain
Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds

from the returned results, you can see that nmap 5.0 reports port 53 in the state "open|filtered", while nmap 5.21 reports the state "open". because the new version of nmap actually speaks the dns protocol rather than scanning with meaningless content, it gets a reply from the service; without such a reply, the scanner cannot be sure whether the port is open or firewall protected.
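
the three outcomes described in this post, as an added example (not code from the original post or from the nmap project): a loopback listener constructed for the demo silently drops anything that is not dns-shaped, so an empty probe reads as open|filtered, a real dns query reads as open, and a port with no listener reads as closed. the function names, the toy listener and the 0.5 s timeout are assumptions of this example.

```python
import socket, struct, threading

def dns_query(name="example.com", txid=0x1234):
    """Minimal DNS A-record query: a payload the service actually understands."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe(host, port, payload, timeout=0.5):
    """Send one UDP datagram and classify the port from what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # connected socket: ICMP errors surface as exceptions
            s.send(payload)
            s.recv(512)
            return "open"            # the service answered
        except ConnectionRefusedError:
            return "closed"          # ICMP port unreachable (type 3, code 3)
        except socket.timeout:
            return "open|filtered"   # silence: listening but mute, or firewalled

def start_toy_dns():
    """Constructed loopback listener: answers DNS-shaped queries, drops the rest."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        while True:
            data, addr = srv.recvfrom(512)
            if len(data) >= 12 and data[4:6] == b"\x00\x01":  # header with QDCOUNT=1
                srv.sendto(data[:2] + b"\x81\x80" + data[4:], addr)  # set the QR bit
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Pick a loopback UDP port that nothing listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]

def demo():
    port = start_toy_dns()
    return {"empty payload": probe("127.0.0.1", port, b""),
            "dns payload": probe("127.0.0.1", port, dns_query()),
            "no listener": probe("127.0.0.1", unused_port(), b"")}

if __name__ == "__main__":
    print(demo())
```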
