Saturday, December 24, 2011

[Quick Notes] Nmap TCP / UDP scanning

TCP Scanning:
Pretty straightforward.

1. TCP SYN sent
TCP SYN / ACK received
=> Target TCP Port is open
=> Nmap marks this result as 'Open'
2. TCP SYN sent
RST / ACK received
=> Target TCP port is closed
OR
=> Firewall rejected the request / response, i.e. we cannot reach that port at all
=> Nmap marks this result as 'Closed'
3. TCP SYN sent
ICMP Port unreachable received
=> A network / host firewall is blocking access to port
=> Nmap marks this result as 'Filtered'
4. TCP SYN sent
No Response received
=> Nmap resends SYN packet. If still nothing is received, then either port is closed or a network / host firewall is blocking our request packet.
=> Nmap marks this result as 'Filtered'

UDP scanning:

1. UDP datagram sent
Response received
=> Target UDP port is open
=> Nmap marks this result as 'Open'
2. UDP datagram sent
'ICMP Port Unreachable' received
=> Target UDP port is closed
OR
=> Firewall blocked the outbound response
For this scenario, Nmap checks whether the response is an ICMP destination unreachable with Type 3, Code 3 (port unreachable). If it is, Nmap confirms that the port is 'Closed'. For any other ICMP unreachable error - type 3, code 1, 2, 9, 10, or 13 - Nmap marks the port as 'Filtered'.
3. UDP datagram sent
No response received
This can have several causes: the port is closed, a firewall is blocking the incoming UDP probe packet, a firewall is blocking the outbound UDP response, or the probed UDP service expects specific data before it will respond.
Specific to the last case, where a UDP service only answers requests carrying the right data, Nmap makes use of a handful of protocol-specific payloads (DNS on 53, SNMP on 161, rpc on 111, etc.). A listening UDP service will reply to the payload it understands, which raises the reliability of UDP scan results.
=> If there is still no response, Nmap marks this port as 'Open|Filtered'.
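The two state tables above (TCP SYN and UDP) are easy to get wrong when you read raw captures or write alerting rules around scan traffic, so here is an added example that is not part of the original post and not Nmap's own code: a small Python classifier that parses constructed IPv4 replies (a TCP header, an ICMP unreachable header, or a UDP datagram) and applies exactly the rules written in these notes. The packet builders, the addresses 192.0.2.x, the ports and the retry sequences are constructed for the demonstration; the code does not implement Nmap's real payload table, it only models "no reply to every probe" as the fall-through case.

```python
"""Classify probe results the way the notes above describe.

Added example, not Nmap's code. Replies are raw IPv4 packets built by
the constructed helpers below; None stands for "no reply to this probe".
"""
import struct
from typing import Optional, Sequence

# IPv4 protocol numbers and the TCP flag bits the rules care about
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_DEST_UNREACH = 3
# Type 3 codes from the notes: code 3 => closed (UDP); 1, 2, 9, 10, 13 => filtered
UDP_CLOSED_CODE = 3
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, checksum zero) in front of payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return hdr + payload


def build_tcp(flags: int, sport: int = 80, dport: int = 40000) -> bytes:
    """Constructed 20-byte TCP header carrying only the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags, 65535, 0, 0)


def build_icmp(icmp_type: int, code: int) -> bytes:
    """Constructed 8-byte ICMP header (checksum left zero; not validated here)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def parse_reply(packet: bytes):
    """Return ('tcp', flags), ('icmp', (type, code)) or ('udp', None) for a raw IPv4 reply."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        return "tcp", l4[13]              # flag byte sits at offset 13
    if proto == IPPROTO_ICMP:
        if len(l4) < 8:
            raise ValueError("truncated ICMP header")
        return "icmp", (l4[0], l4[1])     # type, code
    if proto == IPPROTO_UDP:
        return "udp", None
    raise ValueError(f"unexpected protocol {proto}")


def tcp_syn_state(replies: Sequence[Optional[bytes]]) -> str:
    """Port state for a SYN probe and its retransmission (None = no reply).

    TCP rules from the notes: SYN/ACK -> open, RST -> closed,
    ICMP unreachable -> filtered, silence after the resend -> filtered."""
    for reply in replies:
        if reply is None:
            continue                      # Nmap resends the SYN; look at the next reply
        kind, info = parse_reply(reply)
        if kind == "tcp":
            if info & TCP_SYN and info & TCP_ACK:
                return "open"
            if info & TCP_RST:
                return "closed"
        elif kind == "icmp" and info[0] == ICMP_DEST_UNREACH:
            return "filtered"
    return "filtered"


def udp_state(replies: Sequence[Optional[bytes]]) -> str:
    """Port state for a UDP probe sequence (empty datagram, then a payload probe if any).

    UDP rules from the notes: any UDP reply -> open, ICMP 3/3 -> closed,
    ICMP 3/{1,2,9,10,13} -> filtered, silence throughout -> open|filtered."""
    for reply in replies:
        if reply is None:
            continue
        kind, info = parse_reply(reply)
        if kind == "udp":
            return "open"
        if kind == "icmp" and info[0] == ICMP_DEST_UNREACH:
            if info[1] == UDP_CLOSED_CODE:
                return "closed"
            if info[1] in UDP_FILTERED_CODES:
                return "filtered"
        # any other reply is ignored, exactly like silence
    return "open|filtered"


if __name__ == "__main__":
    synack = build_ipv4(IPPROTO_TCP, build_tcp(TCP_SYN | TCP_ACK))
    rstack = build_ipv4(IPPROTO_TCP, build_tcp(TCP_RST | TCP_ACK))
    admin_prohib = build_ipv4(IPPROTO_ICMP, build_icmp(3, 13))
    port_unreach = build_ipv4(IPPROTO_ICMP, build_icmp(3, 3))
    print("TCP:", tcp_syn_state([synack]), tcp_syn_state([rstack]),
          tcp_syn_state([None, admin_prohib]), tcp_syn_state([None, None]))
    print("UDP:", udp_state([port_unreach]), udp_state([None, admin_prohib]),
          udp_state([None, None]))
```

The useful detail for a defender is in `udp_state`: an ICMP 3/3 is the only reply that proves a UDP port closed, while a 3/13 (administratively prohibited) means a filter answered instead of the host, and no reply at all never resolves the ambiguity, which is why `open|filtered` dominates UDP results on filtered networks.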
