On Fri, Mar 22, 2002 at 07:26:54AM -0500, Christopher C. Northrop wrote:
> I started getting port 137/udp scans, even though I had nothing using these
> ports I decided to run a scan for the Microslop cum hack me ports just in
> case (Thank U Stephen Northcut).
>
> nmap -sU -p0 -p 135-139 HOST-IP
>
> This returned open on all ports.

UDP scans are not very reliable. If the port is open, no packet is returned, and if the port is closed, an icmp port unreachable is returned. However, if the replies are blocked or lost, you'll have false positives.

> nmap -sU -p0 -p 100-139 HOST-IP
>
> I got a no ports open.

nmap only notes the ports that are in a different state than the rest when you scan large numbers, to avoid giving you a flood of identical information. You probably had a line like this in the output:

All 40 scanned ports on 1.2.3.4 are: filtered

For a UDP scan, there's no way to distinguish between "open" and "filtered". nmap makes some assumptions based on the number of ports scanned, but it's really only a guess. Therefore, this result is really the same as your previous result.

This is no bug in nmap, though maybe it's a shortcoming in the documentation. Maybe there should be a note, something like "if you see no closed ports in a UDP scan, the host may be firewalled or down, and the results are not reliable."

--
Scottie Shore <[EMAIL PROTECTED]>
"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones
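The asymmetry described in the reply above, as an added example that is not part of the original message and is not nmap's code: a single UDP probe can only prove "closed" (ICMP port unreachable) or "open" (a UDP answer), and silence stays ambiguous. The function names `probe_udp` and `assess`, the state labels, and the sample results are assumptions made for this illustration; the live probes touch loopback only.

```python
import socket

def probe_udp(host, port, timeout=1.0, payload=b"\x00"):
    """Send one datagram to host:port and classify the port by what returns."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: the OS hands ICMP errors back to us
        try:
            s.send(payload)
            s.recv(2048)
            return "open"            # a UDP answer proves a listener
        except ConnectionError:
            return "closed"          # ICMP port unreachable was received
        except socket.timeout:
            return "open|filtered"   # silence: listener, dropped probe, or lost reply

def assess(results):
    """Apply the rule of thumb from the message to {port: state} results."""
    closed = sorted(p for p, s in results.items() if s == "closed")
    silent = sorted(p for p, s in results.items() if s == "open|filtered")
    answered = sorted(p for p, s in results.items() if s == "open")
    return {
        "closed": closed, "silent": silent, "answered": answered,
        # No ICMP unreachable at all: the host may be firewalled or down,
        # so the silent ports tell us nothing.
        "conclusive": bool(closed),
    }

if __name__ == "__main__":
    # Constructed results shaped like the two scans in the thread (all silent).
    scan_a = {p: "open|filtered" for p in range(135, 140)}
    scan_b = {p: "open|filtered" for p in range(100, 140)}
    print(assess(scan_a)["conclusive"], assess(scan_b)["conclusive"])

    # Live check against loopback only: one silent listener, one unbound port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    unbound = spare.getsockname()[1]
    spare.close()                    # nothing is bound to this port any more
    lport = listener.getsockname()[1]
    live = {lport: probe_udp("127.0.0.1", lport, 0.5),
            unbound: probe_udp("127.0.0.1", unbound, 0.5)}
    listener.close()
    print(live, assess(live)["conclusive"])
```

Both constructed scans come out inconclusive for the same reason, which is why the 135-139 and 100-139 results in the thread carry the same information.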
