Noonan, Wesley wrote:
> to be, and it kind of makes sense, that UDP being connectionless, the
> scanner has no real method to differentiate between an open port, and a
> port that was silently dropped (which most firewalls should[1] do).

It is possible, but very protocol dependent. For 53/UDP (DNS), for example, it's possible to send a 'Server Status Request' packet, to which almost all DNS servers reply 'Feature not implemented', while the remaining one or two server types reply with a status response, assuming they're not filtered. (All responses contain further information about the server which may be interesting for pen-testing purposes.)

For protocols that lack the required 'echo-type' requests, it may be impossible, unless there is a difference between the protocol specification and the actual implementation, which sometimes happens. Some SNMP implementations will seemingly send responses in certain situations even though the community name is wrong.

> Is there a port scanner on the market (free or $$$) that does not generate
> the "false positive" result of a UDP scan against a stealth host?

The easiest thing is probably to patch NMAP accordingly, and replace 'open' UDP ports with 'state unknown'. Or add a postprocessing step that does this. However, it's usually best to learn the tool so that you can interpret what it says.

The latest NMAP beta may produce output for the '-sR' scanning method, but that unfortunately does not mean that you can trust the output to mean what you think it says. Also, if you try ... I think it was ACK-scanning with a specified source port, some NMAP beta versions may not do exactly what you have asked for.

> [1] I say should because most references I have seen recommend a firewall
> operating in a stealth fashion as being more effective since it requires any
> scanning, etc. to time out before proceeding causing more time to pass and
> increasing the likelihood of catching it occurring.
Detecting a UDP port scan does not much depend on whether scans are timed out or not, unless you have some kind of IDS-specific constraints to work with. Time-outs may increase the likelihood that a scan will be interrupted as unpromising, though. But then, pros won't UDP scan anyway except in fairly special situations -- they'll go for the vulnerable port directly, and detect successful intrusions by other means.

-- 
Anders Thulin [EMAIL PROTECTED] 040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
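The DNS probe described in the reply above, written out as an added example (it is not code from the thread or from nmap). It builds a bare DNS header with OPCODE=2 (STATUS) and no question section, and maps whatever comes back onto nmap-style port states: no datagram at all is reported as "open|filtered" (a silently dropping firewall and an absent listener look identical), an ICMP port-unreachable surfaced by the OS as "closed", and any answer as "open", with the DNS RCODE (4 = NOTIMP, the "feature not implemented" case the reply mentions) decoded for the status response case. The sample replies in the block are constructed for the demonstration; `probe()` is the only part that touches the network and is only run when a host is passed on the command line.

```python
"""Probe 53/UDP with a DNS Server Status Request (RFC 1035 OPCODE 2).

Added example, not part of the original mailing-list post. Names such as
build_status_request/classify/probe are this example's own.
"""
import random
import socket
import struct
import sys
from typing import Optional

OPCODE_STATUS = 2
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# DNS header (RFC 1035 4.1.1): ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")


def build_status_request(txid: int) -> bytes:
    """12-byte header, QR=0, OPCODE=STATUS, no question/answer sections."""
    flags = OPCODE_STATUS << 11          # opcode occupies bits 11..14 of flags
    return HEADER.pack(txid, flags, 0, 0, 0, 0)


def parse_reply(txid: int, data: bytes) -> Optional[dict]:
    """Decode the header if `data` is a DNS *response* to our txid, else None."""
    if len(data) < HEADER.size:
        return None
    rid, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    if rid != txid or not flags & 0x8000:   # wrong ID, or QR bit says 'query'
        return None
    return {"opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF,
            "counts": (qd, an, ns, ar)}


def classify(txid: int, reply: Optional[bytes]) -> str:
    """Map the outcome of one probe onto an nmap-style port state string.

    reply is None when nothing arrived before the timeout. Without any
    datagram back, a dropped probe and a closed-but-silent host are
    indistinguishable, which is exactly the ambiguity the thread is about.
    """
    if reply is None:
        return "open|filtered"
    hdr = parse_reply(txid, reply)
    if hdr is None:
        # A datagram came back, so something listens, but it is not a DNS
        # response to our transaction (other service, or spoofed/stale data).
        return "open (non-DNS or mismatched reply)"
    rcode = RCODE_NAMES.get(hdr["rcode"], str(hdr["rcode"]))
    if hdr["rcode"] == 0 and hdr["opcode"] == OPCODE_STATUS:
        return "open (DNS, status response)"
    return f"open (DNS, {rcode})"


def probe(host: str, port: int = 53, timeout: float = 2.0) -> str:
    """Send one STATUS request over UDP and classify the result."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket lets the OS report ICMP port-unreachable
        # to us as ConnectionRefusedError instead of silently dropping it.
        s.connect((host, port))
        s.send(build_status_request(txid))
        try:
            reply = s.recv(512)
        except socket.timeout:
            reply = None
        except ConnectionRefusedError:
            return "closed"
    return classify(txid, reply)


# Constructed sample replies for transaction ID 0x1234 (not captured traffic):
TXID = 0x1234
NOTIMP_REPLY = HEADER.pack(TXID, 0x8000 | (OPCODE_STATUS << 11) | 4, 0, 0, 0, 0)
STATUS_REPLY = HEADER.pack(TXID, 0x8000 | (OPCODE_STATUS << 11), 0, 0, 0, 0)
GARBAGE_REPLY = b"hello world!"          # 12 bytes, but not DNS


def demo() -> dict:
    """Classify the constructed samples; returns a dict for inspection/tests."""
    return {
        "timeout": classify(TXID, None),
        "notimp": classify(TXID, NOTIMP_REPLY),
        "status": classify(TXID, STATUS_REPLY),
        "garbage": classify(TXID, GARBAGE_REPLY),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:8s} -> {state}")
    if len(sys.argv) > 1:                # e.g. python probe53.py 192.0.2.1
        print(f"{sys.argv[1]}:53/udp -> {probe(sys.argv[1])}")
```

Note that the "open|filtered" verdict is the honest one for a silent target: the classifier refuses to upgrade it to "open" merely because no ICMP unreachable came back, which is the false positive the original question complains about. Only a datagram in reply (of any kind) justifies "open".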
