Does NMAP need ICMP for accurate UDP state
This is a discussion on Does NMAP need ICMP for accurate UDP state within the Linux Security forums, part of the System Security and Security Related category; An Nmap scan on my server reports open states on ports 137:139. But I know they are not open ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
07-10-2003
|
|||
|
|||
Does NMAP need ICMP for accurate UDP state
An Nmap scan on my server reports open states on ports 137:139. But I know
they are not open because I am dropping INPUT packets on those ports in the firewall rules, and definitely can't connect to those ports from the outside using an smbclient or nmbstat command. That said, samba is running on the machine for use internally. My question... what would give Nmap a "false positive"? I read that nmap needs an destination-unreachable icmp packet, and the absence of one would be interpreted as "open". I think I'm outputting that icmp type. Are there any other possibilities? Or is any udp packet explicity dropped in iptables going to show as "open" to nmap? 
|
|
07-10-2003
|
|||
|
|||
|
Re: Does NMAP need ICMP for accurate UDP state
On Wed, 9 Jul 2003 22:41:24 -0400, Dusty wrote:
> An Nmap scan on my server reports open states on ports 137:139. But I know > they are not open because I am dropping INPUT packets on those ports in the > firewall rules, and definitely can't connect to those ports from the outside > using an smbclient or nmbstat command. That said, samba is running on the > machine for use internally. > > My question... what would give Nmap a "false positive"? I read that nmap > needs an destination-unreachable icmp packet, and the absence of one would > be interpreted as "open". This is true. > I think I'm outputting that icmp type. You are using REJECT then, not DROP? # tcpdump -vvvni <external interface> icmp and src <your ip address> run this while scanning from the outside, and you'll see exactly what ICMP packets you send. > Are there > any other possibilities? Or is any udp packet explicity dropped in iptables > going to show as "open" to nmap? It's the way UDP works, really. Normally, there are only two ways a host will _not_ recieve either an icmp 'unreachable' or an icmp 'time exceeded': a) the packet is accepted by an application (open), or b) the packet dies a horrible death in some packet filter (filtered). Neither Nmap, nor any bad guys can tell the difference. - Eirik -- New and exciting signature!
|
|
07-10-2003
|
|||
|
|||
|
Re: Does NMAP need ICMP for accurate UDP state
"Dusty" <Spamb_bull@yahoo.com---No Spam> wrote in
news:vgpkgjan98h0a1@corp.supernews.com: > An Nmap scan on my server reports open states on ports 137:139. But I > know they are not open because I am dropping INPUT packets on those > ports in the firewall rules, and definitely can't connect to those > ports from the outside using an smbclient or nmbstat command. That > said, samba is running on the machine for use internally. > > My question... what would give Nmap a "false positive"? I read that > nmap needs an destination-unreachable icmp packet, and the absence of > one would be interpreted as "open". I think I'm outputting that icmp > type. Are there any other possibilities? Or is any udp packet > explicity dropped in iptables going to show as "open" to nmap? > > > Yes, nmap does need the unreachable icmp to show the port as closed. If you are silently dropping the packets, then nmap reports open.
|
 |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT +1. The time now is 09:25 AM.
