From: WiM (vulndev@vision.rma.ac.be)
Date: Thu Mar 25 2004 - 13:14:36 EST
>From the man page of nmap:
-sU UDP scans: This method is used to determine which UDP (User
Datagram Protocol, RFC 768) ports are open on a host. The tech-
nique is to send 0 byte udp packets to each port on the target
machine. If we receive an ICMP port unreachable message, then
the port is closed. Otherwise we assume it is open. Unfortu-
nately, firewalls often block the port unreachable messages,
causing the port to appear open. Sometimes an ISP will block
only a few specific dangerous ports such as 31337 (back orifice)
and 139 (Windows NetBIOS), making it look like these vulnerable
ports are open. So don't panic immediately. Unfortunately, it
isn't always trivial to differentiate between real open UDP
ports and these filtered false-positives.
WiM
----- Original Message -----
From: "BillyBobKnob" <billybobknob@hotmail.com>
To: <pen-test@lists.securityfocus.com>
Sent: Thursday, March 25, 2004 3:57 AM
Subject: nmap shows open UDP port 113
> My friend asked me to see if I could scan or penetrate his firewall. He =
> only told me that it was a Linux box setup as a firewall running NAT to =
> hide internal IPs.
>
> - I did a nmap -O and a nmap -O --fuzzy but it said "too many =
> fingerprints match for accurate OS guess"
> but it did tell me that TCP port 113 was in the closed state
> - so I tried a TCP reverse inet scan (nmap -sT -I) and it still gave me =
> same info as this port was closed
> - so I tried nmap -sU and no results
> - then I tried nmap -sU -p 113 and it said that UDP port 113 was open !!
>
> I was then able to netcat to it (nc -u ipaddress 113) and I verified =
> that I was connected with a netstat.
>
> While connected via netcat I tried sending it commands like (ls, cd .., =
> help, echo) but got nothing.
>
>
> Is there anything that can be done with this connection ??
> Or is there anyway to find out what internal IPs are behind it ?
>
>
> Thanks,
> Bill
>
>
> --------------------------------------------------------------------------
-
> You're a pen tester, but is google.com still your R&D team?
> Now you can get trustworthy commercial-grade exploits and the latest
> techniques from a world-class research group.
> www.coresecurity.com/promos/sf_ept1
> --------------------------------------------------------------------------
-- > --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT