After an unfortunate encounter with a buggy online portscanner (pcflank, check other thread posted by me today) I decided to test OP2 in several ways. Scanned with several other online scanners like Sygate and Symantec, used a few firewall-leakage-testers and asked a friend to run an nmap portscan on my system. OP2 passed the online scanners and the leakage testers, but the nmap run showed LOTS of open UDP ports. TCP all closed. My question: how is this possible?
System/config details:
- winXPpro SP1 fully patched/updated
- outpost pro 2.0 running @ block most mode
- direct internet connection (cable)
- ruleset that came with installation, except few progs in trusted zone: internet explorer, outlook express, windows messenger. This is just temporary, will create ruleset after some experimenting...
Attachments: nmap log
Hi chris,
Thnx anyway for the tip. All help is welcome.
Not strange, seems that this is the normal UDP behaviour.
From the scanner's point of view an open port and a stealth port are the same: no response. NMAP shows open.
Thanks to SectionOne for pointing in the current direction ;)
Regards,
@ Chrisclu:
Yes I have. Most services I don't need are disabled on my system. But even if UPnP was running as a service on my system, shouldn't OP block all hazardous connections regarding that service? (handled by svchost)
@ Muchod:
Thnx. I look forward to a solution.
Hi Megahertz,
I've checked my logs and the scans were indeed blocked. I first believed the log showed a block message when the scan was actually not blocked, but now it seems it's the other way around. Nmap says the port is open while it is closed and stealthed. (kinda strange, isn't it? :D)
Anyway, thnx for your input.
Hi Petrovsky,
Seems that you're right, I've the same results.
Reported to Agnitum, I'll keep you informed.
Regards,
Hi Peter,
Sorry, I don't use XP and am not familiar with the differences. I just saw UDP and remembered uPnP.
Regards,
Chris
Originally posted by SectionOne
Hi muchod,
I found this on a security site..
Quote from this security site (http://lists.insecure.org/lists/pen-test/2002/Apr/0037.html)
I think nmap has an explanation of how it determines whether a UDP port is listening or not. Essentially, if a UDP port has a listener, the packet will be accepted, most times silently (i.e. if it is not the correct format that the listener would normally respond to). If there is no listener there, the machine will return an ICMP port unreachable message, containing the port number in question.
Hence, a port scanner can assume, if it gets no response, that there is something listening, i.e. the port is "open".
However, this behaviour is easily mimicked (?sp) with a firewall in front of the target server. If the firewall is configured to silently drop unauthorised packets, the scanner will receive no response to its packets, and assume that ALL ports are open.
If there is a screening router in front of the target, and it is configured to send ICMP unreachables (fairly standard Cisco filter result), the scanner can report that the port is filtered, since the unreachable is coming from a different IP address to that of the target.
Hope this was useful.
Rogan
So the short answer is that NMAP concludes that stealth ports (dropped pkts) are open if it does not get a reply that the port is in fact closed due to the nature of UDP.. at least that is my interpretation of it.
Ariel... Since SectionOne did not reply to this thread I will post this here (hope no one minds). All I can say is check your blocked logs to see if the scans were indeed blocked.
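The quoted explanation above boils down to three kinds of evidence a UDP scanner can get back for each probe: a UDP reply (something is definitely listening), an ICMP port unreachable sent by the target itself (the port is definitely closed), or nothing at all (a silent listener or a firewall that dropped the probe, which the scanner cannot tell apart). The following Python is an added example, not code from the thread or from nmap; it models the three situations Rogan describes (bare host, silently dropping firewall, screening router that answers with ICMP unreachables) with constructed packets and addresses, and shows why a "stealth" firewall makes every probed UDP port come back as open (current nmap prints this state as open|filtered; the nmap of the time printed plain "open"). It also parses the quoted IP/UDP header inside the ICMP message, which is how a scanner knows which probe an unreachable refers to. Only packet construction is done here; nothing is sent on the network.

```python
import socket
import struct
from typing import Callable, Dict, Iterable, Optional

# Constructed addresses for the example (not from the thread).
TARGET_IP = "192.0.2.10"     # the scanned host
ROUTER_IP = "192.0.2.1"      # a screening router in front of it
SCANNER_IP = "198.51.100.5"  # where the probes come from
PROBE_SPORT = 40000          # source port the scanner uses for every probe


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left as 0; it is not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_reply(sport: int, payload: bytes) -> bytes:
    """A UDP datagram from the target: positive proof that a service is listening."""
    udp = struct.pack("!HHHH", sport, PROBE_SPORT, 8 + len(payload), 0) + payload
    return ipv4_header(TARGET_IP, SCANNER_IP, 17, len(udp)) + udp


def icmp_unreachable(sender: str, code: int, probe_dport: int) -> bytes:
    """ICMP type 3 (destination unreachable). Per RFC 792 the body quotes the original
    IP header plus the first 8 bytes of its payload, i.e. the UDP header carrying the
    probed port. Code 3 is 'port unreachable'; code 13 is 'administratively prohibited'."""
    quoted_udp = struct.pack("!HHHH", PROBE_SPORT, probe_dport, 8, 0)
    quoted_ip = ipv4_header(SCANNER_IP, TARGET_IP, 17, 8)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted_ip + quoted_udp
    return ipv4_header(sender, SCANNER_IP, 1, len(icmp)) + icmp


def classify(probe_dport: int, response: Optional[bytes]) -> str:
    """What a scanner can conclude about one UDP probe from the packet it got back."""
    if response is None:
        # Silence: a listener that swallowed the probe, or a firewall that dropped it.
        # The scanner cannot distinguish the two, hence nmap's open|filtered.
        return "open|filtered"
    ihl = (response[0] & 0x0F) * 4
    proto = response[9]
    sender = socket.inet_ntoa(response[12:16])
    body = response[ihl:]
    if proto == 17:  # a UDP datagram came back
        sport = struct.unpack("!H", body[0:2])[0]
        return "open" if sender == TARGET_IP and sport == probe_dport else "filtered"
    if proto == 1 and body[0] == 3:  # ICMP destination unreachable
        code = body[1]
        quoted_ip = body[8:]
        quoted_ihl = (quoted_ip[0] & 0x0F) * 4
        quoted_dport = struct.unpack("!H", quoted_ip[quoted_ihl + 2:quoted_ihl + 4])[0]
        if quoted_dport != probe_dport:
            return "filtered"  # refers to some other probe; says nothing about this port
        if code == 3 and sender == TARGET_IP:
            return "closed"    # only the host itself can vouch that the port is closed
        return "filtered"      # prohibited by policy, or sent by a router, not the host
    return "filtered"


# Three constructed models of how the scanned side may answer a probe.
def bare_host(listening: Dict[int, Optional[bytes]]) -> Callable[[int], Optional[bytes]]:
    """No firewall. Value is the reply payload, or None for a listener that stays silent."""
    def respond(port: int) -> Optional[bytes]:
        if port in listening:
            payload = listening[port]
            return None if payload is None else udp_reply(port, payload)
        return icmp_unreachable(TARGET_IP, 3, port)
    return respond


def drop_firewall(_port: int) -> Optional[bytes]:
    """'Stealth' policy: every unsolicited packet is silently discarded."""
    return None


def screening_router(port: int) -> Optional[bytes]:
    """A router in front of the host rejects probes with ICMP from its own address."""
    return icmp_unreachable(ROUTER_IP, 13, port)


def scan(ports: Iterable[int], responder: Callable[[int], Optional[bytes]]) -> Dict[int, str]:
    return {p: classify(p, responder(p)) for p in ports}


if __name__ == "__main__":
    ports = [53, 137, 500]
    print("bare host      :", scan(ports, bare_host({53: b"\x00", 137: None})))
    print("drop firewall  :", scan(ports, drop_firewall))
    print("screening router:", scan(ports, screening_router))
```

The middle case is the one in this thread: with Outpost dropping the probes, `scan` returns open|filtered for every port, exactly the wall of "open" UDP ports in the attached nmap log, while the firewall log correctly shows each probe as blocked. Only a host that answers with ICMP port unreachable from its own address can ever make a UDP port show as closed, which is why a drop policy and "lots of open UDP ports" in an nmap report are consistent with each other.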
Hi Petrovski,
I noticed you are on WinXP. Do you have Upnp disabled?
Chris