Server Administration

Third Party IP Network Scanning Methods
By: O'Reilly Media
    2008-06-05

    Table of Contents:
  • Third Party IP Network Scanning Methods
  • IP ID header scanning
  • UDP Port Scanning
  • IDS Evasion and Filter Circumvention

    Third Party IP Network Scanning Methods - UDP Port Scanning


    (Page 3 of 4 )

    Because UDP is a connectionless protocol, there are only two ways to effectively enumerate accessible UDP network services across an IP network:

    1. Send UDP probe packets to all 65535 UDP ports, then wait for “ICMP destination port unreachable” messages to identify UDP ports that aren’t accessible.
    2. Use specific UDP service clients (such as snmpwalk, dig, or tftp) to send UDP datagrams to target UDP network services and await a positive response.


    Figure 4-11.  Vscan used to launch an IP ID header scan

    Many security-conscious organizations filter ICMP messages to and from their Internet-based hosts, so it is often difficult to assess which UDP services are accessible via simple port scanning. If “ICMP destination port unreachable” messages can escape the target network, a traditional UDP port scan can be undertaken to identify open UDP ports on target hosts deductively.

    Figures 4-12 and 4-13 show the UDP packets and ICMP responses generated by hosts when ports are open and closed.


    Figure 4-12.   An inverse UDP scan result when a port is open

    UDP port scanning is an inverted scanning type in which open ports don’t respond. In particular, the scan looks for “ICMP destination port unreachable” (type 3 code 3) messages from the target host, as shown in Figure 4-13.


    Figure 4-13.   An inverse UDP scan result when a port is closed

    Tools That Perform UDP Port Scanning

    Nmap supports UDP port scanning with the -sU option. SuperScan 4 also supports UDP port scanning. However, both tools wait for negative “ICMP destination port unreachable” messages to identify open ports (i.e., those ports that don’t respond). If these ICMP messages are filtered by a firewall as they try to travel out of the target network, the results will be inaccurate.
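The deduction an inverse UDP scan relies on, as an added example that is not from the book or from any of the tools named above: it parses “ICMP destination port unreachable” (type 3 code 3) messages to recover which probed port each one refers to, then shows why the result is unreliable when no such message arrives. The function names, the scanner address 192.168.0.10, the source port, and the choice of ports 69 and 123 as closed are assumptions, and the ICMP bytes are constructed sample input.

```python
import struct

ICMP_DEST_UNREACH, CODE_PORT_UNREACH, IPPROTO_UDP = 3, 3, 17

def unreachable_udp_port(icmp):
    """Return (dst_ip, dst_port) of the UDP probe quoted in an ICMP type 3
    code 3 message, or None for anything else. Checksums are not verified."""
    if len(icmp) < 8 + 20 + 8 or (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        return None
    quoted = icmp[8:]                 # original IP header + first 8 bytes of UDP
    ihl = (quoted[0] & 0x0F) * 4      # IP header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return None
    if quoted[9] != IPPROTO_UDP:      # the quoted datagram must be a UDP probe
        return None
    dst_ip = ".".join(str(b) for b in quoted[16:20])
    _sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return dst_ip, dport

def classify(target, probed_ports, icmp_messages):
    """Map each probed port to 'closed' or 'open|filtered', plus a flag that is
    False when no unreachable arrived at all (ICMP is probably filtered)."""
    closed = set()
    for msg in icmp_messages:
        hit = unreachable_udp_port(msg)
        if hit and hit[0] == target:  # ignore messages about other hosts
            closed.add(hit[1])
    states = {p: "closed" if p in closed else "open|filtered" for p in probed_ports}
    return states, bool(closed)

def sample_unreachable(src, dst, sport, dport):
    """Constructed test input: ICMP 3/3 quoting one UDP probe (zero checksums)."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                         addr(src), addr(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0) + ip_hdr + udp_hdr

if __name__ == "__main__":
    target, ports = "192.168.0.50", [53, 69, 123, 137, 161]
    # Constructed capture: the target reports ports 69 and 123 as unreachable.
    capture = [sample_unreachable("192.168.0.10", target, 40000, p) for p in (69, 123)]
    print(classify(target, ports, capture))   # ICMP reaches the scanner
    print(classify(target, ports, []))        # ICMP filtered: silence proves nothing
```

In the second call every port comes back as open|filtered and the flag is False, which is the inaccurate result the paragraph above warns about.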

    During a comprehensive audit of Internet-based network space, you should send crafted UDP client packets to popular services and await a positive response. The scanudp utility developed by Fryxar (http://www.geocities.com/fryxar) does this very well. Example 4-7 shows scanudp being run against a Windows 2000 server at 192.168.0.50.

    Example 4-7. Running scanudp

    $ scanudp
    scanudp v2.0 -   by: Fryxar
    usage: ./scanudp [options] <host>

    options:
     -t <timeout>    Set port scanning timeout
     -b <bps>        Set max bandwidth
     -v              Verbose

    Supported protocol:
    echo daytime chargen dns tftp ntp ns-netbios snmp(ILMI) snmp(public)

    $ scanudp 192.168.0.50
    192.168.0.50     53
    192.168.0.50     137
    192.168.0.50     161
