On Thu, 21 Oct 1999, Christoph Schneeberger wrote:

> While scanning a customer's public corporate website (on request) with nmap
> (2.3BETA6 and 2.02) I found the following open ports:
> Port State Protocol Service
[...]
> 12345 filtered tcp NetBus
>
> and udp:
> Port State Protocol Service
[...]
> 31337 open udp BackOrifice
>
> I then went with the customer through the following procedures:
[...]
> -Running netstat -an on the server in question
> The two ports 12345 tcp and 31337 udp were not shown, all other listening
> services were shown as expected.
> -installing Back Orificer Friendly from http://www.nfr.net/bof/ on the
> server (I hoped it would complain not being able to listen to 31337 udp)
> Started and did not complain
> -I then connected to the server with 'netcat -u 31337' and typed some
> random chars which should normally trigger bof to pop-up and notify the user
> Nothing happened, all other ports like i.e. pop3 triggered bof immediately
> So, am I missing a chapter or does this look like something really strange ?

The nmap udp scan works by sending udp packets to the specified ports and
waiting for icmp port unreachable messages. If the scanner doesn't get an
icmp back, it assumes the port is open. My guess is that a router or a
firewall somewhere between your machine and the NT box is filtering
31337/udp. Nmap wouldn't get a port unreachable back since the packet never
hit the target machine, and you wouldn't be able to communicate with BOF on
that port.

Looks like a similar situation for netbus. Note that nmap lists it as
'filtered' rather than 'open.' It's getting neither a SYN|ACK nor an RST
back so something is probably dropping your packets en route.

- Matt
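The UDP inference described in the reply, reproduced on loopback as an added example (not part of the original message and not nmap's code): a port with nothing bound returns ICMP port unreachable, while a port that simply stays silent looks the same to the prober as one behind a packet filter. The names `probe_udp` and `demo` and the label `open|filtered` are assumptions of this sketch; the silent case is the one the reply says nmap reports as open.

```python
import socket

def probe_udp(host, port, timeout=0.5):
    """Send one UDP datagram and classify the port from what comes back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # connect() makes the kernel report ICMP errors for this flow to us.
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1024)
        return "open"            # a datagram came back from the port
    except ConnectionRefusedError:
        return "closed"          # ICMP port unreachable was received
    except socket.timeout:
        # Silence: a listener that ignored the probe, or a filter that
        # dropped it (or dropped the ICMP reply). The prober cannot tell.
        return "open|filtered"
    finally:
        s.close()

def demo():
    """Probe one loopback port while a silent listener holds it, then after."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))      # constructed target: ephemeral port
    port = listener.getsockname()[1]
    while_silent = probe_udp("127.0.0.1", port)
    listener.close()                     # nothing is bound to the port now
    after_close = probe_udp("127.0.0.1", port)
    return while_silent, after_close

if __name__ == "__main__":
    print(demo())
```

A scan result of this kind is therefore best confirmed from the host itself, as the `netstat -an` check in the quoted message does.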
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:53 PDT