NMAP Bug Analysis

Nmap scan reports bugs

1 udp 3478 Status Report Error

The following experiment is used to reproduce the problem:

A Windows xp2 virtual machine is installed locally and the firewall is enabled. Run the netstat command in the virtual machine to view the port status:

Run the command netstat-An to obtain the following results:

At the same time, use nmap6.00 on the local PC to scan the UDP port of the Virtual Machine XP. NMAP will report that UDP 3478 of this virtual machine is open. The Virtual Machine IP address is 192.168.1.121, and the local pc ip address is 192.168.1.103.

2 Wireshark packet capture and debugging log

Nmap scan command:

NMAP-su-SV-P 3478-D3 -- reason 192.168.1.121> F:/nmapudp1_8.txt

 

In Wireshark, no UDP response packets from the target machine are displayed. The log shows that the debugging information line contains "read timeout". The read information times out. Therefore, NMAP does not read any data from the UDP port.

 

3 root cause analysis

Use the debugger to track and gradually troubleshoot the problem. The script file stun. Lua contains the following functions:

-- Gets the server version ifit was returned by the server

-- @ Return status true onsuccess, false on Failure

-- @ Return version stringcontaining the server product and version

Getversion = function (Self)

-- Check ifthe server version was cached

If (not (self. cache) or not (self. cache. Version) then

SELF: getexternaladdress ()

End

Return true, (self. cache and self. cache. server or "")

End,

This function is used to obtain the version information of the stun (Service name corresponding to port 3478) server. This function is called every time stun service scan is performed.

In our scenario, we open the firewall of the target machine. When using NMAP for port scanning, we will not receive a UDP reply packet of 3478, therefore, NMAP sets the status of 3478 to open | filtered (see Nmap scan Principles). In the service scan phase, NMAP performs a service scan for such ports that may be open, in this case, stun is called. the getversion () function in the Lua script.

If this function is enabled on the stun port of the target machine, the execution process is correct. If the stun port is not enabled, an error occurs. The reason is that in the above red lines, only the external address of stun is obtained and no result is determined. In the subsequent returned rows, true (indicating that the service is enabled) and server version information (possibly empty) are directly returned ). Therefore, even if the peer stun port is not enabled at all, it is determined to be enabled here.

4. Solution

He discussed this issue with Patrik, author of The stun. Lua script. He agreed that this is a bug.

The Code has been modified as follows:

-- Gets the server version if it was returned by the server

-- @ Return status true on success, false on Failure

-- @ Return version string containing the server product and version

Getversion = function (Self)

Local Status, response = false, Nil

-- Check if the server version was cached

If (not (self. cache) or not (self. cache. Version) then

Local Status, response = self: getexternaladdress ()

If (Status) then

Return true, (self. cache and self. cache. server or "")

End

Return false, response

End

Return true, (self. cache and self. cache. server or "")

End,