Nmap scan report bug
1 UDP 3478 status reported incorrectly
The following experiment is used to reproduce the problem:
A Windows XP SP2 virtual machine is installed locally with the Windows firewall enabled. Run netstat inside the virtual machine to view the port status:
Run the command netstat -an to obtain the following results:
At the same time, use Nmap 6.00 on the local PC to scan the UDP ports of the XP virtual machine. Nmap reports that UDP 3478 on the virtual machine is open. The virtual machine's IP address is 192.168.1.121 and the local PC's IP address is 192.168.1.103.
2 Wireshark packet capture and debug log
Nmap scan command (UDP scan, version detection, port 3478 only, debug level 3, with the reason for each port state, output redirected to a file):
nmap -sU -sV -p 3478 -d3 --reason 192.168.1.121 > F:/nmapudp1_8.txt
In Wireshark, no UDP response packets from the target machine are seen. The debug log contains the line "read timeout": the read timed out, so Nmap never received any data from the UDP port.
3 Root cause analysis
Track the problem with the debugger and narrow it down step by step. The NSE library file stun.lua contains the following function:
  -- Gets the server version if it was returned by the server
  -- @return status true on success, false on failure
  -- @return version string containing the server product and version
  getVersion = function(self)
    -- Check if the server version was cached
    if ( not(self.cache) or not(self.cache.version) ) then
      -- The result of this call is discarded (this is the bug)
      self:getExternalAddress()
    end
    return true, (self.cache and self.cache.server or "")
  end,
This function obtains the version information of the STUN server (STUN is the service registered on port 3478). It is called every time a STUN service scan is performed.
In our scenario the firewall on the target machine is enabled. When scanning with Nmap, no UDP reply is received from port 3478, so Nmap marks 3478 as open|filtered (see the Nmap scanning principles: for UDP, silence can mean either an open service that did not answer or a firewall dropping the probe). In the service-scan phase, Nmap probes ports that may be open, and for this port the getVersion() function in stun.lua is called.
If a STUN service is actually running on the target port, this code path behaves correctly. If it is not, the function is wrong: in the function above, getExternalAddress() is called but its return value is never checked. The return statement that follows then unconditionally returns true (meaning the service is present) together with the server version string, which may be empty. As a result, even when the peer has no STUN service at all, the port is reported as open.
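The following is an added example, not code from the original post or from Nmap's stun.lua. It shows what a STUN version probe has to do to avoid exactly this mistake, covering both the silent-target case from the Wireshark section and the root cause above: send a STUN Binding Request, accept only a well-formed Binding Success Response for our own transaction ID as proof of a STUN service, and otherwise report open|filtered (timeout) or closed (ICMP port unreachable) instead of "open". The packet layout follows RFC 5389; the target addresses, the server-side response builder and the constructed packets are assumptions made for the example.

```python
"""Minimal STUN Binding probe that never treats silence as success.

Added example (not from the original post or from Nmap's stun.lua).
Target host/port, the server-side response builder and the sample packets
are assumptions made for illustration.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value in every STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01

# How each probe outcome maps to an Nmap-style (state, service) pair.
STATES = {
    "stun": ("open", "stun"),            # valid STUN answer: service confirmed
    "other": ("open", None),             # something answered, but not STUN
    "timeout": ("open|filtered", None),  # silence: firewall or no listener
    "unreachable": ("closed", None),     # ICMP port unreachable came back
}


def build_binding_request(txid=None):
    """Build a Binding Request: type, zero length, magic cookie, 96-bit txid."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid


def build_binding_success(txid, ip, port, xor=True):
    """Build the Binding Success Response a STUN server would send back,
    carrying the client's reflexive address. Constructed here for testing."""
    ip_int = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        attr_type = ATTR_XOR_MAPPED_ADDRESS
        port ^= MAGIC_COOKIE >> 16
        ip_int ^= MAGIC_COOKIE
    else:
        attr_type = ATTR_MAPPED_ADDRESS
    attr = struct.pack("!HHxBHI", attr_type, 8, FAMILY_IPV4, port, ip_int)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data, txid):
    """Return (ip, port) from a Binding Success Response that belongs to our
    transaction, or None for anything else (wrong type, cookie, txid, or a
    truncated packet). Only a non-None result proves a STUN service."""
    if len(data) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txid:
        return None
    if len(data) < 20 + msg_len:
        return None
    body = data[20:20 + msg_len]
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        if attr_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and len(value) >= 8:
            family, port = struct.unpack("!xBH", value[:4])
            if family == FAMILY_IPV4:
                ip_int = struct.unpack("!I", value[4:8])[0]
                if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                    port ^= MAGIC_COOKIE >> 16
                    ip_int ^= MAGIC_COOKIE
                return socket.inet_ntoa(struct.pack("!I", ip_int)), port
        off += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    return None


def classify(kind):
    """Map a probe outcome kind to (port_state, service_name)."""
    return STATES[kind]


def probe(host="192.168.1.121", port=3478, timeout=2.0):
    """Send one Binding Request over a connected UDP socket (so ICMP port
    unreachable surfaces as an error) and return (kind, mapped_address).
    This performs real network I/O and is not exercised by the offline checks."""
    req, txid = build_binding_request()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.send(req)
        data = sock.recv(1500)
    except socket.timeout:
        return ("timeout", None)
    except (ConnectionRefusedError, ConnectionResetError):
        return ("unreachable", None)
    finally:
        sock.close()
    mapped = parse_binding_response(data, txid)
    return ("stun", mapped) if mapped else ("other", None)


if __name__ == "__main__":
    kind, mapped = probe()
    print(kind, mapped, classify(kind))
```

Against the XP target in the write-up, probe() returns ("timeout", None) and classify() reports open|filtered, which is the state Nmap's port scan already assigned; only a parsed Binding Success Response upgrades that to open/stun. That is the check the original getVersion() skipped.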
4 Solution
This issue was discussed with Patrik, the author of the stun.lua script, and he agreed that it is a bug.
The code has been modified as follows, so that a failed getExternalAddress() call now returns false together with the error instead of unconditionally reporting success:
  -- Gets the server version if it was returned by the server
  -- @return status true on success, false on failure
  -- @return version string containing the server product and version
  getVersion = function(self)
    local status, response = false, nil
    -- Check if the server version was cached
    if ( not(self.cache) or not(self.cache.version) ) then
      local status, response = self:getExternalAddress()
      if ( status ) then
        return true, (self.cache and self.cache.server or "")
      end
      -- No valid STUN answer: report failure and pass the error through
      return false, response
    end
    return true, (self.cache and self.cache.server or "")
  end,