But how can you find which
of the more than 30,000 high ports it is listening on?
With a UDP scanner you can! There is also the cDc
Back Orifice backdoor program, which hides on a
configurable UDP port on Windows machines, not to
mention the many commonly vulnerable services that
utilize UDP such as SNMP, TFTP, and NFS.
-sA ACK scan This advanced method is usually used to
map out firewall rulesets. In particular, it can help
determine whether a firewall is stateful or just a simple
packet filter that blocks incoming SYN packets. This scan
type sends an ACK packet (with random-looking
acknowledgment/sequence numbers) to the ports
specified. If an RST comes back, the port is classified as
unfiltered. If nothing comes back (or if an ICMP
unreachable is returned), the port is classified as filtered.
Note that nmap usually does not print unfiltered ports,
so getting no ports shown in the output is usually a sign
that all the probes got through (and returned RSTs). This
scan will obviously never show ports in the open state.
-sW Window scan This advanced scan is very similar to
the ACK scan, except that it can sometimes detect open
ports as well as filtered/unfiltered ones due to an
anomaly in the TCP window size reporting by some
operating systems: on those systems the RST returned for a
listening port carries a non-zero window, while the RST for
a closed port carries a zero window. The trick relies on an
implementation detail of a minority of TCP stacks, so its
results cannot always be trusted; systems that do not show
the anomaly simply look like an ACK scan (RSTs for
everything, no open ports). Systems vulnerable to this
include at least some versions of AIX, Amiga, BeOS, BSDI,
Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD,
HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX,
Rhapsody, SunOS 4.
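The following is an added worked example, not nmap's own code or output. It models the reply classification that the ACK scan and Window scan descriptions above rely on: it builds an ACK probe header with random-looking sequence/acknowledgment numbers, parses raw TCP and ICMP reply headers from constructed byte strings (not real captures), and maps each reply to a port state (RST means unfiltered for -sA, and for -sW the RST's window field additionally separates open from closed; silence or an ICMP unreachable means filtered). The ICMP type 3 code set, the decision to reject any non-RST TCP reply or unexpected ICMP type as input, and the sample port numbers are choices of this example, not taken from the page.

```python
"""Reply classification for ACK (-sA) and Window (-sW) style probes.

Added illustration, not code from nmap. It parses raw TCP and ICMP
headers from constructed reply bytes and applies the rules described
above: for -sA an RST means "unfiltered" and silence or an ICMP
unreachable means "filtered"; for -sW the window field of the RST is
additionally used to call the port "open" (non-zero) or "closed" (zero).
"""
import random
import struct
from typing import Dict, Optional, Tuple

TCP_ACK = 0x10
TCP_RST = 0x04
# ICMP type 3 (destination unreachable) codes commonly treated as "filtered"
# by port scanners (host/net/proto/port unreachable, admin prohibited).
# This set is an assumption of the example, not taken from the text.
ICMP_UNREACH_FILTERED_CODES = {1, 2, 3, 9, 10, 13}

TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, window, csum, urg
ICMP_HDR = "!BBH"       # type, code, checksum


def build_ack_probe(sport: int, dport: int) -> bytes:
    """Build the 20-byte TCP header of an ACK probe with random-looking seq/ack."""
    seq = random.getrandbits(32)
    ack = random.getrandbits(32)
    # data offset 5 (20 bytes, no options), flags = ACK only, window 1024, checksum left 0
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, TCP_ACK, 1024, 0, 0)


def parse_tcp_header(data: bytes) -> Dict[str, int]:
    """Parse the fixed part of a TCP header (IP header already stripped)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off, flags, window, _csum, _urg = struct.unpack(TCP_HDR, data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window}


def parse_icmp_header(data: bytes) -> Dict[str, int]:
    """Parse the first four bytes of an ICMP message (type, code, checksum)."""
    if len(data) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum = struct.unpack(ICMP_HDR, data[:4])
    return {"type": icmp_type, "code": code}


def classify_reply(scan: str, proto: Optional[str], reply: Optional[bytes]) -> str:
    """Map one probe's reply to a port state. scan is 'ack' (-sA) or 'window' (-sW)."""
    if scan not in ("ack", "window"):
        raise ValueError("scan must be 'ack' or 'window'")
    if reply is None:
        return "filtered"  # probe or its answer was dropped: no evidence it got through
    if proto == "icmp":
        icmp = parse_icmp_header(reply)
        # Assumption of this example: only destination-unreachable answers are accepted.
        if icmp["type"] != 3 or icmp["code"] not in ICMP_UNREACH_FILTERED_CODES:
            raise ValueError(f"unexpected ICMP reply type={icmp['type']} code={icmp['code']}")
        return "filtered"  # a filtering device answered on the host's behalf
    if proto == "tcp":
        tcp = parse_tcp_header(reply)
        if not tcp["flags"] & TCP_RST:
            raise ValueError("unexpected non-RST TCP reply to an ACK probe")
        if scan == "ack":
            return "unfiltered"  # RST proves the probe reached the stack; says nothing about open
        # Window scan: some stacks set a positive window in the RST only for listening ports.
        return "open" if tcp["window"] > 0 else "closed"
    raise ValueError(f"unknown protocol {proto!r}")


def scan_report(scan: str,
                replies: Dict[int, Tuple[Optional[str], Optional[bytes]]]) -> Dict[int, str]:
    """Classify every port in a {port: (proto, reply_bytes_or_None)} map."""
    return {port: classify_reply(scan, proto, reply) for port, (proto, reply) in replies.items()}


def rst_reply(sport: int, dport: int, window: int) -> bytes:
    """Constructed RST header as a target would send it (for the sample below)."""
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, TCP_RST, window, 0, 0)


# Constructed sample replies to ACK probes sent from source port 40000 (not real captures).
SAMPLE_REPLIES = {
    80:   ("tcp",  rst_reply(80, 40000, window=512)),  # RST with non-zero window
    22:   ("tcp",  rst_reply(22, 40000, window=0)),    # RST with zero window
    445:  ("icmp", struct.pack(ICMP_HDR, 3, 13, 0)),   # admin prohibited from a firewall
    3389: (None,   None),                              # silence: dropped by a stateful filter
}

if __name__ == "__main__":
    probe = parse_tcp_header(build_ack_probe(40000, 80))
    print("probe flags=0x%02x seq=%d ack=%d" % (probe["flags"], probe["seq"], probe["ack"]))
    for scan in ("ack", "window"):
        print(f"-s{scan[0].upper()}:", scan_report(scan, SAMPLE_REPLIES))
```

Running it shows the asymmetry the text describes: the ACK classification never produces "open" (ports 80 and 22 are both just "unfiltered"), whereas the Window classification of the very same RSTs reports 80 as open and 22 as closed, while the ICMP admin-prohibited answer and the silent port are "filtered" under both.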