[unisog] Determining local servers and banners

John Kristoff jtk at northwestern.edu
Mon Apr 4 21:48:10 GMT 2005


On Mon, 04 Apr 2005 16:54:44 -0400
Harry Hoffman <hhoffman at ip-solutions.net> wrote:

> We don't have a way, currently, to grab udp servers. I understand that a 
> similar setup could be done with argus and the "-M hostsvc" flags and I 
> am currently investigating this option. Is anyone doing this?

I'll try to get at a partial answer somewhat indirectly.  I did some
experiments with UDP-specific application scanning a while back and as
I recall you had to often be very specific in the initial probe to
even solicit any response whatsoever.  Furthermore, something like TFTP
only uses a single packet from the client to the server using port 69
so even if there were a TFTP server banner, it will likely appear to
be coming from various random ports on a single host each time it
transfers a file.

> I'm quite interested to hear how others are solving this problem. Nmap 
> against 65000 ports to find a "quiet" ftp server isn't really an option.

The problem is even worse with UDP, because you can't just scan as
fast as you like and you can't always trust the results you get back
(or don't get back).  There are some further details on the problems
with UDP here:

  <http://condor.depaul.edu/~jkristof/papers/udpscanning.pdf>

John
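
Added example, not part of the original message: a passive-inventory sketch of the TFTP behaviour described above, in which only the client's first packet goes to port 69 and the transfer then comes from a server-chosen ephemeral port. The flow-record layout, the 5-second correlation window and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

TFTP_PORT = 69

# Constructed sample UDP flow records (not real traffic):
# (start_time_s, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (10.0, "192.0.2.10", 40001, "198.51.100.5", 69),     # request 1
    (10.1, "198.51.100.5", 51234, "192.0.2.10", 40001),  # transfer 1
    (20.0, "192.0.2.11", 40777, "198.51.100.5", 69),     # request 2
    (20.2, "198.51.100.5", 38912, "192.0.2.11", 40777),  # transfer 2
    (30.0, "198.51.100.9", 53, "192.0.2.10", 41000),     # unrelated DNS reply
    (99.0, "198.51.100.5", 47000, "192.0.2.10", 40001),  # outside the window
]


def find_tftp_servers(flows, window=5.0):
    """Attribute ephemeral-port transfer flows to the port 69 request that
    started them.

    Returns (servers, unmatched): servers maps a server IP to the sorted
    ephemeral source ports it transferred from; unmatched lists the
    (src_ip, src_port) pairs that no port 69 request explains.
    """
    pending = {}                  # (client_ip, client_port, server_ip) -> time
    servers = defaultdict(set)
    unmatched = []
    for ts, src, sport, dst, dport in sorted(flows):
        if dport == TFTP_PORT:
            # Client's single packet to the well-known port.
            pending[(src, sport, dst)] = ts
            continue
        # A transfer comes from the server to the client's original port.
        started = pending.get((dst, dport, src))
        if started is not None and 0 <= ts - started <= window:
            servers[src].add(sport)
        else:
            unmatched.append((src, sport))
    return {ip: sorted(ports) for ip, ports in servers.items()}, unmatched


if __name__ == "__main__":
    found, leftover = find_tftp_servers(SAMPLE_FLOWS)
    print("TFTP servers:", found)
    print("Not explained by a port 69 request:", leftover)
```

A per-port inventory of the same records would list 51234 and 38912 as two separate services on one host; correlating on the client's port collapses them into a single TFTP server.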

