
I open two terminal windows on my Linux box. On one, I have netcat listen on a UDP port, and on the other I run nmap -sU against that port. Netcat receives the connection and the data, but nmap reports the UDP port as closed. I also see an ICMP port unreachable in the nmap logs (not sure why the OS is sending it). I've also tried --max-retries 1. Any advice is much appreciated.

$ nc -l -u -p 12345 -v
listening on [any] 12345 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 65188
test

In a different window

$ sudo nmap -Pn -sU -p 12345 localhost --data-string test -vvv --packet-trace

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-15 19:29 EDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Initiating UDP Scan at 19:29
Scanning localhost (127.0.0.1) [1 port]
SENT (0.0481s) UDP 127.0.0.1:65188 > 127.0.0.1:12345 ttl=42 id=17191 iplen=32 
RCVD (0.0479s) UDP 127.0.0.1:65188 > 127.0.0.1:12345 ttl=42 id=17191 iplen=32 
SENT (1.0482s) UDP 127.0.0.1:65189 > 127.0.0.1:12345 ttl=59 id=50254 iplen=32 
RCVD (1.0482s) UDP 127.0.0.1:65189 > 127.0.0.1:12345 ttl=59 id=50254 iplen=32 
RCVD (1.0482s) ICMP [127.0.0.1 > 127.0.0.1 Port 12345 unreachable (type=3/code=3) ] IP [ttl=64 id=4558 iplen=60 ]
Completed UDP Scan at 19:29, 1.20s elapsed (1 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up, received user-set (0.000067s latency).
Other addresses for localhost (not scanned): ::1
Scanned at 2015-10-15 19:29:52 EDT for 2s
PORT      STATE  SERVICE REASON
12345/udp closed unknown port-unreach ttl 64

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds
           Raw packets sent: 2 (64B) | Rcvd: 3 (124B)

2 Answers


With netcat:

In listen mode, controls the address on which Ncat listens; if you omit it, Ncat will bind to all local interfaces (INADDR_ANY). If the port number is omitted, Ncat uses its default port 31337. Typically only privileged (root) users may bind to a port number lower than 1024. A listening TCP server normally accepts only one connection and will exit after the client disconnects. Combined with the --keep-open option, Ncat accepts multiple concurrent connections up to the connection limit. With --keep-open (or -k for short), the server receives everything sent by any of its clients, and anything the server sends is sent to all of them. A UDP server will communicate with only one client (the first one to send it data), because in UDP there is no list of “connected” clients.

So, when nmap tries the connection, nc will exit after the first packet received. But nmap, when testing a port, sends several packets. So the second packet will be lost and nmap will consider the port closed; moreover, your OS will send an ICMP port unreachable for the second test.

If you want to test your UDP ports and get an open result in nmap, you must force nmap to make only one connection: nmap -Pn -sU -p 12345 localhost -vvv --max-retries 0

Sorcha

netcat only allows one connection at a time. ncat may allow multiple simultaneous "connections". I see the expected scan result with --max-retries 0.
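The packet trace in the question shows two probes from different source ports (65188, then 65189) and an ICMP port unreachable only after the second. The sketch below is an added example, not code from the question or either answer. It reproduces that sequence on Linux loopback without nmap or netcat, under the assumption that the one-client UDP listener locks onto its first sender by calling connect() on its socket. The function names and result labels are hypothetical, except "port-unreach", which matches the REASON column above.

```python
import socket

LOOPBACK = "127.0.0.1"

def send_probe(port, payload=b"test", timeout=0.3):
    """Send one datagram from a new source port; return the still-open socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.connect((LOOPBACK, port))  # connected, so an ICMP error surfaces as ECONNREFUSED
    s.send(payload)
    return s

def outcome(s):
    """Classify what came back for one probe."""
    try:
        s.recv(1024)
        return "udp-response"
    except ConnectionRefusedError:
        return "port-unreach"    # ICMP type 3 / code 3 was delivered to the sender
    except socket.timeout:
        return "no-response"

def run_demo():
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.settimeout(1)
    listener.bind((LOOPBACK, 0))            # constructed: kernel picks a free port
    port = listener.getsockname()[1]

    first = send_probe(port)
    first_result = outcome(first)           # the listener never replies
    data, peer = listener.recvfrom(1024)    # listener reads "test" ...
    listener.connect(peer)                  # ... and locks onto that sender (assumption)

    second = send_probe(port)               # the retry, from a new source port
    second_result = outcome(second)

    first.send(b"again")                    # the original peer is still accepted
    still_heard = listener.recv(1024) == b"again"

    for s in (first, second, listener):
        s.close()
    return {"first_probe": first_result, "second_probe": second_result,
            "first_peer_still_heard": still_heard}

if __name__ == "__main__":
    print(run_demo())
```

The first socket is kept open while the second probe is sent, so the kernel cannot hand the retry the same ephemeral source port.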