I am pushing my way through some beginner level security readings and exercises (ECSA 1 & 2) without much of a networking background. I happened upon an interesting suggestion or command: to use nmap -sU -p 23 target to find out if a target is running a telnet service. I hopped over to the telnet Wikipedia page and found that telnet is a TCP based protocol (it likely doesn't use UDP). Even RFC 854 states that "A TELNET connection is a Transmission Control Protocol (TCP) connection".

I've not dived very deeply into the related protocol specifications (and perhaps I should), but I've caught myself in my own confusion or mistaken assumption. How does nmap -sU (a UDP scan) detect if a TCP port is open or closed? Are there ever reasons to match the target port/service protocol, or is detecting the state of a port somehow completely independent of the target port (and its bindings)? How so?

If your answer(s) is to simply point me to some reference material that's fine. I realize I might be trying to take some shortcuts here.

Update:

The book gives a little background about the telnet service but does not specify whether or not it is TCP or UDP based. It then says "You must scan the telnet ports using Nmap with the following command: nmap -sU -p 23 x.x.x.x". I can't quite tell if that's bad advice or not? Informative either way I think.

gordlonious
  • 103
  • 3
  • 1
    I think the suggestion you've found is simply wrong (yes, this can happen) or you understand it wrong (you only show your interpretation, not the exact wording). – Steffen Ullrich Sep 30 '20 at 04:41
  • Thanks for the clue. I uploaded a screenshot to imgur: https://imgur.com/s6znp6j (the book even has an example command execution with output that looks legit to me). – gordlonious Sep 30 '20 at 05:11
  • 1
    @gordlonious the `open|filtered` status simply means no response was received. In the case of `-sU -p23`, this is almost certainly because of a firewall setting. Telnet does not work over UDP. – bonsaiviking Oct 01 '20 at 02:06

1 Answer

1

Technically port 23 is registered for telnet for both tcp and udp - see IANA port registry. And this is what nmap is showing: something is on udp port 23 (for example nc -u -p23) and based on the port mapping it writes "telnet" as service. This does not mean that there is an actual telnet service running on this port though.

This assignment of both tcp and udp for typically TCP-only services is fairly common for services, i.e. SMTP, FTP, HTTP, POP3, IMAP ... all have the port for both tcp and udp reserved even though all of these are tcp-only services.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • That makes the example in the book a real/usable example then? A network card will generally respond to a udp datagram when a tcp service is bound to the target port because udp is also registered/valid for that port? – gordlonious Sep 30 '20 at 05:30
  • @gordlonious: First, a normal network card does not respond at all but just propagates the received packets to the OS and transmits the packets from the OS to the target, i.e. the application logic is not in the network card itself. And a TCP service and UDP service are independent, i.e. just having a telnet service on port 23 TCP does not magically make port 23 UDP open too. But these are actually not security questions anymore, i.e. primarily off-topic here. – Steffen Ullrich Sep 30 '20 at 06:12
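The two points made in the answer and its comments (a UDP probe is judged only by what comes back for UDP, and a TCP listener on a port says nothing about the UDP side of that port) can be reproduced on a single machine. The following Python script is an added example, not code from the question, the answer, or the book; it assumes a Linux host with a working loopback interface, where a connected UDP socket reports an incoming ICMP "port unreachable" as ConnectionRefusedError. The `classify_udp_response` function encodes the state rules nmap documents for `-sU` (UDP reply → open, ICMP type 3 code 3 → closed, other ICMP unreachables → filtered, silence → open|filtered); `probe_udp_local` sends one datagram to a local port and applies those rules; `demo` stands up a TCP-only listener, a silent UDP listener and an echoing UDP listener on ephemeral ports and probes each one.

```python
import socket
import threading


def classify_udp_response(kind, icmp_type=None, icmp_code=None):
    """Map what came back from a UDP probe to the port state nmap -sU reports.

    kind is "udp" (a UDP datagram came back), "icmp" (an ICMP error came back,
    with its type/code) or None (nothing came back before the timeout).
    """
    if kind == "udp":
        return "open"                      # a service answered over UDP
    if kind == "icmp" and icmp_type == 3:
        if icmp_code == 3:
            return "closed"                # port unreachable: nothing bound on UDP
        if icmp_code in (1, 2, 9, 10, 13):
            return "filtered"              # host/net/admin unreachable: something blocks us
    return "open|filtered"                 # silence: silent service or a dropping firewall


def probe_udp_local(port, timeout=0.5):
    """Send one UDP datagram to 127.0.0.1:port and interpret the result.

    On Linux, connecting the UDP socket makes the kernel deliver an ICMP
    port-unreachable for this flow as ConnectionRefusedError on recv(), which
    is the same signal nmap turns into 'closed'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.connect(("127.0.0.1", port))
    try:
        s.send(b"\x00")                    # a one-byte probe, as a generic UDP scan would send
        s.recv(1024)
        return classify_udp_response("udp")
    except ConnectionRefusedError:
        return classify_udp_response("icmp", 3, 3)
    except socket.timeout:
        return classify_udp_response(None)
    finally:
        s.close()


def _tcp_listener():
    """A TCP service bound to an ephemeral port; it never touches UDP."""
    t = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    t.bind(("127.0.0.1", 0))
    t.listen(1)
    return t


def _silent_udp_listener():
    """A UDP socket that is bound but never replies (many real UDP services behave this way)."""
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.bind(("127.0.0.1", 0))
    return u


def _echo_udp_listener():
    """A UDP socket that echoes the first datagram back to its sender."""
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.bind(("127.0.0.1", 0))

    def serve():
        try:
            data, peer = u.recvfrom(1024)
            u.sendto(data, peer)
        except OSError:
            pass                           # socket closed by demo() before anything arrived

    threading.Thread(target=serve, daemon=True).start()
    return u


def demo():
    """Probe the UDP side of three ports and return the states a scanner would print."""
    tcp, silent, echo = _tcp_listener(), _silent_udp_listener(), _echo_udp_listener()
    try:
        return {
            "tcp_only":   probe_udp_local(tcp.getsockname()[1]),     # "closed"
            "udp_silent": probe_udp_local(silent.getsockname()[1]),  # "open|filtered"
            "udp_echo":   probe_udp_local(echo.getsockname()[1]),    # "open"
        }
    finally:
        for sock in (tcp, silent, echo):
            sock.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:11s} -> {state}")
```

The "tcp_only" result is the one that answers the question: a listening TCP socket on a port does not make the same UDP port open, so a UDP probe there gets an ICMP port-unreachable and is reported closed. The "udp_silent" case is what the book's screenshot most likely shows: nmap prints open|filtered and labels the port "telnet" purely from the IANA port table, not from having talked to a telnet service. Run it directly to print the three states; `demo()` returns them as a dict so a test can check them.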