Netcat – Why UDP Port Scans Always Succeed

access-control-list, nc, netcat, port

I'm trying to verify that a couple of our servers can communicate via certain ports before migrating some of our services to them, and that they're not blocked by our organization's firewall ACLs.

Makes Sense

[mrduki@mybox1~]$ nc -ul 40000
---
[mrduki@mybox2~]$ nc -zvuw2 mybox1.com 40000
Connection to mybox1.com 40000 port [udp/*] succeeded!

Doesn't Make Sense

[mrduki@mybox1~]$ nc -ul 40000
[mrduki@mybox1~]$ ^C
---
[mrduki@mybox2~]$ nc -zvuw2 mybox1.com 40000
Connection to mybox1.com 40000 port [udp/*] succeeded!

In fact, if I do a port scan from 40000-40100, every single port succeeds.

If I do the same tests without -u (so that it tests TCP instead of UDP), I get 40000 (tcp) timed out: Operation now in progress errors, as I would expect (since I have no such TCP service listening on 40000).

Doing a sudo netstat -alnp | grep LISTEN on mybox1 though shows no such services listening on these ports. So what am I missing?

Best Answer

nc may not be the best tool for testing port status. Have you tried nmap? It's actually a port scanner. I checked a file server on my home network and 127.0.0.1, both report that UDP port 40000 is closed.

nmap

# nmap -sU -p 40000 igor

Starting Nmap 7.01 ( https://nmap.org ) at 2016-08-18 18:27 EDT
Nmap scan report for igor (192.168.1.125)
Host is up (0.00027s latency).
rDNS record for 192.168.1.125: igor.swass
PORT      STATE  SERVICE
40000/udp closed unknown
MAC Address: 68:05:CA:3A:BF:B7 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

Kernel + /dev

You can also use the kernel to do this like so. But nmap is probably better.

# timeout 3 cat < /dev/udp/example.com/40000

When I tried nc on the same server (igor) I was getting the same results as you. But I went back to try again, and now it is returning no output (no succeeded message) and Wireshark is showing "Destination unreachable" being sent back over ICMP. I don't understand any of this. But I'd switch to a different method of checking UDP port status.
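As an added illustration (not code from the question or the answer), the probe below shows why a UDP "succeeded" from nc proves nothing: the only hard signal a scanner gets is the ICMP "Destination unreachable" the answer saw in Wireshark, which the kernel surfaces as ECONNREFUSED on a connected UDP socket; a service that never replies (such as `nc -ul`) and a firewall that drops the datagram both look identical. It assumes Linux/BSD socket semantics and constructs three loopback cases itself, so it runs offline.

```python
import socket
import threading

def udp_port_state(host, port, payload=b"probe", timeout=1.0):
    """Classify a UDP port from the only signals available to a scanner:
    a datagram reply means open, an ICMP port-unreachable means closed,
    and silence is ambiguous (a quiet service or a firewall dropping traffic)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() fixes the remote address so the kernel maps an incoming
        # ICMP type 3 / code 3 for this flow onto ECONNREFUSED on recv()
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def _serve_once(sock, reply):
    """Constructed listener: receive one datagram and optionally answer it
    (reply=False mimics `nc -ul`, which prints the data but sends nothing back)."""
    data, peer = sock.recvfrom(1024)
    if reply:
        sock.sendto(data, peer)
    sock.close()

def demo(host="127.0.0.1"):
    """Probe three constructed loopback cases and return their classifications."""
    results = {}
    for name, reply in (("echo_service", True), ("silent_listener", False)):
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind((host, 0))
        port = srv.getsockname()[1]
        threading.Thread(target=_serve_once, args=(srv, reply), daemon=True).start()
        results[name] = udp_port_state(host, port)
    # a port with nothing bound: the kernel answers with ICMP port unreachable
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind((host, 0))
    free_port = probe.getsockname()[1]
    probe.close()
    results["nothing_listening"] = udp_port_state(host, free_port)
    return results

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

The silent listener and a firewall-dropped probe both come back as "open|filtered", which is exactly the ambiguity behind the "Doesn't Make Sense" result above.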