Always getting success, even when should get failure for UDP port scan

[larnth]

I can run the following netcat command on a linux box and get 'error, connection refused' -- but when I do the associated command in this library through pync, it says success.... on any port I try....
netcat command that gives me the success (on good port) and failure (on bad port)
nc -vnzu <some ip> <some port>

Associated pync I tried to use:

def checkDNSPortOpen(ip, port):
    pync('-vnzu '+ip+' '+port)

This returns: "Connection to port [udp/*] succeeded!" in all cases.

[bw0rth]

Hi, first of all, thank you for trying this library out. I really appreciate it. :)

Secondly, pync is still in early development and there's so much more on my list I need to do.
I expect there are quite a lot of issues with it yet.

But thank you so much for raising this issue.
I'll do my best to look into it for you when I'm not busy.

If you don't mind, please could I have a bit more information on the linux OS you are running it on and also the version of netcat you are running.

It's probably worth mentioning I have largely based pync on the netcat-openbsd 1.105-7 ubuntu/debian version as that's what I have installed on my VPS.

Could I also confirm that you are running the latest version of pync and still getting the problem.

Does GitHub allow gifs in comments too?
A gif of the problem would be good, if it's possible... 🤔
It doesn't matter if you can't make a gif though.

Thank you. :)

[larnth]

The library was exactly what I was working on writing myself, so it was a nice find :)

I wish I'd found it sooner in my searches, I spent a day working on the UDP test myself, and it was getting quite out of hand.

I may have isolated the issue a bit more since originally opening it - I am unable to reproduce the issue in my linux server. When I hit the IP and port configuration on the linux box (with netcat and with this library), I get the responses I expect.

HOWEVER - when I am running this on a windows machine on the same network, I get the unreliable behavior I described before. UDP always says "success" even when I know the port is closed.

This is a windows 10 machine, I can provide whatever other details you need. This is with the latest version of pync.

[larnth]

My windows machine running the script.

[larnth]

This is the linux box - appropriately saying connection failed.

[bw0rth]

Thanks for narrowing it down for me.

I have a windows 10 machine at home so I will try and reproduce the problem myself and see if I can find what's causing it. 👍

I think I remember there being a problem with TCP port scans on Windows too (huge delay between port connections causing a very slow scan) so I'll have a look at that too.

[larnth]

Few notes, as I was researching it... may be helpful, may not.

https://stackoverflow.com/questions/70120916/how-to-check-if-udp-port-is-open-python
https://serverfault.com/questions/797763/why-do-netcat-scans-for-udp-ports-always-succeed

Found this in an article, but not sure of veracity. I'm pretty green for networking stuff. Seems to suggest firewall issues may cause this.... not sure if there's a way to catch that situation and flag it differently in output or what.

UDP Scanning

UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.

An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g., nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g., nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.

[bw0rth]

Hi Caleb.

I'm just wondering if you've tried installing netcat on your windows machine to see if it has the same behaviour (false positive UDP scan). 🤔

Also, I've noticed at the bottom of netcat's man page theres a "caveats" section that notes:

"UDP port scans will always succeed (i.e. report the port as open), rendering the -uz combination of flags relatively useless."

Maybe netcat isn't the right tool for what you want. 🤔