Poor Man's Port Scanning


We can use telnet to pretend we're a web browser, or mail program, or whatever. Even for binary/complex protocols, telnet can tell the port is open by connecting to it.

nmap automates this with what it calls a TCP connect scan, which works even for non-root users. Of course it does fancier scans too.

netcat can do this sort of scan (connect and close without sending data).

This doesn't work for UDP, though. UDP port scans (like netcat's) send an empty packet out and see what comes back. If the port is closed, an ICMP error comes back (destination unreachable). If it is open, nothing comes back, because the server there won't reply to an empty packet. That isn't very useful: a port also looks open if a firewall drops the scan or blocks the ICMP message.

So we pretend we're a legitimate client. Netcat will send bytes over UDP for us. It comes with some sort of byte generator, but it seems easier to sniff the right bytes. If you know what "right" is, you can write them in hex and convert them to binary with xxd.
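The difference between the empty-packet scan and the legitimate-client probe, as an added Python example that is not part of the original page. The `HELLO` bytes and the loopback test service are constructed stand-ins for a sniffed request and a real UDP server, and the probe assumes IPv4.

```python
import socket
import threading

HELLO = b"\x01HELLO"  # constructed stand-in for a sniffed client request

def probe_udp(host, port, payload=b"", timeout=1.0):
    """Send one datagram and classify the port by what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing; it lets the kernel report an
        # ICMP "port unreachable" to this socket as ECONNREFUSED.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(2048)
            return "open"            # a real reply: the service is alive
        except ConnectionRefusedError:
            return "closed"          # ICMP error came back
        except socket.timeout:
            return "open|filtered"   # silence: cannot tell which

def start_picky_server():
    """Constructed test service: answers only datagrams starting with HELLO."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    def loop():
        while True:
            data, peer = srv.recvfrom(2048)
            if data.startswith(HELLO):
                srv.sendto(b"\x02OK", peer)
    threading.Thread(target=loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_picky_server()
    port = srv.getsockname()[1]
    print("empty packet:", probe_udp("127.0.0.1", port, b"", 0.5))
    print("valid request:", probe_udp("127.0.0.1", port, HELLO, 0.5))
```

Only the "open" result proves the server is up; "open|filtered" is what a dropped or ignored probe looks like, which is why the empty-packet scan alone is not enough.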

Why do we want to go through all this trouble for a single UDP port? Keyserver™, by Sassafras Software, is a license server that uses a proprietary protocol over UDP to issue licenses for commercial software. The admin client is slow and not very informative if a server is down, so we build our own scanner with the features we need.