116 Chapter 5 ■ Scanning Networks
The first thing you must know is what happens in UDP scanning when a port is open or
closed. Table 5.2 provides that answer.TABLE 5.2 Results of UDP scanning against closed and open portsPort status ResultOpen No responseClosed ICMP Port Unreachable message returnedNote the differences in the results as opposed to TCP scanning. In TCP scanning you get
different responses than you see here, but the connectionless protocol UDP does not react
the same way to probe requests.UDP does not employ a mechanism like TCP’s three-way hand-
shake. Remember that TCP is connection oriented whereas UDP is
connectionless.OS Fingerprinting
Much like individuals, operating systems have unique fingerprints that help identify them.
You just have to know how to look for these unique details and determine what each
means.
There are two types of fingerprinting: passive and active. Table 5.3 compares the two.TABLE 5.3 Active vs. passive fingerprintingActive PassiveHow it works Uses specially crafted packets. Uses sniffing techniques to capture
packets coming from a system.Analysis Responses are compared to a
database of known responses.Responses are analyzed looking for
details of OS.Chance of
detectionHigh, because it introduces
traffic to the network.Low, because sniffing does not
introduce traffic to the network.