At one point, I wanted to be able to check both TCP and UDP protocols for a specific port on a specific host. I read through the help and man pages and saw that I can use -sO. This is where things got a little wonky. (Numbers have been changed to protect the innocent.)
$ nmap -sO 1-17 -p 52001 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-24 13:16 EDT
Protocols specified must be between 0 and 255 inclusive
QUITTING!
Huh?
$ nmap -sO 1,6,17 -p 52001 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-24 13:16 EDT
Protocols specified must be between 0 and 255 inclusive
QUITTING!
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-24 13:16 EDT
Protocols specified must be between 0 and 255 inclusive
QUITTING!
This goes on for a little longer using different syntax. I dig further into the man page. After hashing it out, this sentence reveals the confusion:
Yet it still uses the -p option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.
Wait, so, the -p option is used differently than everywhere else? Seems like it. I feel like points should be deducted here.
Using the following gets me the list of protocols; however, that is not quite what I need to know:
$ nmap -sO 10.10.10.5 -p 1,6,17
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-24 14:06 EDT
Nmap scan report for 10.69.55.214
Host is up (0.00086s latency).
PROTOCOL STATE SERVICE
1 open icmp
6 open|filtered tcp
17 open udp
Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds
Here's the real truth, though:
$ nmap -sU -sT -p 52001 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-24 13:32 EDT
Nmap scan report for 10.69.55.214
Host is up (0.00081s latency).
PORT STATE SERVICE
52001/tcp open unknown
52001/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
And it leads me to this final bit of confusion: Why does the scan using -sT -sU -p 52001 not give me the same as using the -p U:52001,T:52001 syntax? This is what the latter gives me:
$ nmap -p U:52001,T:52001 10.10.10.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-24 14:06 EDT
Nmap scan report for 10.69.55.214
Host is up (0.00084s latency).
PORT STATE SERVICE
52001/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
This is very confusing. Comment if you have some insight into this.
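An added example, not from the post: a small Python checker that expands an Nmap -p spec the way Nmap does (a T:/U: prefix sticks until the next prefix, bare ports apply to every enabled scan type) and reports the pairs that no enabled scan type covers. Fed the table from the last scan above, which was run without -sU, it shows why the UDP port never appears: a U: list is only scanned when -sU is on. The function names, the `enabled` set and SAMPLE_OUTPUT are my own constructions.

```python
import re

# Nmap applies a T:/U: prefix to every following item until the next prefix,
# and bare ports apply to every protocol for which a scan type is enabled.
_ITEM = re.compile(r"^(?:([TU]):)?(\d+)(?:-(\d+))?$")
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
_PREFIX = {"T": "tcp", "U": "udp"}

def parse_port_spec(spec, enabled):
    """Expand a -p spec into (proto, port) pairs.

    `enabled` holds the protocols a scan-type flag was given for ("tcp" for
    -sT/-sS, "udp" for -sU). Returns the pairs Nmap will scan and the pairs
    the spec names but no enabled scan type covers, which never reach the
    port table.
    """
    scanned, not_scanned = set(), set()
    current = None
    for item in spec.split(","):
        m = _ITEM.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised -p item: {item!r}")
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
        if prefix:
            current = _PREFIX[prefix]
        for proto in ([current] if current else sorted(enabled)):
            for port in range(lo, hi + 1):
                (scanned if proto in enabled else not_scanned).add((proto, port))
    return scanned, not_scanned

def parse_port_table(output):
    """Map (proto, port) -> state from Nmap's normal PORT/STATE/SERVICE table."""
    return {(m.group(2), int(m.group(1))): m.group(3) for m in _PORT_LINE.finditer(output)}

def audit_scan(spec, enabled, output):
    """Return (states seen in the table, pairs the spec asked for but no scan type covered)."""
    _, not_scanned = parse_port_spec(spec, enabled)
    return parse_port_table(output), not_scanned

# Constructed sample: the table from the last scan in the post. No -sU was
# given, so only TCP is enabled (Nmap's default scan type is a TCP scan).
SAMPLE_OUTPUT = "PORT      STATE SERVICE\n52001/tcp open  unknown\n"

if __name__ == "__main__":
    states, not_scanned = audit_scan("U:52001,T:52001", {"tcp"}, SAMPLE_OUTPUT)
    print(states, not_scanned)  # {('tcp', 52001): 'open'} {('udp', 52001)}
```

With -sU -sT and a bare port, the same checker reports both protocols as scanned, matching the -sU -sT -p 52001 output above.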