Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

From: Pavel Kankovsky (peak@argo.troja.mff.cuni.cz)
Date: 12/26/02

    From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
    Date: Thu, 26 Dec 2002 16:50:51 +0100 (MET)
    To: alfaentomega <alfaentomega@yahoo.com>
    
    

    On Mon, 23 Dec 2002, alfaentomega wrote:

    > First I thought that they may be some ports, which are
    > kind-of open, but they never finish TCP handshake, but
    > they are detected only with basic nmap scan -sT, a TCP
    > connect() scan, and never by any other kind of scan,
    > like -sS SYN half-open scan (if they never finish the
    > handshake, then it would make more sense if -sS
    > detects them, while -sT thinks they're closed, not the
    > other way around - but I may be wrong here).
    >
    > Here are some of my other observations:
    > I ran nmap in a loop scanning TCP ports 1-10000 every
    > time (first it scanned 1-65535 but higher ports were
    > never open), and for 1000 ports found, there were 875
    > unique ones, with lowest 1036 and highest 4989, so
    > they look quite randomly distributed in this range.

    Your local port range (/proc/sys/net/ipv4/ip_local_port_range)
    is 1024-5000, right? You are probably seeing some autobound
    sockets.

    Hypothesis: one of the services listening on your machine opens a
    short-lived listening socket on an automatically assigned port (i.e.
    in the 1024-5000 range) when it accepts a connection. This would explain
    why a SYN scan does not trigger it but a connect() scan does.

    Try this:
      for each port p in 1-1023
         perform a connect() scan of p and 1024-5000

    Only a small set of p, perhaps a single value of p--the hypothetical
    offending service (see above)--should make the mysterious listening port
    appear.

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
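
A host-side way to look for the short-lived autobound listener hypothesised above, as an added example that is not part of the original message: it diffs snapshots of /proc/net/tcp and reports listening sockets inside the local port range that are not present in every snapshot. The function names, the 50 ms polling interval and the sample rows are assumptions constructed for illustration; the 1024-5000 default is the range mentioned in the message.

```python
"""Host-side watch for short-lived autobound listeners (added example)."""
import time

LISTEN = "0A"  # state code for TCP_LISTEN in /proc/net/tcp
HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue "
          "tr tm->when retrnsmt   uid  timeout inode")

def _row(n, port, state, uid, inode):
    """Build one constructed /proc/net/tcp row (sample data, not a capture)."""
    return (f"{n:4d}: 00000000:{port:04X} 00000000:0000 {state} "
            f"00000000:00000000 00:00000000 00000000 {uid:5d} 0 {inode}")

# Constructed snapshots: listeners on 22 and 3000, one ESTABLISHED connection
# on local port 3072, then a listener on 4001 that exists only in the second.
_BASE = [HEADER, _row(0, 22, "0A", 0, 1001), _row(1, 3000, "0A", 0, 1002),
         _row(2, 3072, "01", 500, 1003)]
SAMPLE_BEFORE = "\n".join(_BASE)
SAMPLE_DURING = "\n".join(_BASE + [_row(3, 4001, "0A", 0, 1004)])

def parse_listeners(proc_net_tcp):
    """Return {port: (uid, inode)} for every LISTEN row of /proc/net/tcp text."""
    listeners = {}
    for row in proc_net_tcp.splitlines()[1:]:  # skip the column header
        f = row.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        listeners[port] = (int(f[7]), int(f[9]))
    return listeners

def transient_autobound(snapshots, lo=1024, hi=5000):
    """Listeners in [lo, hi] present in some snapshots but not in all of them."""
    parsed = [parse_listeners(s) for s in snapshots]
    seen = {}
    for snap in parsed:
        for port, owner in snap.items():
            if lo <= port <= hi:
                seen.setdefault(port, owner)
    return {p: o for p, o in seen.items() if not all(p in s for s in parsed)}

if __name__ == "__main__":
    snaps = []
    for _ in range(200):  # poll the live table for about 10 seconds
        with open("/proc/net/tcp") as fh:
            snaps.append(fh.read())
        time.sleep(0.05)
    print(transient_autobound(snaps))
```

The reported inode can be matched against the `socket:[inode]` links under /proc/<pid>/fd to name the owning process while the socket still exists. A listener that lives for less than the polling interval can fall between two snapshots and go unreported.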
