Is it possible for Nessus and Netstat under win2k to get confused about what is really a "listener"?

From: James Bowman (jim_at_drexel.edu)
Date: 10/21/03

  • Next message: Jeffrey: "RE: Mini Access Point" 
    Date: 21 Oct 2003 10:33:03 -0000
To: pen-test@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    Is it possible for Nessus and Netstat under win2k to get confused about what is really a "listener"?

    Here's the scenario:

    I scan a win2k IIS server using Nessus. Get back say 11 open ports. I scan it again with NMAP and get back different numbers of open ports. I then scan it again, using the NMAP capabilities under Nessus. I again get differing numbers of open ports, some ports being suspect, (e.g. TCP 1120 and 1032).

    I immediately investigate the box itself using netstat -an. I see roughly 12 Listeners, some of which again have me worried, (TCP 1120, 1032).

    I Install fport and active ports, close some MS unneeded services, reboot and suspect ports are gone. Fport and active ports were worthless, probably due to lock down procedures.

    Question is - "is it possible that Nessus and Netstat were reading an established connection or were these real listeners?"

    Anyone else have a similar experience?

    Searches show 1120 as possibly Netbus and 1032 as ICQ.

    ---------------------------------------------------------------------------
    FREE Whitepaper: Better Management for Network Security

    Looking for a better way to manage your IP security?
    Learn how Solsoft can help you:
    - Ensure robust IP security through policy-based management
    - Make firewall, VPN, and NAT rules interoperable across heterogeneous
    networks
    - Quickly respond to network events from a central console

    Download our FREE whitepaper at:
    http://www.securityfocus.com/sponsor/Solsoft_pen-test_031015
    ----------------------------------------------------------------------------

  • Next message: Jeffrey: "RE: Mini Access Point"