RE: Very strange nmap scan results



I've seen similar output when I happened upon an old hub. Perhaps you
can ask your client if he has any old network devices still residing in
his DMZ (assuming your client has an up-to-date inventory)?

Cheers,
Jim

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Adrian Sanabria
Sent: Monday, September 24, 2007 4:20 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Very strange nmap scan results

Perhaps a different kind of scan will filter those out? I've seen this
happen long, long ago, but never tested different types of scans (for
example, since you tried a connect scan, try a SYN scan, etc...).

--Adrian

On 9/22/07, Hans-J. Ullrich <hans.ullrich@xxxxxxx> wrote:
On Friday 21 September 2007, Juan B wrote:
Hi all,

For a client I'm scanning his DMZ from the internet.

I know the servers are behind a PIX 515 without any added security
features (they don't have any IPS, or they didn't enable the IPS
feature of the PIX). They also

don't have any honeypot etc.

The strange thing is that I receive too many open ports!
For example, I scan the mail relay and although just port 25 is
open it reports lots more open ports!
This is the nmap scan I issued:

nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt

(I changed the IPs here...)

and the results for the mail relay, for example, are:


Interesting ports on mail.cpsa.com (200.61.44.50):
PORT STATE SERVICE
1/tcp open tcpmux
2/tcp open compressnet
3/tcp open compressnet
4/tcp open unknown
5/tcp open rje
6/tcp open unknown
7/tcp open echo
8/tcp filtered unknown
9/tcp open discard
10/tcp open unknown
11/tcp open systat
12/tcp open unknown
13/tcp open daytime
14/tcp open unknown
15/tcp open netstat
16/tcp open unknown
17/tcp open qotd
18/tcp filtered msp
19/tcp open chargen
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
24/tcp open priv-mail
25/tcp open smtp
26/tcp open unknown
27/tcp open nsw-fe
28/tcp open unknown
29/tcp open msg-icp
30/tcp open unknown
31/tcp open msg-auth
32/tcp open unknown
33/tcp open dsp
34/tcp open unknown

This continues up to port 1024...

Any ideas how to eliminate so many false positives?

thanks a lot,

Juan






--------------------------------------------------------------------
----
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
--------------------------------------------------------------------
----

Hi Juan !

Yes, this happens when there is a "firewall" running. I have
portsentry running, and when I do a portscan, it seems every port
is available.
Indeed, they are not! And if someone is scanning me, portsentry has
already detected it and is executing the preconfigured task (i.e.
logging, disconnecting, putting the IP into /etc/hosts.deny or whatever I
told it).

Best regards

Hans







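The diagnosis in the thread (a portsentry-style trap, or a firewall that completes the handshake on the host's behalf) also points at the way to prune the false positives: a -sT or -sS "open" only proves that something answered the SYN, so the re-check has to look at what the peer does after the handshake. The script below is an added example, not code from the original thread or from the nmap or portsentry projects. It assumes that a trap accepts the connection and closes it immediately, that a real service either sends a banner or keeps the connection up waiting for input, and that a target is worth flagging when at least three probed ports, and at least half of them, only accept-and-drop; the local listeners, the "220 mail.example ESMTP" banner and the port layout of the demo are constructed to reproduce the pattern Juan saw.

```python
"""Re-check ports that nmap reports as open by watching post-handshake behaviour.

Added example, not code from the original thread. A -sT or -sS result only
proves that something answered the SYN. A portsentry-style trap (assumed here
to accept the connection and close it at once) or a firewall that completes
handshakes for the target therefore shows every port as open; a real service
behaves differently once the connection is up.
"""
import socket
import socketserver
import threading

HOST = "127.0.0.1"  # the demo below runs against local listeners only


def probe(host, port, timeout=2.0):
    """Classify one TCP port by what the peer does after the handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"           # RST to our SYN: nothing listening, nothing faking
    except OSError:
        return "filtered"         # timeout or unreachable: silently dropped
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return "open-silent"  # handshake done, peer waits for us to talk
        except ConnectionResetError:
            return "open-reset"   # accepted, then RST: typical of a trap
    return "open-banner" if data else "open-eof"  # open-eof: accepted, then FIN


def triage(results, min_decoys=3):
    """Split probe results into ports that behave like services and ports that only
    accept-and-drop. The target is flagged when the accept-and-drop ports number at
    least min_decoys and make up at least half of everything probed (assumed threshold)."""
    trap_like = sorted(p for p, s in results.items() if s in ("open-eof", "open-reset"))
    real_like = sorted(p for p, s in results.items() if s in ("open-banner", "open-silent"))
    suspected = len(trap_like) >= min_decoys and len(trap_like) * 2 >= len(results)
    return {"decoy_suspected": suspected, "likely_real": real_like, "accept_and_drop": trap_like}


class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


class _DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        return  # accept and immediately close: the trap behaviour assumed above


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(b"220 mail.example ESMTP\r\n")  # constructed banner
        try:
            self.request.recv(64)  # wait for the client to hang up
        except OSError:
            pass


def start_server(handler):
    """Bind a listener on an ephemeral loopback port; returns (server, port)."""
    server = _Server((HOST, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _closed_port():
    """Reserve and release a port so the OS answers RST on it (small race, fine for a demo)."""
    with socket.socket() as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def demo():
    """Four trap ports, one real SMTP-like port, one closed port: the pattern from the thread."""
    servers = [start_server(_DecoyHandler) for _ in range(4)] + [start_server(_BannerHandler)]
    ports = [p for _, p in servers] + [_closed_port()]
    try:
        results = {p: probe(HOST, p, timeout=1.0) for p in ports}
    finally:
        for srv, _ in servers:
            srv.shutdown()
            srv.server_close()
    return results, triage(results)


if __name__ == "__main__":
    results, verdict = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    print(verdict)
```

Against a real DMZ host, run probe() over the ports nmap called open plus a few canary ports that could not plausibly carry a service; if the canaries come back "open-eof" or "open-reset" the whole nmap result set is suspect and only the "open-banner" and "open-silent" ports deserve follow-up. Pair it with the comparison Adrian suggests (-sS next to -sT, and nmap's --reason to see which packet produced each state); note that current nmap spells the old -P0 as -Pn.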


