Re: Help understanding NMAP results

From: Nikolai Alexandrov (voyager123bg_at_gmail.com)
Date: 07/11/05

    Date: Tue, 12 Jul 2005 00:36:01 +0300
    To: t-wynnychenko@northwestern.edu
    
    

    Theodore Wynnychenko wrote:

    >So, while looking around, I came across NMAP, and decided to use it to scan
    >myself. Went over to a friend's house, and ran an NMAP scan against myself
    >(nmap -sS -v -P0 -O xx.xx.xx.xx), and it says "Discovered open port
    >5190/tcp".
    >
    >
    >
    Try chkrootkit... Is it possible that the machine is compromised? Do you
    have any active connections from that port? What does "netstat -na"
    say? You are likely to find your port... Yet, if that is used only as a
    firewall... there shouldn't be even a single port open.

    >Now, this really confuses me. When I scan myself using "online" scanners
    >(directed specifically at 5190), I get back that packets were
    >dropped/"stealthed," but NMAP says it's open. I added a specific rule (in
    >addition to the default drop policy) to drop anything to tcp 5190, but this
    >made no difference. The "online" scanners still say nothing there, NMAP
    >still says it's open.
    >
    >
    The -P0 option does:
    "Do not try to ping hosts at all before scanning them. This
    allows the scanning of networks that don't allow ICMP echo
    requests (or responses) through their firewall."
    It is only useful if your firewall doesn't return ICMPs :)

    >NMAP's OS identification gives me several possibilities including "Linux
    >2.4.x|2.5.x," so NMAP does seem to be getting some information from the
    >firewall.
    >
    >
    >
    Nmap gets information about the OS from various flags of returned TCP
    packets... Google "OS fingerprinting" for more info.

    >TCP 5190 is apparently related to AOL IM, but this is not something I have
    >ever used, and I can't think of any reason why the LEAF Firewall would have
    >it open.
    >
    >
    >
    Not necessarily related. It could be anything...

    >What am I missing?
    >
    >Thanks in advance for any help.
    >
    >bye - ted
    >
    >
    >
    >
    >
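
Added example, not part of the original message: one way to act on the "netstat -na" suggestion in the reply above, by filtering netstat output for sockets that use port 5190 exactly and separating listeners from active connections. The sample output, the addresses in it, and the function names are constructed for illustration.

```python
import re

# Constructed sample of Linux "netstat -na" output (not from the original post).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51900      ESTABLISHED
tcp        0      0 192.0.2.10:5190         203.0.113.5:40112       ESTABLISHED
tcp6       0      0 :::5190                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def endpoint_port(endpoint):
    """Return the port of 'addr:port' (Linux/Windows) or 'addr.port' (BSD), else None."""
    m = re.search(r"[:.](\d+)$", endpoint)
    return int(m.group(1)) if m else None

def sockets_on_port(netstat_text, port):
    """Return (role, proto, local, foreign, state) for sockets that use `port` exactly."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].lower().startswith(("tcp", "udp")):
            continue  # skip headers and non-socket lines
        # Linux prints Recv-Q/Send-Q counters before the addresses; Windows does not.
        if len(f) >= 5 and f[1].isdigit() and f[2].isdigit():
            f = [f[0]] + f[3:]
        proto, local, foreign = f[0].lower(), f[1], f[2]
        state = f[3] if len(f) > 3 else ""
        if endpoint_port(local) == port:
            # A listener means a local service; anything else is a live session.
            role = "listening" if state.startswith("LISTEN") else "local-end"
        elif endpoint_port(foreign) == port:
            role = "remote-end"
        else:
            continue  # a plain text search for 5190 would also hit port 51900
        hits.append((role, proto, local, foreign, state))
    return hits

if __name__ == "__main__":
    for hit in sockets_on_port(SAMPLE, 5190):
        print(*hit)
```

An empty result on the firewall itself means nothing local is bound to the port, so the "open" report has to come from somewhere else on the path between scanner and target.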

