Re: Help understanding NMAP results
From: Sander (n00bical_at_gmail.com)
Date: Mon, 25 Jul 2005 03:33:53 +0200 To: email@example.com
Theodore Wynnychenko wrote:
>Well, hopefully this isn't too "stupid" a question to ask, but I have to ask
>anyway. I am nothing like a "computer security expert," (my job has nothing
>to do with IT) but I have been playing with old computers and Linux in my
>spare time (always learning).
>Anyway, I have an old computer that runs LEAF LRP (linux kernel 2.4.27 or
>so) as an external firewall to my home network. This system basically uses
>Shorewall to administer IPTABLES, and is set to default DROP any packets
>comming in on the exernal NIC.
>In the past, I did some basic port scans against myself using "online
>scanners", and always got back information indicating that no ports were
>responding (everything was "Stealth" - everything silently dropped).
>So, while looking around, I came across NMAP, and decided to use it to scan
>myself. Went over to a friend's house, and ran an NMAP scan against myself
>(nmap -sS -v -P0 -O xx.xx.xx.xx), and it says "Discovered open port
>Now, this really confuses me. When I scan myself using "online" scanners
>(directed specifically at 5190), I get back that packets were
>dropped/"stealthed," but NMAP says its open. I added a specific rule (in
>addition to the default drop policy) to drop anything to tcp 5190, but this
>made no difference. The "online" scanners still say nothing there, NMAP
>still says its open.
>NMAPs OS identification gives me several possibilities including "Linux
>2.4.x|2.5.x," so NMAP does seem to be getting some imformation from the
>TCP 5190 is apparently related to AOL IM, but this is not something I have
>ever used, and I can't think of any reason why the LEAF Firewall would have
>What am I missing?
>Thanks in advance for any help.
>bye - ted
I am no computer expert too but i also enjoy playing with pc s too :)
I have no all in one package solution to your problem but perhaps the
words below help
You could listen on that port and see what traffic is passing when you
do a scan. And/or let shorewall log all traffic of that port.
And the way you scan :
- (nmap -sS -v -P0 -O xx.xx.xx.xx)
is telling nmap to send the host a -syn packet and that means something
is listening on that port by returning an -ack packet.
wich is referred in the nmap manual as half open scanning
+ man nmap
So my guess is that something on your host is listening on that port
wich is succesfully blocked by shorewall in case tcp-connect scanning
- (nmap -sT -v -P0 -O xx.xx.xx.xx)
There are also other way to sniff the traffic on that port with programs like
An other way is to get your hand on a security related live cd boot and you have all kinds of auditing tools to get the answers you need without installing all kinds of potentialy dangerous programs on your firewall machine.
Hope this helps