Re: AW: Re: nmap -sS SYN-SCAN does not find all open Ports?




Hi again,

short answer:
http://insecure.org/nmap/man/man-port-scanning-techniques.html
http://www.rfc-editor.org/rfc/rfc793.txt
This is BASIC information.

You have to know one more thing:
Every TCP/IP stack acts/works a little bit differently than it should. How
do you think nmap or p0f do TCP OS fingerprinting!? Differences in
the TCP/IP packets.


If you still have questions, feel free to ask.


Kind regards,

Arturas Zalenekas
Network Security Engineer and Analyst
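As an added illustration that is not part of any message in this thread: the states the linked man page defines for a SYN scan (SYN/ACK is open, RST is closed, no answer is filtered) applied to a constructed tcpdump-style capture, plus the check the thread suggests of comparing the ports nmap meant to probe with the SYNs that actually reached the wire. The capture text, the addresses 10.0.0.5 and 203.0.113.7, and the port list are all made-up sample data.

```python
import re

# Constructed sample capture in tcpdump's default text format: scanner
# 10.0.0.5 probing 203.0.113.7 (both addresses are illustrative placeholders).
CAPTURE = """\
17:49:01.000100 IP 10.0.0.5.40001 > 203.0.113.7.25: Flags [S], seq 1, win 1024, length 0
17:49:01.000900 IP 203.0.113.7.25 > 10.0.0.5.40001: Flags [S.], seq 2, ack 2, win 512, length 0
17:49:01.001000 IP 10.0.0.5.40001 > 203.0.113.7.25: Flags [R], seq 2, win 0, length 0
17:49:01.002000 IP 10.0.0.5.40002 > 203.0.113.7.22: Flags [S], seq 1, win 1024, length 0
17:49:01.002800 IP 203.0.113.7.22 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
17:49:01.003000 IP 10.0.0.5.40003 > 203.0.113.7.80: Flags [S], seq 1, win 1024, length 0
17:49:02.003000 IP 10.0.0.5.40003 > 203.0.113.7.80: Flags [S], seq 1, win 1024, length 0
"""

# One tcpdump TCP line: timestamp, src.sport > dst.dport, then the flag set.
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def classify_syn_scan(capture, scanner, target, probed_ports):
    """Map each probed port to the state a SYN scan reports, using only what
    is on the wire: SYN/ACK -> open, RST -> closed, no reply -> filtered.
    A port whose SYN never appears in the capture is reported as
    'not on wire': taken on a switch monitor port, that is the symptom of a
    scanning host (e.g. a VM) that drops its own raw packets."""
    seen_syn = set()
    reply = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if m["src"] == scanner and m["dst"] == target and flags == "S":
            seen_syn.add(int(m["dport"]))
        elif m["src"] == target and m["dst"] == scanner:
            port = int(m["sport"])
            if "S" in flags and "." in flags:   # SYN/ACK: something listens
                reply[port] = "open"
            elif "R" in flags:                  # RST: reachable but closed
                reply.setdefault(port, "closed")
    states = {}
    for port in probed_ports:
        if port not in seen_syn:
            states[port] = "not on wire"
        else:
            states[port] = reply.get(port, "filtered")
    return states
```

A connect() scan maps the same three wire outcomes to the same three states through the OS stack, so a differing -sS/-sT result is a reason to compare the scanner-side and span-port captures.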


Hi,

Sorry, but I found out that there is actually no problem with nmap. I've
just not read the output of nmap intently.


When I use -sT, nmap shows that port 25 and port 4100 are open. That's right.
And additionally nmap says that port 80 and 443 are FILTERED!
Because I am new to using nmap I did not think much about this. All other
ports that are not listed by nmap are in state closed.

When I use -sS, nmap again shows that port 25 and 4100 are open. BUT NOW (using
-sS) all other ports are in state filtered. And that's why I thought that
nmap does not show all open ports, because I was wondering why nmap does
not list port 80 and 443.

I don't understand why there is a difference between a connect() scan and
a SYN scan in the results nmap provides. Why are closed ports
stated as closed when performing a connect() scan, and why are closed ports
stated as filtered when performing a -sS scan?

Could it somehow be related to my backend firewall? I have a frontend
firewall (Watchguard) and a backend firewall (ISA). Nevertheless, in my
opinion both -sT and -sS should state all closed ports as filtered.

So why are the results different when using -sS and -sT?

Best regards
-Benjamin Wagrocki-







-----Original Message-----
From: FocusHacks [mailto:focushacks@xxxxxxxxx]
Sent: Monday, 25 September 2006 17:49
To: Arturas Zalenekas
Cc: Benjamin Wagrocki; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Re: nmap -sS SYN-SCAN does not find all open Ports?

I echo the sentiment about booting the live CD on a standalone machine.
VMWare sometimes acts unpredictably with network tools.

Also, if you can, get a tcpdump or ethereal capture of your port scan.
This will help determine what's going on. Ideally, you should do it on
the monitor port of the switch that your scanning machine is using, or
use a hub. Running the capture on the scanning machine directly might
yield deceiving results (i.e. tcpdump may say that a packet was sent when
it may have never actually hit the wire).

On 9/25/06, Arturas Zalenekas <security@xxxxxxxxxxxxx> wrote:

Hi,

that with VMware could be a problem. Try to boot from the live CD
directly and then do the scan. That is what you said. You could give
Sentoo a try. It's also a live CD based on Gentoo. They've built a lot
of security tools into it (actually almost everything that I know and use
daily).
One more suggestion: try to scan the FW from the internal network or
dial in with VPN and scan the internal interfaces, and try to use the nmap
option -T in polite or another mode. If you still have any questions,
feel free to post.



Kind regards,

Arturas Zalenekas
Network Security Engineer and Analyst



Hello,

thanks for your answer.

So here is some more information:

I'm trying to scan the firewall (Watchguard X700) of my company
from home for security reasons. So I know which ports are open,
because I'm administering the firewall.

I use the BackTrack 3.0 (remote-exploit.org) live Linux CD. This is
based on Slackware, kernel 2.6.156, with Nmap 4.03.

On the Watchguard X700 all intrusion prevention features are
disabled, so "Block SYN Flood Attacks" is also disabled. The firewall
is not blocking me, because I can do normal connect() scans after a
SYN scan, and with the connect() scan the open ports 80 and 443 are
correctly found.

Maybe VMware (Windows) is the reason? I've run BackTrack in a VM
(direct access to the NIC) under Windows. What I will try this evening
is to boot the notebook directly with the BackTrack CD and
connect directly to my ISP, then perform a SYN scan again.
Maybe then I will get better results.

I will then post my result here.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec
management education and the case study affords you unmatched
consulting experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



















