Re: Very strange nmap scan results

---

• From: Brian Laing <brian@xxxxxxxxxxx>
• Date: Fri, 21 Sep 2007 10:20:50 -0700

---

Interesting, If I had to hazard a guess I would almost think you have some dynamic port translation going on. Would you be willing to share the configuration file of the firewall?
--------------------------------------------------------------------
Brian Laing
Chief Security Officer
Cellphone: +1 650.280.2389
Office: +1 (888) 845-8169 Ext. 805
Email: brian@xxxxxxxxxxx

Redseal Systems – http://www.redseal.net

Instant Visibility. Threats Averted.
-------------------------------------------------------------------




On Sep 21, 2007, at 10:14 AM, Juan B wrote:

Yes I did.

for example fort 25 and its opened.

Juan
--- Brian Laing <brian@xxxxxxxxxxx> wrote:

Also have you tried to telnet into some of these
ports to verify they
are or are not listening?

--------------------------------------------------------------------

Brian Laing
Chief Security Officer
Cellphone: +1 650.280.2389
Office: +1 (888) 845-8169 Ext. 805
Email: brian@xxxxxxxxxxx

Redseal Systems – http://www.redseal.net

Instant Visibility. Threats Averted.

-------------------------------------------------------------------

On Sep 20, 2007, at 9:22 PM, infos3c@xxxxxxxxx
wrote:

Hi Juan,

Here you have used TCP connect scan [nmap -sT].Are

you getting same

list of open ports for Syn scan [nmap -sS] also?

if you are getting the same ports for Syn scan

then put a sniffer

to see whether you are receiving SynAck from the

IP you are

scanning. If there are no replies coming the

problem is local o

your machine from where you are doing scanning.

However if there

are replies (SynAck) coming, then you know some

one is responding

to your scanning.

At the end of this if you conclude that the host

being scanned

(PIX) is really replying for all these connection

attempts then you

can try "Firewalking" on random ports to pass

through the

firewall.....

Hope this helps

______________________________________________________________________ ______________
Check out the hottest 2008 models today at Yahoo! Autos.
http://autos.yahoo.com/new_cars.html

---

• References:
  • Re: Very strange nmap scan results
    • From: Juan B

• Prev by Date: Re: Very strange nmap scan results
• Next by Date: Re: Firewall rulebase audit
• Previous by thread: Re: Very strange nmap scan results
• Next by thread: Windows XP anti mac spoofing protection ?
• Index(es):
  • Date
  • Thread

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > security-basics  > 2007-09