Re: nmap inconsistent results - via intermedite router?

On 25 Feb 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1140922538.962667.115330@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, ads wrote:

I have the situation where I have 2 linux machines. Both are sarge and
both have nmap 3.81. One machine is on my home network, the other on
the internet.

When I run an nmap from my home machine to the internet machine, it
reports the 5190 (aol) port as open amongst the usual ssh etc. If I run
nmap from the internet machine itself (on its IP address, not loopback
etc), it does not have 5190 as open!

Multiple answers.

1. Using nmap against the loopback won't detect ports that are ONLY open
on the Ethernet interfaces. Try 'netstat -tupan' on that internet system.

2. 5190... which protocol? If UDP, re-read the nmap man page.

3. From the internet system, run tcpdump which looks lower in the stack
than your firewall. What's there?

4. From your home system, run tcpdump, and attempt to connect to that port
on the remote system (nmap will do, but restrict the range scanned so as
to not be overwhelmed with data). Who is responding with the 'SYN/ACK'?
Do you get a banner?

Having looked into this as much as I can, I think that nmap is picking
up a port from the home firewall (a DG834G, which is reported as having
this port specifically left open - amongst others).

Depends on what other "tools" you have available. tcpdump may not be easy
to understand, but it should provide the answer.

But why does an outgoing request, targetted at a remote server then
come back with information from another source? How can I test the
server remotely if it doesn't bring back the right details?

You need to spend more time reading the documentation that comes with
nmap. It can do a whole lot of things, but some things may get
misinterpreted at some point in the game.

Anyone any ideas? Apologies if this is not sufficient info. I need to
sleep and thought someone might be able to answer off the top of their
head.

The description of the network isn't that clear.

Old guy
.

Relevant Pages

  • Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
    ... When Nmap (or many ... > other applications, such as Telnet) does a connectcall, the OS is ... > supposed to choose a good souce port to bind to for the connection. ... I saw a familiar "Connection reset by peer" every time the random port ...
    (Incidents)
  • Re: Yes, trying to hack a remote control
    ... I attempted a telnet into that port, and it asked for a username/pass, ... and then upload a modified firmware to the remote. ... The latest versions of nmap have a feature whereby you can run scans ...
    (Security-Basics)
  • Re: how nmap can know my firewalled servers ?
    ... UDP or ICMP protocol), it will mark the port as closed. ... descrition, how NMAP determins, if the UDP port is open or closed. ... Try Webroot's Spy Sweeper Enterprisefor 30 days for FREE with no ...
    (Security-Basics)
  • Re: FW: baby pen-test question
    ... I ALWAYS do an nmap sweep of varying degrees. ... As for testing a large network, I primarily base my efforts on the mission ... My first question is about port scanning. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: Help understanding NMAP results
    ... >to do with IT) but I have been playing with old computers and Linux in my ... and is set to default DROP any packets ... Went over to a friend's house, and ran an NMAP scan against myself ... You could listen on that port and see what traffic is passing when you ...
    (Security-Basics)