Port scanner questions

Printable View

June 12th, 2004, 04:08 AM
Phonedog911

Port scanner questions

I was messing around, scanning my ip with nmap 2day and i have a couple questions about some things that i dont understand:

1. when i scan my ip or my friend's ip(he knew about it) with -sS it doesnt return anything, but if i use -sT, it finds open ports. why is that? we're both comcast users.

2. when i scanned my ip it found port 80, 1080, 119, etc. open. my setup is modem---> router---> mycomp, othercomps. why does it think these ports are open? is it showing that my router has these ports open or is it possible that its scanning the gateway im connect thru at my isp?

3. what exactly happens when u scan a network thats behind a router? does it scan the router or what?

4. when i do an ipconfig, it says this at the top:

Code:

Connection-specific DNS Suffix . : ce1.client2.attbi.com

. what is that and what does it mean?

thx for answering my questions
:D
June 12th, 2004, 04:45 AM
Propaganda

-sS = SYN

You are sending him or yourself, a syncronization packet which initiates a three way handshake. He in return sends an ackowledgement packet , then your node creates a virtual circuit with his node.

When I scan using TCP+ICMP (under the discover tab) I dont get very far because my router doenst accept ICMP(ping) request.

Your router shouldnt show any ports open. It shouldnt accept ping request for that matter.

See what other port scanners bring up.......

Now on another note I have recently dl Nscan. I wouldnt reccomend it to youl. It may be also I just didnt install an additional stand alone program to use in conjuction with it. Maybe someone who uses Nscan can comment. It seems to tell me that I have the same 3 open ports. When different progs say others are open too.
June 12th, 2004, 07:33 AM
therenegade

1.-sS is a stealth scan which can only be done if you have admin privileges.sure you have them?
-sT is a default TCP port scan(3way handshake)
tried -v along with it?(thats verbose in case you didnt know,gives you more info basically)
2.hmm,yes,your router shouldnt be showing these ports open,the ports're normal though,80's http,1080's the default proxy port for a lot of proxies
3.I'm not too sure myself,but I think it'd scan the router
4.I think thats your DNS server?I believe ISP's have a default one,and thats yours.Here's an article on how to play with your DNS options though:http://www.jsiinc.com/SUBI/tip4200/rh4229.htm
June 12th, 2004, 10:30 AM
slarty

Re: Port scanner questions

Quote:

Originally posted here by Phonedog911
1. when i scan my ip or my friend's ip(he knew about it) with -sS it doesnt return anything, but if i use -sT, it finds open ports. why is that? we're both comcast users.

Either your nmap setup is broken in that it can't send /receive raw packets correctly, or you are using some network configuration which is preventing -sS working. I suspect you are a Windows user, therefore I'm going for the former, as this often seems to happen on Winnmap (although when I've installed it following the instructions correctly, I've never had a problem)

Quote:

2. when i scanned my ip it found port 80, 1080, 119, etc. open. my setup is modem---> router---> mycomp, othercomps. why does it think these ports are open? is it showing that my router has these ports open or is it possible that its scanning the gateway im connect thru at my isp?

You scanned your own IP address? Depends via what mechanism. You have a router. If this router does NAT, expect ALL PORT SCANS to FAIL. You could even DoS yourself.

Never scan through a NAT router, it really won't make accurate results.

Bear in mind, that your ISP may have transparent proxying / their own NAT types (transparent proxying involves NAT at some level) - this will interfere with scans that go through that setup. Mine does this for port 80 only, so even an IP address which I know to be unroutable, will still show 80 open.

If you scan through NAT, expect inaccurate results, or trouble. Never scan through a NAT without permission from the NAT router's manager - it may cause problems.

If you know from experience that there is a specific type of NAT that you can avoid, use the scanner options to avoid the NAT - for instance, if you know your ISP transparently proxies TCP port 80, avoid ever scanning that port.

Quote:

3. what exactly happens when u scan a network thats behind a router? does it scan the router or what?

Depends if NAT is involved.

If the router is *JUST* a plain router, then it scans as normal. In a sense, every network is behind a router (unless it's a totally isolated LAN).

If it does NAT, then you typically CANNOT scan the hosts behind the router, because you can't route packets to their IPs, which are in private space.

Quote:

4. when i do an ipconfig, it says this at the top:

Code:

Connection-specific DNS Suffix . : ce1.client2.attbi.com

. what is that and what does it mean?

That's the DNS domain name you're in.

Slarty
June 12th, 2004, 01:40 PM
Phonedog911

yeah, im behind a router so i guess the nat is fudging my results. can anybody here verify that comcast isnt causing the problem?? i dunno why i cant stealth scan myself or my friend cuz i tried it on some sites and it seemed to return valid results(i checked them with telnet).

<edit>
???? i just went and telnetted to myself on port 80, 1080, 119, etc. and it seems that i really am open on those ports. I also telnetted to my router's internal ip address 192.168.0.1, and it is open on those ports(i guess it really does scan the router). so, why does my router have these ports open? a port open means that connections can come in on that port, it doesnt have to have the port open for outbound, right? how is it that a router can have ports open, i thought it was only supposed to route packets
June 12th, 2004, 04:49 PM
Nokia

Your router will have port 80 open as you will connect to the internet trough this port

Port 119 it typicaly used for Network News Transfer Protocol (UDP + TCP) There should be a setting in your router config screen to disable this!

1080 is used for socks,(im not quite sure about this but i think it is something to do with proxies, google it maybe)

You say you telneted to these ports from inside your network?
Did it actually connect?

As you are inside the network the results of any scan you do will be different that if you scanned from outside of the network!
June 13th, 2004, 03:54 AM
Phonedog911

i dont understand why the router has ports open. if i were connecting to a webserver, it would connect from my comptuer on some high port to the web server on port 80, but thats outbound so nothing on my side needs to have port 80 open, it just needs to know that any connection that a computer on our network initiates is allowed and any from an computer outside the network is disallowed, right? and i scanned from my internal and external ips and got the same results, and i got connections when i telnetted to those ports.
June 14th, 2004, 02:53 PM
Tom756

Most newer routers for home and small businesses allow you to access their control module through your browser. This means that they have to act as a simple http server. So if your router is capable of that, then it could explain port 80. Just in case make sure you have a strong password on it and you should be fine...you might want to check out if you can specify the IP's capable of accessing it.
June 15th, 2004, 04:21 AM
Phonedog911

you said:

Quote:

Just in case make sure you have a strong password on it and you should be fine...you might want to check out if you can specify the IP's capable of accessing it.

. but, when i go to my external ip in the web browser, it doesnt bring up the router configuration, it only does that if i go to its internal address(192.168.0.1). why is that?