Newbie Scan Challenge

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    48

    Newbie Scan Challenge

    I am posting this as an exercise for Folks who are very new, and are just getting into ports, security, etc.

    Please, Friends, I know there are some here who could write a thesis on the scan log below, but please refrain.

    I offer this to our posters here who have asked about how to port scan, what it means, etc.

    The Challenge:

    Below is an actual nmap scan.

    The address has been removed as it matters not.

    You are given this scan and asked to assess it in terms of potential problems, as well as recommendations.

    Please post your observations in two parts:

    1. What are your initial observations? (i.e. "port xxxx is open and I don't think it should be")

    2. What are your recommendations? (i.e. close port xxxx, disable service xxxx, etc.)


    -------------------------------------------- SCAN LOG BELOW --------------------------------------------------


    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

    Interesting ports on xxxxxx.xxxx.xxx (xxx.xxx.xx.xxx):
    (The 1116 ports scanned but not shown below are in state: closed)
    Port State Service
    21/tcp open ftp
    75/tcp filtered priv-dial
    80/tcp open http
    135/tcp filtered loc-srv
    139/tcp open netbios-ssn
    147/tcp filtered iso-ip
    208/tcp filtered at-8
    443/tcp open https
    447/tcp filtered ddm-dfm
    487/tcp filtered saft
    528/tcp filtered custix
    535/tcp filtered iiop
    560/tcp filtered rmonitor
    582/tcp filtered scc-security
    596/tcp filtered smsd
    999/tcp filtered garcon
    1027/tcp open IIS
    1110/tcp filtered nfsd-status
    1380/tcp filtered telesis-licman
    1426/tcp filtered sas-1
    1433/tcp open ms-sql-s
    1989/tcp filtered tr-rsrb-p3
    2000/tcp open callbook
    2001/tcp open dc
    2025/tcp filtered ellpack
    2028/tcp filtered submitserver
    2034/tcp filtered scoremgr
    2232/tcp filtered ivs-video
    3999/tcp filtered remoteanything
    4132/tcp filtered nuts_dem
    5191/tcp filtered aol-1
    12345/tcp filtered NetBus
    13709/tcp filtered VeritasNetbackup
    32770/tcp filtered sometimes-rpc3
    Remote OS guesses: Baystack Instant Internet 400 SoHo Router, NetScreen-100, FreeBSD 4.0-20000208-CURRENT, Linux 1.3.20 (X86), Solaris 2.5, 2.5.1, Solaris 2.6 - 7 (SPARC), Solaris 2.6 - 7 X86, Solaris 2.6

    Nmap run completed -- 1 IP address (1 host up) scanned in 49 seconds

    ------------------------------------ END OF SCAN ---------------------------------------------------

    .: Aftiel
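As an added example (not part of the original thread, and not anyone's posted code), here is a small parser for the nmap 3.00 "normal" output format shown above, followed by a summary in the two parts the challenge asks for. The sample text is a constructed, trimmed copy of the scan log; the SERVICES_OF_CONCERN mapping is an assumption made for the example, not a judgement the scan itself makes.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the nmap 3.00 "normal" output quoted in the post.
SAMPLE_SCAN = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Interesting ports on xxxxxx.xxxx.xxx (xxx.xxx.xx.xxx):
(The 1116 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
75/tcp filtered priv-dial
80/tcp open http
135/tcp filtered loc-srv
139/tcp open netbios-ssn
443/tcp open https
1027/tcp open IIS
1433/tcp open ms-sql-s
2000/tcp open callbook
2001/tcp open dc
12345/tcp filtered NetBus
Remote OS guesses: Baystack Instant Internet 400 SoHo Router, NetScreen-100

Nmap run completed -- 1 IP address (1 host up) scanned in 49 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

# Services a reviewer would question on an Internet-facing host. This mapping is an
# assumption made for the example; the scan log itself makes no such judgement.
SERVICES_OF_CONCERN = {
    "ftp": "cleartext logins; disable, or restrict to known source addresses",
    "netbios-ssn": "SMB/NetBIOS session service should not be reachable from the Internet",
    "ms-sql-s": "database listener exposed; bind to an internal interface or filter it",
}


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_normal(text):
    """Parse nmap 'normal' output into PortEntry records plus the
    '(The N ports ... are in state: X)' summary, returned as (N, X)."""
    entries = []
    not_shown = (0, None)
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = NOT_SHOWN_RE.search(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
    return entries, not_shown


def summarize(entries, not_shown):
    """Turn parsed entries into the two things the challenge asks for:
    observations (what is open/filtered) and recommendations (what to look at)."""
    counts = Counter(e.state for e in entries)
    hidden_count, hidden_state = not_shown
    if hidden_state:
        counts[hidden_state] += hidden_count
    open_ports = sorted(e.port for e in entries if e.state == "open")
    filtered_ports = sorted(e.port for e in entries if e.state == "filtered")
    concerns = [
        (e.port, e.service, SERVICES_OF_CONCERN[e.service])
        for e in entries
        if e.state == "open" and e.service in SERVICES_OF_CONCERN
    ]
    return {
        "counts": counts,
        "open_ports": open_ports,
        "filtered_ports": filtered_ports,
        # Heuristic only: 'filtered' says something between the scanner and the
        # service dropped or rejected the probe, not where that device sits.
        "filtering_present": bool(filtered_ports),
        "concerns": concerns,
    }


if __name__ == "__main__":
    entries, not_shown = parse_nmap_normal(SAMPLE_SCAN)
    report = summarize(entries, not_shown)
    print("state counts:", dict(report["counts"]))
    print("open:", report["open_ports"])
    print("filtered:", report["filtered_ports"])
    for port, service, why in report["concerns"]:
        print(f"recommend reviewing {port}/tcp ({service}): {why}")
```

One caveat worth keeping in mind when reading the Service column: nmap 3.00 had no version detection, so names like "IIS" on 1027/tcp or "NetBus" on 12345/tcp come from a port-number lookup in nmap-services, not from anything observed on the wire. Confirming what is really listening needs a follow-up probe (banner grab, or a later nmap with -sV).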

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    298
    (1) Ports are open that should not be. (2) Close all ports that are not vital and get a firewall that will cloak these ports.

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    48
    Which ports are open that should not be?

    How can we tell that open ports are not already cloaked? (or can we?)

    .: Aftiel

  4. #4
    Member
    Join Date
    Nov 2003
    Posts
    48
    rotfl - Definitely true.

    Now that a Senior Member has weighed in, let's have some truly new Folks see if they can expand on this even farther.


    Another question for the Challenge:

    What is meant by a "filtered" port? What do you think that represents?


    .: Aftiel

  5. #5
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    If you're using the services, and are staying up to date with updates and vulnerabilities for that particular daemon, then you should decrease the worrying level a little bit..But I don't know your internal policies of that particular system, or if it is in a DMZ, or what the TCP wrapper settings look like..Plus I don't know what ftpd you're using or what SQL..So unless you have absolutely no use for ftp, then it should definitely be closed..Renaming the port won't work, however, because skiddie tools nowadays can pretty much find any server on any port... Correct me on the answer if you will, but I have never heard of dc or callbook..Some googling is in order..So what it comes down to is turn off ftp definitely if you don't need it, turn off SQL unless you need it...IIS ?
    "Serenity is not the absence of conflict, but the ability to cope with it."

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    747
    Filtered means there is probably a firewall dropping the packets to that port. You really don't know whether that port is closed/listening or not though.

    Correct?!

  7. #7
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    Yes, filtered means that some kind of firewall is in place (iptables in this case) whether it be zone alarm or whatever...lol yea I did kind of give it a funny look when I saw netbus sitting there....
    "Serenity is not the absence of conflict, but the ability to cope with it."

  8. #8
    Member
    Join Date
    Nov 2003
    Posts
    48
    Excellent observations.

    IIS = has been exploited more times than I can count. Endless patches. That would be a prime target for a hacker.

    By the way, this is not one of my machines, nor is it on a network I am responsible for. This was a blind scan on an .edu (big surprise.)

    Bah! these Senior Members chiming in with the in-depth stuff -- no fair!! -

    Filtered as I have seen it means that yes, the packets are being dropped, OR the port is filtered to permit only a certain IP Block.

    BONUS QUESTION:

    Is there any way to tell if this server is behind a firewall from looking at the scan?

    .: Aftiel

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    747
    BONUS QUESTION:

    Is there any way to tell if this server is behind a firewall from looking at the scan?
    Aren't the ports with the filtered state an indication that this is the case?

  10. #10
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Actually nmap returns 'filtered' when the packets are explicitly 'rejected' by the server (or en route), while 'dropping' the packets will not return any reply and subsequently the port will not be logged by the scanner. It is more common to find 'filtered' ports on routers and other older network devices and OSs, as it is becoming increasingly common for firewalls to simply 'drop' the packets, because even rejects cause the server to process the packets as well as create unnecessary traffic, which can result in a DoS. Although sometimes perimeter firewalls reject packets to many commonly exploited ports in an attempt to discourage kiddies from scanning their subnet (once the attacker sees the packets will all be rejected).

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
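The posts above disagree about what "filtered" actually means, so here is an added example (mine, not from the thread) that models the rules nmap's reference guide documents for a SYN scan: a SYN/ACK means open, a RST means closed, and either no reply after retransmissions or an ICMP destination-unreachable (type 3, code 1, 2, 3, 9, 10 or 13) means filtered. The toy firewall policies, the reply records and the one-second timeout are assumptions made so the example runs offline; real packets and nmap's adaptive timing are not modelled.

```python
from dataclasses import dataclass

# Replies a SYN probe can get back, modelled as plain records rather than packets.
@dataclass(frozen=True)
class TcpReply:
    syn: bool
    ack: bool
    rst: bool


@dataclass(frozen=True)
class IcmpReply:
    icmp_type: int
    icmp_code: int


# ICMP destination-unreachable (type 3) codes that nmap treats as evidence of filtering.
FILTERING_UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}


def classify_syn_probe(replies):
    """Classify one port from the replies to a SYN probe and its retransmissions.

    replies is a list where each element is a TcpReply, an IcmpReply, or None
    (None stands for a timeout with no answer at all)."""
    for r in replies:
        if isinstance(r, TcpReply):
            if r.syn and r.ack:
                return "open"       # something completed step 2 of the handshake
            if r.rst:
                return "closed"     # the host answered, but nothing listens there
        elif isinstance(r, IcmpReply):
            if r.icmp_type == 3 and r.icmp_code in FILTERING_UNREACHABLE_CODES:
                return "filtered"   # an intermediate device admitted to blocking it
    # Every retransmission went unanswered: nmap cannot tell drop-by-firewall
    # from a host that never replies, so this is also reported as filtered.
    return "filtered"


def simulate_port(policy, listening, retries=2):
    """Replies a scanner would see under a toy firewall policy (assumed for this example).

    policy: 'accept' (host answers itself), 'drop' (silent discard),
            'reject-rst' (forged TCP reset), 'reject-icmp' (ICMP admin-prohibited)."""
    if policy == "drop":
        return [None] * (retries + 1)
    if policy == "reject-rst":
        return [TcpReply(syn=False, ack=True, rst=True)]
    if policy == "reject-icmp":
        return [IcmpReply(icmp_type=3, icmp_code=13)]
    if policy != "accept":
        raise ValueError(f"unknown policy {policy!r}")
    if listening:
        return [TcpReply(syn=True, ack=True, rst=False)]
    return [TcpReply(syn=False, ack=True, rst=True)]


def scan_cost_seconds(replies, timeout_s=1.0):
    """Time the probe ties up the scanner: each unanswered send waits out a full timeout."""
    return sum(timeout_s for r in replies if r is None)


if __name__ == "__main__":
    for policy in ("accept", "drop", "reject-rst", "reject-icmp"):
        replies = simulate_port(policy, listening=True)
        print(f"{policy:12s} listening -> {classify_syn_probe(replies):8s}"
              f" (scanner waits {scan_cost_seconds(replies):.0f}s)")
```

Two things the simulation makes visible: a firewall that rejects with a TCP reset makes a live service look closed rather than filtered, so "filtered in the log" specifically points at ICMP errors or silence; and silent drops cost the scanner a full timeout per retransmission, which is why dropping slows scans down while answering with rejects does not.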
