
Thread: NMAP Question......

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    NMAP Question......

    Ok, maybe Brian the Braincell is having a bad day but.......

    As a result of an NMAP SYN stealth scan, (nmap -sS -P0 -vv -T XXX.XXX.XXX.XXX), against my boss's home PC protected by a Linksys Cable/DSL Router, (BEFSR41) I got some results that got me thinking - which is very dangerous...... . BTW, yes - it was perfectly legal for me to scan the box before someone yells "foul".......

    The results came back with a series of ports, mostly Windows ports but one that I would specifically expect to be open, as filtered..... I'll be looking more carefully at the machine tomorrow since the downloader.trojan was found on it...... I scanned a different box I know to have ports open and a linksys protecting it and the results came back as open on the ports expected and lumped together at the top as XXXX closed on the rest. On a third box protected by a linksys the results were numerous ports closed with the rest being lumped together as XXXX ports filtered.

    Aside from the obvious inconsistency in the results above the question is if there is a machine on the other side of a linksys that has say port 2222 open how is NMap deciding if it is "filtered". Surely the packet would be dropped or return a "closed" putting it into the list closed. It can't be just because the packet is being dropped, (no response), because it is selecting ports I know to be open on the other side of the linksys.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    So you're actually finding open ports behind those Linksys routers? You must have got a hold of NMAP tutorial 5! Double -vv I'm going to scan with that switch right now brb.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This is what is bothering me..... and what I don't understand.

    Let's say, for the sake of the argument that I expected to see port 2222 open on both boxes allowing a service to be accessed remotely. The first box returned

    Port 2222 filtered

    while the second box came back with

    Port 2222 open, (as expected), but all other ports closed or filtered, (I forget)

    What bothers me was the fact that the first box also came back with

    port 135 filtered
    port 137 filtered
    port 139 filtered
    port 445 filtered
    etc for the remaining windows ports.

    All the while box 3 is sitting there with all the Windows ports open behind a linksys but no ports forwarded and the same scan produces a huge list of ports being closed and the others as being filtered.

    Since filtered means there is a firewall in the way, closed means it is accessible but is forced closed and open means... well.... open, what mechanism could a SYN stealth scan, (which is nothing more than a half open scan), use to determine that a port on the other side of a firewall is answering but my scanning box is not authorized to access the port?

  4. #4
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Expect certain well known ports to return state 'filtered' when blocked by the ISP perimeter (like sub-seven etc). I have seen linksys routers with a certain rev. of the firmware return ALL closed ports in the 'filtered' state. This is an issue with the firmware and can be resolved by upgrading (or downgrading if you have an extremely old BEFSR41) the firmware.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Maestro: I understand that..... But how come it reported port 2222 as filtered too.... it's not a standard port and it is open behind the firewall..... OK, let me rephrase.... It's _supposed_ to be open..... I think I might be getting it.... The port is forwarded on the firewall but it may no longer be open on the box. So NMap saw the forwarding and couldn't get a response from the box so it's "filtered".... It just reported the other common ports because that port is considered a windows OS port, (non-standard service), thus indicating a windows box.....

    Am I getting it yet?

  6. #6
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I would post an extremely informative and witty response, but you appear to have sorted it out already.

    -Maestr0

    P.S. If you are forwarding the packets to a blackhole inadvertently it may show up as filtered.....Let me know if you confirm this.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Maestro: You are too kind...... Brian, (the Brain Cell), thanks you too.......

    Thanks for helping me think harder and realize that boxes that have teenagers on them can do things that other boxes might not do and therefore a tool that usually doesn't lie... might....

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Maestro: No, It's going to a valid service so it isn't blackholed.... It's quite possible that the teenager has done something or the owner of the trojan has turned off the service to "protect his box".....

    But sorry, it's MY box.... It just happens to be owned by my boss..... It's disconnected from the world right now and at 9:00am EST I will be there in front of it..... Then _I_ get to look through it.....

    The problem I do have is that the teenager was only a normal user, (notice I said _was_), and one of the ways that this trojan has been spread is via a pornographic email that claims to have pictures attached..... But it makes registry changes..... Normal users shouldn't be able to do that..... But both the teenager's parents were admins....... I really hope I don't have to explain this to anyone that signs my paycheck.....

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I really hope I don't have to explain this to anyone that signs my paycheck.....
    I don't have anything too useful to add... but:

    Do you expect to NOT have to explain it to them? That's why they've hired you...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you send a SYN to a regular closed port you'll receive a RST packet back. These are noted as closed by nmap. If a SYN gets dropped (nothing gets sent back) by a router, firewall etc. nmap will note these as filtered. If you get a SYN-ACK as a response it's open.

    Run tcpdump while you're scanning. You'll quickly see the difference.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
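The three rules in the post above (and the open/closed/filtered definitions asked about in post #3) as working code, added here as an example and not taken from the thread or from Nmap itself. It walks a constructed tcpdump -n style capture of a SYN scan and labels each probed port the way the post describes: SYN-ACK back means open, RST back means closed, silence means filtered. The addresses, port numbers and line shapes are made up for the example; the repeated probe of port 2222 models the scanner retrying a silent port before giving up on it.

```python
"""Label TCP ports the way a SYN scan does, from tcpdump-style lines.

Added example built around the rules given in the thread:
  SYN probe answered with SYN-ACK  -> open
  SYN probe answered with RST      -> closed
  SYN probe(s) answered by nothing -> filtered
"""
import re

# Constructed addresses (documentation ranges), not the hosts in the thread.
SCANNER = "192.0.2.10"
TARGET = "198.51.100.5"

# Constructed capture in tcpdump -n style.  Ports and outcomes:
#   22   -> SYN-ACK comes back, scanner tears down with RST : open
#   80   -> RST comes back                                  : closed
#   2222 -> probe retransmitted, nothing ever comes back    : filtered
#   445  -> RST comes back                                  : closed
SAMPLE_CAPTURE = """\
IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 1000, win 1024, length 0
IP 198.51.100.5.22 > 192.0.2.10.40001: Flags [S.], seq 5000, ack 1001, win 65535, length 0
IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [R], seq 1001, win 0, length 0
IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 1000, win 1024, length 0
IP 198.51.100.5.80 > 192.0.2.10.40002: Flags [R.], seq 0, ack 1001, win 0, length 0
IP 192.0.2.10.40003 > 198.51.100.5.2222: Flags [S], seq 1000, win 1024, length 0
IP 192.0.2.10.40003 > 198.51.100.5.2222: Flags [S], seq 1000, win 1024, length 0
IP 192.0.2.10.40004 > 198.51.100.5.445: Flags [S], seq 1000, win 1024, length 0
IP 198.51.100.5.445 > 192.0.2.10.40004: Flags [R.], seq 0, ack 1001, win 0, length 0
"""

# Matches "IP a.b.c.d.port > a.b.c.d.port: Flags [..]"; the trailing fields are ignored.
LINE_RE = re.compile(
    r"^IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_ports(capture, scanner=SCANNER, target=TARGET):
    """Return {port: state} for every port the scanner sent a SYN to.

    A probed port starts out 'filtered' (no answer seen yet) and is upgraded
    to 'open' on a SYN-ACK or 'closed' on a RST from the target.
    """
    states = {}
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        if src == scanner and dst == target and "S" in flags and "." not in flags:
            # Outbound probe; silence is the default verdict.
            states.setdefault(dport, "filtered")
        elif src == target and dst == scanner and sport in states:
            if "S" in flags and "." in flags:
                states[sport] = "open"      # SYN-ACK: something is listening
            elif "R" in flags:
                states[sport] = "closed"    # RST: reachable, nothing listening
    return states


def retransmitted_ports(capture, scanner=SCANNER, target=TARGET):
    """Ports the scanner probed more than once, i.e. the ones that stayed silent."""
    counts = {}
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport, flags = parsed
        if src == scanner and dst == target and "S" in flags and "." not in flags:
            counts[dport] = counts.get(dport, 0) + 1
    return sorted(port for port, n in counts.items() if n > 1)


def render_report(states):
    """Nmap-like 'port/tcp state' lines, sorted by port number."""
    return [f"{port}/tcp {state}" for port, state in sorted(states.items())]


if __name__ == "__main__":
    verdicts = classify_ports(SAMPLE_CAPTURE)
    for line in render_report(verdicts):
        print(line)
    print("retried (silent) ports:", retransmitted_ports(SAMPLE_CAPTURE))
```

Running it against the constructed capture prints 22 open, 80 and 445 closed, and 2222 filtered, with 2222 also listed as the port that had to be retried. That is the distinction the post points at: a closed port on a box that is reachable still talks back (RST), so a router that forwards a port to a host that silently drops the probe, or a router firmware that drops instead of rejecting, produces "filtered" for ports that are not actually guarded by anything. Nmap additionally reports filtered when an ICMP unreachable error comes back for the probe; that case is left out of this parser to keep it to the three rules given above.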
