Firewall Wizards mailing list archives

RE: Strange open ports on windows machines


From: Christoph Schneeberger <cschnee () telemedia ch>
Date: Mon, 25 Oct 1999 10:06:59 +0100

Hi All,

Thanks for all your help and more or less useful hints.
I want to thank especially:
-Michael H. Warfield for his explanation of how toasted the customer is.
-Russ Cooper for a) his superb explanation of ports 1027 and 1030 and b)
for his misunderstanding of what those results I posted really mean (Sorry
Russ, you were so off-road with your hard-disk-destroying technique that I
have to counter, but that's not the topic of this list, offending people...).
-Rodney van den Oever and Thomas Lopatic for pointing out the real problem:

The ISP of the customer filters tcp 12345 and udp 31337 on his border
routers; however, other ports which I think should be filtered instead of
those, like i.e. udp/tcp 135-137, are permitted. That's why nmap returns i.e.
12345 as listening. Who would expect one of the largest Swiss ISPs to be so
shortsighted? Netbus and BO2K can be run on any port, and I guess that's
the approach an attacker takes.

I was able to reproduce this in my testing environment by setting up the
following acl and portscanning a machine behind that router which
definitely hasn't netbus running or 12345 open:

    deny   tcp any any eq 12345 
    permit ip any any 

To quote Thomas Lopatic with his fine explanation of what was going on:

12345   filtered    tcp       NetBus
31337   open        udp       BackOrifice

"filtered" means that there was a timeout when nmap tried to connect to
port 12345. Hence, this port is probably filtered at some firewall
between you and the computer you scanned.

The same is probably true for port 31337. UDP scanning works as follows.
nmap sends a UDP packet to a port and then waits for an ICMP port
unreachable message, which indicates that there is no service
listening at that particular port. If it does not get an ICMP port
unreachable message, nmap will tell you that there is a service that
listens at the port.

If the UDP message is filtered at an intermediate firewall, then the
computer will never see that UDP packet and you will never get an ICMP
port unreachable - and nmap thinks that there is some listening service.

I think that this is the most plausible explanation: a packet filter
that protects the network that you have scanned.


Thanks for all your help and I hope somebody else can profit from this
information too.

Cheers,
Christoph


     ---------------------------------------------------+
    / Christoph Schneeberger    /   SCS TeleMedia       |
   / cschnee () telemedia ch      / Liestalerstrasse 47    |
  / 4419 Lupsingen            / http://www.telemedia.ch |
 / tel +41 61 915 9155       / fax +41 61 911 0714      |
/ PGP-Key http://www.telemedia.ch/pgpkeys/cschnee.asc   |
--------------------------------------------------------+ 

This e-mail is confidential and may be privileged. It may 
be read, copied and used only by the addressee. If you 
have received it in error, please contact us immediately.
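The inference Thomas describes above, as an added example that is not part of the original post and not nmap's own code: a small model in which a scanned host, a stateless border filter with the same "deny tcp 12345 / permit ip any any" shape as the test ACL, and a classifier that follows his rules are run together. The host, its listening ports, the ACL entries and the probe list are constructed for illustration; the point it shows is that an ACL deny on a UDP port produces exactly the same evidence (no reply) as a real listening UDP service, so a scan from outside the filter cannot tell the two apart.

```python
"""Model of the scan-result inference described in the post (added example).

Hosts, ports and filter rules below are constructed for illustration; the
classification logic follows the rules Thomas Lopatic spells out, not nmap's
real source code.
"""
from dataclasses import dataclass, field
from enum import Enum


class Reply(Enum):
    SYN_ACK = "syn/ack"             # TCP: a service accepted the connection
    RST = "rst"                     # TCP: host is up, nothing listening
    ICMP_PORT_UNREACH = "icmp 3/3"  # UDP: host is up, nothing listening
    NONE = "timeout"                # dropped somewhere, or a silent open UDP port


@dataclass
class Host:
    """The scanned machine; only the listening sockets matter here."""
    tcp_listening: set = field(default_factory=set)
    udp_listening: set = field(default_factory=set)

    def answer(self, proto: str, port: int) -> Reply:
        if proto == "tcp":
            return Reply.SYN_ACK if port in self.tcp_listening else Reply.RST
        # An empty UDP probe to a real service usually draws no answer at all,
        # so from the scanner's side "open" and "dropped" look identical.
        return Reply.NONE if port in self.udp_listening else Reply.ICMP_PORT_UNREACH


@dataclass
class BorderRouter:
    """Stateless packet filter in the path: (proto, port) pairs are silently
    dropped, everything else is forwarded (the deny/permit shape of the ACL)."""
    denied: set = field(default_factory=set)

    def forward(self, host: Host, proto: str, port: int) -> Reply:
        if (proto, port) in self.denied:
            return Reply.NONE   # probe never reaches the host; no ICMP comes back
        return host.answer(proto, port)


def classify_1999(proto: str, reply: Reply) -> str:
    """Report the way the post's nmap did: no ICMP error => 'open'."""
    if proto == "tcp":
        return {Reply.SYN_ACK: "open", Reply.RST: "closed"}.get(reply, "filtered")
    return "closed" if reply is Reply.ICMP_PORT_UNREACH else "open"


def classify_honest(proto: str, reply: Reply) -> str:
    """Same evidence, without over-claiming (later nmap prints 'open|filtered')."""
    if proto == "tcp":
        return {Reply.SYN_ACK: "open", Reply.RST: "closed"}.get(reply, "filtered")
    return "closed" if reply is Reply.ICMP_PORT_UNREACH else "open|filtered"


def scan(router: BorderRouter, host: Host, probes, classify=classify_1999) -> dict:
    """Run each (proto, port) probe through the filter and classify the reply."""
    return {(proto, port): classify(proto, router.forward(host, proto, port))
            for proto, port in probes}


def false_positives(router: BorderRouter, host: Host, probes) -> set:
    """UDP ports the scan calls 'open' although nothing listens on the host."""
    report = scan(router, host, probes)
    return {port for (proto, port), state in report.items()
            if proto == "udp" and state == "open" and port not in host.udp_listening}


# Constructed scenario mirroring the post: the customer's box listens on
# NetBIOS only; the ISP drops tcp/12345 and udp/31337 but passes 135-139.
CUSTOMER = Host(tcp_listening={139}, udp_listening={137})
ISP_ROUTER = BorderRouter(denied={("tcp", 12345), ("udp", 31337)})
NO_FILTER = BorderRouter()
PROBES = [("tcp", 12345), ("udp", 31337), ("udp", 137), ("tcp", 139)]

if __name__ == "__main__":
    for name, router in (("through ISP filter", ISP_ROUTER), ("no filter", NO_FILTER)):
        print(name)
        for (proto, port), state in scan(router, CUSTOMER, PROBES).items():
            print(f"  {port:<6}{state:<10}{proto}")
    print("bogus 'open' UDP ports:", false_positives(ISP_ROUTER, CUSTOMER, PROBES))
```

Running it shows udp/31337 reported "open" through the filter and "closed" without it, while the host itself never changes. The practical check is therefore to confirm listening sockets on the machine (netstat or the equivalent) or to scan from inside the filter, rather than to trust an external scan result for a port an upstream ACL is known to drop.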


