Nmap Development mailing list archives
False positive 21/tcp open on Windows?
From: "Rob Nicholls" <robert () refreshdaily com>
Date: Wed, 26 Jul 2006 13:37:34 +0100 (BST)
Forgive me if I'm doing something silly and haven't realised it, but I'm getting inconsistent results when performing -sS and -sT scans against port 21/tcp when using win32 versions of nmap. When performing a Connect() Scan it will return 21/tcp open, even when I know nothing is listening. Running a Connect() Scan using the Linux client (or doing -sS on Windows) gives me the correct result.

I used Ethereal to see what was going on, and I can't see anything being sent on port 21. nmap states "The Connect() Scan took 0.00s to scan 1 total ports." which worries me, as it shouldn't be that quick (scanning just port 20 or 22 takes 0.98s and these show up in Ethereal).

I first noticed it against a VMWare virtual machine, but it seems to also happen when scanning any other host too (either systems on the same subnet at work or over the internet to a router at home - and even from a machine at home against machines at work), including hosts that I know do not exist (obviously using -P0).

I've managed to reproduce this with different versions of nmap (4.01, 4.03, 4.10, 4.11, 4.20Alpha4) on three different Windows hosts (two running XP SP2, one running 2003 SP1), but the two Linux hosts (Backtrack under VMWare with a bridged network connection on one of the Windows hosts, and a proper installation of Fedora Core 3 on a standalone machine) correctly identify the port as closed. I don't think it makes any difference, but I've been using WinPcap 3.2 alpha, briefly dropped down to 3.1 and I'm now using 4.0alpha1.

I scanned (from home, hence using 4.01, but the same thing happens in 4.11) my machine at work. I had Windows Firewall (XP SP2) turned on, with no exceptions allowed, so it should silently drop everything:

nmap xxx.xxx.xx.xx -p 20-22 -sT -P0

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-07-26 13:21 GMT Daylight Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh

Nmap finished: 1 IP address (1 host up) scanned in 11.390 seconds

nmap xxx.xxx.xx.xx -p 20-22 -sS -P0

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-07-26 13:21 GMT Daylight Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh

Nmap finished: 1 IP address (1 host up) scanned in 3.610 seconds

When running scans against the current version of BackTrack (running under VMWare), I get the following:

nmap -sS xxx.xxx.xx.xx -p 20-22

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 13:27 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
MAC Address: 00:0C:29:97:FA:9C (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 0.771 seconds

nmap -sT xxx.xxx.xx.xx -p 20-22

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 13:27 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
MAC Address: 00:0C:29:97:FA:9C (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 12.137 seconds

Doing a quick netstat on BackTrack reveals nothing is listening.

I hope that's enough info for you to work with, but this seems fairly reproducible here, and I was surprised I couldn't see anything mentioned in the mailing list archives. Which makes me think maybe it's my mistake. I hope someone else can confirm this behaviour, or let me know how I can fix this.

Rob Nicholls

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
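
Added example (not part of the original post and not Nmap code): a way to repeat the connect() check outside nmap and flag an "open" answer that came back faster than one network round trip, the pattern the post reports for port 21. The function names and the `min_rtt` parameter are hypothetical, and the sample timings are constructed from the figures quoted in the post.

```python
import socket
import time


def connect_probe(host, port, timeout=3.0):
    """Classify one TCP port the way a connect() scan does, and time the call.

    Returns (state, seconds): "open" if connect() succeeded, "closed" if it
    was refused, "filtered" on timeout or any other socket error.
    Pass an IP address so name-resolution errors are not counted as filtered.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except OSError:  # includes socket.timeout
        state = "filtered"
    elapsed = time.monotonic() - start
    sock.close()
    return state, elapsed


def implausible_opens(results, min_rtt):
    """Return ports reported open faster than one round trip to the target.

    results maps port -> (state, seconds). min_rtt is the operator's estimate
    of the round-trip time in seconds (an assumption, e.g. taken from ping).
    A TCP handshake needs at least one round trip, so a quicker "open" was
    answered before the target could have replied.
    """
    return sorted(p for p, (state, secs) in results.items()
                  if state == "open" and secs < min_rtt)


if __name__ == "__main__":
    # Constructed sample shaped like the timings reported in the post:
    # ports 20 and 22 took about 0.98s, port 21 came back in 0.00s.
    sample = {20: ("filtered", 0.98), 21: ("open", 0.0), 22: ("filtered", 0.98)}
    print(implausible_opens(sample, min_rtt=0.01))
```

Running `connect_probe` from both the Windows and the Linux host against the same address separates the operating system's connect() result from nmap's reporting of it.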