Nmap Development mailing list archives
Re: False positive 21/tcp open on Windows?
From: "Rob Nicholls" <robert () refreshdaily com>
Date: Thu, 27 Jul 2006 11:07:50 +0100 (BST)
Thanks for confirming what I've seen. Kurt Grutzmacher emailed me directly, suggesting that a quirk in the Windows Firewall is to blame ("it's been my experience that it will always return 21/open no matter what IP address you scan").

I did a test with 4.20 alpha 4 with Windows Firewall on and then the same scan with it off. With the firewall off, nmap behaved as expected when scanning against a host that isn't up, so it looks like the Windows Firewall is the culprit, although I couldn't tell you why it affects 21/tcp and nothing else.

Windows Firewall on
-------------------

Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1
, 0, 27), based on libpcap version 0.9[.x]
Warning: File ./nmap-os-db exists, but Nmap is using C:\tools\win32\nmap-4.20ALP
HA4/nmap-os-db for security and consistency reasons. set NMAPDIR=. to give prio
rity to files in your local directory (may affect the other data files too).

Starting Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap ) at 2006-07-27 10:38 GM
T Standard Time
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xx.xxx.xx
mass_rdns: Using DNS server xxx.xx.xxx.xx
NSOCK (0.0800s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #1) EID 8
NSOCK (0.0800s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 18
NSOCK (0.0800s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #2) EID 24
NSOCK (0.0800s) Read request from IOD #2 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution at 10:38
NSOCK (0.0800s) Write request for 44 bytes to IOD #1 EID 43 [xxx.xx.xxx.xx:53]: n............36.86.153.195.in-addr.arpa.....
NSOCK (0.0900s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.0900s) Callback: CONNECT SUCCESS for EID 24 [xxx.xx.xxx.xx:53]
NSOCK (0.0900s) Callback: CONNECT SUCCESS for EID 8 [xxx.xx.xxx.xx:53]
NSOCK (0.0900s) Callback: WRITE SUCCESS for EID 43 [xxx.xx.xxx.xx:53]
NSOCK (0.1100s) Callback: READ SUCCESS for EID 18 [xxx.xx.xxx.xx:53] (120 bytes)
NSOCK (0.1100s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 50
mass_rdns: 0.04s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution at 10:38, 0.03s elapsed
Initiating System CNAME DNS resolution at 10:38
Completed System CNAME DNS resolution at 10:38, 0.00s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 10:38
Scanning xxx.xxx.xx.xx [3 ports]
CONN (0.1200s) TCP localhost > xxx.xxx.xx.xx:21 => Unknown error
CONN (0.1200s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
CONN (0.1200s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
Discovered open port 21/tcp on xxx.xxx.xx.xx
CONN (1.2310s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
CONN (1.2310s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
Completed Connect() Scan at 10:38, 11.22s elapsed (3 total ports)
Host xxx.xxx.xx.xx appears to be up ... good.
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
Final times for host: srtt: 0 rttvar: 5000 to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 11.346 seconds

Windows Firewall off
--------------------

Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1
, 0, 27), based on libpcap version 0.9[.x]
Warning: File ./nmap-os-db exists, but Nmap is using C:\tools\win32\nmap-4.20ALP
HA4/nmap-os-db for security and consistency reasons. set NMAPDIR=. to give prio
rity to files in your local directory (may affect the other data files too).

Starting Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap ) at 2006-07-27 10:37 GM
T Standard Time
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xx.xxx.xx
mass_rdns: Using DNS server xxx.xx.xxx.xx
NSOCK (0.0800s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #1) EID 8
NSOCK (0.0800s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 18
NSOCK (0.0900s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #2) EID 24
NSOCK (0.0900s) Read request from IOD #2 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution at 10:37
NSOCK (0.0900s) Write request for 44 bytes to IOD #1 EID 43 [xxx.xx.xxx.xx:53]: 9n...........36.86.153.195.in-addr.arpa.....
NSOCK (0.1000s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.1000s) Callback: CONNECT SUCCESS for EID 24 [xxx.xx.xxx.xx:53]
NSOCK (0.1000s) Callback: CONNECT SUCCESS for EID 8 [xxx.xx.xxx.xx:53]
NSOCK (0.1000s) Callback: WRITE SUCCESS for EID 43 [xxx.xx.xxx.xx:53]
NSOCK (0.1300s) Callback: READ SUCCESS for EID 18 [xxx.xx.xxx.xx:53] (120 bytes)
NSOCK (0.1300s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 50
mass_rdns: 0.06s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution at 10:37, 0.03s elapsed
Initiating System CNAME DNS resolution at 10:37
Completed System CNAME DNS resolution at 10:37, 0.00s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 10:37
Scanning xxx.xxx.xx.xx [3 ports]
CONN (0.1300s) TCP localhost > xxx.xxx.xx.xx:21 => Unknown error
CONN (0.1300s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
CONN (0.1300s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
CONN (2.1330s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
CONN (2.1330s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
CONN (2.1330s) TCP localhost > xxx.xxx.xx.xx:21 => Unknown error
Completed Connect() Scan at 10:37, 13.01s elapsed (3 total ports)
Host xxx.xxx.xx.xx appears to be up ... good.
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
Final times for host: srtt: -1 rttvar: -1 to: 1000000

Nmap finished: 1 IP address (1 host up) scanned in 13.149 seconds

Thanks to everyone that replied! I'll stick to running most of my nmap scans under Linux, but it's nice to know how to get accurate results when I'm in Windows.

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
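The firewall-on versus firewall-off comparison from the message above, as an added example that is not part of the original post: it parses the two port tables quoted in the message and lists the ports whose reported state changes with the local firewall. The function names are hypothetical.

```python
import re

# Port tables copied from the two runs quoted in the message
# (addresses were already redacted by the poster).
FIREWALL_ON = """\
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
"""

FIREWALL_OFF = """\
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
"""

# One row of Nmap's normal-output port table: "21/tcp open ftp"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_port_table(text):
    """Return {(port, proto): state} for every port row in the output."""
    states = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3)
    return states


def diff_scans(baseline, candidate):
    """List (port, proto, baseline_state, candidate_state) for each change."""
    a, b = parse_port_table(baseline), parse_port_table(candidate)
    changes = []
    for port, proto in sorted(set(a) | set(b)):
        sa = a.get((port, proto), "missing")
        sb = b.get((port, proto), "missing")
        if sa != sb:
            changes.append((port, proto, sa, sb))
    return changes


def suspect_open_ports(baseline, candidate):
    """Ports open only in the candidate scan: unconfirmed until re-checked."""
    return [(p, proto) for p, proto, sa, sb in diff_scans(baseline, candidate)
            if sb == "open" and sa != "open"]


if __name__ == "__main__":
    for port, proto in suspect_open_ports(FIREWALL_OFF, FIREWALL_ON):
        print(f"{port}/{proto}: open only with the local firewall enabled")
```
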