Nmap Development mailing list archives
nmap -sT localhost showing ephemeral ports?
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sat, 08 Feb 2014 23:09:58 +0100
Hi,

Here's an excerpt from my #nmap IRC log, dates are as in Warsaw local time:

=========================================
Day changed to Thu, 06 Feb 2014
00:16:05 < $ sophron (~sophron@199.19.117.60) has quit (Ping timeout: 252 seconds)
00:18:31 > $ Ardit (~ardit@unaffiliated/ard1t) has joined #Nmap
00:56:55 > $ Mike111 (~Mike@5.0.160.59) has joined #Nmap
00:56:59 < $ Mike111 (~Mike@5.0.160.59) has quit (Remote host closed the connection)
00:57:09 < $ Mike11 (~Mike@unaffiliated/mike11) has quit (Ping timeout: 245 seconds)
01:03:32 > $ Mike11 (~Mike@unaffiliated/mike11) has joined #Nmap
01:09:51 > $ ketilmore6 (~atlas () b049c studby ntnu no) has joined #Nmap
01:09:55 ketilmore6 $ i think my system is compromised. since neither netstat nor lsof shows anything, despite nmap reporting random tcp ports in range 40k-60k being open. (STATE == open)
01:10:13 ketilmore6 $ any ideas?
01:10:31 ketilmore6 $ the port seems to be open only a few hundred ms
01:11:05 d33tah $ ketilmore6: perhaps some program is spoofing IP packets? i don't think that would be visible in netstat.
01:13:34 ketilmore6 $ hmm
01:21:39 < $ Mike11 (~Mike@unaffiliated/mike11) has quit (Ping timeout: 265 seconds)
01:22:44 ketilmore6 $ d33tah: does nmap report listening ports such as when a tcp client is waiting for http reply packet?
01:25:48 d33tah $ ketilmore6: shouldn't, afaik. btw, try -sV. afk.
01:27:13 ketilmore6 $ does nmap report listening ports such as when a tcp client is waiting for http reply packet? i believe these are called ephemeral ports and it does not really matter what number they are. it's only for receiving server reply?
01:27:21 ketilmore6 $ i don't think so
01:27:32 ketilmore6 $ -sV yields unknown service
01:33:00 < $ Ardit (~ardit@unaffiliated/ard1t) has quit (Quit: Nettalk6 - www.ntalk.de)
01:39:44 d33tah $ ketilmore6: run with -v and show the fingerprint.
01:45:18 ketilmore6 $ d33tah: nmap did not print fingerprint
01:45:24 d33tah $ ketilmore6: -vv?
01:45:45 ketilmore6 $ nope
01:45:57 d33tah $ wth. no response? what does wireshark say?
01:46:07 ketilmore6 $ also, i have discovered that -sS does not show open ports, but -sT does
01:46:16 ketilmore6 $ -sT is using the connect os api
01:46:21 d33tah $ strange.
01:46:34 ketilmore6 $ lemme check wireshark. brb
01:46:38 d33tah $ sure.
01:49:40 ketilmore6 $ well
01:49:53 ketilmore6 $ i'm filtering on tcp.port == 49407
01:49:57 ketilmore6 $ which nmap reported as open
01:50:36 ketilmore6 $ i'm seeing four packets. first SYN, [TCP Out-of-order], [TCP window-update], RST
01:50:56 ketilmore6 $ both source and destination port == 49407.
01:51:07 ketilmore6 $ that's kinda strange isn't it
01:51:14 ketilmore6 $ that dest port == src port
01:51:32 d33tah $ sounds a bit odd.
01:51:59 d33tah $ but well, i don't have any experience with rootkits
01:52:05 d33tah $ yyzfp1: ping
01:54:00 ketilmore6 $ mhm, maybe this is a birthday paradox
01:54:39 ketilmore6 $ the nmap scan tries to connect, but in order to do so it must listen for replies right? and if src and dest port by accident are equal, it finds itself?
01:57:01 d33tah $ sounds unlikely, imho, as it would give lots of false positives
01:57:27 d33tah $ also, keep in mind that -sT uses connect(), which makes the source port controlled by the kernel
01:57:30 d33tah $ don't take my word though
02:08:26 < $ ketilmore6 (~atlas () b049c studby ntnu no) has quit (Ping timeout: 260 seconds)
02:23:58 > $ ketilmore6 (~atlas () b049c studby ntnu no) has joined #Nmap
02:26:01 > $ ketilmor16 (~atlas () b049c studby ntnu no) has joined #Nmap
02:27:08 > $ sophron_ (~sophron@199.19.117.60) has joined #Nmap
02:28:50 ketilmore6 $ turns out the nmap -p 1-65000 was finding open ports by accident because source port sometimes was equal to destination port. (birthday paradox)
02:29:15 ketilmore6 $ this is happening when scanning loopback interface and not over network interface
=========================================
20:17:03 bonsaiviking $ <ketilmore6> turns out the nmap -p 1-65000 was finding open ports by accident because source port sometimes was equal to destination port. (birthday paradox)
20:17:07 bonsaiviking $ wtf
20:18:58 bonsaiviking $ confirmed on svn r32703
20:19:31 bonsaiviking $ but only with -sT
=========================================

What do you think about it?

Yours,
Jacek Wielemborek
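The effect ketilmore6 and bonsaiviking describe, reproduced as an added example (not part of the original post and not Nmap's code): a connect() to 127.0.0.1 whose source port is pinned to the destination port completes with nothing listening, because the SYN is matched against the connecting socket itself (TCP simultaneous open). The check that separates this artifact from a real listener is that the local and remote endpoints of the resulting connection are identical. Assumes Linux TCP semantics on a loopback interface; the port range is our choice, not taken from the log.

```python
"""Reproduce and detect the loopback 'self-connect' false positive of a
connect() scan. Added example; assumes Linux TCP behaviour on 127.0.0.1."""
import errno
import socket
import sys
from dataclasses import dataclass

IS_LINUX = sys.platform.startswith("linux")
HOST = "127.0.0.1"          # loopback: the only interface the log says is affected


@dataclass
class ProbeResult:
    port: int
    connected: bool
    self_connect: bool      # True when local endpoint == remote endpoint
    errno_name: str         # "" on success, e.g. "ECONNREFUSED" otherwise


def probe(port: int, force_collision: bool) -> ProbeResult:
    """connect() to HOST:port the way -sT does. With force_collision the
    source port is pinned to the same number, which reproduces the kernel's
    occasional ephemeral-port coincidence deterministically."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2.0)
    try:
        if force_collision:
            s.bind((HOST, port))
        s.connect((HOST, port))
        # A real listener answers from another socket, so the peer name can
        # never be our own address. Equality means the SYN matched our own
        # socket (simultaneous open) and no service is behind the port.
        return ProbeResult(port, True, s.getsockname() == s.getpeername(), "")
    except OSError as e:
        return ProbeResult(port, False, False, errno.errorcode.get(e.errno, repr(e)))
    finally:
        s.close()


def demo(start: int = 50000, stop: int = 50200) -> ProbeResult:
    """Pick a port with nothing listening (plain connect() refused), then probe
    it again with the collision forced. Ports already in use as a source port
    (bind() fails with EADDRINUSE) are skipped."""
    for port in range(start, stop):
        if probe(port, force_collision=False).errno_name != "ECONNREFUSED":
            continue                        # something listens or the state is odd
        r = probe(port, force_collision=True)
        if r.errno_name == "EADDRINUSE":
            continue
        return r
    raise RuntimeError("no suitable closed port in range")


if __name__ == "__main__":
    res = demo()
    print(f"port {res.port}: connected={res.connected} "
          f"self_connect={res.self_connect} err={res.errno_name or '-'}")
```

On Linux the forced probe reports connected=True and self_connect=True for a port that a plain connect() has just shown to be closed, which is exactly the pattern in the Wireshark capture above (source port == destination port, then a RST once the socket is closed).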
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- nmap -sT localhost showing ephemeral ports? Jacek Wielemborek (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Kris Katterjohn (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 14)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 14)
- Re: nmap -sT localhost showing ephemeral ports? Daniel Miller (Feb 15)
- Re: nmap -sT localhost showing ephemeral ports? Kris Katterjohn (Feb 08)
- Re: nmap -sT localhost showing ephemeral ports? Fyodor (Feb 12)
- Re: nmap -sT localhost showing ephemeral ports? Robin Wood (Feb 12)
- Re: nmap -sT localhost showing ephemeral ports? Fyodor (Feb 13)
- Re: nmap -sT localhost showing ephemeral ports? Robin Wood (Feb 12)