Security Basics mailing list archives
SV: Nmap Scan Output - PIX firewall shows ports open even when disabled?
From: Thomas Westlund <thomas.westlund () prioritytelecom no>
Date: Mon, 27 Oct 2003 19:24:27 +0100
Hi,

I'm not very familiar with pix'es, but my first thought would be to check if there's anything actually listening at these ports or if it's just some odd bug in Nmap or the PIX firmware....

But I would agree with you that if it were my pix'es I would be more than a bit alarmed...

--
Thomas Westlund
Priority Telecom Norway AS

-----Original Message-----
From: erisk [mailto:erisk () iinet net au]
Sent: 27.10.2003 03:20
To: security-basics () securityfocus com
Subject: Nmap Scan Output - PIX firewall shows ports open even when disabled?

Hi all,

I have had this on a few instances and I was wondering if anyone can verify if this is something other people have found when scanning PIX's or web servers in the DMZ..

Firstly I scanned using the normal sS routine and ports were found closed. Following that I proceeded to scan without pinging the host and the output is below:

nmap -P0 XXX.XXX.XXX.XX

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on XXXX (X.X.X.X):
(The 1596 ports scanned but not shown below are in state: filtered)
Port       State       Service
389/tcp    open        ldap
1002/tcp   open        unknown
1720/tcp   open        H.323/Q.931

I have confirmed with the rulebase and none of the ports that are open are defined in the rule base and everything else is still explicitly denied (even though PIX does it by default) by a deny IP rule. Also the majority of fixup protocols have been disabled (except HTTP, SMTP).

Also when I scan web servers behind the firewall with this option it still has the same ports open + HTTP and HTTPS...

This is the third time I have had this output when using this no ping host option, so has anyone found the similar outputs? Could this be a common way to commonly identify PIX firewalls? Is there an advisory for this? And are there any workarounds so these ports are not shown on the no ping scan?

Regards,
Trev