Re: Nmap Scan Output - PIX firewall shows ports open even when disabled?

["erisk" <erisk () iinet net au>]

Yes there is a cisco border router (12.x) in front of it PIX is a 6.2(x)
version...

Scanning this router there is still the same ports open, which is wierd
becuase it is more upstream then the PIX...

Telneting to them opens a connection as well... And your right internal
scans only show what "should" be open...

Thoughts? Although the nmap version wont fix anything or change the results
becasue you can still make a manul connection.

----- Original Message ----- 
From: "Dan Duplito" <danduplito () techie com>
To: <security-basics () securityfocus com>
Sent: Wednesday, October 29, 2003 9:52 AM
Subject: Re: Nmap Scan Output - PIX firewall shows ports open even when
disabled?


> were you scanning PIX directly from an L2 switch or from behind a router?
with the latter, i get a similar output when scanning a target system
(protected by PIX) behind a (Cisco) router that i believe was configured
weirdly. the scan show the exact same open ports for all systems behind that
"funny" router, in addition to the open ports of the target system.
> i get the "expected" scan results of the system when i internally scan PIX
directly.
> regards,
> dan
>
> PS
>
> i recommend you upgrade/recompile your nmap version to the latest V3.48 -- 
the database is much more extensive and Fyodor finally incorporated "service
scanning" feature (which i used to get only from THC's amap scanner).
> > erisk wrote:
> > > Hi all,
> > >
> > > I have had this on a few instances and I was wondring if anyone can
verify
> > > if this is something other people have found when scanning PIX's or
web
> > > servers in the DMZ..
> > >
> > > Firstly I scanned using the normal sS routine and ports were found
closed.
> > > Following that I preceded to scan without pinging the host and the
output is
> > > below:
> > >
> > > nmap -P0 XXX.XXX.XXX.XX
> > >
> > > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > > Interesting ports on XXXX (X.X.X.X):
> > > (The 1596 ports scanned but not shown below are in state: filtered)
> > > Port       State       Service
> > > 389/tcp    open        ldap
> > > 1002/tcp   open        unknown
> > > 1720/tcp   open        H.323/Q.931
> > >
> > > I have confirmed with the rulebase and the none of the ports that are
open
> > > are defined in the rule base and everything elese is still explictly
denied
> > > (even though PIX does it by default) by a deny IP rule. Also the
majority of
> > > fixup protocols have been disbaled (except HTTP, SMTP).
> > >
> > > Also when I scan web servers behind the firewall with this option it
still
> > > has the same ports open + HTTP and HTTPS...
> > >
> > > This is the third time I have had this output when using this no ping
host
> > > option, so has anyone found the similar outputs? Could this be a
common way
> > > to commonly identify PIX firewalls? Is there an advisory for this? And
are
> > > there any workarounds so these ports are not shown on the no ping
scan?
> > > Regards,
> > > Trev
> >
> > -- 
> > Francisco Andrades Grassi
> > www.nextj.com
> > Tlf: +58-414-125-7415
>
> --------------------------------------------------------------------------
-
> > Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> > The Presidio integrates PGP data encryption and XML Web Services
security to
> > simplify the management and deployment of PGP and reduce overall PGP
costs
> > by up to 80%.
> > FREE WHITEPAPER & 30 Day Trial -
> > http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
>
> --------------------------------------------------------------------------
--
> >
>
>
> --------------------------------------------------------------------------
-
> Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> The Presidio integrates PGP data encryption and XML Web Services security
to
> simplify the management and deployment of PGP and reduce overall PGP costs
> by up to 80%.
> FREE WHITEPAPER & 30 Day Trial -
> http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------