Security Basics mailing list archives

Re: Very strange nmap scan results


From: Steven Hollingsworth <steven () aznc com>
Date: Fri, 21 Sep 2007 09:13:00 -0700

On Thu, Sep 20, 2007 at 07:18:04PM -0700, Juan B wrote:
Hi all,

For a client, I'm scanning his DMZ from the internet.
[snip]
nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt

(I changed the IPs here...)

and the results for the mail relay, for example, are:

Interesting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
[snip]
31/tcp   open     msg-auth
32/tcp   open     unknown
33/tcp   open     dsp
34/tcp   open     unknown

This continues up to port 1024.

Any ideas how to eliminate so many false positives?

Juan,

Look at a program called firewalk [0]. I believe the results of the
nmap scan you did are common to firewall/gateway devices due to
behavior in the TCP/IP stack [1].

I believe it may also have to do with what type of scan you're doing
[2].

HTH,

~ stevo

[0] - http://www.packetfactory.net/firewalk/firewalk-final.pdf
[1] - http://en.wikipedia.org/wiki/Port_scanner
[2] - man 1 nmap
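A quick way to spot the symptom Juan describes before trusting a scan is to check, per host, what fraction of the scanned range came back "open": a host where essentially every port answers is far more likely to be a firewall or gateway completing the handshake on the target's behalf than a box running a thousand services. The script below, an added example that is not from either poster or from nmap, parses the grepable file that `-oA` writes (the `.gnmap` file) and flags such hosts. The 90% threshold, the `fake_gnmap_host` helper and the sample lines it builds are assumptions for the example; the IPs and hostnames are the already-changed ones quoted above.

```python
"""Sanity-check nmap grepable output for hosts where (nearly) every scanned
TCP port is reported open, the pattern the thread attributes to a firewall or
gateway answering a connect scan on the target's behalf.

Added example for this thread, not code from nmap or from the posters. The
threshold and the helper that fabricates sample output are assumptions."""
import re
from typing import Dict, Iterable, Set

HOST_FIELD = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")
PORTS_FIELD = re.compile(r"\tPorts: (?P<ports>[^\t]*)")


def parse_open_tcp_ports(gnmap_text: str) -> Dict[str, Set[int]]:
    """Map each IP in grepable (-oG / .gnmap) output to its open TCP ports."""
    hosts: Dict[str, Set[int]] = {}
    for line in gnmap_text.splitlines():
        host = HOST_FIELD.match(line)
        ports = PORTS_FIELD.search(line)
        if not host or not ports:
            continue  # comment lines and "Status: Up" lines carry no port data
        opened = hosts.setdefault(host.group("ip"), set())
        for entry in ports.group("ports").split(","):
            # grepable entry layout: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                opened.add(int(fields[0]))
    return hosts


def flag_blanket_open(hosts: Dict[str, Set[int]], scanned: Iterable[int],
                      threshold: float = 0.9) -> Dict[str, float]:
    """Return {ip: fraction_open} for hosts whose open-port fraction across the
    scanned range reaches the threshold (assumed 90%). Such hosts deserve a
    second look with a different probe type before the ports are believed."""
    scanned_set = set(scanned)
    flagged: Dict[str, float] = {}
    for ip, open_ports in hosts.items():
        fraction = len(open_ports & scanned_set) / len(scanned_set)
        if fraction >= threshold:
            flagged[ip] = fraction
    return flagged


def fake_gnmap_host(ip: str, name: str, open_ports: Iterable[int]) -> str:
    """Build one constructed grepable host line (sample data, not real output)."""
    entries = ", ".join(f"{p}/open/tcp//unknown///" for p in sorted(open_ports))
    return f"Host: {ip} ({name})\tPorts: {entries}\tIgnored State: closed (0)"


SCANNED = range(1, 1025)  # -p1-1024 from the quoted command
# Constructed sample: the mail relay shows every port open (the thread's
# symptom); a second host shows a believable handful.
SAMPLE_GNMAP = "\n".join([
    "# Nmap scan initiated as: nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt",
    fake_gnmap_host("200.61.44.50", "mail.cpsa.com", SCANNED),
    fake_gnmap_host("200.61.44.51", "www.cpsa.com", [22, 80, 443]),
    "# Nmap done",
])

if __name__ == "__main__":
    parsed = parse_open_tcp_ports(SAMPLE_GNMAP)
    for ip, fraction in flag_blanket_open(parsed, SCANNED).items():
        print(f"{ip}: {fraction:.0%} of scanned ports open; "
              "likely firewall/gateway artifact, re-verify with another scan type")
```

Run it against a real `cpsa.gnmap` by reading the file into `parse_open_tcp_ports` instead of `SAMPLE_GNMAP`; hosts it flags are the ones where the connect-scan results should be cross-checked rather than reported as open services.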

