Nmap Development mailing list archives

RE: ambiguity about nmap results


From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Fri, 30 May 2008 22:04:28 +0100

Hi Sara,

I ran a connect scan earlier from http://nmap-online.com/ which appeared to
be faster and much more reliable; you may wish to give that a try instead.
It is still using Nmap 4.11 though.

Two of the ports you saw from nmapyourself that were allegedly filtered are
well known Windows ports. I suspect what you're seeing *might* be an ISP
(perhaps yours, perhaps at nmapyourself's end) filtering the network
traffic, possibly in an attempt to limit the infection/distribution of old
Windows-based attacks.

Because your netstat shows that you should be listening on TCP ports 8010
(jabber?), 37323, 6543 and 6544 (the last two are typically seen if you've
installed MythTV*, which also probably explains why you have mysql running
on localhost too), I suggest you perform a scan that includes those open
ports (e.g. -p 6540-6550) so you can verify that you're getting accurate
results (if you use my example above I'd expect you to see two ports that
are open, the rest should be closed [or filtered]).

I'm not sure why the other scan returned so many open ports; I would expect
you to see closed or filtered when scanning -p 1-1024 with your setup.
Without seeing something like the output of --packet-trace it's hard to say
what's going on.

I've been assuming that your laptop's IP and your external IP are the same
(i.e. you're sat directly on the internet). If you're using a NAT (or PAT)
router, for example, a scan of your external IP address might be returning
TCP resets from the router rather than your laptop (as the unexpected
incoming traffic never actually reaches your laptop on its private IP
address). 

* http://www.mythtv.org/docs/mythtv-HOWTO-3.html says: It is strongly
recommended that you do not expose the MythTV and MySQL ports to the
Internet or your "Outside" LAN.


Rob


-----Original Message-----
From: sara fink [mailto:sara.fink () gmail com]
Sent: 30 May 2008 20:25
To: DePriest, Jason R.
Cc: Nmap Dev
Subject: Re: ambiguity about nmap results

If I run from my laptop nmap -sT my external ip it shows me all ports
are closed.



On Fri, May 30, 2008 at 10:22 PM, sara fink <sara.fink () gmail com>
wrote:
On my laptop I have nmap version 4.60 from Gentoo Portage.
4.62 appears as non-stable in Portage.

How can I measure reliably what ports are open on my laptop? I don't
have root access to remote servers to run something else than nmap
-sT, and the version there appears to be old.

On Fri, May 30, 2008 at 10:13 PM, DePriest, Jason R.
<jrdepriest () gmail com> wrote:
On Fri, May 30, 2008 at 7:47 PM, sara fink <> wrote:
I tried to use nmap from this web site:
http://www.nmapyourself.com/.

If I try to run nmap on my external ip say at range 1-1024 with
flag -sT I get
Starting Nmap 4.20 ( http://insecure.org ) at 2008-05-30 14:42 EDT
Old version:    ^^^^
4.62 is the latest you can download as released.

Interesting ports on some ip .:


Not shown: 1022 closed ports
PORT    STATE    SERVICE
0/tcp   filtered unknown
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

To check myself again, I connected via ssh to some other site and from
there ran nmap -sT -p 1-1024 ip

From there I got a completely different result. Almost all the 1025
ports are open except very few.

Can someone explain to me why I get such a difference?

Also, nmapyourself.com isn't run by Fyodor, so you should probably ask
the guy who runs the site to check it out.



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
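
Added example, not part of the original thread: one way to carry out the cross-check Rob suggests, scanning a range that contains ports netstat shows as listening and confirming they come back open. The sample scan output, the address 192.0.2.10 and the function names are constructed for illustration, and the verdict wording is an assumption that follows the thread's reasoning.

```python
import re

# Constructed sample: nmap 4.x-style output for "-sT -p 6540-6550" (not from the thread).
SAMPLE_SCAN = """\
Interesting ports on 192.0.2.10:
Not shown: 8 closed ports
PORT     STATE    SERVICE
6543/tcp open     unknown
6544/tcp filtered unknown
6550/tcp open     unknown
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)", re.M)
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\w+) (?:tcp )?ports", re.M)

def parse_states(nmap_text, scanned_ports):
    """Map every scanned TCP port to the state nmap reported for it."""
    m = NOT_SHOWN.search(nmap_text)
    default = m.group(1) if m else "unknown"   # state of the ports nmap did not list
    states = {p: default for p in scanned_ports}
    for port, state in PORT_LINE.findall(nmap_text):
        states[int(port)] = state
    return states

def cross_check(nmap_text, scanned_ports, listening):
    """Compare scan results with ports netstat shows listening on a non-loopback address."""
    states = parse_states(nmap_text, scanned_ports)
    findings = []
    for port in sorted(scanned_ports):
        state, expected = states[port], port in listening
        if expected and state == "open":
            verdict = "ok: control port seen open"
        elif expected and state == "closed":
            verdict = "mismatch: refused; another device (e.g. a NAT router) may be answering"
        elif expected:
            verdict = "mismatch: no reply; traffic may be filtered in transit"
        elif state == "open":
            verdict = "unexpected: reported open but nothing listens locally"
        else:
            continue                       # not listening and not open: consistent
        findings.append((port, state, verdict))
    return findings

if __name__ == "__main__":
    for port, state, verdict in cross_check(SAMPLE_SCAN, range(6540, 6551), {6543, 6544}):
        print(f"{port}/tcp {state:<9} {verdict}")
```

If the control ports come back open, results from that vantage point can be trusted for the rest of the range; any mismatch means the scan is describing something other than the laptop itself.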

