Nmap Development mailing list archives

Re: ambiguity about nmap results


From: "sara fink" <sara.fink () gmail com>
Date: Sat, 31 May 2008 01:34:51 +0300

On Sat, May 31, 2008 at 12:04 AM, Rob Nicholls
<robert () everythingeverything co uk> wrote:
> Hi Sara,
>
> I ran a connect scan earlier from http://nmap-online.com/ which appeared to
> be faster and much more reliable, you may wish to give that a try instead.
> It is still using Nmap 4.11 though.

I tried it and it looks reliable and fast. No more nmapyourself.com ;-)

And thanks for that.

> Two of the ports you saw from nmapyourself that were allegedly filtered are
> well known Windows ports. I suspect what you're seeing *might* be an ISP
> (perhaps yours, perhaps at nmapyourself's end) filtering the network
> traffic, possibly in an attempt to limit the infection/distribution of old
> Windows-based attacks.

I don't have Windows. ;-)

> Because your netstat shows that you should be listening on TCP ports 8010
> (jabber?), 37323, 6543 and 6544 (the last two are typically seen if you've
> installed MythTV*, which also probably explains why you have mysql running
> on localhost too), I suggest you perform a scan that includes those open
> ports (e.g. -p 6540-6550) so you can verify that you're getting accurate
> results (if you use my example above I'd expect you to see two ports that
> are open, the rest should be closed [or filtered]).

I use jabber for gtalk in kopete. About mythtv, you were right. Disabled
mysql after your suggestion. Will check now for the mythtv issue as well.
Thanks.

> I'm not sure why the other scan returned so many open ports, I would expect
> you to see closed or filtered when scanning -p 1-1024 with your setup.
> Without seeing something like the output of --packet-trace it's hard to say
> what's going on.

I have a few suspicions about that. The remote server belongs to a
university. They block pings inside and outside. This might cause the
problem? Or just because it's an old version? I tried --packet-trace
now and it's so old that it doesn't even have this flag.
But I will check the nmap-online with this flag.

> I've been assuming that your laptop's IP and your external IP are the same
> (i.e. you're sat directly on the internet). If you're using a NAT (or PAT)
> router, for example, a scan of your external IP address might be returning
> TCP resets from the router rather than your laptop (as the unexpected
> incoming traffic never actually reaches your laptop on its private IP
> address).

You assumed correctly.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
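
The check suggested in the thread (scan a range that includes ports you know are listening, then compare the result with netstat) can be scripted. This is an added example, not part of the original messages: the netstat and Nmap text are constructed samples, and the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample of `netstat -tln` output (ports taken from the thread).
NETSTAT = """\
tcp  0  0 0.0.0.0:6543    0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:6544    0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:8010    0.0.0.0:*  LISTEN
tcp  0  0 127.0.0.1:3306  0.0.0.0:*  LISTEN
"""

# Constructed sample of an external scan's port table (not real results).
NMAP = """\
PORT     STATE    SERVICE
135/tcp  filtered msrpc
3306/tcp closed   mysql
6543/tcp open     mythtv
6544/tcp filtered mythtv
6547/tcp open     unknown
"""

def listeners(netstat_text):
    """Map port -> True if bound to a non-loopback address."""
    ports = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")
        external = not (addr.startswith("127.") or addr == "::1")
        ports[int(port)] = ports.get(int(port), False) or external
    return ports

def scan_states(nmap_text):
    """Map port -> state from lines such as '6543/tcp open mythtv'."""
    return {int(p): s for p, s in re.findall(r"^(\d+)/tcp\s+(\S+)", nmap_text, re.M)}

def compare(netstat_text, nmap_text):
    """Classify each scanned port against what the host really listens on."""
    local, result = listeners(netstat_text), {}
    for port, state in sorted(scan_states(nmap_text).items()):
        exposed = local.get(port, False)
        if state == "open":  # open with no local listener: something else answered
            verdict = "consistent" if exposed else "mismatch"
        else:  # closed/filtered although listening: traffic stopped before the host
            verdict = "blocked-upstream" if exposed else "consistent"
        result[port] = (state, verdict)
    return result

if __name__ == "__main__":
    for port, (state, verdict) in compare(NETSTAT, NMAP).items():
        print(f"{port}/tcp  scan={state:<9} {verdict}")
```

A "mismatch" is the case the thread is puzzling over (ports reported open that the host does not listen on), while "blocked-upstream" matches the ISP-filtering and NAT explanations.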

