Nmap Development mailing list archives
Weird nmap -sT behaviour on Windows 7
From: Andy Sheen <sheen.andy () googlemail com>
Date: Sat, 12 May 2012 07:22:53 +0100
Hi, I've spent the last day trying to get to the bottom of this to no avail and hope someone here can help. In the interests of security, I'm building a firewall and using nmap to test it. As part of my testing, I did a full port scan of the WAN side interface of the firewall using the TCP Connect mechanism (-sT) and found a number of ports were open. Looking at the logs on the firewall, I could find no trace of the connections in the logs (the firewall is a pfSense box that has the ability to packet log). Moving to an XP machine (and Linux - I have several systems here) and using exactly the same command shows the ports as filtered. Trying another Win 7 machine and the ports appear open. Digging further and setting up a machine with Wireshark on and port mirroring, I cannot see the packets coming out of the Win 7 machines at all. All other packets come out of the machines, just not the ones on those ports. If I use any of the other TCP methods, everything works as expected - including seeing the packets on the mirrored port. I'm using nmap version 5.51 with WinPcap 4.1.2. Here are some command line results (the ports are all the ones that reported as open, except 81 which is there as a "control" as it shows (correctly) filtered).
From a Win 7 machine - I have tried both I have here with the same results (I only see the probe on port 81 on the Wireshark mirror):

$ nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112
Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:45 ope
Nmap scan report for 192.168.1.112
Host is up (0.0050s latency).
PORT     STATE    SERVICE
80/tcp   open     http
81/tcp   filtered hosts2-ns
3124/tcp open     unknown
3127/tcp open     unknown
3128/tcp open     squid-http
8008/tcp open     http
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap
8888/tcp open     sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)
Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds
From the same Windows 7 machine but using any of -sS/sA/sW (I see all the probes on the Wireshark mirror):

$ nmap -sS -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112
Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:49 ope
Nmap scan report for 192.168.1.112
Host is up (0.00s latency).
PORT     STATE    SERVICE
80/tcp   filtered http
81/tcp   filtered hosts2-ns
3124/tcp filtered unknown
3127/tcp filtered unknown
3128/tcp filtered squid-http
8008/tcp filtered http
8080/tcp filtered http-proxy
8081/tcp filtered blackice-icecap
8888/tcp filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds
From the same Windows 7 machine but using any of -sM/sN/sF/sX (I see all the probes on the Wireshark mirror):

$ nmap -sM -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112
Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 07:15 ope
Nmap scan report for 192.168.1.112
Host is up (0.00s latency).
PORT     STATE         SERVICE
80/tcp   open|filtered http
81/tcp   open|filtered hosts2-ns
3124/tcp open|filtered unknown
3127/tcp open|filtered unknown
3128/tcp open|filtered squid-http
8008/tcp open|filtered http
8080/tcp open|filtered http-proxy
8081/tcp open|filtered blackice-icecap
8888/tcp open|filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)
Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds
From a Linux (or Win XP) machine:

$ sudo ./nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112
Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:51 BST
Nmap scan report for 192.168.1.112
Host is up (0.000060s latency).
PORT     STATE    SERVICE
80/tcp   filtered http
81/tcp   filtered hosts2-ns
3124/tcp filtered unknown
3127/tcp filtered unknown
3128/tcp filtered squid-http
8008/tcp filtered http
8080/tcp filtered http-proxy
8081/tcp filtered blackice-icecap
8888/tcp filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)
Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds

In checking my own machine (my thought was that it may be a virus of some sort), none of these ports are open. So, in conclusion, as far as I can tell, if I try nmapping with -sT to ports 80,3124,3128,3127,8008,8080,8888,8081 from a Win 7 machine to another machine, the packets just do not appear on the physical network connection (I've tried with two machines). I've tried searches and can't find anything relevant either. Any way of debugging this further?

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
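As an added example (not from the post or the Nmap project), a small Python cross-check for exactly the situation above: it parses the port tables of two Nmap normal-output reports and lists the ports a connect (-sT) scan calls open that a SYN (-sS) scan from the same host does not, so they can be re-verified from another host before being recorded as a firewall finding. The two report excerpts are constructed from the results quoted above.

```python
import re

# Constructed excerpts modelled on the -sT and -sS runs quoted in the post.
CONNECT_SCAN = """\
PORT     STATE    SERVICE
80/tcp   open     http
81/tcp   filtered hosts2-ns
3128/tcp open     squid-http
8080/tcp open     http-proxy
"""

SYN_SCAN = """\
PORT     STATE    SERVICE
80/tcp   filtered http
81/tcp   filtered hosts2-ns
3128/tcp filtered squid-http
8080/tcp filtered http-proxy
"""

# One port line of Nmap normal output: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(report):
    """Return {'80/tcp': 'open', ...} from the port table of an Nmap report."""
    states = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return states


def disagreeing_ports(connect_report, syn_report):
    """Ports the connect scan calls open that the SYN scan does not.

    A connect() result produced without a probe ever reaching the wire says
    nothing about the firewall under test, so every port returned here should
    be re-checked from a second host before it is treated as a finding.
    """
    connect = parse_ports(connect_report)
    syn = parse_ports(syn_report)
    suspect = [p for p, state in connect.items()
               if state == "open" and syn.get(p) != "open"]
    return sorted(suspect, key=lambda p: int(p.split("/")[0]))


if __name__ == "__main__":
    for port in disagreeing_ports(CONNECT_SCAN, SYN_SCAN):
        print(f"{port}: open via -sT but {parse_ports(SYN_SCAN)[port]} via -sS")
```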