Nmap Development mailing list archives
[Solved] Re: Weird nmap -sT behaviour on Windows 7
From: Andy Sheen <sheen.andy () googlemail com>
Date: Sat, 12 May 2012 07:31:07 +0100
Doh! I just this second thought to turn off my anti-virus (Avast) and it worked as expected.

$ nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 07:27 ope
Nmap scan report for 192.168.1.112
Host is up (0.00s latency).
PORT     STATE    SERVICE
80/tcp   filtered http
81/tcp   filtered hosts2-ns
3124/tcp filtered unknown
3127/tcp filtered unknown
3128/tcp filtered squid-http
8008/tcp filtered http
8080/tcp filtered http-proxy
8081/tcp filtered blackice-icecap
8888/tcp filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)

Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds

Problem solved - I just wish I'd thought of that some 24 hours ago....

Andy

Andy Sheen wrote on Sat 12 May at 7:22 UK time
Hi,

I've spent the last day trying to get to the bottom of this to no avail and hope someone here can help.

In the interests of security, I'm building a firewall and using nmap to test it. As part of my testing, I did a full portscan of the WAN side interface of the firewall using the TCP Connect mechanism (-sT) and found a number of ports were open. Looking at the logs on the firewall, I could find no trace of the connections in the logs (the firewall is a pfSense box that has the ability to packet log).

Moving to an XP machine (and Linux - I have several systems here) and using exactly the same command shows the ports as filtered. Trying another Win 7 machine and the ports appear open.

Digging further and setting up a machine with Wireshark on and port mirroring, I cannot see the packets coming out of the Win 7 machines at all. All other packets come out of the machines, just not the ones on those ports.

If I use any of the other TCP methods, everything works as expected - including seeing the packets on the mirrored port.

I'm using nmap version 5.51 with WinPCap 4.1.2.

Here are some command line results (the ports are all the ones that reported as open except 81 which is there as a "control" as it shows (correctly) filtered).

From a Win 7 machine - I have tried both I have here with the same results (I only see the probe on port 81 on the wireshark mirror):

$ nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:45 ope
Nmap scan report for 192.168.1.112
Host is up (0.0050s latency).
PORT     STATE    SERVICE
80/tcp   open     http
81/tcp   filtered hosts2-ns
3124/tcp open     unknown
3127/tcp open     unknown
3128/tcp open     squid-http
8008/tcp open     http
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap
8888/tcp open     sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)

Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds

From the same Windows 7 machine but using any of -sS/sA/sW (I see all the probes on the wireshark mirror)

$ nmap -sS -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:49 ope
Nmap scan report for 192.168.1.112
Host is up (0.00s latency).
PORT     STATE    SERVICE
80/tcp   filtered http
81/tcp   filtered hosts2-ns
3124/tcp filtered unknown
3127/tcp filtered unknown
3128/tcp filtered squid-http
8008/tcp filtered http
8080/tcp filtered http-proxy
8081/tcp filtered blackice-icecap
8888/tcp filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)

Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds

From the same Windows 7 machine but using any of -sM/sN/sF/sX (I see all the probes on the wireshark mirror)

$ nmap -sM -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 07:15 ope
Nmap scan report for 192.168.1.112
Host is up (0.00s latency).
PORT     STATE         SERVICE
80/tcp   open|filtered http
81/tcp   open|filtered hosts2-ns
3124/tcp open|filtered unknown
3127/tcp open|filtered unknown
3128/tcp open|filtered squid-http
8008/tcp open|filtered http
8080/tcp open|filtered http-proxy
8081/tcp open|filtered blackice-icecap
8888/tcp open|filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)

Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds

From a Linux (or Win XP machine):

$ sudo ./nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:51 BST
Nmap scan report for 192.168.1.112
Host is up (0.000060s latency).
PORT     STATE    SERVICE
80/tcp   filtered http
81/tcp   filtered hosts2-ns
3124/tcp filtered unknown
3127/tcp filtered unknown
3128/tcp filtered squid-http
8008/tcp filtered http
8080/tcp filtered http-proxy
8081/tcp filtered blackice-icecap
8888/tcp filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)

Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds

In checking my own machine (my thought may be a virus of some sort) none of these ports are open.

So, in conclusion, as far as I can tell, if I try nmapping with -sT to ports 80,3124,3128,3127,8008,8080,8888,8081 from a Win 7 machine, to another machine, the packets just do not appear on the physical network connection (I've tried with two machines).

I've tried searches and can't find anything relevant either. Any way of debugging this further?
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
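The comparison made by hand in this thread (a -sT result set against a -sS result set from the same scanning host) can be scripted; this is an added example, not part of the original e-mail or of Nmap, and its function names are assumptions. The two sample tables are the port rows from the thread's Windows 7 -sT and -sS runs.

```python
import re

# One row of Nmap's normal-output port table, e.g. "3128/tcp open  squid-http".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)[ \t]+(\S+)[ \t]+\S+", re.MULTILINE)

def parse_ports(nmap_text):
    """Map (port, proto) -> state from Nmap normal output (stdout or -oN)."""
    return {(int(port), proto): state
            for port, proto, state in PORT_ROW.findall(nmap_text)}

def connect_only_open(connect_text, raw_text):
    """Ports a connect scan calls open but a raw-packet scan calls filtered
    or closed. Ambiguous raw states such as open|filtered are not flagged."""
    connect, raw = parse_ports(connect_text), parse_ports(raw_text)
    return sorted(port for (port, proto), state in connect.items()
                  if state == "open"
                  and raw.get((port, proto)) in ("filtered", "closed"))

# Port rows from the thread's Windows 7 runs (headers and footers dropped).
SCAN_ST = """\
80/tcp   open     http
81/tcp   filtered hosts2-ns
3124/tcp open     unknown
3127/tcp open     unknown
3128/tcp open     squid-http
8008/tcp open     http
8080/tcp open     http-proxy
8081/tcp open     blackice-icecap
8888/tcp open     sun-answerbook
"""
SCAN_SS = SCAN_ST.replace("open    ", "filtered")

if __name__ == "__main__":
    for port in connect_only_open(SCAN_ST, SCAN_SS):
        print(f"{port}/tcp: open via connect(), filtered via raw packets")
```

A port listed by this check points at something on the scanning host answering the connect() call, as the anti-virus did here, so check that host before trusting the result as a finding against the target.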