[Solved] Re: Weird nmap -sT behaviour on Windows 7

[Andy Sheen <sheen.andy () googlemail com>]

Doh!

I just this second thought to turn off my anti-virus (Avast) and it
worked as expected.

$ nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 07:27 ope
Nmap scan report for 192.168.1.112
Host is up (0.00s latency).
PORT     STATE    SERVICE
80/tcp   filtered http
81/tcp   filtered hosts2-ns
3124/tcp filtered unknown
3127/tcp filtered unknown
3128/tcp filtered squid-http
8008/tcp filtered http
8080/tcp filtered http-proxy
8081/tcp filtered blackice-icecap
8888/tcp filtered sun-answerbook
MAC Address: 00:22:4D:7C:31:06 (Mitac International)

Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds

Problem solved - I just wish I'd thought of that some 24 hours ago....

Andy
Andy Sheen wrote on Sat 12 May at 7:22 UK time
> Hi,
>
> I've spent the last day trying to get to the bottom of this with no
> avail and hope someone here can help.
>
> In the interests of security, I'm building a firewall and using nmap to
> test it. As part of my testing, I did a full portscan of the WAN side
> interface of the firewall using the TCP Connect mechanism (-sT) and
> found a number of ports were open. Looking at the logs on the firewall,
> I could find no trace of the connections in the logs (the firewall is a
> pfSense box that has the ability to packet log). Moving to an XP machine
> (and Linux - I have several systems here) and using exactly the same
> command shows the ports as filtered. Trying another Win 7 machine and
> the ports appear open.
>
> Digging further and setting up a machine with Wireshark on and port
> mirroring, I cannot see the packets coming out of the Win 7 machines at
> all. All other packets come out of the machines, just not the ones on
> those ports. If I use any of the other TCP methods, everything works as
> expected - including seeing the packets on the mirrored port.
>
> I'm using nmap version 5.51 with WinPCap 4.1.2
>
> Here are some command line results (the ports are all the ones that
> reported as open except 81 which is there as a "control" as it shows
> (correctly) filtered).
>
> > From a Win 7 machine - I have tried both I have here with the same
> results (I only see the probe on port 81 on the wireshark mirror):
> $ nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:45 ope
> Nmap scan report for 192.168.1.112
> Host is up (0.0050s latency).
> PORT     STATE    SERVICE
> 80/tcp   open     http
> 81/tcp   filtered hosts2-ns
> 3124/tcp open     unknown
> 3127/tcp open     unknown
> 3128/tcp open     squid-http
> 8008/tcp open     http
> 8080/tcp open     http-proxy
> 8081/tcp open     blackice-icecap
> 8888/tcp open     sun-answerbook
> MAC Address: 00:22:4D:7C:31:06 (Mitac International)
>
> Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds
>
> > From the same Windows 7 machine but using any of  -sS/sA/sW (I see all
> the probes on the wireshark mirror)
> $ nmap -sS -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:49 ope
> Nmap scan report for 192.168.1.112
> Host is up (0.00s latency).
> PORT     STATE    SERVICE
> 80/tcp   filtered http
> 81/tcp   filtered hosts2-ns
> 3124/tcp filtered unknown
> 3127/tcp filtered unknown
> 3128/tcp filtered squid-http
> 8008/tcp filtered http
> 8080/tcp filtered http-proxy
> 8081/tcp filtered blackice-icecap
> 8888/tcp filtered sun-answerbook
> MAC Address: 00:22:4D:7C:31:06 (Mitac International)
>
> Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds
>
> > From the same Windows 7 machine but using any of  -sM/sN/sF/sX (I see
> all the probes on the wireshark mirror)
> $ nmap -sM -p T:80,81,3124,3128,3127,8008,8080,8888,8081 192.168.1.112
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 07:15 ope
> Nmap scan report for 192.168.1.112
> Host is up (0.00s latency).
> PORT     STATE         SERVICE
> 80/tcp   open|filtered http
> 81/tcp   open|filtered hosts2-ns
> 3124/tcp open|filtered unknown
> 3127/tcp open|filtered unknown
> 3128/tcp open|filtered squid-http
> 8008/tcp open|filtered http
> 8080/tcp open|filtered http-proxy
> 8081/tcp open|filtered blackice-icecap
> 8888/tcp open|filtered sun-answerbook
> MAC Address: 00:22:4D:7C:31:06 (Mitac International)
>
> Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds
>
>
> > From a Linux (or Win XP machine):
> $ sudo  ./nmap -sT -p T:80,81,3124,3128,3127,8008,8080,8888,8081
> 192.168.1.112
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-12 06:51 BST
> Nmap scan report for 192.168.1.112
> Host is up (0.000060s latency).
> PORT     STATE    SERVICE
> 80/tcp   filtered http
> 81/tcp   filtered hosts2-ns
> 3124/tcp filtered unknown
> 3127/tcp filtered unknown
> 3128/tcp filtered squid-http
> 8008/tcp filtered http
> 8080/tcp filtered http-proxy
> 8081/tcp filtered blackice-icecap
> 8888/tcp filtered sun-answerbook
> MAC Address: 00:22:4D:7C:31:06 (Mitac International)
>
> Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds
>
> In checking my own machine (my thought may be a virus of some sort) none
> of these ports are open.
>
> So, in conclusion, as far as I can tell, if I try nmapping with -sT to
> ports 80,3124,3128,3127,8008,8080,8888,8081 from a Win 7 machine, to
> another machine, the packets just do not appear on the physical network
> connection (I've tried with two machines). I've tried searches and can't
> find anything relevant either.
>
> Any way of debugging this further?
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/