Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: scan shows open ports as tcpwrapped

From: "Fahad A. Saeed" <fneyaz () gmail com>
Date: Fri, 2 Nov 2012 00:49:10 +0300
Thank you Dan for your response.
My colleague posted thebquestion there.
The point is, and for example, one of the scanned machine is a MS Exchange
configured as OWA. The scan result was tcpwrapped for all ports even for
SMTP and SSL.
This doesn't make scenes. BTW we are sure MS Exchange is working fine.
When I used the same scan syntax posted before but with --packet-trace I
got all ports "closed". And I got all responses from the machine itself not
from LB\FW.
Another thing, in both syntax it shows the OS as F5 Big-IP but again it
should be Windows.

I tried also to review all packets using tcpdump and nothing there.
When traceroute is performed the traffic is as following:
Internet --> Core Router --> LB\FW --> the target (i.e MS Exchange).

Thanks again for your response.
 On Nov 2, 2012 12:30 AM, "Daniel Miller" <bonsaiviking () gmail com> wrote:


On 10/30/2012 09:28 PM, Fahad A. Saeed wrote:


I'd a scan task and I faced following result (appro. for all ports except
for really used ones i.e. ssl and smtp):

Host is up (0.032s latency).
Scanned at 2012-10-25 16:06:38 AST for 856s
PORT      STATE SERVICE    VERSION
1/tcp     open  tcpwrapped
3/tcp     open  tcpwrapped
4/tcp     open  tcpwrapped
.
.
19/tcp    open  tcpwrapped
20/tcp    open  tcpwrapped
21/tcp    open  tcpwrapped
22/tcp    open  tcpwrapped
23/tcp    open  tcpwrapped
.
.
64623/tcp open  tcpwrapped
64680/tcp open  tcpwrapped
65000/tcp open  tcpwrapped
65129/tcp open  tcpwrapped
65389/tcp open  tcpwrapped

Scan methodology was:

nmap -n -vv -A x.x.x.x --min-parallelism=50 --max-parallelism=150 -PN
-T2 -oA x.x.x.x

I'm sure that this is a firewall's or loadbalancer's game. I tried many
way
such as change source port, source IP , fragmentation, etc..

    - Do you have any idea/suggestion to bypass this case and to identify
    real services behind open ports?
    - on another hand, Do you know how to do that on firewall policy(on
any
    firewall)?

Thanks in advance.
______________________________**_________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/**mailman/listinfo/nmap-dev<http://cgi.insecure.org/mailman/listinfo/nmap-dev>
Archived at http://seclists.org/nmap-dev/

 Fahad,


I and several others answered you on security.stackexchange.com [1].
There is nothing to bypass here.

Dan

[1] http://security.stackexchange.**com/questions/23407/how-to-**
bypass-tcpwrapped-with-nmap-**scan<http://security.stackexchange.com/questions/23407/how-to-bypass-tcpwrapped-with-nmap-scan>


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: