Nmap Development mailing list archives

Re: Scan of a Fortigate FW - false positives


From: David Fifield <david () bamsoftware com>
Date: Wed, 10 Oct 2012 10:55:20 -0700

On Wed, Oct 10, 2012 at 05:46:56PM +0000, Luke, Jason wrote:
> You're right, I didn't show results from one of the ports that show as
> OPEN.  Let's try this again.
> Here is the scan command; results still show many open ports:
> sudo nmap -r -p1-2850 -PS541 --packet-trace -d Y.Y.Y.Y
>
> Interesting Notes:
> Not shown: 2679 filtered ports
> Reason: 2679 no-responses
> PORT     STATE SERVICE         REASON
> 541/tcp  open  uucp-rlogin     syn-ack
> 2562/tcp open  unknown         syn-ack
> 2563/tcp open  unknown         syn-ack
> 2564/tcp open  hp-3000-telnet  syn-ack
>
> ...
> ****If they are FILTERED, why then show up as OPEN?

You are misunderstanding the output. There were 2,679 ports that didn't
respond and so are marked filtered; they are not shown in the table.
That leaves one genuinely open port (541/tcp) and there must be 170
other "open" ports in the table.

> Port 2562 is the first illegitimate port to show as open. I attached the
> full tcpdump. Looking at what is different between the responses for some
> port before 2562 and then 2562 shows:
>
> 13:16:32.401036 IP (tos 0x0, ttl 236, id 63101, offset 0, flags [none], proto TCP (6), length 40) Y.Y.Y.Y.2561 > X.X.X.X.36248: Flags [R], cksum 0xb173 (correct), seq 0, win 0, length 0
>
> 13:16:22.069935 IP (tos 0x0, ttl 11, id 55249, offset 0, flags [none], proto TCP (6), length 44) Y.Y.Y.Y.2562 > X.X.X.X.36249: Flags [S.], cksum 0x9fd9 (correct), seq 160929885, ack 2243717371, win 2048, options [mss 1460], length 0
>
> Differences are: non-open ports prior to 2561 show a RESET. Non-open ports
> after 2561 show SYN-ACKs.

The more important difference is the TTL. The spoofed SYN/ACK has a TTL
of 11, so it is definitely not coming from the target. If we guess an
initial TTL of 16, you are looking for a host 5 hops towards the target.
The next most likely initial TTL, 32, is 21 hops, which is farther than
the target itself.

So if you're trying to get an admin to find the source of the spoofed
SYN/ACKs, this is the information you need. If you just want your scan
to work, use -sT.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
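The TTL check David describes above, written out as an added example (it is not part of the thread, the attached capture, or Nmap): a small Python script that reads `tcpdump -nv` style output, takes the TTL of the target's own RST replies as a baseline, and flags SYN/ACKs whose TTL is far from that baseline, together with the hop estimates for the plausible initial TTLs. The sample capture is constructed for this example; 192.0.2.10 stands in for the target Y.Y.Y.Y and 198.51.100.7 for the scanner X.X.X.X, and the extra lines beyond the two quoted in the thread are made up.

```python
"""Flag spoofed SYN/ACKs in tcpdump verbose output by comparing TTLs.

Added example illustrating the reasoning in the thread; not part of the
thread or of Nmap. The target's own replies (here the RSTs for closed ports)
travel the same path and so arrive with about the same TTL. A SYN/ACK whose
TTL is far from that baseline did not come from the target, and the gap
between a plausible initial TTL and the observed value says roughly how many
hops away the real sender is.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Plausible initial TTLs. 16 and 32 are the guesses used in the thread;
# 64, 128 and 255 cover most current stacks.
INITIAL_TTLS = (16, 32, 64, 128, 255)

# Matches a tcpdump -v TCP line such as
# "... ttl 236, ... length 40) 192.0.2.10.2561 > 198.51.100.7.36248: Flags [R], ..."
_LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not the thread's attachment). 192.0.2.10 stands
# in for the target Y.Y.Y.Y, 198.51.100.7 for the scanner X.X.X.X. Lines two
# and three mirror the excerpt quoted in the thread; the rest are invented.
TARGET = "192.0.2.10"
SAMPLE = """\
13:16:32.400800 IP (tos 0x0, ttl 64, id 101, offset 0, flags [none], proto TCP (6), length 44) 198.51.100.7.36248 > 192.0.2.10.2561: Flags [S], cksum 0x1234 (correct), seq 2243717370, win 1024, options [mss 1460], length 0
13:16:32.401036 IP (tos 0x0, ttl 236, id 63101, offset 0, flags [none], proto TCP (6), length 40) 192.0.2.10.2561 > 198.51.100.7.36248: Flags [R], cksum 0xb173 (correct), seq 0, win 0, length 0
13:16:22.069935 IP (tos 0x0, ttl 11, id 55249, offset 0, flags [none], proto TCP (6), length 44) 192.0.2.10.2562 > 198.51.100.7.36249: Flags [S.], cksum 0x9fd9 (correct), seq 160929885, ack 2243717371, win 2048, options [mss 1460], length 0
13:16:22.070100 IP (tos 0x0, ttl 11, id 55250, offset 0, flags [none], proto TCP (6), length 44) 192.0.2.10.2563 > 198.51.100.7.36250: Flags [S.], cksum 0x9fda (correct), seq 160929886, ack 2243717372, win 2048, options [mss 1460], length 0
13:16:10.500000 IP (tos 0x0, ttl 236, id 60001, offset 0, flags [none], proto TCP (6), length 44) 192.0.2.10.541 > 198.51.100.7.36247: Flags [S.], cksum 0xabcd (correct), seq 987654321, ack 2243717371, win 65535, options [mss 1460], length 0
13:16:10.400000 IP (tos 0x0, ttl 236, id 60000, offset 0, flags [none], proto TCP (6), length 40) 192.0.2.10.540 > 198.51.100.7.36246: Flags [R], cksum 0xb172 (correct), seq 0, win 0, length 0
"""


@dataclass(frozen=True)
class Reply:
    ttl: int
    src: str
    sport: int
    flags: str  # tcpdump flag string: "S" SYN, "S." SYN/ACK, "R" RST


def parse_line(line: str):
    """Return a Reply for one tcpdump -v TCP line, or None if it does not match."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    return Reply(int(m["ttl"]), m["src"], int(m["sport"]), m["flags"])


def hop_estimates(ttl: int):
    """(initial TTL, hops) for every plausible initial TTL at or above ttl."""
    return [(init, init - ttl) for init in INITIAL_TTLS if init >= ttl]


def analyze(log: str, target: str, tolerance: int = 2):
    """Split SYN/ACKs from target into genuine and spoofed by TTL distance.

    The baseline is the most common TTL on the target's RSTs. SYN/ACKs within
    `tolerance` of it are treated as genuine; anything else is reported with
    the hop estimates for the sender.
    """
    replies = [r for r in map(parse_line, log.splitlines()) if r and r.src == target]
    rsts = [r for r in replies if r.flags == "R"]
    if not rsts:
        raise ValueError("no RST replies from target to establish a TTL baseline")
    baseline = Counter(r.ttl for r in rsts).most_common(1)[0][0]
    # Nearest plausible initial TTL at or above the baseline gives the
    # target's own distance (255 - 236 = 19 hops for the thread's values).
    target_hops = hop_estimates(baseline)[0][1]
    genuine, spoofed = [], []
    for r in replies:
        if r.flags != "S.":
            continue
        if abs(r.ttl - baseline) <= tolerance:
            genuine.append(r.sport)
        else:
            spoofed.append((r.sport, r.ttl, hop_estimates(r.ttl)))
    return {
        "baseline_ttl": baseline,
        "target_hops": target_hops,
        "open": sorted(genuine),
        "spoofed": spoofed,
    }


def main() -> None:
    report = analyze(SAMPLE, TARGET)
    print(f"target baseline TTL {report['baseline_ttl']} "
          f"(about {report['target_hops']} hops away)")
    print("genuine open ports:", report["open"])
    for sport, ttl, estimates in report["spoofed"]:
        guesses = ", ".join(f"{hops} hops if initial TTL {init}"
                            for init, hops in estimates[:2])
        print(f"port {sport}: SYN/ACK with TTL {ttl} is spoofed; sender {guesses}")


if __name__ == "__main__":
    main()
```

The script reproduces the thread's arithmetic: with a TTL of 11 the spoofer is 5 hops out for an initial TTL of 16 or 21 hops for 32, while the target's own RSTs at TTL 236 put it about 19 hops away, which is why the 32 guess is implausible. The tolerance of two hops absorbs minor path changes; real captures should be fed in as the text printed by `tcpdump -nv`, and the baseline only works when the target has at least one closed port that answers with a RST.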

