Nmap Development mailing list archives
Re: Scan of a Fortigate FW - false positives
From: David Fifield <david () bamsoftware com>
Date: Wed, 10 Oct 2012 10:55:20 -0700
On Wed, Oct 10, 2012 at 05:46:56PM +0000, Luke, Jason wrote:
> You're right, I didn't show results from one of the ports that show as
> OPEN. Let's try this again. Here is the scan command; results still show
> many open ports:
>
> sudo nmap -r -p1-2850 -PS541 --packet-trace -d Y.Y.Y.Y
>
> Interesting Notes:
> Not shown: 2679 filtered ports
> Reason: 2679 no-responses
> PORT     STATE SERVICE        REASON
> 541/tcp  open  uucp-rlogin    syn-ack
> 2562/tcp open  unknown        syn-ack
> 2563/tcp open  unknown        syn-ack
> 2564/tcp open  hp-3000-telnet syn-ack
> ...
>
> ****If they are FILTERED, why then show up as OPEN?
You are misunderstanding the output. There were 2,679 ports that didn't respond and so are marked filtered; they are not shown in the table. That leaves one genuinely open port (541/tcp) and there must be 170 other "open" ports in the table.
> Port 2652 is the first illegitimate port to show as open. I attached the
> full tcpdump. Looking at what is different between the responses for some
> port before 2562 and then 2562 shows:
>
> 13:16:32.401036 IP (tos 0x0, ttl 236, id 63101, offset 0, flags [none], proto TCP (6), length 40)
>     Y.Y.Y.Y.2561 > X.X.X.X.36248: Flags [R], cksum 0xb173 (correct), seq 0, win 0, length 0
> 13:16:22.069935 IP (tos 0x0, ttl 11, id 55249, offset 0, flags [none], proto TCP (6), length 44)
>     Y.Y.Y.Y.2562 > X.X.X.X.36249: Flags [S.], cksum 0x9fd9 (correct), seq 160929885, ack 2243717371, win 2048, options [mss 1460], length 0
>
> Differences are: non-open ports prior to 2561 show a RESET. Non-open
> ports after 2561 show SYN-ACKs.
The more important difference is the TTL. The spoofed SYN/ACK has a TTL of 11, so it is definitely not coming from the target. If we guess an initial TTL of 16, you are looking for a host 5 hops towards the target. The next most likely initial TTL, 32, is 21 hops, which is farther than the target itself. So if you're trying to get an admin to find the source of the spoofed SYN/ACKs, this is the information you need. If you just want your scan to work, use -sT.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
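The TTL check David describes, applied to the two tcpdump lines quoted in the thread, as an added example that is not part of the original thread or of Nmap: it uses the target's own RSTs as a TTL baseline, flags SYN/ACKs whose TTL is far from that baseline as not coming from the target, and lists the hop distance implied by each candidate initial TTL (16 and 32 from the thread plus the common OS defaults). The regex, the TTL-delta threshold of 8 and the field names are assumptions of this example.

```python
import re

# Constructed sample: the two responses quoted in the thread (addresses were masked there already).
SAMPLE_TRACE = """\
13:16:32.401036 IP (tos 0x0, ttl 236, id 63101, offset 0, flags [none], proto TCP (6), length 40) Y.Y.Y.Y.2561 > X.X.X.X.36248: Flags [R], cksum 0xb173 (correct), seq 0, win 0, length 0
13:16:22.069935 IP (tos 0x0, ttl 11, id 55249, offset 0, flags [none], proto TCP (6), length 44) Y.Y.Y.Y.2562 > X.X.X.X.36249: Flags [S.], cksum 0x9fd9 (correct), seq 160929885, ack 2243717371, win 2048, options [mss 1460], length 0
"""

# Assumed layout of tcpdump -v TCP lines: TTL in the IP header summary, then src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?\) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Candidate initial TTLs: 16 and 32 are the guesses from the thread, the rest are common OS defaults.
INITIAL_TTLS = (16, 32, 64, 128, 255)


def parse_line(line):
    """Extract observed TTL, responding host/port and TCP flags from one tcpdump line (None if no match)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ttl": int(m["ttl"]), "src": m["src"], "sport": int(m["sport"]), "flags": m["flags"]}


def hop_estimates(ttl):
    """Hop distance implied by each candidate initial TTL that could have decayed to the observed TTL."""
    return {init: init - ttl for init in INITIAL_TTLS if init >= ttl}


def find_spoofed_synacks(trace, max_ttl_delta=8):
    """Flag SYN/ACKs whose TTL is far from the TTL of the target's own RSTs (the baseline)."""
    packets = [p for p in (parse_line(l) for l in trace.splitlines()) if p]
    rst_ttls = [p["ttl"] for p in packets if p["flags"] == "R"]
    if not rst_ttls:
        return []  # no RST from the target, so no baseline to compare against
    baseline = max(set(rst_ttls), key=rst_ttls.count)  # most common RST TTL
    flagged = []
    for p in packets:
        if p["flags"] == "S." and abs(p["ttl"] - baseline) > max_ttl_delta:
            flagged.append({"port": p["sport"], "ttl": p["ttl"],
                            "baseline_ttl": baseline, "hops": hop_estimates(p["ttl"])})
    return flagged


if __name__ == "__main__":
    for hit in find_spoofed_synacks(SAMPLE_TRACE):
        print(f"port {hit['port']}: SYN/ACK ttl {hit['ttl']} vs RST ttl {hit['baseline_ttl']}; hops by initial TTL: {hit['hops']}")
```

For port 2562 this reports the SYN/ACK TTL 11 against the RST baseline 236 and the hop estimates 5 (initial TTL 16) and 21 (initial TTL 32) that the reply above works out by hand.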