Penetration Testing mailing list archives

Re: Very strange nmap scan results


From: "Adrian Sanabria" <adrian.sanabria () gmail com>
Date: Mon, 24 Sep 2007 17:20:26 -0400

Perhaps a different kind of scan will filter those out? I've seen this
happen long, long ago, but never tested different types of scans (for
example, since you tried a connect scan, try a SYN scan, etc...).

--Adrian

On 9/22/07, Hans-J. Ullrich <hans.ullrich () loop de> wrote:
On Friday, 21 September 2007, Juan B wrote:
Hi all,

For a client I'm scanning his DMZ from the internet.

I know the servers are behind a PIX 515 without any added security
features (they don't have any IPS, or they didn't enable the IPS feature
of the PIX). They also don't have any honeypot etc.

The strange thing is that I receive too many open ports!
For example, I scan the mail relay and although just port 25 is open,
it reports lots more open ports! This is the nmap scan I issued:

nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt

(I changed the IPs here...)

and the results for the mail relay, for example, are:


Interesting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
1/tcp    open     tcpmux
2/tcp    open     compressnet
3/tcp    open     compressnet
4/tcp    open     unknown
5/tcp    open     rje
6/tcp    open     unknown
7/tcp    open     echo
8/tcp    filtered unknown
9/tcp    open     discard
10/tcp   open     unknown
11/tcp   open     systat
12/tcp   open     unknown
13/tcp   open     daytime
14/tcp   open     unknown
15/tcp   open     netstat
16/tcp   open     unknown
17/tcp   open     qotd
18/tcp   filtered msp
19/tcp   open     chargen
20/tcp   open     ftp-data
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
24/tcp   open     priv-mail
25/tcp   open     smtp
26/tcp   open     unknown
27/tcp   open     nsw-fe
28/tcp   open     unknown
29/tcp   open     msg-icp
30/tcp   open     unknown
31/tcp   open     msg-auth
32/tcp   open     unknown
33/tcp   open     dsp
34/tcp   open     unknown

This continues up to port 1024.

Any ideas how to eliminate so many false positives?

thanks a lot,

Juan


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Hi Juan!

Yes, this happens when there is a "firewall" running. I have portsentry
running, and when I do a portscan, it seems every port is available.
Indeed, they are not! And if someone is scanning me, portsentry has already
detected it and is executing the preconfigured task (i.e. logging,
disconnecting, putting the IP into /etc/hosts.deny or whatever I told it to).

Best regards

Hans





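A triage helper for the symptom discussed in this thread, added here as an example (it is not code from any of the posters): it parses nmap normal output and flags hosts where an implausible share of scanned ports reports "open", so those ports get re-verified instead of going into the report. The sample output, the second host and the 50% threshold are constructed assumptions.

```python
"""Flag hosts in nmap normal output (-oN, also written by -oA) where an
implausible share of ports is 'open': the thread's symptom of a firewall or
PortSentry-style daemon answering every port. Added example; sample constructed."""
import re
from collections import Counter

# Constructed sample: two hosts in the scanned /28, one flooded with "open".
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
1/tcp    open     tcpmux
2/tcp    open     compressnet
7/tcp    open     echo
8/tcp    filtered unknown
18/tcp   filtered msp
25/tcp   open     smtp

Interesting ports on host2.example.com (200.61.44.51):
PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
443/tcp  closed   https
"""
HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_hosts(text):
    """Return {ip: [(port, state, service), ...]} for each host block."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(2)
            hosts[current] = []
        elif (m := PORT_RE.match(line)) and current is not None:
            hosts[current].append((int(m.group(1)), m.group(3), m.group(4)))
    return hosts

def suspicious_hosts(hosts, max_open_ratio=0.5):
    """Flag hosts with more than max_open_ratio of scanned ports 'open'; a real
    DMZ host exposes a few services, so each such port needs re-verification."""
    flagged = {}
    for ip, ports in hosts.items():
        states = Counter(state for _, state, _ in ports)
        ratio = states["open"] / len(ports) if ports else 0.0
        if ratio > max_open_ratio:
            flagged[ip] = round(ratio, 2)
    return flagged
```

Run it against the -oN file from the scan above; a flagged host is one where, as Hans describes, something other than real services is answering, and its "open" ports should be confirmed by hand (banner check, a different scan type) before they are reported.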