Penetration Testing mailing list archives

RE: Very strange nmap scan results

From: "Mohr, James" <James.Mohr () ParkNicollet com>
Date: Tue, 25 Sep 2007 08:09:09 -0500

I've seen similar output when I happened upon an old hub.  Perhaps you
can ask your client is he has any old network devices still residing in
his DMZ, (assuming your client has an up to date inventory)?

Cheers,
Jim

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adrian Sanabria
Sent: Monday, September 24, 2007 4:20 PM
To: pen-test () securityfocus com
Subject: Re: Very strange nmap scan results

Perhaps a different kind of scan will filter those out? I've seen this
happen long, long ago, but never tested different types of scans (for
example, since you tried a connect scan, try a SYN scan, etc...).

--Adrian

On 9/22/07, Hans-J. Ullrich <hans.ullrich () loop de> wrote:

Am Freitag 21 September 2007 schrieb Juan B:

Hi all,

For a client in scaning his Dmz from the internet.

I know the servers are behind a pix 515 without any add security 
features ( they dont have any ips or the didnt enabled the ips 
feature of the pix). they also


dont have any honeypot etc..

the strange is that two I receive too many open ports!
for example I scan the mail relay and although just port 25 is 
open it report lots of more open ports!
this is the nmap scan I issued:

nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt

( I changed the ip's here...)

and the result for the mail relay for example are:


nteresting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
1/tcp    open     tcpmux
2/tcp    open     compressnet
3/tcp    open     compressnet
4/tcp    open     unknown
5/tcp    open     rje
6/tcp    open     unknown
7/tcp    open     echo
8/tcp    filtered unknown
9/tcp    open     discard
10/tcp   open     unknown
11/tcp   open     systat
12/tcp   open     unknown
13/tcp   open     daytime
14/tcp   open     unknown
15/tcp   open     netstat
16/tcp   open     unknown
17/tcp   open     qotd
18/tcp   filtered msp
19/tcp   open     chargen
20/tcp   open     ftp-data
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
24/tcp   open     priv-mail
25/tcp   open     smtp
26/tcp   open     unknown
27/tcp   open     nsw-fe
28/tcp   open     unknown
29/tcp   open     msg-icp
30/tcp   open     unknown
31/tcp   open     msg-auth
32/tcp   open     unknown
33/tcp   open     dsp
34/tcp   open     unknown

this continues up to port 1024..

any ideas how to eliminate so many false positives?

thanks a lot,

Juan



_____________________________________________________________________
______
_________

Catch up on fall's hot new shows on Yahoo! TV. Watch previews, get

listings, and more!
http://tv.yahoo.com/collections/3658




_____________________________________________________________________
______ _________ Don't let your dream ride pass you by. Make it a 
reality with  Yahoo! Autos. http://autos.yahoo.com/index.html




--------------------------------------------------------------------
----
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
--------------------------------------------------------------------
----


Hi Juan !

Yes, this happnes, when there is a "firewall" running. I have 
portsentry running, and when I do a portscan, it seems, every ports

are available.

Indeed, they are not ! And if someone is scanning me, portsentry has 
already detected it and is executing the preconfigurated task (i.e. 
logging, diconnecting, putting IP into /etc/hosts.deny or whatever I 
told it)

Best regards

Hans


----------------------------------------------------------------------
--
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
----------------------------------------------------------------------
--


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Very strange nmap scan results Juan B (Sep 22)
- Re: Very strange nmap scan results Hans-J. Ullrich (Sep 22)
  - Re: Very strange nmap scan results Adrian Sanabria (Sep 24)
    - RE: Very strange nmap scan results Mohr, James (Sep 25)
- RE: Very strange nmap scan results Rodrigo Dutra Salvalagio (Sep 24)
- <Possible follow-ups>
- Re: Very strange nmap scan results jason_jones98 (Sep 25)