Penetration Testing mailing list archives
RE: Very strange nmap scan results
From: "Mohr, James" <James.Mohr () ParkNicollet com>
Date: Tue, 25 Sep 2007 08:09:09 -0500
I've seen similar output when I happened upon an old hub. Perhaps you can ask your client is he has any old network devices still residing in his DMZ, (assuming your client has an up to date inventory)? Cheers, Jim -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adrian Sanabria Sent: Monday, September 24, 2007 4:20 PM To: pen-test () securityfocus com Subject: Re: Very strange nmap scan results Perhaps a different kind of scan will filter those out? I've seen this happen long, long ago, but never tested different types of scans (for example, since you tried a connect scan, try a SYN scan, etc...). --Adrian On 9/22/07, Hans-J. Ullrich <hans.ullrich () loop de> wrote:
Am Freitag 21 September 2007 schrieb Juan B:Hi all, For a client in scaning his Dmz from the internet. I know the servers are behind a pix 515 without any add security features ( they dont have any ips or the didnt enabled the ips feature of the pix). they alsodont have any honeypot etc..the strange is that two I receive too many open ports! for example I scan the mail relay and although just port 25 is open it report lots of more open ports! this is the nmap scan I issued: nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt ( I changed the ip's here...) and the result for the mail relay for example are: nteresting ports on mail.cpsa.com (200.61.44.50): PORT STATE SERVICE 1/tcp open tcpmux 2/tcp open compressnet 3/tcp open compressnet 4/tcp open unknown 5/tcp open rje 6/tcp open unknown 7/tcp open echo 8/tcp filtered unknown 9/tcp open discard 10/tcp open unknown 11/tcp open systat 12/tcp open unknown 13/tcp open daytime 14/tcp open unknown 15/tcp open netstat 16/tcp open unknown 17/tcp open qotd 18/tcp filtered msp 19/tcp open chargen 20/tcp open ftp-data 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 24/tcp open priv-mail 25/tcp open smtp 26/tcp open unknown 27/tcp open nsw-fe 28/tcp open unknown 29/tcp open msg-icp 30/tcp open unknown 31/tcp open msg-auth 32/tcp open unknown 33/tcp open dsp 34/tcp open unknown this continues up to port 1024.. any ideas how to eliminate so many false positives? thanks a lot, Juan_____________________________________________________________________ ______ _________Catch up on fall's hot new shows on Yahoo! TV. Watch previews, get
listings, and more! http://tv.yahoo.com/collections/3658_____________________________________________________________________ ______ _________ Don't let your dream ride pass you by. Make it a reality with Yahoo! Autos. http://autos.yahoo.com/index.html -------------------------------------------------------------------- ---- This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads -------------------------------------------------------------------- ----Hi Juan ! Yes, this happnes, when there is a "firewall" running. I have portsentry running, and when I do a portscan, it seems, every ports
are available.
Indeed, they are not ! And if someone is scanning me, portsentry has already detected it and is executing the preconfigurated task (i.e. logging, diconnecting, putting IP into /etc/hosts.deny or whatever I told it) Best regards Hans ---------------------------------------------------------------------- -- This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ---------------------------------------------------------------------- --
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Very strange nmap scan results Juan B (Sep 22)
- Re: Very strange nmap scan results Hans-J. Ullrich (Sep 22)
- Re: Very strange nmap scan results Adrian Sanabria (Sep 24)
- RE: Very strange nmap scan results Mohr, James (Sep 25)
- Re: Very strange nmap scan results Adrian Sanabria (Sep 24)
- RE: Very strange nmap scan results Rodrigo Dutra Salvalagio (Sep 24)
- <Possible follow-ups>
- Re: Very strange nmap scan results jason_jones98 (Sep 25)
- Re: Very strange nmap scan results Hans-J. Ullrich (Sep 22)