Penetration Testing mailing list archives
Re: Firewall Scan
From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 26 Jun 2009 09:23:27 -0500
IPv7 <listas.internet () gmail com> writes:
> Hello Guys,
>
> I was doing a normal TCP Scan on port 5900, when I found a strange result:
>
> 1st I did a normal TCP scan with Nmap:
>
> Onix:~# nmap -p 5900 x.x.x.x
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
> Interesting ports on x.x.x.x:
> PORT     STATE  SERVICE
> 5900/tcp closed vnc
>
> Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds
>
> But.. if I use telnet/nc with this port, they can connect:
>
> Onix:~# telnet x.x.x.x 5900
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> RFB 003.003
nmap's a pretty well known entity by the IPS vendors, and does do things that get picked up as a port scan that normal telnet or other means won't. I'd guess that's the most likely reason you're seeing a single port default scan coming back closed.

Try a -T2 or -T1 for grins to gather some more comparative data. See how a -sS or -sV compares (though since sS is created with the nmap raw packet driver, it seems to stick out like a sore thumb even more than a default scan which I believe uses the more generic OS level connect() call).

The telnet you're doing is happening from the same host you're doing nmap from, right? If so, then that eliminates a notion that maybe your IP is getting blocked.

Running a sniffer on your connection might be useful and you can compare in detail what's going on in various connect methods and maybe divine what's going on. --packet-trace in nmap is something you may wanna turn on for more details, but isn't useful in comparing to a telnet or actual vnc client handshake.

When all else fails, there's idle scan. Finding a host that can forge packets without getting blocked by an upstream router becomes the big trick though (and finding sufficient numbers of idle hosts).

Best Regards,
--
Todd Haverkos, LPT MsCompE
Chicago, IL
http://haverkos.com/
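The comparison the thread is about (a scanner reporting 5900/tcp closed while a plain connect() gets the "RFB 003.003" greeting) can be reproduced independently of any scanner with an ordinary socket connect and a read of the RFB ProtocolVersion message. The code below is an added example for this archive page, not something posted in the thread; the host, the 12-byte RFB greeting format and the discrepancy labels are assumptions from the RFB protocol and the reply above.

```python
import re
import socket

# RFB ProtocolVersion message is exactly 12 bytes: b"RFB xxx.yyy\n"
RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_rfb_version(banner: bytes):
    """Return (major, minor) from an RFB greeting, or None if malformed."""
    m = RFB_VERSION_RE.match(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def grab_rfb_banner(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Plain OS-level connect() plus a read of the first 12 bytes, i.e. what
    telnet/nc would see. 'closed' = RST, 'filtered' = timeout/no route."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = b""
            while len(banner) < 12:
                chunk = s.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
    except ConnectionRefusedError:
        return {"state": "closed"}
    except (socket.timeout, OSError):
        return {"state": "filtered"}
    return {"state": "open", "banner": banner,
            "version": parse_rfb_version(banner)}


def compare_with_nmap(nmap_state: str, connect_result: dict) -> str:
    """Label the outcome: 'consistent' when both agree, 'scanner_suppressed'
    when connect() succeeds but the scanner saw closed/filtered (the symptom
    in the thread, typically an inline IPS reacting to scanner traffic)."""
    if nmap_state == connect_result["state"]:
        return "consistent"
    if connect_result["state"] == "open":
        return "scanner_suppressed"
    return "inconsistent"


if __name__ == "__main__":
    # "x.x.x.x" is the redacted target from the thread; substitute a host you own.
    result = grab_rfb_banner("x.x.x.x")
    print(result, compare_with_nmap("closed", result))
```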