Penetration Testing mailing list archives

Re: Firewall Scan


From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 26 Jun 2009 09:23:27 -0500

IPv7 <listas.internet () gmail com> writes:

Hello Guys,

I was doing a normal TCP Scan on port 5900, when I found a strange result:

1st I did a normal TCP scan with Nmap

Onix:~# nmap -p 5900 x.x.x.x

Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
Interesting ports on x.x.x.x:
PORT     STATE  SERVICE
5900/tcp closed vnc

Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds

But.. if I use telnet/nc with this port, they can connect:
Onix:~# telnet x.x.x.x 5900
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
RFB 003.003

nmap's a pretty well known entity by the IPS vendors, and does do
things that get picked up as a port scan that normal telnet or other
means won't.  I'd guess that's the most likely reason you're seeing a
single port default scan coming back closed.

Try a -T2 or -T1 for grins to gather some more comparative data.  See
how a -sS or -sV compares (though since sS is created with the nmap
raw packet driver, it seems to stick out like a sore thumb even more
than a default scan which I believe uses the more generic OS level
connect() call).

The telnet you're doing is happening from the same host you're doing
nmap from, right?  If so, then that eliminates a notion that maybe
your IP is getting blocked.

Running a sniffer on your connection might be useful and you can
compare in detail what's going on in various connect methods and maybe
divine what's going on.  --packet-trace in nmap is something you may
wanna turn on for more details, but isn't useful in comparing to a
telnet or actual vnc client handshake.

When all else fails, there's idle scan.  Finding a host that can forge
packets without getting blocked by an upstream router becomes the big
trick though (and finding sufficient numbers of idle hosts). 

Best Regards,
--
Todd Haverkos, LPT MsCompE   Chicago, IL 
http://haverkos.com/
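As an added example (not code from the thread or from nmap), a small Python probe that does the same plain OS-level connect() telnet did and parses the 12-byte RFB ProtocolVersion greeting, so the state of port 5900 can be checked independently of what nmap reports. The loopback listener is a constructed stand-in for the poster's x.x.x.x host.

```python
import socket
import threading

RFB_BANNER = b"RFB 003.003\n"  # constructed: the greeting the poster saw from telnet

def parse_rfb_version(banner: bytes):
    """Parse the 12-byte RFB ProtocolVersion greeting 'RFB xxx.yyy\\n' into
    (major, minor); return None if the bytes are not a well-formed greeting."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        return None
    major, sep, minor = banner[4:11].partition(b".")
    if sep != b"." or not (major.isdigit() and minor.isdigit()):
        return None
    return int(major), int(minor)

def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Plain OS-level connect() (what telnet does) and read the 12-byte greeting.
    state: 'open' (+ banner/version), 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while len(data) < 12:
                chunk = s.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return {"state": "closed"}
    except OSError:  # includes socket.timeout
        return {"state": "filtered"}
    return {"state": "open", "banner": data, "version": parse_rfb_version(data)}

def start_fake_vnc(banner: bytes = RFB_BANNER) -> int:
    """Constructed stand-in for the x.x.x.x host: a loopback listener that sends
    `banner` to the first client and closes. Returns the port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_vnc("127.0.0.1", start_fake_vnc()))  # state 'open', version (3, 3)
```

Running this against the real host from the same machine as the nmap scan gives a second data point to compare with the sniffer output the reply suggests.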
