RE: Very strange nmap scan results

From: Mohr, James (James.Mohr@ParkNicollet.com)
Date: Tue Sep 25 2007 - 09:09:09 EDT


I've seen similar output when I happened upon an old hub. Perhaps you
can ask your client if he has any old network devices still residing in
his DMZ (assuming your client has an up-to-date inventory)?

Cheers,
Jim

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Adrian Sanabria
Sent: Monday, September 24, 2007 4:20 PM
To: pen-test@securityfocus.com
Subject: Re: Very strange nmap scan results

Perhaps a different kind of scan will filter those out? I've seen this
happen long, long ago, but never tested different types of scans (for
example, since you tried a connect scan, try a SYN scan, etc...).

--Adrian

On 9/22/07, Hans-J. Ullrich <hans.ullrich@loop.de> wrote:
> On Friday, 21 September 2007, Juan B wrote:
> > > Hi all,
> > >
> > > For a client, I'm scanning his DMZ from the internet.
> > >
> > > I know the servers are behind a PIX 515 without any added security
> > > features (they don't have any IPS, or they didn't enable the IPS
> > > feature of the PIX). They also don't have any honeypot etc.
> > >
> > > The strange thing is that I receive too many open ports!
> > > For example, I scan the mail relay and although just port 25 is
> > > open, it reports lots more open ports!
> > > This is the nmap scan I issued:
> > >
> > > nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt
> > >
> > > (I changed the IPs here...)
> > >
> > > and the results for the mail relay, for example, are:
> > >
> > >
> > > Interesting ports on mail.cpsa.com (200.61.44.50):
> > > PORT STATE SERVICE
> > > 1/tcp open tcpmux
> > > 2/tcp open compressnet
> > > 3/tcp open compressnet
> > > 4/tcp open unknown
> > > 5/tcp open rje
> > > 6/tcp open unknown
> > > 7/tcp open echo
> > > 8/tcp filtered unknown
> > > 9/tcp open discard
> > > 10/tcp open unknown
> > > 11/tcp open systat
> > > 12/tcp open unknown
> > > 13/tcp open daytime
> > > 14/tcp open unknown
> > > 15/tcp open netstat
> > > 16/tcp open unknown
> > > 17/tcp open qotd
> > > 18/tcp filtered msp
> > > 19/tcp open chargen
> > > 20/tcp open ftp-data
> > > 21/tcp open ftp
> > > 22/tcp open ssh
> > > 23/tcp open telnet
> > > 24/tcp open priv-mail
> > > 25/tcp open smtp
> > > 26/tcp open unknown
> > > 27/tcp open nsw-fe
> > > 28/tcp open unknown
> > > 29/tcp open msg-icp
> > > 30/tcp open unknown
> > > 31/tcp open msg-auth
> > > 32/tcp open unknown
> > > 33/tcp open dsp
> > > 34/tcp open unknown
> > >
> > > this continues up to port 1024..
> > >
> > > any ideas how to eliminate so many false positives?
> > >
> > > thanks a lot,
> > >
> > > Juan
> >
> > --------------------------------------------------------------------
> > ----
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > --------------------------------------------------------------------
> > ----
>
> Hi Juan !
>
> Yes, this happens when there is a "firewall" running. I have
> portsentry running, and when I do a portscan, it seems every port
> is available.
> Indeed, they are not! And if someone is scanning me, portsentry has
> already detected it and is executing the preconfigured task (i.e.
> logging, disconnecting, putting the IP into /etc/hosts.deny or whatever I
> told it).
>
> Best regards
>
> Hans
>
>
>
>
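
Added example, not part of the original thread: a Python triage helper that parses nmap normal output like the listing quoted above and flags hosts where nearly every probed port reports open, the pattern the replies attribute to an intervening device rather than to real services. The host names, addresses and thresholds are constructed assumptions.

```python
import re

# Header line of a host block (old and current nmap wording), port rows, collapsed rows.
HEADER = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?\s*$")
PORT = re.compile(r"^(\d+)/tcp\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) ")

def parse_nmap_normal(text):
    """Return {host: {"open": n, "total": n}} from nmap normal (-oN) output."""
    hosts, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            cur = hosts.setdefault(m.group(1), {"open": 0, "total": 0})
        elif cur is None:
            continue
        elif m := PORT.match(line):
            cur["total"] += 1
            cur["open"] += m.group(2) == "open"
        elif m := NOT_SHOWN.match(line):
            # Ports nmap summarised on one line (closed or filtered) still count as probed.
            cur["total"] += int(m.group(1))
    return hosts

def suspect_hosts(hosts, min_ports=20, ratio=0.9):
    """Hosts whose open share is implausibly high for a real server (assumed thresholds)."""
    return sorted(h for h, c in hosts.items()
                  if c["total"] >= min_ports and c["open"] / c["total"] >= ratio)

def constructed_sample():
    """Constructed input: one host shaped like the quoted listing, one normal mail relay."""
    lines = ["Interesting ports on mail.example.test (192.0.2.50):", "PORT STATE SERVICE"]
    lines += [f"{p}/tcp {'filtered' if p in (8, 18) else 'open'} unknown"
              for p in range(1, 35)]
    lines += ["", "Interesting ports on relay.example.test (192.0.2.51):",
              "Not shown: 1023 closed ports", "PORT STATE SERVICE", "25/tcp open smtp"]
    return "\n".join(lines)

if __name__ == "__main__":
    for host in suspect_hosts(parse_nmap_normal(constructed_sample())):
        print("open-port results look unreliable, re-verify:", host)
```

Hosts flagged this way are candidates for re-checking with a different scan type, as suggested in the thread, before any port is reported as a finding.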

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:08 EDT