Security Basics mailing list archives
Re: Nmap Scan Output - PIX firewall shows ports open even when disabled?
From: "erisk" <erisk () iinet net au>
Date: Wed, 29 Oct 2003 09:44:34 +0800
It opens connection then drops after 30 seconds.. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\Documents and Settings\Administrator>netstat Active Connections Proto Local Address Foreign Address State TCP BI-ACH:1029 XXX.XXX.XXX.:ldap ESTABLISHED ----- Original Message ----- From: "Francisco Andrades" <fandrades () nextj com> To: <security-basics () securityfocus com> Sent: Tuesday, October 28, 2003 5:09 AM Subject: Re: Nmap Scan Output - PIX firewall shows ports open even when disabled?
What does telnet to those ports report? erisk wrote:Hi all, I have had this on a few instances and I was wondring if anyone can
verify
if this is something other people have found when scanning PIX's or web servers in the DMZ.. Firstly I scanned using the normal sS routine and ports were found
closed.
Following that I preceded to scan without pinging the host and the
output is
below: nmap -P0 XXX.XXX.XXX.XX Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on XXXX (X.X.X.X): (The 1596 ports scanned but not shown below are in state: filtered) Port State Service 389/tcp open ldap 1002/tcp open unknown 1720/tcp open H.323/Q.931 I have confirmed with the rulebase and the none of the ports that are
open
are defined in the rule base and everything elese is still explictly
denied
(even though PIX does it by default) by a deny IP rule. Also the
majority of
fixup protocols have been disbaled (except HTTP, SMTP). Also when I scan web servers behind the firewall with this option it
still
has the same ports open + HTTP and HTTPS... This is the third time I have had this output when using this no ping
host
option, so has anyone found the similar outputs? Could this be a common
way
to commonly identify PIX firewalls? Is there an advisory for this? And
are
there any workarounds so these ports are not shown on the no ping scan? Regards, Trev-- Francisco Andrades Grassi www.nextj.com Tlf: +58-414-125-7415 --------------------------------------------------------------------------
-
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE The Presidio integrates PGP data encryption and XML Web Services security
to
simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 --------------------------------------------------------------------------
--
--------------------------------------------------------------------------- Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------
Current thread:
- Re: The answer is, "you cant" Xphox (Oct 24)
- Nmap Scan Output - PIX firewall shows ports open even when disabled? erisk (Oct 27)
- Re: Nmap Scan Output - PIX firewall shows ports open even when disabled? Francisco Andrades (Oct 28)
- Re: Nmap Scan Output - PIX firewall shows ports open even when disabled? erisk (Oct 29)
- RE: Nmap Scan Output - PIX firewall shows ports open even when disabled? wbradd (Oct 29)
- Re: Nmap Scan Output - PIX firewall shows ports open even when disabled? Francisco Andrades (Oct 28)
- Nmap Scan Output - PIX firewall shows ports open even when disabled? erisk (Oct 27)