Security Basics mailing list archives
Re: Help understanding NMAP results
From: "forums () kentane net" <forums () kentane net>
Date: Tue, 12 Jul 2005 09:12:09 +0200 (SAST)
Theo I have experienced something similar here. I am in South Africa, and we have a serious shortage of bandwidth here. Actually, it's just damn expensive. So what a lot of ISPs do is to have a transparent proxy. What I have seen from the ISP my previous company was using is that for every port scan that I did to my clients, port 80 was always open. It turns out that it was caused by a transparent proxy. This could be what you're experiencing My 2c Ciao ------------------------- Original Message: From: Theodore Wynnychenko <t-wynnychenko () northwestern edu> To: security-basics () securityfocus com Date: Thursday, July 7 2005 00:05 Subject: Help understanding NMAP results Hello: Well, hopefully this isn't too "stupid" a question to ask, but I have to ask anyway. I am nothing like a "computer security expert," (my job has nothing to do with IT) but I have been playing with old computers and Linux in my spare time (always learning). Anyway, I have an old computer that runs LEAF LRP (linux kernel 2.4.27 or so) as an external firewall to my home network. This system basically uses Shorewall to administer IPTABLES, and is set to default DROP any packets comming in on the exernal NIC. In the past, I did some basic port scans against myself using "online scanners", and always got back information indicating that no ports were responding (everything was "Stealth" - everything silently dropped). So, while looking around, I came across NMAP, and decided to use it to scan myself. Went over to a friend's house, and ran an NMAP scan against myself (nmap -sS -v -P0 -O xx.xx.xx.xx), and it says "Discovered open port 5190/tcp". Now, this really confuses me. When I scan myself using "online" scanners (directed specifically at 5190), I get back that packets were dropped/"stealthed," but NMAP says its open. I added a specific rule (in addition to the default drop policy) to drop anything to tcp 5190, but this made no difference. The "online" scanners still say nothing there, NMAP still says its open. NMAPs OS identification gives me several possibilities including "Linux 2.4.x|2.5.x," so NMAP does seem to be getting some imformation from the firewall. TCP 5190 is apparently related to AOL IM, but this is not something I have ever used, and I can't think of any reason why the LEAF Firewall would have it open. What am I missing? Thanks in advance for any help. bye - ted
Current thread:
- Help understanding NMAP results Theodore Wynnychenko (Jul 11)
- Re: Help understanding NMAP results Nikolai Alexandrov (Jul 12)
- Re: Help understanding NMAP results Emmanuel Goldstein (Jul 12)
- Re: Help understanding NMAP results forums () kentane net (Jul 12)
- Re: Help understanding NMAP results cygnuz1979 (Jul 12)
- Re: Help understanding NMAP results Sander (Jul 26)
- <Possible follow-ups>
- Re: Help understanding NMAP results mike king (Jul 12)