Firewall Wizards mailing list archives
RE: Strange open ports on windows machines
From: Christoph Schneeberger <cschnee () telemedia ch>
Date: Mon, 25 Oct 1999 10:06:59 +0100
Hi All,

Thanks for all your help and more or less useful hints. I want to thank especially:

- Michael H. Warfield for his explanation of how toasted the customer is.
- Russ Cooper for a) his superb explanation of ports 1027 and 1030 and b) for his misunderstanding of what those results I posted really mean (Sorry Russ, you were so offroad with your harddisk destroying technique that I have to counter, but that's not the topic of this list, offending people...).
- Rodney van den Oever and Thomas Lopatic for pointing out the real problem:

The ISP of the customer filters tcp 12345 and udp 31337 on his border routers; however, other ports which I think should be filtered instead of those, like i.e. udp/tcp 135-137, are permitted. That's why nmap returns i.e. 12345 as listening. Who would expect one of the largest Swiss ISPs to be so shortsighted? Netbus and BO2K can be run on any port, and I guess that's the approach an attacker takes.

I was able to reproduce this in my testing environment by setting up the following acl and portscanning a machine behind that router which definitely hasn't netbus running or 12345 open:

    deny tcp any any eq 12345
    permit ip any any

To quote Thomas Lopatic with his fine explanation of what was going on:
    12345   filtered   tcp   NetBus
    31337   open       udp   BackOrifice
"filtered" means that there was a timeout when nmap tried to connect to port 12345. Hence, this port is probably filtered at some firewall between you and the computer you scanned.
The same is probably true for port 31337. UDP scanning works as follows. nmap sends a UDP packet to a port and then waits for an ICMP port unreachable message, which indicates that there is no service listening at that particular port. If it does not get an ICMP port unreachable message, nmap will tell you that there is a service that listens at the port.
If the UDP message is filtered at an intermediate firewall, then the computer will never see that UDP packet and you will never get an ICMP port unreachable - and nmap thinks that there is some listening service.
I think that this is the most plausible explanation. A packet filter that protects the network that you have scanned.
Thanks for all your help and I hope somebody else can profit from this information too.

Cheers,
Christoph

Christoph Schneeberger / SCS TeleMedia
cschnee () telemedia ch / Liestalerstrasse 47
4419 Lupsingen / http://www.telemedia.ch
tel +41 61 915 9155 / fax +41 61 911 0714
PGP-Key http://www.telemedia.ch/pgpkeys/cschnee.asc

This e-mail is confidential and may be privileged. It may be read, copied and used only by the addressee. If you have received it in error, please contact us immediately.
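
The effect explained in the message above, as an added example that is not part of the original post: a Python simulation (no packets are sent) of a host with nothing listening behind a router that filters tcp 12345 and udp 31337, interpreted the way the quoted explanation describes. The rule tuple, the function names and the silent-drop behaviour of the filter are assumptions made for illustration; current Nmap releases label the no-response UDP case open|filtered rather than open.

```python
# Constructed simulation of the scan results discussed above; offline only.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "deny" or "permit"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    port: Optional[int]    # None matches every destination port

# Border-router filtering as described in the post (rule syntax simplified).
ISP_ACL = [
    Rule("deny", "tcp", 12345),
    Rule("deny", "udp", 31337),
    Rule("permit", "ip", None),
]

def acl_permits(acl, proto, port):
    """First matching rule wins; implicit deny at the end, as on a router."""
    for rule in acl:
        if rule.proto in (proto, "ip") and rule.port in (port, None):
            return rule.action == "permit"
    return False

def probe(acl, listeners, proto, port):
    """Return what the scanner receives, or None on timeout.
    Assumption: the filter drops silently, without sending an ICMP error."""
    if not acl_permits(acl, proto, port):
        return None                              # probe never reaches the host
    if proto == "tcp":
        return "SYN/ACK" if (proto, port) in listeners else "RST"
    # UDP: a closed port answers with ICMP port unreachable,
    # a listening service usually stays silent.
    return None if (proto, port) in listeners else "ICMP port unreachable"

def classify(proto, response):
    """Interpret the response the way the quoted explanation describes."""
    if proto == "tcp":
        return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[response]
    return "closed" if response == "ICMP port unreachable" else "open"

def scan(acl, listeners, targets):
    return {f"{port}/{proto}": classify(proto, probe(acl, listeners, proto, port))
            for proto, port in targets}

if __name__ == "__main__":
    clean_host = set()                           # nothing listening at all
    targets = [("tcp", 12345), ("udp", 31337), ("tcp", 80), ("udp", 53)]
    print(scan(ISP_ACL, clean_host, targets))    # filtered path
    print(scan([Rule("permit", "ip", None)], clean_host, targets))  # direct path
```

Comparing the two printed results shows the same clean host reported as "filtered" on 12345/tcp and "open" on 31337/udp only when the filter sits in the path.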