Security Incidents mailing list archives

Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second


From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Thu, 26 Dec 2002 16:50:51 +0100 (MET)

On Mon, 23 Dec 2002, alfaentomega wrote:

> First I thought that they may be some ports, which are
> kind-of open, but they never finish the TCP handshake, but
> they are detected only with basic nmap scan -sT, a TCP
> connect() scan, and never by any other kind of scan,
> like -sS SYN half-open scan (if they never finish the
> handshake, then it would make more sense if -sS
> detects them, while -sT thinks they're closed, not the
> other way around - but I may be wrong here).
>
> Here are some other observations of mine:
> I ran nmap in a loop scanning TCP ports 1-10000 every
> time (first it scanned 1-65535 but higher ports were
> never open), and for 1000 ports found, there were 875
> unique ones, with lowest 1036 and highest 4989, so
> they look quite randomly distributed in this range.

Your local port range (/proc/sys/net/ipv4/ip_local_port_range)
is 1024-5000, right? You are probably seeing some autobound
sockets.

Hypothesis: one of the services listening on your machine opens a
short-lived listening socket on an automatically assigned port (i.e.
in the 1024-5000 range) when it accepts a connection. This would explain
why a SYN scan does not trigger it but a connect() scan does.

Try this:
  for each port p in 1-1023
     perform a connect() scan of p and 1024-5000

Only a small set of p, perhaps a single value of p--the hypothetical
offending service (see above)--should make the mysterious listening port
appear.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
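
The recipe above, reproduced end to end on 127.0.0.1 as an added example (this is not code from the post or from any of the software discussed in it). A constructed stand-in service opens a short-lived listening socket in the 1024-5000 range whenever it accepts a connection, which is the behaviour Pavel hypothesises; because a SYN-only probe never completes a handshake the service can accept(), only a connect() scan triggers it. The diagnostic then does what the post suggests: connect() to each candidate port p, rescan 1024-5000, and report which p made a new port appear. The 1024-5000 range, the listener lifetime and the settle delay are assumptions for the demo; a real autobound socket lands wherever ip_local_port_range points.

```python
import random
import socket
import threading
import time

HOST = "127.0.0.1"
SCAN_RANGE = range(1024, 5001)  # assumed ip_local_port_range of 1024-5000, as in the post
HOLD_SECONDS = 3.0              # constructed: lifetime of the transient listener
SETTLE_SECONDS = 0.05           # constructed: let the service react to our connect()


def _listen_in(ports):
    """Bind and listen on a random free port in `ports`.

    Stand-in for kernel autobind (bind to port 0), whose result would fall
    inside ip_local_port_range and therefore inside the scanned range.
    """
    for port in random.sample(ports, len(ports)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((HOST, port))
            sock.listen(5)
            return sock
        except OSError:
            sock.close()
    raise RuntimeError("no free port in range")


def _hold_transient_listener():
    """Keep a listener in SCAN_RANGE open for HOLD_SECONDS, then close it."""
    extra = _listen_in(SCAN_RANGE)
    deadline = time.monotonic() + HOLD_SECONDS
    while (remaining := deadline - time.monotonic()) > 0:
        extra.settimeout(remaining)
        try:
            conn, _ = extra.accept()  # scanner connections complete the handshake
            conn.close()
        except socket.timeout:
            break
    extra.close()


def start_service(opens_transient_listener):
    """Start a constructed localhost service and return its port.

    With opens_transient_listener=True every accepted connection makes the
    service open a transient listener in SCAN_RANGE (the hypothesised bug).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))  # the service itself sits on an OS-chosen port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()
            if opens_transient_listener:
                threading.Thread(target=_hold_transient_listener, daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(ports, timeout=0.2):
    """connect() scan (what nmap -sT does): ports that complete the handshake."""
    open_ports = set()
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((HOST, port))
            open_ports.add(port)
        except OSError:
            pass
        finally:
            sock.close()
    return open_ports


def find_triggering_services(candidates):
    """For each candidate p: connect() to p, rescan SCAN_RANGE, and record any
    port that was not open in the baseline scan (the post's recipe)."""
    baseline = connect_scan(SCAN_RANGE)
    triggers = {}
    for p in candidates:
        connect_scan([p])  # touch the candidate service once
        time.sleep(SETTLE_SECONDS)
        appeared = connect_scan(SCAN_RANGE) - baseline - {p}
        if appeared:
            triggers[p] = appeared
            time.sleep(HOLD_SECONDS)  # wait for the transient listener to go away
    return triggers


def demo():
    """Run the diagnostic against one well-behaved and one misbehaving service."""
    quiet = start_service(opens_transient_listener=False)
    noisy = start_service(opens_transient_listener=True)
    return quiet, noisy, find_triggering_services([quiet, noisy])


if __name__ == "__main__":
    quiet_port, noisy_port, found = demo()
    print(f"service on {quiet_port} triggered: {found.get(quiet_port, set())}")
    print(f"service on {noisy_port} triggered: {found.get(noisy_port, set())}")
```

The baseline scan matters: ports already open in 1024-5000 before any candidate is touched are not evidence of anything, so only the difference after each connect() is attributed to candidate p. On a real host the candidate list would be 1-1023 and the scan range whatever /proc/sys/net/ipv4/ip_local_port_range reports.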


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com