Nmap Development mailing list archives

Re: False positive 21/tcp open on Windows?


From: kx <kxmail () gmail com>
Date: Wed, 26 Jul 2006 21:44:41 -0400

I can't duplicate the behavior with nmap 4.20ALPHA3 - would you mind
trying to duplicate it with the newest version, 4.20ALPHA4?

http://www.insecure.org/nmap/dist/nmap-4.20ALPHA4-win32.zip

-kx

nmap -sT -p79-81 192.168.1.1

Starting Nmap 4.20ALPHA3 ( http://www.insecure.org/nmap ) at
2006-07-26 21:36 Eastern Daylight Time
Interesting ports on 192.168.1.1:
PORT   STATE    SERVICE
79/tcp filtered finger
80/tcp open     http
81/tcp filtered hosts2-ns
MAC Address: 00:04:5A:EF:AE:13 (The Linksys Group)

Nmap finished: 1 IP address (1 host up) scanned in 12.156 seconds

nmap -sS -p79-81 192.168.1.1

Starting Nmap 4.20ALPHA3 ( http://www.insecure.org/nmap ) at 2006-07-26 21:39 Eastern Daylight Time
Interesting ports on 192.168.1.1:
PORT   STATE  SERVICE
79/tcp closed finger
80/tcp open   http
81/tcp closed hosts2-ns
MAC Address: 00:04:5A:EF:AE:13 (The Linksys Group)

Nmap finished: 1 IP address (1 host up) scanned in 1.062 seconds

On 7/26/06, Rob Nicholls <robert () refreshdaily com> wrote:
Forgive me if I'm doing something silly and haven't realised it, but I'm
getting inconsistent results when performing -sS and -sT scans against
port 21/tcp when using win32 versions of nmap. When performing a Connect()
Scan it will return 21/tcp open, even when I know nothing is listening.
Running a Connect() Scan using the linux client (or doing -sS on Windows)
gives me the correct result.

I used Ethereal to see what was going on, and I can't see anything being
sent on port 21. nmap states "The Connect() Scan took 0.00s to scan 1
total ports." which worries me, as it shouldn't be that quick (scanning
just port 20 or 22 takes 0.98s and these show up in Ethereal).

I first noticed it against a VMWare virtual machine, but it seems to also
happen when scanning any other host too (either systems on the same subnet
at work or over the internet to a router at home - and even from a machine
at home against machines at work), including hosts that I know do not
exist (obviously using -P0).

I've managed to reproduce this with different versions of nmap (4.01,
4.03, 4.10, 4.11, 4.20Alpha4) on three different Windows hosts (two
running XP SP2, one running 2003 SP1), but the two Linux hosts (Backtrack
under VMWare with a bridged network connection on one of the Windows
hosts, and a proper installation of Fedora Core 3 on a standalone machine)
correctly identify the port as closed.

I don't think it makes any difference, but I've been using WinPcap 3.2
alpha, briefly dropped down to 3.1 and I'm now using 4.0alpha1.

I scanned (from home, hence using 4.01, but the same thing happens in
4.11) my machine at work. I had Windows Firewall (XP SP2) turned on, with
no exceptions allowed, so it should silently drop everything:

nmap xxx.xxx.xx.xx -p 20-22 -sT -P0

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-07-26 13:21
GMT Daylight Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh

Nmap finished: 1 IP address (1 host up) scanned in 11.390 seconds

nmap xxx.xxx.xx.xx -p 20-22 -sS -P0

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-07-26 13:21
GMT Daylight Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh

Nmap finished: 1 IP address (1 host up) scanned in 3.610 seconds

When running scans against the current version of BackTrack (running under
VMWare), I get the following:

nmap -sS xxx.xxx.xx.xx -p 20-22

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 13:27
GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
MAC Address: 00:0C:29:97:FA:9C (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 0.771 seconds

nmap -sT xxx.xxx.xx.xx -p 20-22

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 13:27
GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
MAC Address: 00:0C:29:97:FA:9C (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 12.137 seconds

Doing a quick netstat on BackTrack reveals nothing is listening.

I hope that's enough info for you to work with, but this seems fairly
reproducible here, and I was surprised I couldn't see anything mentioned
in the mailing list archives. Which makes me think maybe it's my mistake.
I hope someone else can confirm this behaviour, or let me know how I can
fix this.


Rob Nicholls



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
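The check Rob is doing by hand above (put the -sS and -sT port tables side by side, then confirm with Ethereal and netstat that nothing really listens on 21/tcp) can be scripted. The block below is an added example, not code from this thread or from the Nmap project: it parses Nmap's normal-output port table, lists the ports whose state differs between the SYN scan and the connect scan, flags the contradictory combination (connect scan says open while the SYN scan never saw a SYN/ACK), and re-probes a port with an ordinary TCP connect() so an "open" can be verified without Nmap or WinPcap in the loop. The two embedded scan tables are the 20-22 results quoted in the thread; the target address stays masked as in the post, and the loopback listener in demo_local_probe() is constructed for the example.

```python
"""Reconcile Nmap -sS and -sT port tables and re-verify a port with connect().

Added example; not code from the nmap-dev thread or the Nmap project. It
parses Nmap's normal-output port table, lists ports whose state differs
between a SYN scan and a connect scan, flags the contradictory case
(connect scan "open" while the SYN scan saw no SYN/ACK) and re-probes a
port with a plain TCP connect() so the "open" can be checked without Nmap.
"""
import re
import socket

# Constructed sample input: the two scans of the firewalled XP SP2 host
# quoted in the thread (Nmap 4.01 on Windows, -sS vs -sT on ports 20-22).
SYN_SCAN = """\
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
"""

CONNECT_SCAN = """\
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
"""

# One row of Nmap's "PORT STATE SERVICE" table, e.g. "21/tcp open ftp".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(output):
    """Map (port, proto) -> state from Nmap normal output."""
    states = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3)
    return states


def diff_scans(syn, conn):
    """Ports whose state differs: list of (port, proto, syn_state, conn_state)."""
    out = []
    for key in sorted(set(syn) | set(conn)):
        a, b = syn.get(key, "missing"), conn.get(key, "missing")
        if a != b:
            out.append((key[0], key[1], a, b))
    return out


def contradictions(syn, conn):
    """Ports the connect scan calls open although the SYN scan got no SYN/ACK.

    A completed three-way handshake requires a SYN/ACK, which a SYN scan
    would have reported as open, so this combination points at a scanner
    or capture problem rather than at the target.
    """
    return [p for p, proto, a, b in diff_scans(syn, conn)
            if proto == "tcp" and b == "open" and a in ("closed", "filtered")]


def probe(host, port, timeout=2.0):
    """Classify a TCP port the way a connect scan should: open/closed/filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # handshake completed: a listener answered
        return "open"
    except ConnectionRefusedError:   # RST came back: nothing listening
        return "closed"
    except OSError:                  # timeout or unreachable: no answer at all
        return "filtered"
    finally:
        s.close()


def demo_local_probe():
    """Probe a loopback listener, then the same port after it has closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # ephemeral port, so nothing else holds it
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    syn, conn = parse_ports(SYN_SCAN), parse_ports(CONNECT_SCAN)
    for port, proto, a, b in diff_scans(syn, conn):
        print(f"{port}/{proto}: -sS says {a}, -sT says {b}")
    print("needs independent verification:", contradictions(syn, conn))
    print("loopback probe (listening, after close):", demo_local_probe())
```

On the thread's sample tables the only disagreement is 21/tcp (filtered under -sS, open under -sT), and it is also the one contradiction. A probe() that returns "closed" or "filtered" for a port the connect scan reported open, together with an empty capture for that port, is the same evidence Rob gathered with Ethereal and netstat, just without relying on either scanner path.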


