Nmap Development mailing list archives
Re: False positive 21/tcp open on Windows?
From: kx <kxmail () gmail com>
Date: Wed, 26 Jul 2006 21:44:41 -0400
I can't duplicate the behavior with nmap 4.20ALPHA3 - would you mind trying to duplicate it with the newest version, 4.20ALPHA4? http://www.insecure.org/nmap/dist/nmap-4.20ALPHA4-win32.zip -kx
nmap -sT -p79-81 192.168.1.1

Starting Nmap 4.20ALPHA3 ( http://www.insecure.org/nmap ) at 2006-07-26 21:36 Eastern Daylight Time
Interesting ports on 192.168.1.1:
PORT   STATE    SERVICE
79/tcp filtered finger
80/tcp open     http
81/tcp filtered hosts2-ns
MAC Address: 00:04:5A:EF:AE:13 (The Linksys Group)

Nmap finished: 1 IP address (1 host up) scanned in 12.156 seconds

nmap -sS -p79-81 192.168.1.1

Starting Nmap 4.20ALPHA3 ( http://www.insecure.org/nmap ) at 2006-07-26 21:39 Eastern Daylight Time
Interesting ports on 192.168.1.1:
PORT   STATE  SERVICE
79/tcp closed finger
80/tcp open   http
81/tcp closed hosts2-ns
MAC Address: 00:04:5A:EF:AE:13 (The Linksys Group)

Nmap finished: 1 IP address (1 host up) scanned in 1.062 seconds

On 7/26/06, Rob Nicholls <robert () refreshdaily com> wrote:
Forgive me if I'm doing something silly and haven't realised it, but I'm getting inconsistent results when performing -sS and -sT scans against port 21/tcp when using win32 versions of nmap. When performing a Connect() Scan it will return 21/tcp open, even when I know nothing is listening. Running a Connect() Scan using the linux client (or doing -sS on Windows) gives me the correct result.

I used Ethereal to see what was going on, and I can't see anything being sent on port 21. nmap states "The Connect() Scan took 0.00s to scan 1 total ports." which worries me, as it shouldn't be that quick (scanning just port 20 or 22 takes 0.98s and these show up in Ethereal).

I first noticed it against a VMWare virtual machine, but it seems to also happen when scanning any other host too (either systems on the same subnet at work or over the internet to a router at home - and even from a machine at home against machines at work), including hosts that I know do not exist (obviously using -P0).

I've managed to reproduce this with different versions of nmap (4.01, 4.03, 4.10, 4.11, 4.20Alpha4) on three different Windows hosts (two running XP SP2, one running 2003 SP1), but the two Linux hosts (Backtrack under VMWare with a bridged network connection on one of the Windows hosts, and a proper installation of Fedora Core 3 on a standalone machine) correctly identify the port as closed. I don't think it makes any difference, but I've been using WinPcap 3.2 alpha, briefly dropped down to 3.1 and I'm now using 4.0alpha1.

I scanned (from home, hence using 4.01, but the same thing happens in 4.11) my machine at work. I had Windows Firewall (XP SP2) turned on, with no exceptions allowed, so it should silently drop everything:

nmap xxx.xxx.xx.xx -p 20-22 -sT -P0

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-07-26 13:21 GMT Daylight Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh

Nmap finished: 1 IP address (1 host up) scanned in 11.390 seconds

nmap xxx.xxx.xx.xx -p 20-22 -sS -P0

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-07-26 13:21 GMT Daylight Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh

Nmap finished: 1 IP address (1 host up) scanned in 3.610 seconds

When running scans against the current version of BackTrack (running under VMWare), I get the following:

nmap -sS xxx.xxx.xx.xx -p 20-22

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 13:27 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE  SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp closed ssh
MAC Address: 00:0C:29:97:FA:9C (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 0.771 seconds

nmap -sT xxx.xxx.xx.xx -p 20-22

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 13:27 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
MAC Address: 00:0C:29:97:FA:9C (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 12.137 seconds

Doing a quick netstat on BackTrack reveals nothing is listening.

I hope that's enough info for you to work with, but this seems fairly reproducible here, and I was surprised I couldn't see anything mentioned in the mailing list archives. Which makes me think maybe it's my mistake. I hope someone else can confirm this behaviour, or let me know how I can fix this.

Rob Nicholls

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
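An added example, not code from the thread or from Nmap, of the cross-check the report performs by hand: re-probe the disputed port with a plain connect(), classify the outcome the way a connect scan reports it (open / closed / filtered), record the elapsed time, and compare it with the scanner's verdict so a disagreement is confirmed with a packet capture rather than trusted. The listener, port and scanner verdicts in demo() are constructed on 127.0.0.1 so the example runs offline.

```python
import socket
import time


def probe_tcp(host, port, timeout=2.0):
    """Independent connect() probe. Completed handshake -> 'open';
    RST (ECONNREFUSED) -> 'closed'; no answer within timeout -> 'filtered'.
    Returns (state, elapsed_seconds)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except (socket.timeout, TimeoutError):
        state = "filtered"
    except OSError:
        # Unreachable network/host: nothing came back, so report it as filtered.
        state = "filtered"
    finally:
        sock.close()
    return state, time.monotonic() - start


def cross_check(host, port, scanner_state, timeout=2.0):
    """Compare a scanner's reported state with the independent probe.
    'agree' is False when the two disagree; elapsed time is kept because a
    near-zero duration with no packets on the wire is itself a warning sign."""
    probe_state, elapsed = probe_tcp(host, port, timeout)
    return {"port": port, "scanner": scanner_state, "probe": probe_state,
            "agree": probe_state == scanner_state, "elapsed_s": round(elapsed, 3)}


def demo():
    """Constructed reproduction: a real listener on 127.0.0.1, then the same
    port once the listener is gone. The scanner verdict is a constructed
    'open' both times, standing in for the disputed -sT result."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    really_open = cross_check("127.0.0.1", port, "open")   # probe agrees
    srv.close()
    false_open = cross_check("127.0.0.1", port, "open")    # probe says closed
    return really_open, false_open


if __name__ == "__main__":
    for r in demo():
        note = "" if r["agree"] else "  <-- disagreement, confirm with a packet capture"
        print(f"{r['port']}/tcp scanner={r['scanner']} probe={r['probe']} {r['elapsed_s']}s{note}")
```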
Current thread:
- False positive 21/tcp open on Windows? Rob Nicholls (Jul 26)
- Re: False positive 21/tcp open on Windows? kx (Jul 26)
- Re: False positive 21/tcp open on Windows? Professor Messer (Jul 26)
- Re: False positive 21/tcp open on Windows? Rob Nicholls (Jul 27)
- <Possible follow-ups>
- Re: False positive 21/tcp open on Windows? 4N9e Gutek (Jul 28)