Nmap Development mailing list archives

Re: False positive 21/tcp open on Windows?


From: "Rob Nicholls" <robert () refreshdaily com>
Date: Thu, 27 Jul 2006 11:07:50 +0100 (BST)

Thanks for confirming what I've seen.

Kurt Grutzmacher emailed me directly, suggesting that a quirk in the
Windows Firewall is to blame ("it's been my experience that it will always
return 21/open no matter what IP address you scan"). I did a test with
4.20 alpha 4 with Windows Firewall on and then the same scan with it off.
With the firewall off, nmap behaved as expected when scanning against a
host that isn't up, so it looks like the Windows Firewall is the culprit,
although I couldn't tell you why it affects 21/tcp and nothing else.


Windows Firewall on
-------------------

Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x]
Warning: File ./nmap-os-db exists, but Nmap is using C:\tools\win32\nmap-4.20ALPHA4/nmap-os-db for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap ) at 2006-07-27 10:38 GMT Standard Time
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xx.xxx.xx
mass_rdns: Using DNS server xxx.xx.xxx.xx
NSOCK (0.0800s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #1) EID 8
NSOCK (0.0800s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 18
NSOCK (0.0800s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #2) EID 24
NSOCK (0.0800s) Read request from IOD #2 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution at 10:38
NSOCK (0.0800s) Write request for 44 bytes to IOD #1 EID 43 [xxx.xx.xxx.xx:53]:
n............36.86.153.195.in-addr.arpa.....
NSOCK (0.0900s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.0900s) Callback: CONNECT SUCCESS for EID 24 [xxx.xx.xxx.xx:53]
NSOCK (0.0900s) Callback: CONNECT SUCCESS for EID 8 [xxx.xx.xxx.xx:53]
NSOCK (0.0900s) Callback: WRITE SUCCESS for EID 43 [xxx.xx.xxx.xx:53]
NSOCK (0.1100s) Callback: READ SUCCESS for EID 18 [xxx.xx.xxx.xx:53] (120 bytes)

NSOCK (0.1100s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 50
mass_rdns: 0.04s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution at 10:38, 0.03s elapsed
Initiating System CNAME DNS resolution at 10:38
Completed System CNAME DNS resolution at 10:38, 0.00s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 10:38
Scanning xxx.xxx.xx.xx [3 ports]
CONN (0.1200s) TCP localhost > xxx.xxx.xx.xx:21 => Unknown error
CONN (0.1200s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
CONN (0.1200s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
Discovered open port 21/tcp on xxx.xxx.xx.xx
CONN (1.2310s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
CONN (1.2310s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
Completed Connect() Scan at 10:38, 11.22s elapsed (3 total ports)
Host xxx.xxx.xx.xx appears to be up ... good.
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
Final times for host: srtt: 0 rttvar: 5000  to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 11.346 seconds


Windows Firewall off
--------------------

Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x]
Warning: File ./nmap-os-db exists, but Nmap is using C:\tools\win32\nmap-4.20ALPHA4/nmap-os-db for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap ) at 2006-07-27 10:37 GMT Standard Time
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xx.xxx.xx
mass_rdns: Using DNS server xxx.xx.xxx.xx
NSOCK (0.0800s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #1) EID 8
NSOCK (0.0800s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 18
NSOCK (0.0900s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #2) EID 24
NSOCK (0.0900s) Read request from IOD #2 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution at 10:37
NSOCK (0.0900s) Write request for 44 bytes to IOD #1 EID 43 [xxx.xx.xxx.xx:53]:
9n...........36.86.153.195.in-addr.arpa.....
NSOCK (0.1000s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.1000s) Callback: CONNECT SUCCESS for EID 24 [xxx.xx.xxx.xx:53]
NSOCK (0.1000s) Callback: CONNECT SUCCESS for EID 8 [xxx.xx.xxx.xx:53]
NSOCK (0.1000s) Callback: WRITE SUCCESS for EID 43 [xxx.xx.xxx.xx:53]
NSOCK (0.1300s) Callback: READ SUCCESS for EID 18 [xxx.xx.xxx.xx:53] (120 bytes)

NSOCK (0.1300s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 50
mass_rdns: 0.06s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution at 10:37, 0.03s elapsed
Initiating System CNAME DNS resolution at 10:37
Completed System CNAME DNS resolution at 10:37, 0.00s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 10:37
Scanning xxx.xxx.xx.xx [3 ports]
CONN (0.1300s) TCP localhost > xxx.xxx.xx.xx:21 => Unknown error
CONN (0.1300s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
CONN (0.1300s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
CONN (2.1330s) TCP localhost > xxx.xxx.xx.xx:20 => Unknown error
CONN (2.1330s) TCP localhost > xxx.xxx.xx.xx:22 => Unknown error
CONN (2.1330s) TCP localhost > xxx.xxx.xx.xx:21 => Unknown error
Completed Connect() Scan at 10:37, 13.01s elapsed (3 total ports)
Host xxx.xxx.xx.xx appears to be up ... good.
Interesting ports on xxx.xxx.xx.xx:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
Final times for host: srtt: -1 rttvar: -1  to: 1000000

Nmap finished: 1 IP address (1 host up) scanned in 13.149 seconds


Thanks to everyone that replied! I'll stick to running most of my nmap
scans under Linux, but it's nice to know how to get accurate results when
I'm in Windows.


Rob



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
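The thread above shows a connect() scan reporting 21/tcp open on a host that is not even up, because something on the scanning machine (Windows Firewall, per Kurt's observation) accepts the handshake on the target's behalf. An added example, not code from Rob's post or from the Nmap project: a small Python cross-check that takes the ports nmap's normal output marks open, completes a second TCP handshake itself, and then waits briefly for a server banner. A real FTP or SSH daemon greets first, so a handshake that completes but yields no data is flagged as "open-silent" for review rather than trusted. The nmap table is the firewall-on one from the post with its masked xxx address replaced by a constructed 192.0.2.10; the local listeners and the verdict names are constructed for the example. Run it from a host that does not have the firewall quirk; on the affected Windows host the second handshake would be accepted just as nmap's was, and only the missing banner would give the false positive away.

```python
"""Cross-check ports that nmap reports as 'open' with a second TCP connect
and a short banner read, separating a hollow accept (nothing behind the
port) from a real service. Added example; not nmap code."""
import re
import socket
import threading

# Constructed sample: the port table nmap printed with Windows Firewall on,
# with the post's masked xxx address replaced by a documentation address.
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on 192.0.2.10:
PORT   STATE    SERVICE
20/tcp filtered ftp-data
21/tcp open     ftp
22/tcp filtered ssh
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_tcp_ports(nmap_output):
    """Return [(port, service)] for the TCP ports nmap's normal output marks open."""
    found = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(4)))
    return found


def verify_tcp(host, port, timeout=3.0):
    """Complete the handshake ourselves and wait briefly for a server banner.

    Verdicts (names constructed for this example):
      'open-banner'  handshake done and the peer sent data first;
      'open-silent'  handshake done but nothing arrived or the peer closed
                     at once: a local firewall or proxy may have accepted on
                     the host's behalf, so the finding needs manual review;
      'refused', 'timeout', 'error' as the socket layer reports them."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "open-silent"
            return "open-banner" if data else "open-silent"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def cross_check(host, nmap_output, timeout=3.0):
    """Map each port nmap called open to the verdict of an independent connect."""
    return {port: verify_tcp(host, port, timeout)
            for port, _service in parse_open_tcp_ports(nmap_output)}


def start_local_listener(banner):
    """Constructed stand-in for a service on 127.0.0.1; returns its port.
    Accepts one connection, sends the banner (possibly empty) and closes,
    so an empty banner imitates a hollow accept with no daemon behind it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Bind and release a port so that a connect to it is refused (nothing listens)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("nmap said open:", parse_open_tcp_ports(SAMPLE_NMAP_OUTPUT))
    ftp_like = start_local_listener(b"220 constructed test banner\r\n")
    print("real service  :", verify_tcp("127.0.0.1", ftp_like))
    hollow = start_local_listener(b"")
    print("hollow accept :", verify_tcp("127.0.0.1", hollow))
    print("no listener   :", verify_tcp("127.0.0.1", unused_local_port()))
```

The banner wait is the discriminator, not the handshake: the services in the post's table (FTP, SSH) both speak first, so "open-silent" on them is suspicious. Protocols where the client speaks first (HTTP, for example) legitimately produce "open-silent", so treat that verdict as "verify by hand", not as "closed".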

