Nmap Development mailing list archives

Re: Scan of a Fortigate FW - false positives


From: David Fifield <david () bamsoftware com>
Date: Tue, 9 Oct 2012 16:42:31 -0700

On Tue, Oct 09, 2012 at 07:33:49PM +0000, Luke, Jason wrote:
> Originally found this issue from running a Rapid7 Nexpose scan, which
> uses NMAP for host discovery.  Repeatable on my own local version, 5.5
> and 6.0.
>
> sudo nmap --privileged -n \
>   -PS21-23,25,53,80,110-111,135,139,143,443,445,541,993,995,1723,3306,3389,3475,5900,8080,8200,9300,27249 -sS -O \
>   --osscan-guess --max-os-tries 1 -p1-2850 --max-retries 4 --max-rtt-timeout 1000ms --initial-rtt-timeout 100ms \
>   --defeat-rst-ratelimit --min-rate 200 --max-rate 3000 -r X.X.X.X
>
> If I set the # of ports to scan to anything higher than about 2850, I get
> many false "open" ports shown.  I had started with all ports and have
> narrowed it down to around that 2850 number.
>
> It seems obvious that there is some IDS/IPS functionality somewhere
> causing the interference but I have seen the firewall config and see
> nothing untoward. I have gone round and round with the ISP and they
> vehemently claim no such interference.

We have seen some problems related to false SYN/ACKs recently:
    http://seclists.org/nmap-dev/2012/q3/864
    http://seclists.org/nmap-dev/2012/q3/872
    http://seclists.org/nmap-dev/2012/q3/949
The assertion failures have been fixed in Subversion, but it is still a
problem when scanning something that sends SYN/ACK for ports that are not
open. I suspect the same as you: that there is some middlebox that
starts speculatively sending SYN/ACKs when the load gets high enough.

You can try -sT scan instead of the default -sS. That will do a full TCP
handshake and weed out the ports that aren't really open.

You can also try checking the TTLs of the spoofed SYN/ACKs. They will
likely be different from the genuine SYN/ACKs, and can give you a clue
as to where in the network path the spoofing is happening.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
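The TTL check suggested in the reply above can be done offline on a capture of the scan's replies. The following is an added example, not code from the thread or from Nmap: it parses SYN/ACK replies from text modelled on `tcpdump -nv` output (the two lines tcpdump prints per packet are assumed to have been joined onto one), groups the answering ports by IP TTL, estimates each group's hop distance from the nearest common initial TTL, and flags every port whose TTL differs from that of ports already confirmed open by a full-handshake `-sT` scan. The addresses, ports and TTL values in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample capture (not real data): SYN scan replies as printed by
# `tcpdump -nv`, with each packet's two output lines joined onto one line.
# Ports 22 and 443 answer from a TTL of 53; the run of high ports answers with
# a TTL of 61, i.e. from somewhere closer to the scanner; 25 answers with RST.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 44) 203.0.113.10.22 > 198.51.100.7.40001: Flags [S.], seq 10, ack 1, win 5840, options [mss 1460], length 0
IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 44) 203.0.113.10.443 > 198.51.100.7.40002: Flags [S.], seq 11, ack 1, win 5840, options [mss 1460], length 0
IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 40) 203.0.113.10.25 > 198.51.100.7.40003: Flags [R.], seq 0, ack 1, win 0, length 0
IP (tos 0x0, ttl 61, id 0, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.10.2851 > 198.51.100.7.40004: Flags [S.], seq 0, ack 1, win 8192, length 0
IP (tos 0x0, ttl 61, id 0, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.10.2852 > 198.51.100.7.40005: Flags [S.], seq 0, ack 1, win 8192, length 0
IP (tos 0x0, ttl 61, id 0, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.10.2853 > 198.51.100.7.40006: Flags [S.], seq 0, ack 1, win 8192, length 0
"""

# Pulls the IP TTL, source (the scanned host) and TCP flags out of one joined line.
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?length \d+\) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_synacks(capture):
    """Return (host, port, ttl) for every SYN/ACK ([S.]) reply; RSTs are ignored."""
    replies = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("flags") == "S.":
            replies.append((m.group("src"), int(m.group("sport")), int(m.group("ttl"))))
    return replies


def estimate_hops(ttl):
    """Hops travelled, assuming the sender started from the nearest common
    initial TTL (64, 128 or 255). A rough estimate, good enough to compare groups."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def cluster_by_ttl(synacks):
    """Map each observed TTL to the sorted ports that answered with it."""
    clusters = defaultdict(set)
    for _, port, ttl in synacks:
        clusters[ttl].add(port)
    return {ttl: sorted(ports) for ttl, ports in clusters.items()}


def suspect_ports(synacks, reference_ports):
    """Ports whose SYN/ACK TTL differs from the TTL seen on reference ports
    (ports confirmed open by a full-handshake -sT scan). Assumes the genuine
    host answers all its ports from one TTL; raises if the references disagree."""
    ref_ttls = {ttl for _, port, ttl in synacks if port in reference_ports}
    if len(ref_ttls) != 1:
        raise ValueError(f"reference ports answered with TTLs {sorted(ref_ttls)}")
    (ref_ttl,) = ref_ttls
    return sorted(port for _, port, ttl in synacks if ttl != ref_ttl)


if __name__ == "__main__":
    synacks = parse_synacks(SAMPLE_CAPTURE)
    for ttl, ports in sorted(cluster_by_ttl(synacks).items()):
        print(f"ttl {ttl:3d} (~{estimate_hops(ttl)} hops away): {ports}")
    print("suspect (TTL differs from -sT-confirmed ports):",
          suspect_ports(synacks, reference_ports={22, 443}))
```

In the constructed sample the genuine replies arrive with a TTL of 53 (about 11 hops) while the run of "open" high ports arrives with a TTL of 61 (about 3 hops), so the suspect SYN/ACKs were generated several hops closer to the scanner than the target. The check only works when the injecting device sits a different number of hops away than the real host; if the device decrements nothing or is the target's own firewall, the TTLs will match, and the `-sT` full handshake remains the definitive test.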
