Just as a safety precaution, you should issue:
no ip tcp-small-servers
no ip udp-small-servers
It'll get rid of Time, Echo, Chargen, etc.
bob bob wrote:
> I have a Cisco 1720 router that showed telnet open
> after a recent audit. I closed down telnet by
> applying an acl to the vty lines and then nmap'ed from
> the outside to verify. Telnet is indeed closed, but
> other ports appeared open now! What's more, different
> ports appear open when scanning at different times.
> It showed tcp ports 21, 25 and 80 open at one time,
> but in another scan showed 143 in addition to the
> above. Late in the evening, it showed none of the
> above open, but a range of ports starting around 8000.
> No UDP ports show open.
>
> I ran nmap with the following command:
>
> nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D
>
> Here is a portion of the router config:
>
> version 12.3
>
> . . .
> ip subnet-zero
> no ip source-route
>
> . . .
> interface FastEthernet0
> ip address 10.0.0.1 255.255.255.0
> ip nat outside
> speed auto
> half-duplex
> !
> interface Serial0
> ip address A.B.C.D 255.255.255.252
> ip access-group filter_outside_in in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> no nat outside
> no fair-queue
> no cdp enable
> !
> ip nat inside source list 10 interface Serial0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0
> no ip http server
>
> . . .
>
> ip access-list extended filter_outside_in
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 224.0.0.0 15.255.255.255 any
> deny ip host 0.0.0.0 any
> deny icmp any timestamp-request
> deny icmp any redirect
> deny icmp any mask-request
> deny icmp any traceroute
> deny icmp any echo
> permit ip any any
> access-list 10 permit 10.0.0.0 0.0.0.255
> ----------------------------------------
>
> So, the router is NAT'ing, and, btw, it also has a
> firewall behind it. The ports that show up in the
> scans of the router match up very well with the ports
> used regularly at this location, so I thought it might
> have something to do with NAT dynamically opening
> ports. However, it still seems very strange to me and
> I wanted to know if anyone else has seen this behavior
> and what explains it. TIA!
>
> Bob
Received on Mar 29 2005
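The post describes a scan result that changes from one run to the next: one set of ports in the morning, another in the afternoon, a third in the evening. A practical way to sort that out is to keep the grepable output (-oG) of each run and compare them: ports open in every run are the router's own listeners and worth chasing (including the small servers the reply above says to disable); ports that only show up during working hours track live sessions and are better confirmed on the router itself with `show ip nat translations` while a scan is running. The script below is an added example written for this page, not code from the original thread. The scan lines in it are constructed to mirror the behaviour Bob describes; the address 192.0.2.1, the run names, and the steady 7/tcp echo listener are assumptions made so the small-servers check has something to report.

```python
"""Diff several nmap grepable (-oG) runs of one host: which TCP ports are
open every time, which come and go, and whether any steady port is one of
the IOS TCP "small servers".

Added example for this thread, not code from the original post.  All scan
lines below are constructed; 192.0.2.1 is a placeholder address.
"""
import re
from typing import Dict, List, Set

# Services removed by `no ip tcp-small-servers`: echo, discard, daytime, chargen.
TCP_SMALL_SERVERS: Set[int] = {7, 9, 13, 19}

# One -oG "Ports:" entry looks like 21/open/tcp//ftp///  (port/state/proto/...).
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/")

# Constructed sample runs mirroring the post: a different port set each time,
# plus 7/tcp (echo, assumed) left open in every run so the small-servers
# check has something to flag.
SAMPLE_RUNS: List[str] = [
    "# constructed morning run\n"
    "Host: 192.0.2.1 ()\tPorts: 7/open/tcp//echo///, 21/open/tcp//ftp///, "
    "25/open/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (65531)\n",
    "# constructed afternoon run\n"
    "Host: 192.0.2.1 ()\tPorts: 7/open/tcp//echo///, 21/open/tcp//ftp///, "
    "25/open/tcp//smtp///, 80/open/tcp//http///, 143/open/tcp//imap///"
    "\tIgnored State: closed (65530)\n",
    "# constructed evening run\n"
    "Host: 192.0.2.1 ()\tPorts: 7/open/tcp//echo///, 8000/open/tcp//http-alt///, "
    "8001/open/tcp/////\tIgnored State: closed (65532)\n",
]


def parse_grepable(text: str) -> Dict[int, str]:
    """Return {tcp_port: state} from one nmap -oG output."""
    ports: Dict[int, str] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports field ends at the next tab-separated field (Ignored State).
        field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in field.split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(3) == "tcp":
                ports[int(m.group(1))] = m.group(2)
    return ports


def open_ports(run: Dict[int, str]) -> Set[int]:
    """Ports reported as open in one parsed run."""
    return {port for port, state in run.items() if state == "open"}


def analyze(runs: List[str]) -> Dict[str, Set[int]]:
    """Classify ports across runs.

    stable:        open in every run (candidate router listeners)
    transient:     open in some runs only (changes with time of day)
    small_servers: stable ports that the small-servers commands would close
    """
    sets = [open_ports(parse_grepable(r)) for r in runs]
    stable = set.intersection(*sets) if sets else set()
    transient = set.union(*sets) - stable if sets else set()
    return {
        "stable": stable,
        "transient": transient,
        "small_servers": stable & TCP_SMALL_SERVERS,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_RUNS)
    for key in ("stable", "transient", "small_servers"):
        print(f"{key:14} {sorted(result[key])}")
```

Run it against real output by saving each scan with `nmap -sT -P0 -p 1-65535 -oG run-N.txt A.B.C.D` and passing the file contents in place of SAMPLE_RUNS. In the constructed data the only port that survives every run is 7/tcp, which is exactly the kind of listener `no ip tcp-small-servers` removes; everything else flaps with the workday.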