Home page logo

nmap-dev logo Nmap Development mailing list archives

RE: ambiguity about nmap results
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Fri, 30 May 2008 22:04:28 +0100

Hi Sara,

I ran a connect scan earlier from http://nmap-online.com/ which appeared to
be faster and much more reliable, you may wish to give that a try instead.
It is still using Nmap 4.11 though.

Two of the ports you saw from nmapyourself that were allegedly filtered are
well known Windows ports. I suspect what you're seeing *might* be an ISP
(perhaps yours, perhaps at nmapyourself's end) filtering the network
traffic, possibly in an attempt to limit the infection/distribution of old
Windows-based attacks.

Because your netstat shows that you should be listening on TCP ports 8010
(jabber?), 37323, 6543 and 6544 (the last two are typically seen if you've
installed MythTV*, which also probably explains why you have mysql running
on localhost too), I suggest you perform a scan that includes those open
ports (e.g. -p 6540-6550) so you can verify that you're getting accurate
results (if you use my example above I'd expect you to see two ports that
are open, the rest should be closed [or filtered]).

I'm not sure why the other scan returned so many open ports, I would expect
you to see closed or filtered when scanning -p 1-1024 with your setup.
Without seeing something like the output of --packet-trace it's hard to say
what's going on.

I've been assuming that your laptop's IP and your external IP are the same
(i.e. you're sat directly on the internet). If you're using a NAT (or PAT)
router, for example, a scan of your external IP address might be returning
TCP resets from the router rather than your laptop (as the unexpected
incoming traffic never actually reaches your laptop on its private IP

* http://www.mythtv.org/docs/mythtv-HOWTO-3.html says: It is strongly
recommended that you do not expose the MythTV and MySQL ports to the
Internet or your "Outside" LAN.


-----Original Message-----
From: sara fink [mailto:sara.fink () gmail com]
Sent: 30 May 2008 20:25
To: DePriest, Jason R.
Cc: Nmap Dev
Subject: Re: ambiguity about nmap results

If I run from my laptop nmap -sT my external ip it shows me all ports
are closed.

On Fri, May 30, 2008 at 10:22 PM, sara fink <sara.fink () gmail com>
on my laptop I have nmap version 4.60 from gentoo portage.
4.62 appears as non stable in portage.

How can I measure reliably what ports are open on my laptop. I don't
have root access to remote servers to run something else than nmap
-sT. and the version there appears to be old.

On Fri, May 30, 2008 at 10:13 PM, DePriest, Jason R.
<jrdepriest () gmail com> wrote:
On Fri, May 30, 2008 at 7:47 PM, sara fink <> wrote:
I tried to use nmap from this web site:

If I try to run nmap on my external ip say at range 1-1024 with
flag -sT I get
Starting Nmap 4.20 ( http://insecure.org ) at 2008-05-30 14:42 EDT
Old version:    ^^^^
4.62 is the latest you can download as released.

Interesting ports on some ip .:

Not shown: 1022 closed ports
0/tcp   filtered unknown
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

To check myself again, I connected via ssh to some other site and
there ran nmap -sT -p 1-1024 ip

From there I got a completely different result. Almost all the
ports are open except very few.

Someone can explain me why I get such a difference?

Also, nmapyourself.com isn't run by Fyodor, so you should probably
the guy who runs the site to check it out.

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]