Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: ambiguity about nmap results
From: "sara fink" <sara.fink () gmail com>
Date: Sat, 31 May 2008 01:34:51 +0300

On Sat, May 31, 2008 at 12:04 AM, Rob Nicholls
<robert () everythingeverything co uk> wrote:
Hi Sara,

I ran a connect scan earlier from http://nmap-online.com/ which appeared to
be faster and much more reliable, you may wish to give that a try instead.
It is still using Nmap 4.11 though.

I tried it and it looks reliable and fast. No more nmapyourself.com ;-)

And for that thanks.

Two of the ports you saw from nmapyourself that were allegedly filtered are
well known Windows ports. I suspect what you're seeing *might* be an ISP
(perhaps yours, perhaps at nmapyourself's end) filtering the network
traffic, possibly in an attempt to limit the infection/distribution of old
Windows-based attacks.

I don't have windows. ;-)

Because your netstat shows that you should be listening on TCP ports 8010
(jabber?), 37323, 6543 and 6544 (the last two are typically seen if you've
installed MythTV*, which also probably explains why you have mysql running
on localhost too), I suggest you perform a scan that includes those open
ports (e.g. -p 6540-6550) so you can verify that you're getting accurate
results (if you use my example above I'd expect you to see two ports that
are open, the rest should be closed [or filtered]).

I use jabber for gtalk in kopete. mythtv you were right. Disabled
mysql after your suggestion. Will check now for mythtv issue as well.
Thanks.

I'm not sure why the other scan returned so many open ports, I would expect
you to see closed or filtered when scanning -p 1-1024 with your setup.
Without seeing something like the output of --packet-trace it's hard to say
what's going on.

I have few suspicions about that. The remote server belongs to
university. They block pings inside and outside. This might cause the
problem? Or just because it's an old version? I tried now
--packet-trace and it's so old that it doesn't even have this flag.
But I will check the nmap-online with this flag.

I've been assuming that your laptop's IP and your external IP are the same
(i.e. you're sat directly on the internet). If you're using a NAT (or PAT)
router, for example, a scan of your external IP address might be returning
TCP resets from the router rather than your laptop (as the unexpected
incoming traffic never actually reaches your laptop on its private IP
address).

You assumed correctly.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault