nmap -sT localhost showing ephemeral ports?
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sat, 08 Feb 2014 23:09:58 +0100
Here's an excerpt from my #nmap IRC log, dates are as in Warsaw local time:
Day changed to Thu, 06 Feb 2014
00:16:05 < $ sophron (~sophron () 199 19 117 60) has quit (Ping timeout: 252 seconds)
00:18:31 > $ Ardit (~ardit () unaffiliated/ard1t) has joined #Nmap
00:56:55 > $ Mike111 (~Mike () 5 0 160 59) has joined #Nmap
00:56:59 < $ Mike111 (~Mike () 5 0 160 59) has quit (Remote host closed the connection)
00:57:09 < $ Mike11 (~Mike () unaffiliated/mike11) has quit (Ping timeout: 245 seconds)
01:03:32 > $ Mike11 (~Mike () unaffiliated/mike11) has joined #Nmap
01:09:51 > $ ketilmore6 (~atlas () b049c studby ntnu no) has joined
01:09:55 ketilmore6 $ i think my system is compromised. since neither netstat or lsof shows anything, despite nmap reporting randomly tcp ports in range 40k-60k being open. (STATE == open) h
01:10:13 ketilmore6 $ any ideas?
01:10:31 ketilmore6 $ the port seems to be open only a few hundred ms
01:11:05 d33tah $ ketilmore6: perhaps some program is spoofing IP packets? i don't think that would be visible in netstat.
01:13:34 ketilmore6 $ hmm
01:21:39 < $ Mike11 (~Mike () unaffiliated/mike11) has quit (Ping timeout: 265 seconds)
01:22:44 ketilmore6 $ d33tah: does nmap report listening ports such as when a tcp client is waiting for http reply packet?
01:25:48 d33tah $ ketilmore6: shouldn't, afaik. btw, try -sV. afk.
01:27:13 ketilmore6 $ does nmap report listening ports such as when a tcp client is waiting for http reply packet? i believe these are called ephemeral ports and it does not really matter what number they are. it's only for receiving server reply?
01:27:21 ketilmore6 $ i dont think so
01:27:32 ketilmore6 $ -sV yields unknown service
01:33:00 < $ Ardit (~ardit () unaffiliated/ard1t) has quit (Quit: Nettalk6 - www.ntalk.de)
01:39:44 d33tah $ ketilmore6: run with -v and show the fingerprint.
01:45:18 ketilmore6 $ d33tah: nmap did not print fingerprint
01:45:24 d33tah $ ketilmore6: -vv?
01:45:45 ketilmore6 $ nope
01:45:57 d33tah $ wth. no response? what does wireshark say?
01:46:07 ketilmore6 $ also, i have discovered that -sS does not show open ports, but -sT does
01:46:16 ketilmore6 $ -sT is using the connect os api
01:46:21 d33tah $ strange.
01:46:34 ketilmore6 $ lemme check wireshark. brb
01:46:38 d33tah $ sure.
01:49:40 ketilmore6 $ well
01:49:53 ketilmore6 $ im filtering on tcp.port == 49407
01:49:57 ketilmore6 $ which nmap reported as open
01:50:36 ketilmore6 $ im seeing four packets. first SYN, [TCP Out-of-order], [TCP window-update], RST
01:50:56 ketilmore6 $ both source and destination port == 49407.
01:51:07 ketilmore6 $ that's kinda strange isn't it
01:51:14 ketilmore6 $ that dest port == src port
01:51:32 d33tah $ sounds a bit odd.
01:51:59 d33tah $ but well, i don't have any experience with rootkits
01:52:05 d33tah $ yyzfp1: ping
01:54:00 ketilmore6 $ mhm, maybe this is a birthday paradox
01:54:39 ketilmore6 $ the nmap scan tries to connect, but in order to do so it must listen for replies right? and if src and dest port by accident is equal, it finds itself?
01:57:01 d33tah $ sounds unlikely, imho, as it would give lots of
01:57:27 d33tah $ also, keep in mind that -sT uses connect(), which makes the source port controlled by the kernel
01:57:30 d33tah $ don't take my word though
02:08:26 < $ ketilmore6 (~atlas () b049c studby ntnu no) has quit (Ping timeout: 260 seconds)
02:23:58 > $ ketilmore6 (~atlas () b049c studby ntnu no) has joined
02:26:01 > $ ketilmor16 (~atlas () b049c studby ntnu no) has joined
02:27:08 > $ sophron_ (~sophron () 199 19 117 60) has joined #Nmap
02:28:50 ketilmore6 $ turns out the nmap -p 1-65000 was finding open ports by accident because source port sometimes was equal to destination port.
02:29:15 ketilmore6 $ this is happening when scanning loopback interface and not over network interface
20:17:03 bonsaiviking $ <ketilmore6> turns out the nmap -p 1-65000 was finding open ports by accident because source port sometimes was equal to destination port. (birthday paradox)
20:17:07 bonsaiviking $ wtf
20:18:58 bonsaiviking $ confirmed on svn r32703
20:19:31 bonsaiviking $ but only with -sT
What do you think about it?
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
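As an added illustration (my own script, not code from the thread or from the Nmap project), the following reproduces the loopback effect the log describes and shows the check that tells a real open port from this artefact: a connect() whose source port equals the destination port completes a TCP simultaneous open with itself, so a connect()-based probe like -sT reports "open" although nothing is listening, while the same socket's local and peer addresses are identical. The script forces the collision by binding the source port explicitly instead of waiting for the kernel to pick it by chance. The second function estimates how many such accidental hits a full-range connect() scan of loopback should produce; the ephemeral range 32768-60999 it is fed is Linux's default net.ipv4.ip_local_port_range and is an assumption about the scanning host, as are all function names here.

```python
import socket

LOOPBACK = "127.0.0.1"


def free_port():
    """Ask the kernel for a port with no listener on loopback (constructed target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def is_self_connection(sock):
    """A socket whose peer endpoint equals its own local endpoint connected to itself."""
    return sock.getsockname() == sock.getpeername()


def connect_probe(port, host=LOOPBACK, source_port=None, timeout=1.0):
    """One connect()-style probe, classified the way a -sT scan would classify it.

    Returns {"state": "open"|"closed"|"filtered", "self_connected": bool}.
    With source_port == port on loopback, Linux performs a simultaneous open
    against itself and connect() succeeds even though nothing listens.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source_port is not None:
            # Pin the source port so the collision is forced rather than accidental.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, source_port))
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return {"state": "closed", "self_connected": False}  # RST came back
        except socket.timeout:
            return {"state": "filtered", "self_connected": False}  # no answer
        # connect() succeeded: verify it is a genuine peer, not the socket itself.
        return {"state": "open", "self_connected": is_self_connection(s)}
    finally:
        s.close()


def expected_self_connects(ephemeral_low, ephemeral_high, scanned_ports):
    """Expected number of accidental self-connections in a connect() scan of loopback.

    Assumes the kernel picks the source port uniformly from the ephemeral range;
    each scanned port inside that range then collides with probability 1/range_size.
    """
    range_size = ephemeral_high - ephemeral_low + 1
    in_range = sum(1 for p in scanned_ports if ephemeral_low <= p <= ephemeral_high)
    return in_range / range_size


if __name__ == "__main__":
    port = free_port()
    print("normal probe      :", connect_probe(port))
    print("forced collision  :", connect_probe(port, source_port=port))
    print("expected hits for -p 1-65000 on Linux defaults:",
          expected_self_connects(32768, 60999, range(1, 65001)))
```

The practical takeaway for anyone triaging the same symptom is the self_connected flag: an "open" result whose local and peer addresses match is the scanner talking to itself, not a hidden listener, and the expected-hit count explains why a full-range -sT of loopback turns up roughly one such port per scan, randomly placed inside the ephemeral range.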