Home page logo
/

nmap-dev logo Nmap Development mailing list archives

nmap -sT localhost showing ephemeral ports?
From: Jacek Wielemborek <d33tah () gmail com>
Date: Sat, 08 Feb 2014 23:09:58 +0100

Hi,

Here's an excerpt from my #nmap IRC log, dates are as in Warsaw local time:

=========================================

Day changed to Thu, 06 Feb 2014
00:16:05               < $ sophron (~sophron () 199 19 117 60) has quit (Ping 
timeout: 252 seconds)
00:18:31               > $ Ardit (~ardit () unaffiliated/ard1t) has joined #Nmap
00:56:55               > $ Mike111 (~Mike () 5 0 160 59) has joined #Nmap
00:56:59               < $ Mike111 (~Mike () 5 0 160 59) has quit (Remote host 
closed the connection)
00:57:09               < $ Mike11 (~Mike () unaffiliated/mike11) has quit (Ping 
timeout: 245 seconds)
01:03:32               > $ Mike11 (~Mike () unaffiliated/mike11) has joined #Nmap
01:09:51               > $ ketilmore6 (~atlas () b049c studby ntnu no) has joined 
#Nmap
01:09:55      ketilmore6 $ i think my system is compromised. since neither 
netstat or lsof shows anything, despite nmap reporting randomly tcp ports in 
range 40k-60k being open. (STATE == open) h
01:10:13      ketilmore6 $ any ideas?
01:10:31      ketilmore6 $ the port seems to be open only a few hundred ms
01:11:05          d33tah $ ketilmore6: perhaps some program is spoofing IP 
packets? i don't think that would be visible in netstat.
01:13:34      ketilmore6 $ hmm
01:21:39               < $ Mike11 (~Mike () unaffiliated/mike11) has quit (Ping 
timeout: 265 seconds)
01:22:44      ketilmore6 $ d33tah: does nmap report listening ports such as 
when a tcp client is waiting for http reply packet?
01:25:48          d33tah $ ketilmore6: shouldn't, afaik. btw, try -sV. afk.
01:27:13      ketilmore6 $ does nmap report listening ports such as when a tcp 
client is waiting for http reply packet? i belive these are called ephermal 
port and it does not really matter what number they are. it's only for 
receiving server reply?
01:27:21      ketilmore6 $ i dont think so
01:27:32      ketilmore6 $ -sV yields unknown service
01:33:00               < $ Ardit (~ardit () unaffiliated/ard1t) has quit (Quit: 
Nettalk6 - www.ntalk.de)
01:39:44          d33tah $ ketilmore6: run with -v and show the fingerprint.
01:45:18      ketilmore6 $ d33tah: nmap did not print fingerprint
01:45:24          d33tah $ ketilmore6: -vv?
01:45:45      ketilmore6 $ nope
01:45:57          d33tah $ wth. no response? what does wireshark say?
01:46:07      ketilmore6 $ also, i have discovered that -sS does not show open 
ports, but -sT does
01:46:16      ketilmore6 $ -sT is using the connect os api
01:46:21          d33tah $ strange.
01:46:34      ketilmore6 $ lemme check wireshark. brb
01:46:38          d33tah $ sure.
01:49:40      ketilmore6 $ well
01:49:53      ketilmore6 $ im filtering on tcp.port == 49407
01:49:57      ketilmore6 $ which nmap reported as open
01:50:36      ketilmore6 $ im seeing four packets. first SYN, [TCP Out-
oforder], [TCP window-update], RST
01:50:56      ketilmore6 $ both source and destination port == 49407.
01:51:07      ketilmore6 $ that's kinda strange isnt it
01:51:14      ketilmore6 $ that dest port == src port
01:51:32          d33tah $ sounds a bit odd.
01:51:59          d33tah $ but well, i don't have any experience with rootkits
01:52:05          d33tah $ yyzfp1: ping
01:54:00      ketilmore6 $ mhm, maybe this is a birthday paradox
01:54:39      ketilmore6 $ the nmap scan tries to connect, but in order to do 
so it must listen for replies right? and if src and dest port by accident is 
equal, it finds itself?
01:57:01          d33tah $ sounds unlikely, imho, as it would give lots of 
false positives
01:57:27          d33tah $ also, keep in mind that -sT uses connect(), which 
makes the source port controlled by the kernel
01:57:30          d33tah $ don't take my word though
02:08:26               < $ ketilmore6 (~atlas () b049c studby ntnu no) has quit 
(Ping timeout: 260 seconds)
02:23:58               > $ ketilmore6 (~atlas () b049c studby ntnu no) has joined 
#Nmap
02:26:01               > $ ketilmor16 (~atlas () b049c studby ntnu no) has joined 
#Nmap
02:27:08               > $ sophron_ (~sophron () 199 19 117 60) has joined #Nmap
02:28:50      ketilmore6 $  turns out the nmap -p 1-65000 was finding open 
ports by accident because source port sometimes was equal to destination port. 
(birthday paradox)
02:29:15      ketilmore6 $ this is happening when scanning loopback interface 
and not over network interface

=========================================

20:17:03    bonsaiviking $ <ketilmore6>  turns out the nmap -p 1-65000 was 
finding open ports by accident because source port sometimes was equal to 
destination port. (birthday paradox)
20:17:07    bonsaiviking $ wtf
20:18:58    bonsaiviking $ confirmed on svn r32703
20:19:31    bonsaiviking $ but only with -sT

=========================================

What do you think about it?

Yours,
Jacek Wielemborek

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]