Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: nmap showing port 21 (ftp) open, but port is actually closed
From: Andres Riancho <andres.riancho () gmail com>
Date: Sun, 11 Sep 2005 18:42:25 -0300

Mike,

   This could be a transparent proxy server that your ISP installed.

   A way to test if you are proxyed is:

gauss:~# tcptraceroute www.google.com 80
Selected device eth1, address 24.232.100.167, port 3539 for outgoing packets
Tracing the path to www.google.com (64.233.161.99) on TCP port 80 (www), 30 hops max
1  * 10.17.1.1 7.865 ms *
2  10.101.1.25  10.882 ms  13.205 ms  7.474 ms
3  publica1.fibertel.com.ar (24.232.1.1)  7.483 ms  5.732 ms  8.831 ms
4  64.233.161.99 [open]  7.639 ms  32.874 ms  13.350 ms

Only 4 hops for port 80. Strange ...
Lets see what happends for real...

gauss:~#traceroute 64.233.161.99
traceroute to 64.233.161.99 (64.233.161.99), 30 hops max, 38 byte packets
1  * * *
2  10.101.1.25 (10.101.1.25)  10.071 ms  8.694 ms  28.814 ms
3  publica1.fibertel.com.ar (24.232.1.1)  7.851 ms  26.046 ms  11.893 ms
4  10.101.21.85 (10.101.21.85)  11.420 ms  21.271 ms  8.380 ms
5 bai1-cablevision-1-ar.bai.seabone.net (195.22.220.45) 7.919 ms 9.622 ms 20.910 ms 6 ash1-new1-racc1.new.seabone.net (195.22.216.169) 188.225 ms 198.841 ms 183.207 ms 7 eqixva-google-gige.google.com (206.223.115.21) 184.185 ms 183.390 ms 201.727 ms 8 216.239.47.120 (216.239.47.120) 186.700 ms 183.013 ms 216.239.49.248 (216.239.49.248) 183.718 ms 9 216.239.48.190 (216.239.48.190) 186.032 ms 184.994 ms 216.239.48.198 (216.239.48.198) 183.713 ms
10  64.233.161.99 (64.233.161.99)  183.273 ms  184.863 ms  186.683 ms

Well, this makes more sense to me :) . You could do the same test but changing port 80 to 21.

Mike Jones wrote:

Has anyone ever seen this before, nmap is showing port 21 to be open on a machine on the internet, but 21 is not listening on that machine. It happens to all machines I scan outside the local area network.

Thanks in advance


--
Andrés Riancho

http://www.securearg.net/
Secure from the Source


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]