Penetration Testing mailing list archives
Re: Firewall Scan
From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 26 Jun 2009 09:23:27 -0500
IPv7 <listas.internet () gmail com> writes:
> Hello Guys,
> I was doing a normal TCP Scan on port 5900, when I found a strange result:
> 1st I did a normal TCP scan with Nmap
> Onix:~# nmap -p 5900 x.x.x.x
> Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
> Interesting ports on x.x.x.x:
> PORT STATE SERVICE
> 5900/tcp closed vnc
> Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds
> But.. if I use telnet/nc with this port, they can connect:
> Onix:~# telnet x.x.x.x 5900
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> RFB 003.003
nmap's a pretty well known entity by the IPS vendors, and does do
things that get picked up as a port scan that normal telnet or other
means won't. I'd guess that's the most likely reason you're seeing a
single port default scan coming back closed.
Try a -T2 or -T1 for grins to gather some more comparative data. See
how a -sS or -sV compares (though since sS is created with the nmap
raw packet driver, it seems to stick out like a sore thumb even more
than a default scan which I believe uses the more generic OS level
connect() call).
The telnet you're doing is happening from the same host you're doing
nmap from, right? If so, then that eliminates a notion that maybe
your IP is getting blocked.
Running a sniffer on your connection might be useful and you can
compare in detail what's going on in various connect methods and maybe
divine what's going on. --packet-trace in nmap is something you may
wanna turn on for more details, but isn't useful in comparing to a
telnet or actual vnc client handshake.
When all else fails, there's idle scan. Finding a host that can forge
packets without getting blocked by an upstream router becomes the big
trick though (and finding sufficient numbers of idle hosts).
Best Regards,
--
Todd Haverkos, LPT MsCompE Chicago, IL
http://haverkos.com/
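The comparison Todd suggests (a plain OS-level connect() against the port, beside the scanner's verdict) is easy to script so the two results can be checked against each other on your own hosts. The following is an added example, not code from the original thread or from either poster: it does a connect()-style probe, reports the port as open/closed/filtered in nmap's vocabulary, and parses the 12-byte RFB ProtocolVersion greeting that the telnet session above showed ("RFB 003.003"). The local `start_fake_vnc` listener is a constructed stand-in for the real target so the script runs offline; point `probe_tcp` at a host and port you are authorised to test to reproduce the comparison.

```python
import re
import socket
import threading

# RFB ProtocolVersion handshake: exactly 12 bytes, "RFB xxx.yyy\n" (RFC 6143 section 7.1.1)
RFB_GREETING_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
RFB_GREETING_LEN = 12


def parse_rfb_version(banner: bytes):
    """Return (major, minor) from an RFB greeting, or None if the bytes are not one."""
    m = RFB_GREETING_RE.match(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Plain connect() probe, the same call telnet/nc make.

    Classifies the port the way nmap reports it:
      open     - the three-way handshake completed
      closed   - the peer answered with RST (connection refused)
      filtered - no answer before the timeout, or another network error
    On an open port it also reads up to one RFB greeting so the banner
    can be compared with what the scanner saw.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return {"state": "closed", "banner": b"", "rfb_version": None}
    except (socket.timeout, OSError):
        sock.close()
        return {"state": "filtered", "banner": b"", "rfb_version": None}

    banner = b""
    try:
        while len(banner) < RFB_GREETING_LEN:
            chunk = sock.recv(RFB_GREETING_LEN - len(banner))
            if not chunk:  # peer closed before sending a full greeting
                break
            banner += chunk
    except socket.timeout:
        pass  # open port that stays silent: still "open", just no banner
    finally:
        sock.close()
    return {"state": "open", "banner": banner, "rfb_version": parse_rfb_version(banner)}


def start_fake_vnc(greeting: bytes = b"RFB 003.003\n") -> int:
    """Constructed stand-in for a VNC server (assumption: not a real VNC implementation).

    Listens once on 127.0.0.1, sends the greeting, and closes. Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed listener.
    p = start_fake_vnc()
    print(probe_tcp("127.0.0.1", p))
```

If `probe_tcp` reports `open` with an RFB banner while the scanner reports `closed` for the same host and port from the same source address, the difference is in how the packets were built or how a device in the path treated them, which is exactly the case for the sniffer comparison Todd describes.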