Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: scan shows open ports as tcpwrapped

From: David Fifield <david () bamsoftware com>
Date: Thu, 1 Nov 2012 16:03:22 -0700
On Wed, Oct 31, 2012 at 05:28:35AM +0300, Fahad A. Saeed wrote:

I'd a scan task and I faced following result (appro. for all ports except
for really used ones i.e. ssl and smtp):

Host is up (0.032s latency).
Scanned at 2012-10-25 16:06:38 AST for 856s
PORT      STATE SERVICE    VERSION
1/tcp     open  tcpwrapped
3/tcp     open  tcpwrapped
4/tcp     open  tcpwrapped
.
.
19/tcp    open  tcpwrapped
20/tcp    open  tcpwrapped
21/tcp    open  tcpwrapped
22/tcp    open  tcpwrapped
23/tcp    open  tcpwrapped
.
.
64623/tcp open  tcpwrapped
64680/tcp open  tcpwrapped
65000/tcp open  tcpwrapped
65129/tcp open  tcpwrapped
65389/tcp open  tcpwrapped

Scan methodology was:

nmap -n -vv -A x.x.x.x --min-parallelism=50 --max-parallelism=150 -PN
-T2 -oA x.x.x.x

I'm sure that this is a firewall's or loadbalancer's game. I tried many way
such as change source port, source IP , fragmentation, etc..

   - Do you have any idea/suggestion to bypass this case and to identify
   real services behind open ports?
   - on another hand, Do you know how to do that on firewall policy(on any
   firewall)?


My suggestion is to use -sT or --unprivileged. There appears to be
something spoofing the first part of the three-way handshake, but -sT
will require a full handshake to be completed before the port is
considered open.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: