Penetration Testing mailing list archives

RE: Very strange nmap scan results

From: "Rodrigo Dutra Salvalagio" <rsalvalagio () timbrasil com br>
Date: Mon, 24 Sep 2007 14:57:36 -0300

Hello Juan,
This Pix will do that...
You can reduce this false positive using -sV, this tell nmap to get
Version number, from running services.

Regards,
Salvalagio
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Juan B
Sent: sexta-feira, 21 de setembro de 2007 12:17
To: pen-test () securityfocus com
Subject: Very strange nmap scan results

Hi all,

For a client in scaning his Dmz from the internet.

I know the servers are behind a pix 515 without any
add security features ( they dont have any ips or
the
didnt enabled the ips feature of the pix). they also

dont have any honeypot etc..


the strange is that two I receive too many open
ports!
for example I scan the mail relay and although just
port 25 is open it report lots of more open ports!
this is the nmap scan I issued:

nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA
cpsa.txt   

( I changed the ip's here...)

and the result for the mail relay for example are:


nteresting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
1/tcp    open     tcpmux
2/tcp    open     compressnet
3/tcp    open     compressnet
4/tcp    open     unknown
5/tcp    open     rje
6/tcp    open     unknown
7/tcp    open     echo
8/tcp    filtered unknown
9/tcp    open     discard
10/tcp   open     unknown
11/tcp   open     systat
12/tcp   open     unknown
13/tcp   open     daytime
14/tcp   open     unknown
15/tcp   open     netstat
16/tcp   open     unknown
17/tcp   open     qotd
18/tcp   filtered msp
19/tcp   open     chargen
20/tcp   open     ftp-data
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
24/tcp   open     priv-mail
25/tcp   open     smtp
26/tcp   open     unknown
27/tcp   open     nsw-fe
28/tcp   open     unknown
29/tcp   open     msg-icp
30/tcp   open     unknown
31/tcp   open     msg-auth
32/tcp   open     unknown
33/tcp   open     dsp
34/tcp   open     unknown

this continues up to port 1024..

any ideas how to eliminate so many false positives?

thanks a lot,

Juan

________________________________________________________________________
____________

Catch up on fall's hot new shows on Yahoo! TV. Watch
previews, get listings, and more!
http://tv.yahoo.com/collections/3658




 
________________________________________________________________________
____________
Don't let your dream ride pass you by. Make it a reality with Yahoo!
Autos.
http://autos.yahoo.com/index.html
 



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Very strange nmap scan results Juan B (Sep 22)
- Re: Very strange nmap scan results Hans-J. Ullrich (Sep 22)
  - Re: Very strange nmap scan results Adrian Sanabria (Sep 24)
    - RE: Very strange nmap scan results Mohr, James (Sep 25)
- RE: Very strange nmap scan results Rodrigo Dutra Salvalagio (Sep 24)
- <Possible follow-ups>
- Re: Very strange nmap scan results jason_jones98 (Sep 25)