Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: nmap showing port 21 (ftp) open, but port is actually closed

from [Andres Riancho] Network Security [Permanent Link]
Subject: Re: nmap showing port 21 (ftp) open, but port is actually closed
Date: Sun, 11 Sep 2005 18:42:25 -0300 
Mike,

   This could be a transparent proxy server that your ISP installed.

   A way to test if you are proxyed is:

gauss:~# tcptraceroute www.google.com 80
Selected device eth1, address 24.232.100.167, port 3539 for outgoing packets
Tracing the path to www.google.com (64.233.161.99) on TCP port 80 (www), 30 hops max
1 * 10.17.1.1 7.865 ms *
2 10.101.1.25 10.882 ms 13.205 ms 7.474 ms
3 publica1.fibertel.com.ar (24.232.1.1) 7.483 ms 5.732 ms 8.831 ms
4 64.233.161.99 [open] 7.639 ms 32.874 ms 13.350 ms

Only 4 hops for port 80. Strange ...
Lets see what happends for real...

gauss:~#traceroute 64.233.161.99
traceroute to 64.233.161.99 (64.233.161.99), 30 hops max, 38 byte packets
1 * * *
2 10.101.1.25 (10.101.1.25) 10.071 ms 8.694 ms 28.814 ms
3 publica1.fibertel.com.ar (24.232.1.1) 7.851 ms 26.046 ms 11.893 ms
4 10.101.21.85 (10.101.21.85) 11.420 ms 21.271 ms 8.380 ms
5 bai1-cablevision-1-ar.bai.seabone.net (195.22.220.45) 7.919 ms 9.622 ms 20.910 ms
6 ash1-new1-racc1.new.seabone.net (195.22.216.169) 188.225 ms 198.841 ms 183.207 ms
7 eqixva-google-gige.google.com (206.223.115.21) 184.185 ms 183.390 ms 201.727 ms
8 216.239.47.120 (216.239.47.120) 186.700 ms 183.013 ms 216.239.49.248 (216.239.49.248) 183.718 ms
9 216.239.48.190 (216.239.48.190) 186.032 ms 184.994 ms 216.239.48.198 (216.239.48.198) 183.713 ms
10 64.233.161.99 (64.233.161.99) 183.273 ms 184.863 ms 186.683 ms

Well, this makes more sense to me :) . You could do the same test but changing port 80 to 21.

Mike Jones wrote:

Has anyone ever seen this before, nmap is showing port 21 to be open on a machine on the internet, but 21 is not listening on that machine. It happens to all machines I scan outside the local area network.

Thanks in advance


--
Andrés Riancho

http://www.securearg.net/
Secure from the Source


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: database server audit tools, Bénoni MARTIN
Next by Date:  Re: nmap results, King Fuddler
Previous by Thread:  Re: nmap showing port 21 (ftp) open, but port is actually closed, Josh Zlatin-Amishav
Next by Thread:  Re: nmap showing port 21 (ftp) open, but port is actually closed, Paul Day
Indexes:  [Date] [Thread] [Top] [All Lists]