Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Very strange nmap scan results

from [Mohr, James] Network Security [Permanent Link]
Subject: RE: Very strange nmap scan results
Date: Tue, 25 Sep 2007 08:09:09 -0500 
I've seen similar output when I happened upon an old hub.  Perhaps you
can ask your client is he has any old network devices still residing in
his DMZ, (assuming your client has an up to date inventory)?

Cheers,
Jim

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Adrian Sanabria
Sent: Monday, September 24, 2007 4:20 PM
To: pen-test@securityfocus.com
Subject: Re: Very strange nmap scan results

Perhaps a different kind of scan will filter those out? I've seen this
happen long, long ago, but never tested different types of scans (for
example, since you tried a connect scan, try a SYN scan, etc...).

--Adrian

On 9/22/07, Hans-J. Ullrich <hans.ullrich@loop.de> wrote:

Am Freitag 21 September 2007 schrieb Juan B:

Hi all,

For a client in scaning his Dmz from the internet.

I know the servers are behind a pix 515 without any add security 
features ( they dont have any ips or the didnt enabled the ips 
feature of the pix). they also


dont have any honeypot etc..


the strange is that two I receive too many open ports!
for example I scan the mail relay and although just port 25 is 
open it report lots of more open ports!
this is the nmap scan I issued:

nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt

( I changed the ip's here...)

and the result for the mail relay for example are:


nteresting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
1/tcp    open     tcpmux
2/tcp    open     compressnet
3/tcp    open     compressnet
4/tcp    open     unknown
5/tcp    open     rje
6/tcp    open     unknown
7/tcp    open     echo
8/tcp    filtered unknown
9/tcp    open     discard
10/tcp   open     unknown
11/tcp   open     systat
12/tcp   open     unknown
13/tcp   open     daytime
14/tcp   open     unknown
15/tcp   open     netstat
16/tcp   open     unknown
17/tcp   open     qotd
18/tcp   filtered msp
19/tcp   open     chargen
20/tcp   open     ftp-data
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
24/tcp   open     priv-mail
25/tcp   open     smtp
26/tcp   open     unknown
27/tcp   open     nsw-fe
28/tcp   open     unknown
29/tcp   open     msg-icp
30/tcp   open     unknown
31/tcp   open     msg-auth
32/tcp   open     unknown
33/tcp   open     dsp
34/tcp   open     unknown

this continues up to port 1024..

any ideas how to eliminate so many false positives?

thanks a lot,

Juan



_____________________________________________________________________
______
_________


Catch up on fall's hot new shows on Yahoo! TV. Watch previews, get



listings, and more!
http://tv.yahoo.com/collections/3658




_____________________________________________________________________
______ _________ Don't let your dream ride pass you by. Make it a 
reality with  Yahoo! Autos. http://autos.yahoo.com/index.html




--------------------------------------------------------------------
----
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
--------------------------------------------------------------------
----


Hi Juan !

Yes, this happnes, when there is a "firewall" running. I have 
portsentry running, and when I do a portscan, it seems, every ports

are available.

Indeed, they are not ! And if someone is scanning me, portsentry has 
already detected it and is executing the preconfigurated task (i.e. 
logging, diconnecting, putting IP into /etc/hosts.deny or whatever I 
told it)

Best regards

Hans


----------------------------------------------------------------------
--
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
----------------------------------------------------------------------
--




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: CREST Information, Toby Shelswell
Next by Date:  Re: CREST Information, Andrew Blyth
Previous by Thread:  Re: Very strange nmap scan results, Adrian Sanabria
Next by Thread:  RE: Very strange nmap scan results, Rodrigo Dutra Salvalagio
Indexes:  [Date] [Thread] [Top] [All Lists]