Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Help understanding NMAP results

from [Emmanuel Goldstein] Network Security [Permanent Link]
Subject: Re: Help understanding NMAP results
Date: Mon, 11 Jul 2005 23:47:20 +0200 
Sounds weird, usually nmap is very very accurate with its result.

Anyway you should post this question directly into the nmap-hackers
mailing list.
Check it out at http://www.insecure.com o http://seclists.org/#nmap-hackers

The list has been quite quiet lately so im sure someone will
inmediatly answer your question as we are terribly bored without new
messages.

Good luck.

On 7/7/05, Theodore Wynnychenko <t-wynnychenko@northwestern.edu> wrote:

Hello:

Well, hopefully this isn't too "stupid" a question to ask, but I have to ask
anyway.  I am nothing like a "computer security expert," (my job has nothing
to do with IT) but I have been playing with old computers and Linux in my
spare time (always learning).

Anyway, I have an old computer that runs LEAF LRP (linux kernel 2.4.27 or
so) as an external firewall to my home network.  This system basically uses
Shorewall to administer IPTABLES, and is set to default DROP any packets
comming in on the exernal NIC.

In the past, I did some basic port scans against myself using "online
scanners", and always got back information indicating that no ports were
responding (everything was "Stealth" - everything silently dropped).

So, while looking around, I came across NMAP, and decided to use it to scan
myself.  Went over to a friend's house, and ran an NMAP scan against myself
(nmap -sS -v -P0 -O xx.xx.xx.xx), and it says "Discovered open port
5190/tcp".

Now, this really confuses me.  When I scan myself using "online" scanners
(directed specifically at 5190), I get back that packets were
dropped/"stealthed," but NMAP says its open.  I added a specific rule (in
addition to the default drop policy) to drop anything to tcp 5190, but this
made no difference.  The "online" scanners still say nothing there, NMAP
still says its open.

NMAPs OS identification gives me several possibilities including "Linux
2.4.x|2.5.x," so NMAP does seem to be getting some imformation from the
firewall.

TCP 5190 is apparently related to AOL IM, but this is not something I have
ever used, and I can't think of any reason why the LEAF Firewall would have
it open.

What am I missing?

Thanks in advance for any help.

bye - ted







-- 
Emmanuel Goldstein.
Room 101, Ministry of Truth.
W2, London. Oceania.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Help understanding NMAP results, mike king
Next by Date:  RE: force https, Mike Tierney
Previous by Thread:  Re: Help understanding NMAP results, Nikolai Alexandrov
Next by Thread:  Re: Help understanding NMAP results, forums@kentane.net
Indexes:  [Date] [Thread] [Top] [All Lists]