Vista Confusion
Wednesday 26th July, 2006 11:12 Comments: 2
I'm very confused now. There are two ways to do a TCP scan with nmap, either using the very quick -sS command or doing a full connect with -sT. Normally they give exactly the same results. Bear in mind that I had Vista's Windows Firewall allegedly blocking all incoming connections.
>nmap -sT xxx.xxx.xx.xx
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 11:00 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
Not shown: 1679 filtered ports
PORT STATE SERVICE
21/tcp open ftp
MAC Address: 00:0C:29:71:C5:D5 (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 104.250 seconds
>nmap -sS xxx.xxx.xx.xx
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 11:05 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
Not shown: 1674 closed ports
PORT STATE SERVICE
80/tcp filtered http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp filtered https
445/tcp filtered microsoft-ds
3389/tcp filtered ms-term-serv
MAC Address: 00:0C:29:71:C5:D5 (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 3.826 seconds
I don't even have an FTP server installed on that box, just IIS 7 running a web server on 80 and 443. At least the -sS one returned what I expected to see. I don't like inconsistent things, especially when I don't know why they're inconsistent. I wonder what happens when the firewall is off...
Robert - Wednesday 26th July, 2006 11:23
>nmap -sT xxx.xxx.xx.xx
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 11:18 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
Not shown: 1674 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0C:29:71:C5:D5 (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 107.925 seconds
>nmap -sS xxx.xxx.xx.xx
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-07-26 11:20 GMT Standard Time
Interesting ports on xxx.xxx.xx.xx:
Not shown: 1674 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:0C:29:71:C5:D5 (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 3.034 seconds
With the firewall off, I got what I expected from the second scan, and the first scan is (almost) identical, which is what I'd expect, but the first one still shows FTP is open, even though there isn't an FTP service running! How odd.
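An added example, not part of the original post or the comment: a small Python parser for the Nmap normal-output format shown above that lines up a -sT and a -sS result port by port and reports where they disagree. The function names are made up for this illustration, and the sample strings are the firewall-on results copied from the post.

```python
import re

PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")   # e.g. "21/tcp open ftp"
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports?$")    # e.g. "Not shown: 1679 filtered ports"


def parse_scan(text):
    """Return (ports, default_state); ports maps (port, proto) -> state."""
    ports, default_state = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := NOT_SHOWN.match(line):
            default_state = m.group(2)      # state of every port left out of the table
        elif m := PORT_ROW.match(line):
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports, default_state


def diff_scans(text_a, text_b):
    """Return (rows, defaults): rows lists (port, proto, state_a, state_b) for each
    listed port the scans disagree on; defaults is the pair of "Not shown" states."""
    ports_a, default_a = parse_scan(text_a)
    ports_b, default_b = parse_scan(text_b)
    rows = []
    for key in sorted(set(ports_a) | set(ports_b)):
        # A port missing from one table takes that scan's "Not shown" state.
        state_a = ports_a.get(key, default_a)
        state_b = ports_b.get(key, default_b)
        if state_a != state_b:
            rows.append((key[0], key[1], state_a, state_b))
    return rows, (default_a, default_b)


# Firewall-on results copied from the post (the address is already redacted there).
CONNECT_SCAN = """Not shown: 1679 filtered ports
PORT STATE SERVICE
21/tcp open ftp
"""
SYN_SCAN = """Not shown: 1674 closed ports
PORT STATE SERVICE
80/tcp filtered http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp filtered https
445/tcp filtered microsoft-ds
3389/tcp filtered ms-term-serv
"""

if __name__ == "__main__":
    print(diff_scans(CONNECT_SCAN, SYN_SCAN))
```

For the firewall-on pair, the six ports that -sS lists as filtered match the "filtered" default of the -sT run, so the only listed port in disagreement is 21/tcp, alongside the differing states for the unlisted ports (filtered versus closed).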