.

Weird Firewall scan results

<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 20, 2007 2:16 pm

Weird Firewall scan results

Alright,

So I still haven't given up on getting this EnGarde Linux fully functional. I finally fixed my other issues and everything seems to be working correctly on the box itself. I decided to run an nmap scan on it from an external IP to see the results (expecting to see all ports closed). However, this is the list of open ports I received:

21, 25, 3389, 443, 80, 113, 22, 8080, 1720, 1352, 7070, and 139.

Now, my current firewall (iptables) rules are set to a drop policy on input, output and forward. The only accept rules I have in place are to allow me access from the IP doing the scan to SSH and the admin WebTool (1023) for the software. Why in the world is it reporting all of these other ports open? Anyone have any ideas?
<<

plik

Newbie
Newbie

Posts: 31

Joined: Tue Dec 19, 2006 9:32 am

Location: North - UK

Post Tue Mar 20, 2007 2:51 pm

Re: Weird Firewall scan results

What version of nmap, on what OS?

and what type of scan were you running?
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 20, 2007 3:39 pm

Re: Weird Firewall scan results

I'm running nmap v4, on XP Pro.

The ports I listed show open when doing both a stealth scan and a full connect scan.

I have a virtual EnGarde machine also. When I get home I'll try scanning that one to see what sort of results it produces. Just seems like strange results... or someone compromised my box pretty quick! :P
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 20, 2007 3:45 pm

Re: Weird Firewall scan results

Suppose I should also mention the results of netstat....

  Code:
[root@vapor venom]# netstat --inet -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:webtool               *:*                     LISTEN
[root@vapor venom]#
<<

plik

Newbie
Newbie

Posts: 31

Joined: Tue Dec 19, 2006 9:32 am

Location: North - UK

Post Tue Mar 20, 2007 6:48 pm

Re: Weird Firewall scan results

I've not heard of nmap having false positive issues with connect scans before. So I think we can assume you scanned *something* the lack of 1023 returning makes me think the scan never reached your box. Are you sure you scanned the right IP :)
Traceroute turn up anything interesting?

Can you actually reach ssh and webtool?

-stab in dark-
Because *something* has responded on those ports I'd say it was a routing/NAT issue. Do you have any windows boxes running IIS and mail on site?
-/stab in dark-
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 20, 2007 7:03 pm

Re: Weird Firewall scan results

The connect scan did return port 1023. I'm not sure why the stealth scan did not. Haha, yeah, I'm sure I scanned the right IP.. and yes I can reach SSH and the WebTool with no problems.

A traceroute from outside goes from the gateway to my firewall and then the firewall reply continues. So that's what? A proxy? I wonder if those scan results are reflective from something my ISP has setup in front of my firewall.

The only box with services I have (which isn't even running at the moment, nor are the firewall rules setup for it) is an all-in-one linux web server. But those rules aren't active as I've only enabled the SSH/WebTool rules.
<<

plik

Newbie
Newbie

Posts: 31

Joined: Tue Dec 19, 2006 9:32 am

Location: North - UK

Post Tue Mar 20, 2007 7:10 pm

Re: Weird Firewall scan results

venom77 wrote:I wonder if those scan results are reflective from something my ISP has setup in front of my firewall.


I pondered this too, but couldn't work out why you'd want to do the full handshake for services that aren't there. And why those ports?



If you can connect that's my NAT idea down the drain!
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Mar 20, 2007 7:34 pm

Re: Weird Firewall scan results

Yeah, that's the only thing that makes any sense of it  :-\
<<

mn_kthompson

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Wed Mar 21, 2007 8:52 am

Re: Weird Firewall scan results

Perhaps the ISP has put in proxies to prevent people from running servers out of their house.  It wouldn't be the first time that they have used dirty tricks to try and stop people from running a website or FTP site on their home connection.

I'm not sure what your set up is, but if you were to disconnect your firewall from your ISP and then use a crossover cable to connect your scanning machine to the external interface on your firewall then you could scan the firewall and be certain that no interference from your ISP is skewing your results. 

You could also try to telnet to some of those ports and see what server is answering, if it isn't your stuff then you know that there are shenanigans being pulled at the ISP level.
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Wed Mar 21, 2007 8:56 am

Re: Weird Firewall scan results

I doubt that its your ISP, because that would be just wrong. I've had both Time Warner Cable and AT&T DSL and have never seen that.

Try disconnecting your Engarde Linux box and doing the scan. If the results comeback the same, you've at least isolated it to a network issue and not your linux box. If it comes back with the same type of results, is it possible you have some port forwarding going on to other natted IPs?
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed Mar 21, 2007 9:43 am

Re: Weird Firewall scan results

Thanks for the suggestions guys.

I know that the ISP doesn't have anything in place to stop me from running servers. I specifically have static IP addresses so that I can do so. I have also been able to access the web server with no problems when the rules are in place.

I'll try the ideas though, probably starting with trying to telnet to those ports and see what happens. When I get home again tonight I'll try connecting via crossover to my external interface to scan the firewall.

There shouldn't be any other rules in place, as I have flushed everything, created drop all policies, and only added the 4 specific rules for inbound/outbound to allow SSH/WebTool access.

Thanks again for the ideas, I'll keep you guys updated as to what I find out.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software