how to use nmap or nc to find one true port amongst many false ports?




Posts: 4

Joined: Thu Jan 27, 2011 7:02 pm

Post Thu Jan 27, 2011 9:23 pm

Hello. I am trying some things for security on my network and am trying to find out the correct way in which to use nmap or nc to locate one real port that is listening amongst a range of false ports. Right now I can scan my system with nmap and I have used nemesis and some scripts to make it look like I have several open ports when only one of them is truly accepting connections.

To clarify what I'm doing: say I do an nmap of my system, 'nmap -T polite -p 11500-12000' it shows a bunch of ports as open even though they are just strings as I have dropped all original port scan packets and replaced them with injected packets using nemesis... only one of the ports listed is really open.

Now I want to play the attacker and try to locate the real port using nmap or netcat. However, every command I have tried does not give me the answer. Is there a way to do this?

I've tried this command which I thought might locate it, but it doesn't seem to work:
nc -v -t 11500-12000

I used -t because in this case the real port is a telnet port. Shouldn't -t be used with netcat when scanning for telnet negotiations?

Any help is appreciated.


Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Jan 28, 2011 2:40 am

Re: how to use nmap or nc to find one true port amongst many false ports?

Welcome to the forum.

I'd guess it depends how intelligently Nemesis is mimicking the true open port.

For example, if it's just throwing a SYN-ACK packet in response to a SYN, then you should be able to just look for one port that doesn't behave like the rest; that will be the real service. With nmap I'd suggest trying the version detection flag (-sV) and looking for different output.

Similarly you could easily script nc to connect to each open port, pass some arbitrary input, and look for differences in response. Again I'd expect all of the Nemesis ports to respond in the same manner, with the real port being unique.

Depending on how convincing the Nemesis responses are, you may need to craft some complex data/input before you identify a difference, but you will get there. If not, and Nemesis is responding exactly like the real service, then you've just opened the same service on multiple ports ;)

Hope this helps. Let me know how you get on; I would be interested to confirm how well the above works in practice...
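The "script nc to connect to each open port, send some input, and look for the one that responds differently" approach from the reply above, written out as an added Python example (not code from either poster). It connects to every candidate port, records a behavioural fingerprint (did the connect succeed, what banner arrived, what came back after a probe), and reports the port whose fingerprint is unique. Since Nemesis-injected SYN-ACKs cannot be reproduced on localhost without raw sockets, the demo stands up throwaway TCP listeners instead: several identical decoys that accept and say nothing, and one constructed "telnet-like" service that sends a `login:` banner. The host address, the `\r\n` probe payload and the banner strings are all assumptions for the demo.

```python
import socket
import threading
from collections import Counter
from concurrent.futures import ThreadPoolExecutor


def _recv_quiet(sock, size=1024):
    """recv() that turns timeouts and resets into stable marker values."""
    try:
        return sock.recv(size)
    except socket.timeout:
        return b"<timeout>"
    except OSError:
        return b"<reset>"


def fingerprint_port(host, port, payload=b"\r\n", timeout=1.0):
    """Connect, read any banner, send a small probe, read the reply, and reduce
    what happened to a hashable tuple so ports can be grouped by behaviour."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # A spoofed SYN-ACK with no real listener behind it typically ends here.
        return ("connect-failed", type(exc).__name__)
    with sock:
        sock.settimeout(timeout)
        banner = _recv_quiet(sock)
        try:
            sock.sendall(payload)
        except OSError:
            return ("closed-on-send", banner)
        reply = _recv_quiet(sock)
        return ("connected", banner, reply)


def find_outliers(host, ports, payload=b"\r\n", timeout=1.0, workers=32):
    """Fingerprint every port concurrently; a port is an outlier when no other
    port in the set produced the same fingerprint. Returns (outliers, results)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        fps = pool.map(lambda p: fingerprint_port(host, p, payload, timeout), ports)
        results = dict(zip(ports, fps))
    counts = Counter(results.values())
    outliers = sorted(p for p, fp in results.items() if counts[fp] == 1)
    return outliers, results


# --- demo-only listeners standing in for the decoy and real ports (constructed) ---

def _decoy_handler(conn):
    """Decoy: accept, send nothing, close once the client has sent something."""
    with conn:
        conn.settimeout(2.0)
        try:
            conn.recv(1024)
        except OSError:
            pass


def _telnet_like_handler(conn):
    """Constructed 'real' service: banner on connect, prompt after input."""
    with conn:
        conn.settimeout(2.0)
        try:
            conn.sendall(b"login: ")
            conn.recv(1024)
            conn.sendall(b"Password: ")
        except OSError:
            pass


def _listen(handler):
    """Start a throwaway listener on an ephemeral 127.0.0.1 port (demo only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(n_decoys=8):
    """Run n identical decoys plus one real service; return (real_port, outliers)."""
    servers = [_listen(_decoy_handler) for _ in range(n_decoys)]
    real_srv, real_port = _listen(_telnet_like_handler)
    servers.append((real_srv, real_port))
    ports = [p for _, p in servers]
    outliers, _ = find_outliers("127.0.0.1", ports, timeout=0.5)
    for srv, _ in servers:
        srv.close()
    return real_port, outliers


if __name__ == "__main__":
    real, found = demo()
    print(f"real port {real}, outliers reported {found}")
```

Against a real target, call `find_outliers(host, range(11500, 12001))` instead of `demo()`. If every decoy port fails to connect while one completes the handshake, the first fingerprint element alone separates them; if the decoys do complete connections, the banner and reply fields carry the difference, and the probe payload can be swapped for something the expected service reacts to.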
