
So you scanned a host, and found open ports!!

<<

ZeroOne

Jr. Member

Posts: 59

Joined: Tue Apr 24, 2012 7:41 am

Post Sat May 26, 2012 7:02 am

So you scanned a host, and found open ports!!

Hi forum

I'm currently studying scanning techniques and information gathering in a pen testing course, and I have a few questions. You might be asking yourself why this noob ("me" ;D) isn't asking those questions to the leaders or the staff of the course he joined... let's just say BECAUSE THIS FORUM ROCKS!!

Moving on, I'm actually trying to get more comfortable with scanning techniques before moving to the next level when it comes to pen testing. My questions are basic and could sound stupid; well, what can I say, I'm just a beginner.

So I've connected two computers which I own to my LAN and started to scan host B from host A. Tool used: Nmap. A few ports showed up after scanning host B, even though the firewall is on on host B.

The ports that showed up are the most common ports, like FTP, SSH, HTTP, etc.
Now, I know the difference between open/closed ports:

- closed port means that the port is accessible, and it reacts to the packets sent through the bus from host A, but the service on that port is not listening.

- open port simply means that the service on that port is currently listening; the port is accessible.

My questions regarding the above:

1 - When a port returns as open in the scanning tool, knowing that the port is listening, does that mean that the port is not protected by a firewall? Normally, after scanning a port with the result "filtered", we could guess that there is a firewall behind it to protect it, so if the port is open does that mean it is unsecured, and that it could be accessed easily, leading to high-risk attacks?

2 - What is the difference between a port listening for a service and a port not listening for a service? I'll give you an example to simplify my question. I happen to own a website, and I use FTP to transfer all my files from my PC to the website and vice versa. I scanned my website's IP just to study how the ports react, and the FTP port 21 always appears as an "open port". I thought that port 21 would only be open while I was connected to my website through FTP, because at that time it is listening for the "FTP" service, and that once I disconnected the session between me and the website the port would appear as a "closed port", but the facts show that port 21 is always open on my web server??!! Before you say "GOOGLE THAT YOU NOOB", I already did that, and would also like to hear some clarification from the experts on this forum, which I respect a lot.

Sorry if my questions were kind of messy.

Regards,  ::)  
Last edited by ZeroOne on Sat May 26, 2012 7:04 am, edited 1 time in total.
<<

venom77


Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sat May 26, 2012 7:55 am

Re: So you scanned a host, and found open ports!!

1. Just because the port says 'open' doesn't mean a firewall isn't present. A firewall is likely configured with a rule to allow traffic on that port. So, if by definition a firewall controls the flow of network traffic, it may very well be there and doing its job, but it's not "protecting" that port if it's allowing traffic to pass. I'm assuming you mean protecting as in blocking, in which case the port would be closed and traffic would not be allowed through.

Hopefully I understood what you were asking there.

2. Your FTP port will appear open until you stop the service. If you stop the service, and FTP is no longer running, then the service won't be listening and the port will be closed. You also won't be able to connect using your FTP client or upload files. You would need to start the service again, thus opening the port back up. Ports don't open and close dynamically with a session like you've described - unless maybe you're doing some weird port knocking stuff.
<<

rattis


Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat May 26, 2012 7:56 am

Re: So you scanned a host, and found open ports!!

Question number 1: maybe yes, maybe no. It just means that when you sent a SYN to the port, it responded.

Number 2: even after you disconnect from FTP, if you do another scan, the port will still be open; it is only your session that closed.

An open port means that the service is listening, which is really just a fancy way of saying the service is running / turned on. If it is closed then the service is turned off.

Not trying to sound condescending, but think of services like porch lights on Halloween. Where I live that means that the person who lives there is giving out candy. If you knock on the door, which the person is listening at, he opens; you authenticate by saying trick or treat, and he gives you a bit of candy.

If the light is off, all the knocking in the world won't open the door if the person is not.
OSWP, Sec+
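The point venom77 and rattis make above, that a listener stays open across client sessions and only goes away when the service stops, can be watched directly. The following is an added example and not code from the thread: it starts a constructed stand-in for a service on a loopback port, probes the port with a full TCP connect (the same thing `nmap -sT` does, since a privileged Nmap run uses a half-open SYN scan instead), and classifies the answer using Nmap's own vocabulary. The listener, the probe routine and the port numbers are all assumptions of the example.

```python
import socket


def start_service(host="127.0.0.1"):
    """Constructed stand-in for a service such as an FTP daemon: a TCP socket in
    LISTEN state on an ephemeral port. The kernel finishes the three-way handshake
    for a listening socket whether or not the application ever calls accept(),
    which is exactly the state a scanner reports as 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def probe(host, port, timeout=1.0):
    """Full-connect probe of one TCP port (what `nmap -sT` does).
    Returns 'open', 'closed' or 'filtered' in Nmap's sense."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # SYN/ACK came back: something is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: host reachable, nothing listening
    except (socket.timeout, OSError):
        return "filtered"    # no answer, or ICMP unreachable: a firewall dropped the SYN
    finally:
        s.close()


def listener_lifecycle(host="127.0.0.1"):
    """Probe the same port at three points in the service's life and return the
    results, so the difference between a session and a listener is visible."""
    srv = start_service(host)
    port = srv.getsockname()[1]
    seen = {}
    seen["service_running"] = probe(host, port)

    # A client opens a session and closes it again, like an FTP transfer ending.
    # The LISTEN socket is untouched, so the next probe still says 'open'.
    client = socket.create_connection((host, port))
    client.close()
    seen["after_client_disconnected"] = probe(host, port)

    # Only stopping the service removes the listener; now the kernel answers RST.
    srv.close()
    seen["service_stopped"] = probe(host, port)
    return seen


if __name__ == "__main__":
    for stage, state in listener_lifecycle().items():
        print(f"{stage:28s} {state}")
```

The 'filtered' branch is reached only when nothing comes back within the timeout (or the path returns an ICMP unreachable), which on a LAN almost always means a firewall silently dropping the SYN; on loopback you will only ever see 'open' and 'closed'.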
<<

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon May 28, 2012 11:57 am

Re: So you scanned a host, and found open ports!!

And filtered means yes, the ports are most likely open, but not to you. They accepted the SYN packet but denied any further communication. Filtered ports are used when you only want to allow specific IP ranges through your firewall for particular services. For instance, I have SMTP open, but only to communicate with an email filtering company. So my mail servers only send out through that host and only receive from that host. All other incoming requests are tossed.
Certs: GCWN
(@)Dewser
<<

ZeroOne

Jr. Member

Posts: 59

Joined: Tue Apr 24, 2012 7:41 am

Post Tue May 29, 2012 3:04 am

Re: So you scanned a host, and found open ports!!

BillV, chrisj, 3xban.. thanks all for your help :). There is one more question: if there are 4 devices in a LAN, say 3 workstations and 1 router, the router will hold the public IP address (NATing). If I scan that public IP, like: nmap [public ip], what is it scanning here? The router? Will the results be the ports opened/closed only on the router? I mean, how is it possible that IP scanners find hosts with open ports when only the router holds the public IP?

Thanks again ;D
Last edited by ZeroOne on Tue May 29, 2012 3:13 am, edited 1 time in total.
<<

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Tue May 29, 2012 3:07 am

Re: So you scanned a host, and found open ports!!

My friend, if a port is open it doesn't mean there is no firewall. A firewall is designed to secure a network, not to block all connections (not to kill the network, lol). It may be more secure if you close all services with the firewall, but if you do that no services can work, and as you know a server with no services is useless, lol.

So let me give you an example. A lot of servers have port 21 open; it's the FTP port. So if that port is open you can't gain access to it until you run a password cracker, but if that password is complex you must exploit it; in this case maybe a good firewall can prevent you from doing that.
ICS Academy Network Security Certified
<<

ZeroOne

Jr. Member

Posts: 59

Joined: Tue Apr 24, 2012 7:41 am

Post Tue May 29, 2012 3:11 am

Re: So you scanned a host, and found open ports!!

cyber.spirit wrote:My friend, if a port is open it doesn't mean there is no firewall. A firewall is designed to secure a network, not to block all connections (not to kill the network, lol). It may be more secure if you close all services with the firewall, but if you do that no services can work, and as you know a server with no services is useless, lol.

So let me give you an example. A lot of servers have port 21 open; it's the FTP port. So if that port is open you can't gain access to it until you run a password cracker, but if that password is complex you must exploit it; in this case maybe a good firewall can prevent you from doing that.



lol, sorted it out already, thx tho ;D. Any help on my last question would be great, bro ;)
<<

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Tue May 29, 2012 4:18 am

Re: So you scanned a host, and found open ports!!

lol, you're welcome, brother
ICS Academy Network Security Certified
<<

Data_Raid


Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Tue May 29, 2012 9:28 am

Re: So you scanned a host, and found open ports!!

ZeroOne wrote:BillV, chrisj, 3xban.. thanks all for your help :). There is one more question: if there are 4 devices in a LAN, say 3 workstations and 1 router, the router will hold the public IP address (NATing). If I scan that public IP, like: nmap [public ip], what is it scanning here? The router? Will the results be the ports opened/closed only on the router? I mean, how is it possible that IP scanners find hosts with open ports when only the router holds the public IP?

Thanks again ;D


It might help to simplify things: what is a router and what is its function?
If you are scanning the public IP address of the router and you get a response that there are open ports, is it possible that the router is running that particular service?
Hint: Check out NAT and PAT  ;)
All men by nature desire knowledge.

Aristotle
<<

rattis


Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue May 29, 2012 12:21 pm

Re: So you scanned a host, and found open ports!!

As Data_Raid pointed out, it really depends on how the router / firewall are configured.

The best answer I have for you is to try it from "outside your router", on the "public internet side", and see what happens. Then map it out to what you know is running where.
OSWP, Sec+
<<

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue May 29, 2012 1:03 pm

Re: So you scanned a host, and found open ports!!

So your typical Linksys "firewall", and I use the term very loosely based on this fact, only does port forwarding. Meaning I have a device on my home/private LAN that I want to access from outside through some method (i.e. SSH or FTP). So on my firewall I would create a rule to allow these services to be accessed from the internet. It would be an incoming rule and would look something like this:
  Code:
Direction   Source IP   Source Port   Destination IP   Destination Port   Rule
Incoming    ANY         TCP/22        192.168.0.100    TCP/22             Allow
Incoming    8.8.8.8     UDP/53        192.168.0.101    UDP/53             Allow
Incoming    ANY         ANY           ANY              ANY                Deny

Rough translation. Now your Linksys router/firewall is really more of a router than a firewall. It does not provide stateful packet inspection or a number of other services your business-class firewall will provide. It simply routes traffic based on the rules you give it. The last rule in the list is the cleanup rule. Most home routers will probably not have the rule, but that is out of scope for this discussion.

So your firewall may not have any rules allowing access to it, but will have rules to allow access to internal resources.
Certs: GCWN
(@)Dewser
<<

ZeroOne

Jr. Member

Posts: 59

Joined: Tue Apr 24, 2012 7:41 am

Post Tue May 29, 2012 4:52 pm

Re: So you scanned a host, and found open ports!!

Data_Raid wrote:It might help to simplify things: what is a router and what is its function?
If you are scanning the public IP address of the router and you get a response that there are open ports, is it possible that the router is running that particular service?
Hint: Check out NAT and PAT  ;)



I already know how NAT works, not very familiar with PAT; I'll check on it, thanks for the hint.


chrisj wrote:As Data_Raid pointed out, it really depends on how the router / firewall are configured.

The best answer I have for you is to try it from "outside your router", on the "public internet side", and see what happens. Then map it out to what you know is running where.


I already scanned my public IP. On my workstation I've got 15 open ports; when I scanned the public IP it only showed two open ports, so it seems that there is a firewall configuration.


3xban wrote:So your typical Linksys "firewall", and I use the term very loosely based on this fact, only does port forwarding. Meaning I have a device on my home/private LAN that I want to access from outside through some method (i.e. SSH or FTP). So on my firewall I would create a rule to allow these services to be accessed from the internet. It would be an incoming rule and would look something like this:
  Code:
Direction   Source IP   Source Port   Destination IP   Destination Port   Rule
Incoming    ANY         TCP/22        192.168.0.100    TCP/22             Allow
Incoming    8.8.8.8     UDP/53        192.168.0.101    UDP/53             Allow
Incoming    ANY         ANY           ANY              ANY                Deny

Rough translation. Now your Linksys router/firewall is really more of a router than a firewall. It does not provide stateful packet inspection or a number of other services your business-class firewall will provide. It simply routes traffic based on the rules you give it. The last rule in the list is the cleanup rule. Most home routers will probably not have the rule, but that is out of scope for this discussion.

So your firewall may not have any rules allowing access to it, but will have rules to allow access to internal resources.



Impressive explanation :), thanks for sharing.
<<

Triban


Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue May 29, 2012 10:06 pm

Re: So you scanned a host, and found open ports!!

I should have explained the rules.

First rule: I allow ANY outside IP to connect to SSH (TCP/22) on an internal server at address 192.168.0.100. A scan would show the port as open.

Second rule: I allow Google's DNS server to send DNS traffic to my internal server 192.168.0.101; this could be my company's own DNS server. You see that if you have a large web presence that is hosted internally, possibly on a DMZ. The rules would be similar if this was a DMZ. Any other outside IP would get rejected and any scan would show the port as filtered.

Third rule is cleanup: if the incoming traffic doesn't match any of the rules before it, it is dropped altogether. In most cases, you may not need the rule if you only specified separate allow rules. The cleanup rule is mostly used for egress filtering. So you would have some allow rules for outgoing SMTP, FTP, SSH, HTTP/HTTPS and whatever other protocols you want to allow out. Then you put the cleanup DENY ALL rule at the end. This could protect you from compromised systems sending data out through oddball ports like 1022 or 69000. Granted, they could still try to send out through your allowed outgoing ports, but if you lock those down to only sending data out to specific internet hosts, then that will help as well.
Certs: GCWN
(@)Dewser
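Triban's rule table and the explanation above describe first-match evaluation with a cleanup rule, and how that turns into 'open' for the scanner that is allowed and 'filtered' for everyone else. The following is an added example, not code from the thread or from any router: it encodes the three incoming rules from the post, an egress policy of the same shape, and a constructed port-forward (NAT/PAT) table, then predicts what a TCP scan of the public IP from a given source address would report. Because the scanning client's source port is ephemeral, the source-port column is treated as ANY here; that, the forward table and the IP addresses are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Rule:
    """One row of the firewall table. 'ANY' is a wildcard in every field."""
    src: str                # source IP or CIDR, e.g. "8.8.8.8" or "192.168.0.0/24"
    proto: str              # "TCP", "UDP" or "ANY"
    dst: str                # destination host (the internal, forwarded-to address)
    dport: Union[int, str]  # destination port number or "ANY"
    action: str             # "Allow" or "Deny"

    def matches(self, src_ip, proto, dst_ip, dport):
        if self.src != "ANY" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.proto != "ANY" and self.proto != proto:
            return False
        if self.dst != "ANY" and self.dst != dst_ip:
            return False
        if self.dport != "ANY" and self.dport != dport:
            return False
        return True


# The three incoming rules from the post, source port treated as ANY (assumption).
INBOUND = [
    Rule("ANY", "TCP", "192.168.0.100", 22, "Allow"),
    Rule("8.8.8.8", "UDP", "192.168.0.101", 53, "Allow"),
    Rule("ANY", "ANY", "ANY", "ANY", "Deny"),          # cleanup rule
]

# Egress policy in the same shape: a few allowed outbound services, then deny all.
OUTBOUND = [
    Rule("192.168.0.0/24", "TCP", "ANY", p, "Allow") for p in (21, 22, 25, 80, 443)
] + [Rule("ANY", "ANY", "ANY", "ANY", "Deny")]

# Constructed port-forward table of the router: (proto, public port) -> (internal host, port)
FORWARDS = {
    ("TCP", 22): ("192.168.0.100", 22),
    ("UDP", 53): ("192.168.0.101", 53),
}


def first_match(rules, src_ip, proto, dst_ip, dport, default="Deny"):
    """Firewalls evaluate top-down and stop at the first rule that matches.
    `default` is what happens when nothing matches (no cleanup rule present)."""
    if not 0 <= dport <= 65535:
        raise ValueError(f"{dport} is not a valid port number (ports are 16-bit)")
    for rule in rules:
        if rule.matches(src_ip, proto, dst_ip, dport):
            return rule.action
    return default


def scanner_view(rules, forwards, scanner_ip, ports):
    """Predict what a TCP scan of the router's public IP from `scanner_ip` reports,
    assuming every forwarded internal service is actually listening."""
    view = {}
    for port in ports:
        target = forwards.get(("TCP", port))
        if target is None:
            view[port] = "filtered"   # nothing forwarded: the SYN is simply dropped
            continue
        dst_ip, dport = target
        verdict = first_match(rules, scanner_ip, "TCP", dst_ip, dport)
        view[port] = "open" if verdict == "Allow" else "filtered"
    return view


if __name__ == "__main__":
    print(scanner_view(INBOUND, FORWARDS, "203.0.113.5", [21, 22, 53]))
    print(first_match(INBOUND, "8.8.8.8", "UDP", "192.168.0.101", 53))
    print(first_match(OUTBOUND, "192.168.0.50", "TCP", "198.51.100.7", 1022))
```

Swapping the scanner address for 8.8.8.8 does not change the TCP view, because the second rule only admits UDP/53; a UDP probe from that address is the one case that reaches 'Allow'. The egress list shows the same mechanism pointed the other way: a beacon to TCP/1022 from a LAN host falls through to the cleanup rule and is denied, while TCP/443 to the same destination is allowed.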
<<

Data_Raid


Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Wed May 30, 2012 10:30 am

Re: So you scanned a host, and found open ports!!

ZeroOne wrote:I already scanned my public IP. On my workstation I've got 15 open ports; when I scanned the public IP it only showed two open ports, so it seems that there is a firewall configuration.


You should be able to match the open ports with the internal machines (assuming NAT/PAT is configured); if you can access the router, have a look at which services are forwarded internally. It is also possible that the router is blocking everything inbound and the 2 open ports are management services for the router, for example HTTP and Telnet.
How about a verbose scan of those 2 open ports? What information can you gather?
All men by nature desire knowledge.

Aristotle
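Data_Raid's suggestion above is to look past 'open' and ask what the two services say about themselves; a version scan (`nmap -sV`) does this by talking to each port. The following is an added example, not from the thread and not a real router: a minimal banner grabber that first reads whatever a service volunteers on connect (FTP, SSH and many Telnet daemons greet first) and, if the port stays silent, sends a harmless HTTP HEAD request and reads the reply. The loopback stand-ins, their greetings and the product strings are constructed for the example.

```python
import socket
import threading


def grab_banner(host, port, timeout=1.0):
    """Connect to one open port and collect what the service says about itself.
    Returns the decoded lines, whether the service spoke first, and the HTTP
    Server header when one is present (which is how a router's web management
    page usually gives itself away)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(2048)
        except socket.timeout:
            data = b""
        volunteered = bool(data)
        if not volunteered:
            # Silent on connect: HTTP and friends only answer when asked.
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = s.recv(2048)
            except socket.timeout:
                data = b""
    lines = [ln for ln in data.decode("ascii", "replace").split("\r\n") if ln]
    server = next(
        (ln.split(":", 1)[1].strip() for ln in lines if ln.lower().startswith("server:")),
        None,
    )
    return {"volunteered": volunteered, "lines": lines, "server": server}


def fake_service(greeting=None, reply=None):
    """Constructed stand-in for a router management service (not a real device).
    With `greeting` it talks first, like a Telnet or FTP daemon; otherwise it waits
    for a request and answers with `reply`, like an HTTP server. Serves a single
    client on an ephemeral loopback port and returns that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting is not None:
                conn.sendall(greeting)
            else:
                conn.recv(1024)        # consume the probe request
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    telnet_port = fake_service(greeting=b"\r\nExampleRouter login: ")
    http_port = fake_service(
        reply=b"HTTP/1.0 401 Unauthorized\r\n"
              b"Server: ExampleRouter-httpd/1.0\r\n"
              b'WWW-Authenticate: Basic realm="router"\r\n\r\n'
    )
    for p in (telnet_port, http_port):
        print(p, grab_banner("127.0.0.1", p))
```

Against a real target the interesting lines are the greeting text and the Server header: a login prompt or a vendor-specific httpd string on the public IP is a strong hint that the two ports belong to the router itself rather than to a forwarded workstation, which is exactly the case Data_Raid raises. Real Telnet daemons usually start with option-negotiation bytes rather than clean text, so expect replacement characters in that first line.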
<<

venom77


Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sun Jun 03, 2012 7:45 pm

Re: So you scanned a host, and found open ports!!

chrisj wrote:Question number 1: maybe yes, maybe no. It just means that when you sent a SYN to the port, it responded.

Number 2: even after you disconnect from FTP, if you do another scan, the port will still be open; it is only your session that closed.

An open port means that the service is listening, which is really just a fancy way of saying the service is running / turned on. If it is closed then the service is turned off.

Not trying to sound condescending, but think of services like porch lights on Halloween. Where I live that means that the person who lives there is giving out candy. If you knock on the door, which the person is listening at, he opens; you authenticate by saying trick or treat, and he gives you a bit of candy.

If the light is off, all the knocking in the world won't open the door if the person is not.


That is a beautiful analogy :-) Thanks!
