On Mon, 23 Dec 2002, alfaentomega wrote:

> First I thought that they may be some ports which are
> kind-of open, but they never finish the TCP handshake, but
> they are detected only with a basic nmap scan -sT, a TCP
> connect() scan, and never by any other kind of scan,
> like the -sS SYN half-open scan (if they never finish the
> handshake, then it would make more sense if -sS
> detects them, while -sT thinks they're closed, not the
> other way around - but I may be wrong here).
>
> Here are some other observations of mine:
> I ran nmap in a loop scanning TCP ports 1-10000 every
> time (first it scanned 1-65535 but higher ports were
> never open), and for 1000 ports found, there were 875
> unique ones, with the lowest 1036 and the highest 4989, so
> they look quite randomly distributed in this range.

Your local port range (/proc/sys/net/ipv4/ip_local_port_range) is 1024-5000, right? You are probably seeing some autobound sockets.

Hypothesis: one of the services listening on your machine opens a short-lived listening socket on an automatically assigned port (i.e. in the 1024-5000 range) when it accepts a connection. This would explain why the SYN scan does not trigger it but the connect() scan does.

Try this: for each port p in 1-1023, perform a connect() scan of p and 1024-5000. Only a small set of p, perhaps a single value of p--the hypothetical offending service (see above)--should make the mysterious listening port appear.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 09:52:07 PST
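Pavel's test above, as an added example that is not part of the original thread: instead of an external connect() scan, it runs on the Linux host itself, connects to each low port p, and reads /proc/net/tcp while the connection is open to see which LISTEN sockets appear in the ephemeral range. The sample /proc/net/tcp text, the port range 1024-5000 and the localhost target are constructed assumptions; /proc/net/tcp6 is not inspected.

```python
import socket

# Constructed sample of /proc/net/tcp (not captured from any real host).
# Column "st" is the socket state; 0A means LISTEN, 01 means ESTABLISHED.
# Addresses are hex, little-endian IPv4 followed by the port in hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CC4 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 20 4 30 10 -1
"""


def listening_ports(proc_net_tcp_text, port_range=(1024, 5000)):
    """Return the set of local ports in LISTEN state (st == 0A) inside port_range."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        port = int(local_addr.split(":")[1], 16)
        if state == "0A" and port_range[0] <= port <= port_range[1]:
            ports.add(port)
    return ports


def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read the kernel's autobind range so the check matches this host."""
    with open(path) as f:
        low, high = f.read().split()
    return int(low), int(high)


def snapshot(port_range, path="/proc/net/tcp"):
    with open(path) as f:
        return listening_ports(f.read(), port_range)


def probe(host, p, port_range, timeout=1.0):
    """Connect to port p and return the ephemeral listeners that appeared while connected."""
    before = snapshot(port_range)
    try:
        with socket.create_connection((host, p), timeout=timeout):
            during = snapshot(port_range)
    except OSError:  # port closed, filtered or refused: nothing to attribute
        return set()
    return during - before


def find_offending_services(host="127.0.0.1", ports=range(1, 1024)):
    """Map each low port p to the new LISTEN ports it caused to appear (empty sets dropped)."""
    rng = local_port_range()
    return {p: new for p in ports if (new := probe(host, p, rng))}
```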