Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

From: Pavel Kankovsky (peakat_private)
Date: Thu Dec 26 2002 - 07:50:51 PST

  • Next message: Fyodor: "Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"

On Mon, 23 Dec 2002, alfaentomega wrote:

> First I thought that they may be some ports, which are
> kind-of open, but they never finish the TCP handshake, but
> they are detected only with a basic nmap scan -sT, a TCP
> connect() scan, and never by any other kind of scan,
> like -sS SYN half-open scan (if they never finish the
> handshake, then it would make more sense if -sS
> detects them, while -sT thinks they're closed, not the
> other way around - but I may be wrong here).
>
> Here are some of my other observations:
> I ran nmap in a loop scanning TCP ports 1-10000 every
> time (first it scanned 1-65535 but higher ports were
> never open), and for 1000 ports found, there were 875
> unique ones, with lowest 1036 and highest 4989, so
> they look quite randomly distributed in this range.

Your local port range (/proc/sys/net/ipv4/ip_local_port_range)
is 1024-5000, right? You are probably seeing some autobound
sockets.

Hypothesis: one of the services listening on your machine opens a
short-lived listening socket on an automatically assigned port (i.e.
in the 1024-5000 range) when it accepts a connection. This would explain
why a SYN scan does not trigger it but a connect() scan does.

Try this:
  for each port p in 1-1023
     perform a connect() scan of p and 1024-5000

Only a small set of p, perhaps a single value of p--the hypothetical
offending service (see above)--should make the mysterious listening port
appear.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
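The mechanism Pavel hypothesises, as an added illustration that is not part of the list post or of nmap: a service that, only after a connection has been fully accepted, binds a second listening socket to port 0 so the kernel autobinds it from ip_local_port_range, keeps it for a moment, and closes it. A connect() probe finds that auxiliary port open while it exists and refused once it is gone, which is why a full-handshake scan can stumble on such ports while a half-open SYN scan, which never causes accept() to return, cannot. The script runs against loopback only; the sysctl path is the one named in the mail and is simply reported as unavailable on non-Linux hosts.

```python
import socket

# Linux sysctl named in the mail; on other systems the file does not exist.
LOCAL_PORT_RANGE_FILE = "/proc/sys/net/ipv4/ip_local_port_range"


def parse_port_range(text):
    """Parse the sysctl's "low<TAB>high" contents into an (int, int) tuple."""
    low, high = text.split()
    return int(low), int(high)


def read_local_port_range(path=LOCAL_PORT_RANGE_FILE):
    """Return (low, high) of the kernel's autobind range, or None if unreadable."""
    try:
        with open(path) as fh:
            return parse_port_range(fh.read())
    except (OSError, ValueError):
        return None


def tcp_port_accepts_connection(host, port, timeout=1.0):
    """What a connect() scan (nmap -sT) observes: True if a full handshake succeeds."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.settimeout(timeout)
    try:
        probe.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def demo_autobound_listener(host="127.0.0.1"):
    """Model of the hypothesised offending service (constructed for this example).

    After accept() returns, the service binds a second listening socket to
    port 0; the kernel assigns a port from ip_local_port_range (the
    "autobound socket" of the mail).  We probe that port while the socket
    is alive and again after it is closed.
    """
    service = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    service.bind((host, 0))
    service.listen(1)
    service_port = service.getsockname()[1]

    # A client completes the three-way handshake; the kernel finishes it from
    # the listen backlog, so accept() below returns immediately.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect((host, service_port))
    conn, _ = service.accept()

    # Side effect of an accepted connection: a short-lived autobound listener.
    aux = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    aux.bind((host, 0))
    aux.listen(1)
    aux_port = aux.getsockname()[1]

    seen_while_alive = tcp_port_accepts_connection(host, aux_port)
    aux.close()
    seen_after_close = tcp_port_accepts_connection(host, aux_port)

    conn.close()
    client.close()
    service.close()

    port_range = read_local_port_range()
    in_range = (port_range[0] <= aux_port <= port_range[1]) if port_range else None
    return {
        "service_port": service_port,
        "aux_port": aux_port,
        "seen_while_alive": seen_while_alive,
        "seen_after_close": seen_after_close,
        "local_port_range": port_range,
        "aux_port_in_range": in_range,
    }


if __name__ == "__main__":
    for key, value in demo_autobound_listener().items():
        print(f"{key}: {value}")
```

Run once and the auxiliary port shows up as open on the first probe and refused on the second; on a Linux host it also falls inside the reported ip_local_port_range, matching the 1036-4989 spread seen with a 1024-5000 range. The same probe function applied per trigger port is what Pavel's "for each port p in 1-1023" loop does to single out which service is responsible.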

This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 09:52:07 PST