On a server running Ubuntu 14.04.2 I was doing some basic security auditing when I ran the command nmap -p -d 1-65535 as a non-root user. Interestingly, it reported a few (1-5 at a time, on average, changing each scan) high ports open as "unknown". Taken aback, I checked netstat and all the usual things; nothing seemed amiss and said unknown ports were not open. I ran the scan as root and the bogus ports NEVER showed up, no matter how many times I repeated the scan.
As a test I spun up a virtual machine with a similar configuration of services from a fresh install from the ISO and it too showed the same thing, calming my fears.
I also did a packet capture of the "lo" interface and the only thing I could see on these "unknown" open ports were nmap probes as usual.
Just interested in why this happens. I suspect it's due to the different scanning methods that nmap uses when running it as a non-root user.
Relevant output of nmap
Non root scan
-snipped some output to cut down on length-
Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-03 23:41 PST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 23:41
Scanning 127.0.0.1 [2 ports]
Completed Ping Scan at 23:41, 0.00s elapsed (1 total hosts)
Overall sending rates: 1986.10 packets / s.
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
Initiating Connect Scan at 23:41
Scanning localhost (127.0.0.1) [65535 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 35443/tcp on 127.0.0.1
Discovered open port 52296/tcp on 127.0.0.1
Discovered open port 9050/tcp on 127.0.0.1
Discovered open port 45478/tcp on 127.0.0.1
Completed Connect Scan at 23:41, 1.55s elapsed (65535 total ports)
Overall sending rates: 42381.38 packets / s.
Nmap scan report for localhost (127.0.0.1)
Host is up, received syn-ack (0.00034s latency).
Scanned at 2015-03-03 23:41:36 PST for 2s
Not shown: 65527 closed ports
Reason: 65527 conn-refused
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
9050/tcp open tor-socks syn-ack
35443/tcp open unknown syn-ack
45478/tcp open unknown syn-ack
52296/tcp open unknown syn-ack
Final times for host: srtt: 340 rttvar: 77 to: 100000
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
Root scan
Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-03 23:43 PST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 8.8.8.8
mass_rdns: Using DNS server 8.8.4.4
Initiating SYN Stealth Scan at 23:43
Scanning localhost (127.0.0.1) [65535 ports]
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 127.0.0.1)))
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 9050/tcp on 127.0.0.1
Increased max_successful_tryno for 127.0.0.1 to 1 (packet drop)
Completed SYN Stealth Scan at 23:43, 6.86s elapsed (65535 total ports)
Overall sending rates: 9569.39 packets / s, 421053.03 bytes / s.
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.000014s latency).
Scanned at 2015-03-03 23:43:43 PST for 7s
Not shown: 65530 closed ports
Reason: 65530 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
25/tcp open smtp syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
9050/tcp open tor-socks syn-ack
Final times for host: srtt: 14 rttvar: 2 to: 100000
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds
Raw packets sent: 65593 (2.886MB) | Rcvd: 131191 (5.510MB)
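A check worth running on any port that a non-root connect scan of localhost reports open, added here as an illustration and not part of the original post. As a non-root user nmap has to use connect(); when the kernel picks an ephemeral source port for a probe that happens to equal the destination port, the TCP stack completes a simultaneous open against itself, so connect() succeeds with no listener behind it and the port is reported open. A raw SYN scan as root never triggers this because nmap sends its own packets from a fixed source port. The script below (assumed to run on Linux; the host, port lists and helper names are mine) re-probes a port and flags the self-connect case by comparing the socket's local and remote endpoints.

```python
import socket

HOST = "127.0.0.1"  # loopback, matching the scans in the post


def probe_port(host, port, timeout=0.5):
    """Connect to host:port and classify the result.

    Returns one of:
      "closed"       - connect() was refused or timed out
      "self-connect" - connect() succeeded but local and remote endpoints are
                       identical: the socket connected to itself, no listener
      "open"         - connect() succeeded against a distinct endpoint
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:
        s.close()
        return "closed"
    try:
        return "self-connect" if s.getsockname() == s.getpeername() else "open"
    finally:
        s.close()


def recheck_open_ports(host, ports):
    """Re-verify every port a connect scan reported open; returns {port: state}."""
    return {port: probe_port(host, port) for port in ports}


def demo_self_connect():
    """Reproduce the artifact deliberately: bind an ephemeral port, then
    connect that same socket to its own address (no listener exists).
    Returns (port, endpoints_identical)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1.0)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    try:
        s.connect((HOST, port))
        return port, s.getsockname() == s.getpeername()
    finally:
        s.close()


def make_listener():
    """Constructed test fixture: a real listener on an ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    s.listen(1)
    return s, s.getsockname()[1]


def reserve_port():
    """Constructed test fixture: a bound but non-listening port (connect is refused)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Ports taken from the non-root scan output in the post; the "unknown"
    # high ports will normally come back "closed" on a re-probe.
    reported_open = [22, 25, 80, 3306, 9050, 35443, 45478, 52296]
    for port, state in recheck_open_ports(HOST, reported_open).items():
        print(f"{port}/tcp {state}")
    port, same = demo_self_connect()
    print(f"forced self-connect on port {port}: endpoints identical = {same}")
```

Because the ephemeral port collision is random, a phantom port from one scan usually shows "closed" on the re-probe, which matches the post's observation that the ports change on every run and never appear in the root SYN scan. The getsockname()/getpeername() comparison is the direct test: a genuine listener always answers from a different endpoint than the probing socket.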