Joseph_sys Advocate

Joined: 08 Jun 2004 Posts: 2719 Location: Edmonton, AB
Posted: Sun Jan 08, 2006 4:30 am Post subject: nmap accuracy
I scanned my IP address externally with "nmap + IP" and it only showed three ports open: 80, 443, 1024 (as it is supposed to).
However, when I scanned my IP address externally from some kind of Ethernet cafe (I was given some kind of bare-bone machine, without a hard drive) using Knoppix and nmap, I was surprised to see some additional ports open: 389, 1002, 1072.
In addition, the scan took several minutes on a slow DSL connection.
When I got back (I tried to investigate), I did an external scan again on my IP address and these ports didn't show up as open.
Why did I see additional open ports when I scanned my IP?
kadeux Tux's lil' helper

Joined: 21 Nov 2005 Posts: 103
Posted: Sun Jan 08, 2006 2:13 pm
If you are using a hardware DSL router to connect to the internet, it might be that the router had these ports open.
Ports 389 and 1002 are used by LDAP/OpenLDAP and/or NetMeeting; port 1072 is assigned to cardax (cardax offers hardware and software for access control and alarm monitoring management; I guess that you are not using their enterprise-level hardware at home). But of course all ports could be used by any other application which ignores the port number assignments by the IANA.
Did you scan your machine at home from another machine? If you try to scan the machine locally from the same machine given the external IP, the ethernet driver will send the packets to the "lo" interface; your router will not be "touched" by the scan. (That's a feature, not a bug. Really! Routing loops are bad!)
If you have a hardware DSL router with an integrated DSL modem, it's hard to test the external connection of your router in its final running configuration without connecting over the internet. If you have a DSL router that connects to the DSL modem over a PPPoE interface, you can set up a PPPoE server on a second machine and run penetration tests offline.
So if you are using a DSL router, I recommend first checking (and changing) the configuration of this router (and then repeating the scan over the internet).
Joseph_sys Advocate

Joined: 08 Jun 2004 Posts: 2719 Location: Edmonton, AB
Posted: Sun Jan 08, 2006 4:33 pm
Thank you for the explanation.
I have two Internet connections, DSL and cable, and both are behind software-type routers (old boxes running freesco).
So I scanned externally from one connection to the other and did not find any additional ports open (besides the ones I'm aware of). The scan that I performed was from IP 202.138.167.235 and "nmap -P0" showed no ports open. Though it seems to me they have a hardware-type router.
kadeux Tux's lil' helper

Joined: 21 Nov 2005 Posts: 103
Posted: Sun Jan 08, 2006 9:18 pm
I don't know who you mean by "they" when you said "... it seems to me they have a hardware type router". I assume the following situation:
Code:
+------------+ +------------+
| SW-Router1 |-----| Blackbox1 |
+------------+ |------------|
| | Cablemodem |----+
|(A) +------------+ |
+-------+ |
| Comp1 | |
+-------+ iiiiiiiiiiiiiiiiiiiiii
iiiiiiiiiiiiiiiiiiiiiiiiii
iiiii INTERNET iiiii
iiiiiiiiiiiiiiiiiiiiiiiiii
+-------+ iiiiiiiiiiiiiiiiiiiiii
| Comp2 | (B)| |
+-------+ | |
| +-----------+ |
| | DSL-Modem | |
+------------+ |-----------| +---+
| SW-Router2 |-----| Blackbox2 | | ? |
+------------+ +-----------+ +---+
|
|(C)
+------------+
| Comp3 (ext)|
+------------+
If a scan from Comp3 against Comp2 shows more open ports than a scan from Comp1 against Comp2, then someone between Point (A) and Point (B) is blocking the scans of these additional open ports (maybe your cable provider or the firewall rules of your software router), because the route between Point (B) and Comp2 is the same for both scans. If a scan of the public IP of Comp2 shows open ports, "something" on the internal side of Point (B) that is reachable under your public IP listens on these ports. That alone does not mean that you are vulnerable; maybe it is a management port for Blackbox2 (which may be leased by your provider) which requires authentication. I don't know. But I do not think that any router between Point (C) and Point (B) is responsible for additional open ports on your internal side of Point (B).
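The reasoning in the two posts above comes down to comparing the same host's open-port set as seen from two vantage points (inside the router versus across the internet), and treating the ports that only show up externally as the ones to investigate. The following script, added here as an example and not code from either poster, does that comparison mechanically over nmap grepable (-oG) output. The sample scan output is constructed, and 203.0.113.5 is a documentation address standing in for the public IP; the port sets mirror the ones discussed in the thread.

```python
import re
from collections import defaultdict

# Constructed sample nmap -oG output for one public IP scanned from two vantage
# points (not real scans). Internal = scanned from behind the router (Comp1 in
# the diagram); external = scanned from across the internet (Comp3).
INTERNAL_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.5 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "1024/open/tcp//kdm///\tIgnored State: filtered (997)\n"
)
EXTERNAL_SCAN = (
    "Host: 203.0.113.5 ()\tPorts: 80/open/tcp//http///, 389/open/tcp//ldap///, "
    "443/open/tcp//https///, 1002/open/tcp/////, 1024/open/tcp//kdm///, "
    "1072/open/tcp//cardax///\tIgnored State: filtered (994)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# Each -oG port entry is port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} of ports reported 'open' in -oG output.

    Hosts listed without a 'Ports:' field (nothing open) map to an empty set,
    so 'no open ports' is distinguishable from 'host not in the scan'.
    """
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # nmap header/footer comment lines
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        open_ports[host]  # touch so the host is present even with no ports
        # Tab-separated "Key: value" fields: Host, Ports, Ignored State, ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                open_ports[host].add((int(port), proto))
    return dict(open_ports)


def compare_vantage_points(internal_text, external_text, host):
    """Split a host's open ports by which vantage point(s) saw them.

    external_only: reachable under the public IP but invisible from inside; as
        the thread notes, something on the internal side of the modem (router
        management service, provider-leased device) answers there and should
        be identified.
    internal_only: open from inside but not from outside; something between
        the two vantage points (ISP or router firewall) is filtering it.
    """
    inside = parse_grepable(internal_text).get(host, set())
    outside = parse_grepable(external_text).get(host, set())
    return {
        "both": inside & outside,
        "external_only": outside - inside,
        "internal_only": inside - outside,
    }


def format_report(result):
    """Human-readable summary, one line per category, ports sorted."""
    lines = []
    for key in ("both", "external_only", "internal_only"):
        ports = ", ".join(f"{p}/{proto}" for p, proto in sorted(result[key]))
        lines.append(f"{key:14s}: {ports or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    diff = compare_vantage_points(INTERNAL_SCAN, EXTERNAL_SCAN, "203.0.113.5")
    print(format_report(diff))
```

In practice you would feed it the two files written with `nmap -oG inside.gnmap` and `nmap -oG outside.gnmap`; the "external_only" line is the list of services to track down on the router or modem before deciding whether they matter.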