NMAP filtered ports?


8 replies to this topic

#1 ZioMatrix

ZioMatrix

    elite

  • Members
  • 107 posts

Posted 29 March 2008 - 04:21 PM

Hello, another n00b question, I don't care. Anyway, I have been exploring Nmap for a while now, but there is one function I couldn't seem to find. My friend let me do a pen-test sort of deal on his computer. So I typed in the following


nmap -v -f -sV -PN XXX.XXX.XXX.XXX

So, using the -f option to fragment my packets, the nmap client said it might not work (lol).
Using the -sV option to find out what services were running (recently discovered and passed to me in this forum).
And the -PN because on the first attempt nmap stated that the computer or target host was rejecting my ping nodes.
So I tried it and got little to no results. Not one single port from the scan, due to them being "filtered" as nmap put it. It did say, however, that the host was up and running (good), so what can I do to un-filter, if you will, the ports?

My guess was that the computer was behind a good firewall.


Thanks in advance

#2 hbp

hbp

    rekcah-rebÜ

  • Members
  • 709 posts

Posted 29 March 2008 - 04:36 PM

Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.


You have guessed correctly. Most home computers nowadays are behind routers or firewalls. Unless there are ports allowed through the router by the administrator of the router, you won't be able to see them in the output of your nmap scan.

#3 ZioMatrix

ZioMatrix

    elite

  • Members
  • 107 posts

Posted 29 March 2008 - 04:48 PM

I hence an Nmap update? Hopefully. Well, thanks for the help, but is there any way to scan for the ports without using nmap? I mean, I know people get around this kind of stuff all the time; it can't be the only thing that stumps hackers?

#4 LUCKY_FUCKIN_CHARMS

LUCKY_FUCKIN_CHARMS

    TCP/IP....PI/MP

  • Members
  • 1,493 posts
  • Gender:Male
  • Location:Las Vegas

Posted 29 March 2008 - 07:35 PM

I use Essential NetTools on Windows for all of my port scanning needs. Here's something that might help. In the conventional mode, a TCP connection is established between your computer and the computer you're scanning. In the stealth mode, the connection is initiated, but not finalized. This scanning technique is also known as half-open or SYN scanning: the program sends a SYN packet (as if you are going to open a connection) to the target host, and the target host responds with a SYN ACK (this indicates the port is listening) or RST ACK (this indicates the port is not listening) packet. Stealth scans cannot be logged by the target host on the TCP level, although they can be logged by intrusion detection systems (IDS) working on the packet level. You may find this mode useful when testing the configuration and efficiency of your LAN's IDS.

#5 mirrorshades

mirrorshades

    aviatorglasses

  • Agents of the Revolution
  • 951 posts
  • Gender:Male

Posted 29 March 2008 - 11:55 PM

I hence an Nmap update? Hopefully. Well, thanks for the help, but is there any way to scan for the ports without using nmap? I mean, I know people get around this kind of stuff all the time; it can't be the only thing that stumps hackers?

Nmap is a decent port scanner... what you're describing isn't a "bug" or problem with it; it's actually giving you more information than most other port scanners I've used. Here's why.

A port can be either open or closed. What nmap calls "filtered" is sometimes also called "STEALTH MODE LOL" (well, minus the LOL) by other firewalls. What this means is that if someone tries to connect to that port, instead of responding with either "Yes, come on in" or "No, get the hell away", the router just simply ignores the request, as if there were no computer there at all. Some security "experts" and folks who write firewall software for Grandma's computer will tell you that this makes your computer ULTRA SECURE, since it CANNOT EVEN BE DETECTED ON TEH INTERTUBES. It's like you are a GHOST NINJA SUPERCOMPUTER that nobody can HAX0R!

I've used a few port scanning programs besides nmap, and what they tend to do is only report a positive response (e.g. computer responded to a ping, port shows as open, etc...). What nmap does is it lets you know that, "Hey, I know there is a computer there, but there is some kind of firewalling going on for this port, since it didn't respond properly to my request." If you have a STEALTH HACKER MODE computer, but still have open ports or respond to pings, then the SUPER EXTREME STEALTH OPERATIONAL MODE is just kind of frivolous and may slow down some legitimate services.

There are enough other ways that someone can verify that your computer exists. If you're playing an online game, posting on web forums, using IM software, or doing any of a number of other things that use your IP address, then someone knows you're there. The trick is to make sure your own box/network is properly secured; that way, it won't matter whether or not someone knows you're there... they still won't be able to get in.

Free tip: when doing a port scan, include TCP port 113 (IDENT). This is a service that is still used by some legitimate programs, and many firewalls simply block (i.e. properly respond with a "No, nothing here") instead of ignoring a request on this port to avoid slowing down a server (waiting for the connect request to time out). One "closed" port is enough to verify a live IP address, even if other stuff doesn't respond. :)
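As an added example (not code from the original thread), this Python script parses Nmap's normal output (a constructed sample, not a real scan) and flags hosts that, as mirrorshades describes, prove they are alive only because a single port such as 113/tcp answered "closed" while everything else was filtered. Running it over a scan of your own network shows whether a drop-everything firewall policy is being undercut by one responding port.

```python
import re
from collections import Counter

# Constructed sample in Nmap's normal-output format; not a real scan.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.012s latency).
PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  filtered http
113/tcp closed   ident

Nmap scan report for 192.0.2.11
Host is up (0.020s latency).
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
113/tcp filtered ident
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return {host: {"port/proto": state}} from Nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current][f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return hosts

def summarise(hosts):
    """Per host: state counts, and whether the only reply came from one closed port."""
    out = {}
    for host, ports in hosts.items():
        c = Counter(ports.values())  # missing states count as 0
        out[host] = {"counts": dict(c),
                     "alive_only_via_closed_port": c["open"] == 0 and c["closed"] == 1}
    return out

if __name__ == "__main__":
    print(summarise(parse_nmap(SAMPLE_OUTPUT)))
```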

#6 ZioMatrix

ZioMatrix

    elite

  • Members
  • 107 posts

Posted 30 March 2008 - 10:31 AM

Haha, both helpful and humorous. Anyway, I like the feedback, and to mirrorshades: what you said about if the IP is active, that's not a real problem, but thanks for bringing it up. I looked more into nmap and how to get the so-called "filtered ports" open. I'm not sure how the process goes and I'm not sure if this is "new thread" worthy. Packet forging? This is only a theory, so don't take it out of context, because this is only from 2 hrs of research on it. If there is a way using WinInject (a packet forging tool) to make a simple "legit" packet that a firewall would read as regular traffic, to maybe encode your own port scanning script or something that possibly connects itself through nmap or even emails you the results? This process would be far beyond my skill, just wondering if it's possible.


#7 Alk3

Alk3

    "I Hack, therefore, I am"

  • Binrev Financier
  • 1,003 posts
  • Gender:Not Telling
  • Location:312 Chi-town

Posted 30 March 2008 - 10:37 AM

Why not do some programming and forge your own packets?

ruby http://sylv1.tuxfami...cts/scruby.html

python http://www.secdev.org/projects/scapy/


It's much easier to make a tool that will consistently work with other existing tools. That way you aren't stuck doing what you are doing here. ;)

#8 ZioMatrix

ZioMatrix

    elite

  • Members
  • 107 posts

Posted 30 March 2008 - 10:39 AM

Is this Linux based? Because the tar.gz thing makes it seem that way.

Edited by ZioMatrix, 30 March 2008 - 10:47 AM.


#9 Alk3

Alk3

    "I Hack, therefore, I am"

  • Binrev Financier
  • 1,003 posts
  • Gender:Not Telling
  • Location:312 Chi-town

Posted 30 March 2008 - 11:03 AM

Install Python or Ruby on your Windows box. Then follow the directions in the archives on how to install. Both should work.

http://www.python.or...wnload/windows/

http://www.ruby-lang.org/en/downloads/



