nmap shows nothing on windows

master · 10-01-2005, 03:48 PM

Hello i run debian 3.1 at the moment and windows xp.from my linux box when i do nmap on windows it comes back with zero results.which is great but when i do it on linux it allways finds something open.My question is why all the jokes about windows.This is the feedback i got from nmap on my linux box.
Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-10-01 21:11 BST
Interesting ports on 192.168.1.100:
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
787/tcp open unknown
810/tcp open unknown
2049/tcp open nfs
5432/tcp open postgres

Nmap finished: 1 IP address (1 host up) scanned in 0.324 seconds
It seems to me i might have a few thing open i dont need.Can any one tell me why i need port 787 & 810 open,now i use ssh so i guess that needs to be open i use nfs so i figure that should be open also i dont understand what "auth" is for and "netbios-ssn"
thanks nige

Half_Elf · 10-01-2005, 05:26 PM

Well... Windoze XP now come with a (very crappy) firewall that block most traffic that want to get in (very buggy and gave me a lot of headache already!), so it is possible that you see nothing while scanning your windoze box. Same if you are running Norton, Zone alarm or any other firewalls.

For linux... well, on most "user-friendly" distro, you have a big bunch of services that come with the default installation. This ia a dumb behavior atmo, as most users never know about it and get rooted really fast. I recommend that you close everything but service you are acrtually using. Or you could at least make a very basic iptables firewall script to block certains ports.

"auth" is the "identh" daemon, some old utility, mainly used by IRC (and finger?) now. Total crap, full of security hole, you better close this unless you really need it.
"netbios-ssn" is samba (the windoze-like file sharing deamon). Since NT, windoze boxes use port 445, but port 139 is still open for backward compatibility.

787 and 810 are probably relative to RPC and NFS. Use "netstat -ap" to find out what process use these ports.

bulliver · 10-03-2005, 10:56 PM

Are you running a website? No? Then don't run a webserver either (port 80)
Is your box a nameserver? No? Then kill named (port 53)
Do you need a relational database server? No? Then kill postgresql (port 5432) or at least configure it not to listen on the network.

HalfElf explained the rest...

Also, consider where you are scanning from...if from within your trusted LAN, many more ports may be open then are available from the internet at large.