LinuxQuestions.org
Old 12-31-2007, 12:40 PM   #1
cbjhawks
Member
 
Registered: Oct 2001
Location: Overland Park, KS
Distribution: Kubuntu 22.04
Posts: 375

Rep: Reputation: 30
Q for Nmap users....


I'm not sure what the below results are telling me...my router/gateway is 192.168.1.1 (of course)...my firewall (Guarddog) is supposedly blocking IPP but nmap says that its port 631 is open.

I looked up rpcbind on Google but none of it made any sense...in layman's terms what is it and do I need it...if not, how do I close that port as well.

I'm running OpenSuSE 10.2 att.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-31 12:33 CST
Interesting ports on localhost (127.0.0.1):
Not shown: 1677 closed ports
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp

Nmap finished: 1 IP address (1 host up) scanned in 0.201 seconds

Last edited by cbjhawks; 12-31-2007 at 12:42 PM.
 
Old 12-31-2007, 02:36 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by cbjhawks
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-12-31 12:33 CST
Interesting ports on localhost (127.0.0.1):
Not shown: 1677 closed ports
PORT STATE SERVICE
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp

Nmap finished: 1 IP address (1 host up) scanned in 0.201 seconds
You scanned localhost. It's normal to get results such as this even while being completely stealth-firewalled on the real network interface. You'll need to scan said interface to get some more meaningful results. One thing you can do also is have a look at the services, as you'll see what addresses they are listening on. Check it:
Code:
win32sux@candystore:~$ netstat -an --inet | grep LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN
As you can see, I've got several services - but they are only listening on localhost.

Nmap will show ports open for localhost:
Code:
win32sux@candystore:~$ nmap localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-31 15:34 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 1693 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
631/tcp  open  ipp
3306/tcp open  mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.174 seconds
But for my actual NIC IP it's a different story:
Code:
win32sux@candystore:~$ nmap 192.168.1.100

Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-31 15:35 EST
All 1697 scanned ports on 192.168.1.100 are closed

Nmap finished: 1 IP address (1 host up) scanned in 0.182 seconds
That said, nothing beats an actual remote scan - you'll need to perform one if you want a real-world assessment. Do you have another GNU/Linux box available where you could scan from? Hopefully you'll get results like this:
Code:
win32sux@batcave:~$ nmap 192.168.1.100

Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-31 15:54 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.046 seconds
win32sux@batcave:~$ nmap -P0 192.168.1.100

Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-31 15:55 EST
All 1697 scanned ports on 192.168.1.100 are filtered

Nmap finished: 1 IP address (1 host up) scanned in 351.129 seconds
These remote scan results make sense, considering I have a stealth firewall config:
Code:
win32sux@candystore:~$ sudo iptables -nvL INPUT
Chain INPUT (policy DROP 2765 packets, 258K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 837K  779M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 8502  510K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0

Last edited by win32sux; 12-31-2007 at 03:03 PM.
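
Added example (not part of win32sux's post): a small POSIX shell helper that reads `netstat -an` style lines and separates loopback-only listeners from those bound to a wildcard or NIC address, which is the distinction the post above draws. The function names and the sample lines are constructed for illustration; on a live system you would pipe `netstat -an --inet` into `classify_listeners` instead.

```sh
#!/bin/sh
# Classify listening TCP sockets by the address they are bound to.
# Input : lines in `netstat -an` format on stdin.
# Output: "<port> <scope> <address>" per listener, where scope is
#         loopback (127.x / ::1), wildcard (0.0.0.0 / ::) or specific.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        local_addr = $4
        # The port follows the last colon; IPv6 addresses contain colons too.
        n = split(local_addr, parts, ":")
        port = parts[n]
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::")
            scope = "wildcard"
        else
            scope = "specific"
        print port, scope, addr
    }'
}

# Ports that other hosts can reach unless a firewall drops the traffic.
exposed_ports() {
    classify_listeners | awk '$2 != "loopback" { print $1 }' | sort -nu | paste -sd' ' -
}

# Constructed sample input (not captured from any machine in this thread).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:22        0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 192.168.1.100:22        192.168.1.50:51514      ESTABLISHED
EOF
}

sample_netstat | classify_listeners
echo "not loopback-only: $(sample_netstat | exposed_ports)"
```

Anything reported as wildcard or specific is what a remote scan can see if the firewall lets it through; loopback entries only ever show up in a scan of localhost.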
 
Old 12-31-2007, 06:08 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
win32sux,

Very, very nice explanation.

I've something similar on my blog @ http://slackfiles.blogspot.com/2007/...dened-box.html

Comparing them both, yours is more concise, IMO.

Again, kudos!
 
Old 01-01-2008, 10:36 AM   #4
cbjhawks
Member
 
Registered: Oct 2001
Location: Overland Park, KS
Distribution: Kubuntu 22.04
Posts: 375

Original Poster
Rep: Reputation: 30
win32sux...thank you for your...

excellent explanation...feeling a little silly about my original post (ie...localhost)...when I scanned my router and nic ip, my result was the same as yours (ports closed)...the netstat command is noted and will use it in the future...again thanks for your time.
 
  

