Results 1 to 5 of 5

Thread: nmap false positives on port 21?

  1. #1
    Junior Member IAMZOMBIE's Avatar
    Join Date
    Jan 2010
    Posts
    81

    Default nmap false positives on port 21?

    Has anyone else noticed nmap doing false positives on port 21?
    Just about every ip I scanned during my current job came up positive, but when I try to connect with an ftp client it's closed. Also OpenVas doesn't show it as open(although scanline from foundstone does).

    Anyone know if this is just me or not?

    Thanks

  2. #2
    Moderator
    Join Date
    Jan 2010
    Posts
    167

    Default

    Quote Originally Posted by IAMZOMBIE View Post
    Has anyone else noticed nmap doing false positives on port 21?
    Just about every ip I scanned during my current job came up positive, but when I try to connect with an ftp client it's closed. Also OpenVas doesn't show it as open(although scanline from foundstone does).

    Anyone know if this is just me or not?

    have you tried to verify it with netcat? I think you should also check it from a different source machine with a different firewall in front of you ...

    m-1-k-3

  3. #3
    Junior Member IAMZOMBIE's Avatar
    Join Date
    Jan 2010
    Posts
    81

    Default

    Quote Originally Posted by m-1-k-3 View Post
    have you tried to verify it with netcat? I think you should also check it from a different source machine with a different firewall in front of you ...

    m-1-k-3
    Yeah I verified with telnet and telnet didn't see it as open.
    Netcat seems to say everything has 21 open. Try to hit a server on your local domain that doesn't has 21 open, and watch what netcat responds with.
    I did scan from home, but in my sleep deprived state I didn't differentiate in my notes what scan was from what location. I *think* both locations gave the same results, but I'm not sure. The pentest is over, so I can't scan again now...

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by IAMZOMBIE View Post
    Try to hit a server on your local domain that doesn't has 21 open, and watch what netcat responds with.
    Closed, as it should. You either have a bad copy of nc, a dodgy firewall rule, some strange routing, or something is attempting to MiTM your FTP connections to snaffle passwords.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5
    Junior Member IAMZOMBIE's Avatar
    Join Date
    Jan 2010
    Posts
    81

    Default

    Quote Originally Posted by Gitsnik View Post
    Closed, as it should. You either have a bad copy of nc, a dodgy firewall rule, some strange routing, or something is attempting to MiTM your FTP connections to snaffle passwords.
    Interesting......
    I'm going to bed. I'll investigate and update this thread tomorrow.

    Thanks for youguys help.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •