nmap scan and iPhone

[aryakangler]

Can anyone explain why there would be such a difference when both iPhones are running iOS10? One is a 6, other 6s, but each running 10.0.2

iPhone 6

668/tcp   filtered mecomm
1045/tcp  filtered fpitp
1087/tcp  filtered cplscrambler-in
1687/tcp  filtered nsjtp-ctrl
1900/tcp  filtered upnp
3261/tcp  filtered winshadow
3998/tcp  filtered dnx
4550/tcp  filtered gds-adppiw-db
5221/tcp  filtered 3exmp
5633/tcp  filtered beorl
8292/tcp  filtered blp3
9999/tcp  filtered abyss
10566/tcp filtered unknown
18101/tcp filtered unknown
19101/tcp filtered unknown
62078/tcp open     tcpwrapped
64623/tcp filtered unknown

iPhone 6s

62078/tcp open  tcpwrapped

Edited October 6, 2016 by aryakangler

[Rainman_34]

Do they both have the same apps running on them?

[pentestgeek]

There is no difference.  1 port is open on both devices.

 

 

[digip]

filtered is more than likely closed ports. Try using your nmap command with "--open" for only open ports. 

Edited October 6, 2016 by digip

[aryakangler]

They do not have the same apps.

Thank you for the replies. I don't know much about nmap, but have run numerous scans and this was the first time i've ran into an iPhone with all these "filtered" ports. A little googling of the ports didn't provide me with any reliable information, so I was a bit alarmed.

[0phoi5]

What nmap command did you use? (full line of code)

[aryakangler]

nmap -T4 -A -v

[0phoi5]

Have you scanned with -sS, -sU, -sA and -sT?

Try -P0 (zero) to stop PINGing the phone first.

Also, try slowing your scan (use T0, T1 or T2 instead of 4).

You can also try using --max-rate and --data-length.

A combination of some or all of the above may yield more port results, it may not. Give it a try :) Note that the scans will likely take much longer.

[pentestgeek]

I'm sorry to be blunt here but you are chasing ghosts.  There is nothing there.  You have two iPhones, both with the same port open "62078".  Thats it.  One of your iPhones has some additional firewall or IDS system which is blocking Nmap from probing some of the ports in its default range so therefore the result is "filtered"

Read this for additional understanding.  https://nmap.org/book/man.html

[0phoi5]

16 hours ago, pentestgeek said:

One of your iPhones has some additional firewall or IDS system which is blocking Nmap from probing some of the ports in its default range so therefore the result is "filtered"

Granted, however a scan simply using 'nmap -T4 -A -v' would not necessarily yield all available open ports. Using the options in my post above, I'll oftentimes come across ports that were previously filtered suddenly show as open, simply because they get locked-down during an obvious scan. Which -T4 with no other filters would be.

[aryakangler]

Thanks for the info. I will try more scans with the filters mentioned and compare results.

For the record, this is not a pentest. I am a serial tinkerer. Anytime I am with friends/family and I know everyone has a device connected to the local network I am running various scans out of curiosity. Again, it sparked an interest when this iPhone responded to the scan in this way. While the phones have different apps, I can not think of either that would have extra "firewall or IDS" installed. Different settings in the settings menu i'm sure, but other than that, the apps are nothing special.

My main concern is nefarious activity. To that degree, none of these filtered ports could be related to any type of backdoor or malware on the device right?