Jump to content

Different Nmap output


kuyaya

Recommended Posts

Posted

Hi guys.

I just recognized that the results of nmap from the bunny is different than from windows nmap.

Bunny: 

root@bunny:~# nmap 192.168.1.100

Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-04 10:50 PST
Nmap scan report for 192.168.1.100
Host is up (0.0017s latency).
Not shown: 985 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
548/tcp   open  afp
631/tcp   open  ipp
2049/tcp  open  nfs
5000/tcp  open  upnp
5001/tcp  open  commplex-link
5432/tcp  open  postgresql
7001/tcp  open  afs3-callback
50001/tcp open  unknown
50002/tcp open  iiimsf

Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds

 

Windows:

C:\Nmap>nmap 192.168.1.100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 23:04 W. Europe Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.0025s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
548/tcp   open  afp
631/tcp   open  ipp
2049/tcp  open  nfs
5000/tcp  open  upnp
5001/tcp  open  commplex-link
5432/tcp  open  postgresql
7001/tcp  open  afs3-callback
50001/tcp open  unknown
50002/tcp open  iiimsf
MAC Address: 00:11:32:03:47:1A (Synology Incorporated)

Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds

 

On the bunny it shows that port 21 (active ftp) is open. On windows nmap it does not. When I try ftp://192.168.1.100:21 (in browser) it gives me an error: connection refused. Same as when I try in powershell "ftp 192.168.1.100". That means that port 21 is closed.

Am I the only one with this? It would be really helpful if somebody could test this and see if the same problem comes up.

Posted

I don't remember the exact flags off hand, but run it on the bunny with --reason and probably -v for verbose, and it will tell you why it thinks the port is open.

Have your tried making an FTP connection to that host from the bunny? You say you tried from the windows box and proved it was closed from there, but didn't prove it was closed from the bunny.

Posted
10 minutes ago, digininja said:

I don't remember the exact flags off hand, but run it on the bunny with --reason and probably -v for verbose, and it will tell you why it thinks the port is open.

Have your tried making an FTP connection to that host from the bunny? You say you tried from the windows box and proved it was closed from there, but didn't prove it was closed from the bunny.

Nmap with --reason -v from bunny:

root@bunny:~# nmap --reason -v 192.168.1.100

Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-04 10:21 PST
Initiating Ping Scan at 10:21
Scanning 192.168.1.100 [4 ports]
Completed Ping Scan at 10:21, 1.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:21
Completed Parallel DNS resolution of 1 host. at 10:21, 0.01s elapsed
Initiating SYN Stealth Scan at 10:21
Scanning 192.168.1.100 [1000 ports]
Discovered open port 80/tcp on 192.168.1.100
Discovered open port 21/tcp on 192.168.1.100
Discovered open port 139/tcp on 192.168.1.100
Discovered open port 111/tcp on 192.168.1.100
Discovered open port 445/tcp on 192.168.1.100
Discovered open port 2049/tcp on 192.168.1.100
Discovered open port 5001/tcp on 192.168.1.100
Discovered open port 548/tcp on 192.168.1.100
Discovered open port 50001/tcp on 192.168.1.100
Discovered open port 5000/tcp on 192.168.1.100
Discovered open port 5432/tcp on 192.168.1.100
Discovered open port 631/tcp on 192.168.1.100
Discovered open port 50002/tcp on 192.168.1.100
Discovered open port 515/tcp on 192.168.1.100
Discovered open port 7001/tcp on 192.168.1.100
Completed SYN Stealth Scan at 10:21, 2.89s elapsed (1000 total ports)
Nmap scan report for 192.168.1.100
Host is up, received echo-reply (0.0029s latency).
Not shown: 985 closed ports
Reason: 985 resets
PORT      STATE SERVICE       REASON
21/tcp    open  ftp           syn-ack
80/tcp    open  http          syn-ack
111/tcp   open  rpcbind       syn-ack
139/tcp   open  netbios-ssn   syn-ack
445/tcp   open  microsoft-ds  syn-ack
515/tcp   open  printer       syn-ack
548/tcp   open  afp           syn-ack
631/tcp   open  ipp           syn-ack
2049/tcp  open  nfs           syn-ack
5000/tcp  open  upnp          syn-ack
5001/tcp  open  commplex-link syn-ack
5432/tcp  open  postgresql    syn-ack
7001/tcp  open  afs3-callback syn-ack
50001/tcp open  unknown       syn-ack
50002/tcp open  iiimsf        syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
           Raw packets sent: 1083 (47.628KB) | Rcvd: 1078 (43.172KB)

 

Seems like the reason is Synchronise-Acknowledge (syn-ack).

Now when I try " ftp 192.168.1.100" it gives me that output:

root@bunny:~# ftp 192.168.1.100
Connected to 192.168.1.100.
421 Service not available, remote server has closed connection
ftp>

The result is kinda the same as on windows, just with another reason.

Posted

So there is something there listening, you just can't make a full FTP connection to it. That means the scan results are correct, port 21 is open.

Windows will be doing a full ack scan while Linux is doing a syn-ack scan. Try asking the bunny to do an ack scan and it might come back as closed.

This is something you need to watch out for when running nmap as a normal user or as root. Root does syn-ack by default, non-root does ack. Due to socket permissions I think, it's explained on the nmap site.

 

Posted
13 hours ago, digininja said:

So there is something there listening, you just can't make a full FTP connection to it. That means the scan results are correct, port 21 is open.

Windows will be doing a full ack scan while Linux is doing a syn-ack scan. Try asking the bunny to do an ack scan and it might come back as closed.

This is something you need to watch out for when running nmap as a normal user or as root. Root does syn-ack by default, non-root does ack. Due to socket permissions I think, it's explained on the nmap site.

 

root@bunny:~# nmap -sA 192.168.1.100

Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-29 04:40 PDT
Nmap scan report for 192.168.1.100
Host is up (0.0019s latency).
Not shown: 999 unfiltered ports
PORT   STATE    SERVICE
21/tcp filtered ftp

Nmap done: 1 IP address (1 host up) scanned in 93.64 seconds

Posted

So there is something there and listening but not a full FTP server or something is limiting access to it.

On the box itself, check what is there and listening on that port. If it's a Linux box

ss -antp

As root ill get you a list of ports and their associated processes.

Posted

I logged in as root, but it seems like it has only very few commands available:

BusyBox v1.16.1 (2014-09-04 11:10:21 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

NAS> ss -antp
-ash: ss: not found
NAS> help
Built-in commands:
------------------
        . : [ [[ alias break cd chdir continue eval exec exit export
        false getopts hash help let local printf pwd read readonly return
        set shift source test times trap true type ulimit umask unalias
        unset wait
NAS> whoami
root
NAS> uname -a
Linux NAS 2.6.15 #1639 Thu Sep 4 11:00:36 CST 2014 armv5tejl GNU/Linux synology_88f5281_207+
NAS>

I googled a bit and these are the commands that you can use: https://www.synology-wiki.de/index.php/Grundlegende_Befehle_auf_der_Kommandozeile (sorry it's in german, I coulnd't find the english one.) The only package manager is ipkg. Wget is also installed.

Posted

netstat is the alternative to ss but it doesn't look like that is installed either.

Have a look in the web interface, they may have an option to turn FTP on and off, off may just block access rather than disable it.

ps aux may get you a list of running processes, look through that for ftp services.

Posted

ps aux gives me that back:

NAS> ps aux
ps: invalid option -- a
BusyBox v1.16.1 (2014-09-04 11:10:21 CST) multi-call binary.

Usage: ps

Report process status

Options:
        w       Wide output
NAS>

So I tried "ps -w"

NAS> ps -w
  PID USER       VSZ STAT COMMAND
    1 root      2584 S    init
    2 root         0 SWN  [ksoftirqd/0]
    3 root         0 SW<  [events/0]
    4 root         0 SW<  [khelper]
    5 root         0 SW<  [kthread]
   11 root         0 SW<  [kblockd/0]
   38 root         0 SW   [pdflush]
   39 root         0 SW   [pdflush]
   41 root         0 SW<  [aio/0]
   40 root         0 SW   [kswapd0]
  108 root         0 SW<  [ata/0]
  111 root         0 SW<  [scsi_eh_0]
  112 root         0 SW<  [scsi_eh_1]
  113 root         0 SW<  [scsi_eh_2]
  114 root         0 SW<  [scsi_eh_3]
  132 root         0 SW   [mtdblockd]
  152 root         0 SW<  [ksnapd]
  154 root         0 SW<  [md0_raid1]
  156 root         0 SW<  [md1_raid1]
  239 root         0 SW   [kjournald]
 1117 root         0 SW<  [khubd]
 1238 root      2576 S    /sbin/syslogd -S
 1240 root      2584 S    /sbin/klogd
 1337 root         0 SW<  [md2_raid1]
 1391 root     11760 S <  /usr/syno/bin/findhostd
 1415 root         0 SW   [kjournald]
 1492 admin    33228 S    /usr/syno/pgsql/bin/postgres -D /var/services/pgsql --config_file=/usr/syno/pgsql/etc/postgresql.conf --h
 1494 admin    33264 S    postgres: writer process
 1495 admin    33236 S    postgres: wal writer process
 1629 root      8376 S    /usr/syno/bin/scemd
 1893 root     10912 S    /usr/syno/sbin/hotplugd
 2025 root      2580 S    /sbin/getty 115200 console
 2038 root      4004 S    /usr/sbin/inetd
 2045 root      4020 S    /usr/sbin/crond
 2259 root      3080 S    /usr/syno/sbin/synologd
 2262 admin    33992 S    postgres: admin synolog [local] idle
 2361 root      3804 S    /usr/syno/sbin/cupsd -C /usr/local/cups/cupsd.conf
 2390 root     16092 S    /usr/syno/sbin/fileindexd
 2469 root     15292 S    /usr/syno/sbin/nmbd -D
 2525 root     19564 S    /usr/syno/sbin/smbd -D
 2527 root     19564 S    /usr/syno/sbin/smbd -D
 2543 root      7128 S    /usr/syno/sbin/cnid_metad -l log_error
 2545 root     14016 S    /usr/syno/sbin/afpd -g guest -c 256 -n NAS:AFPServer -l default log_error
 2588 1         1448 S    /sbin/portmap
 2590 root         0 SW   [nfsd]
 2593 root         0 SW   [lockd]
 2594 root         0 SW<  [rpciod/0]
 2595 root      1568 S    /usr/sbin/statd
 2598 root      1600 S    /usr/sbin/mountd -p 892
 2620 root     25080 S    /usr/syno/sbin/dms
 2625 root     25080 S    /usr/syno/sbin/dms
 2630 root      9856 S    /usr/syno/sbin/lighttpd -f /usr/syno/mediaserver/lighttpd.debug
 2644 root     25080 S    /usr/syno/sbin/dms
 2654 root     25080 S    /usr/syno/sbin/dms
 2660 root     25080 S    /usr/syno/sbin/dms
 2713 root      6892 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 2746 root      4912 S    /usr/syno/apache/bin/httpd
 2760 nobody    5012 S    /usr/syno/apache/bin/httpd
 2761 nobody    5012 S    /usr/syno/apache/bin/httpd
 2813 root      2648 S    avahi-daemon: running [NAS.local]
 2836 root      9324 S N  /usr/syno/bin/synomkthumbd
 2837 root     25984 S N  /usr/syno/sbin/synoindexd
 2839 admin    34288 S    postgres: admin photo [local] idle
 2840 root      9324 S N  /usr/syno/sbin/synomkflvd
 6938 admin    34208 S    postgres: admin mediaserver [local] idle
 7545 root     25080 S    /usr/syno/sbin/dms
 7617 root     25080 S    /usr/syno/sbin/dms
 7639 nobody    5012 S    /usr/syno/apache/bin/httpd
 7647 root      7160 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 7660 nobody    5012 S    /usr/syno/apache/bin/httpd
 7680 nobody    5012 S    /usr/syno/apache/bin/httpd
 8838 root     25080 S    /usr/syno/sbin/dms
 8867 root      7160 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 8875 root     24756 S    /usr/syno/sbin/smbd -D
 9091 root      7168 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 9109 root      6976 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 9111 root      7080 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 9135 root      3804 S    /usr/syno/sbin/sshd
 9210 root      6804 S    sshd: root@pts/0
 9216 root      4028 S    -ash
 9250 root      4008 R    ps -w
NAS>

I can't find any ftp services in here...

But netstat is available, so I did netstat -a

NAS> netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3586            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:printer         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:afpovertcp      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:netbios-ssn     0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50002           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:postgres        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:afs3-callback   0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:892             0.0.0.0:*               LISTEN
tcp        0      0 localhost:4700          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3485            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:microsoft-ds    0.0.0.0:*               LISTEN
tcp        0      0 NAS:microsoft-ds        desktop-a8nnct2.home:50950 ESTABLISHED
tcp        0    528 NAS:ssh                 desktop-g5thuvg.home:1047 ESTABLISHED
udp        0      0 0.0.0.0:1024            0.0.0.0:*
udp        0      0 0.0.0.0:nfs             0.0.0.0:*
udp        0      0 0.0.0.0:1026            0.0.0.0:*
udp        0      0 localhost:1027          0.0.0.0:*
udp        0      0 0.0.0.0:1028            0.0.0.0:*
udp        0      0 NAS:netbios-ns          0.0.0.0:*
udp        0      0 0.0.0.0:netbios-ns      0.0.0.0:*
udp        0      0 NAS:netbios-dgm         0.0.0.0:*
udp        0      0 0.0.0.0:netbios-dgm     0.0.0.0:*
udp        0      0 0.0.0.0:651             0.0.0.0:*
udp        0      0 0.0.0.0:9997            0.0.0.0:*
udp        0      0 0.0.0.0:9998            0.0.0.0:*
udp        0      0 0.0.0.0:9999            0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*
udp        0      0 0.0.0.0:892             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                      2099 /tmp/synologd
unix  2      [ ACC ]     STREAM     LISTENING       1373 /tmp/.s.PGSQL.5432
unix  10     [ ]         DGRAM                       968 /var/run/log
unix  2      [ ACC ]     STREAM     LISTENING       2247 /tmp/fileindexd.sck
unix  2      [ ACC ]     STREAM     LISTENING       2674 /var/run/afpd_ipc
unix  2      [ ACC ]     STREAM     LISTENING       2779 /var/run/avahi-daemon/socket
unix  2      [ ]         DGRAM                    7206666
unix  3      [ ]         STREAM     CONNECTED     3837218 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED     3837217
unix  3      [ ]         STREAM     CONNECTED       3144 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED       3143
unix  2      [ ]         DGRAM                      2403
unix  2      [ ]         DGRAM                      2371
unix  2      [ ]         DGRAM                      2224
unix  3      [ ]         STREAM     CONNECTED       2085 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED       2084
unix  2      [ ]         DGRAM                      1871
unix  2      [ ]         DGRAM                      1868
unix  2      [ ]         DGRAM                      1153
unix  2      [ ]         DGRAM                      1041
NAS>

I made a screenshot of the FTP settings from the web interface. It was in german so I translated it.

 

ftp.pngThe web interface shows that FTP service is not enabled (the "activate ftp-service" box doesn't have a tick)

Posted

Are there any iptables rules on the box? Looking at that, my guess would be something is open to allow the FTP connection in, but as the service is not enabled it isn't going anywhere.

Posted
On 4/4/2020 at 12:29 PM, digininja said:

Are there any iptables rules on the box? Looking at that, my guess would be something is open to allow the FTP connection in, but as the service is not enabled it isn't going anywhere.

As far as I know, there aren't any iptable rules on the box, but I'm not 100% sure.

NAS> iptables --list
iptables v1.4.2: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

https://community.synology.com/enu/forum/17/post/38904

Seems like I'm not the only one with the iptables issue. This guy solved it with the help of the second last comment. Maybe you can understand it, I only see gibberish.

Posted

I think we've reached a dead end for remote working out what is going on.

It will be something to do with the box supporting FTP but the service not running yet. Something will be holding the port open ready for it.

Posted
1 hour ago, digininja said:

I think we've reached a dead end for remote working out what is going on.

It will be something to do with the box supporting FTP but the service not running yet. Something will be holding the port open ready for it.

I'll try to find the cause of it. I'll inform you as soon as I get it.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...