kuyaya Posted March 28, 2020 Posted March 28, 2020 Hi guys. I just recognized that the results of nmap from the bunny is different than from windows nmap. Bunny: root@bunny:~# nmap 192.168.1.100 Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-04 10:50 PST Nmap scan report for 192.168.1.100 Host is up (0.0017s latency). Not shown: 985 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 515/tcp open printer 548/tcp open afp 631/tcp open ipp 2049/tcp open nfs 5000/tcp open upnp 5001/tcp open commplex-link 5432/tcp open postgresql 7001/tcp open afs3-callback 50001/tcp open unknown 50002/tcp open iiimsf Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds Windows: C:\Nmap>nmap 192.168.1.100 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 23:04 W. Europe Standard Time Nmap scan report for 192.168.1.100 Host is up (0.0025s latency). Not shown: 986 closed ports PORT STATE SERVICE 80/tcp open http 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 515/tcp open printer 548/tcp open afp 631/tcp open ipp 2049/tcp open nfs 5000/tcp open upnp 5001/tcp open commplex-link 5432/tcp open postgresql 7001/tcp open afs3-callback 50001/tcp open unknown 50002/tcp open iiimsf MAC Address: 00:11:32:03:47:1A (Synology Incorporated) Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds On the bunny it shows that port 21 (active ftp) is open. On windows nmap it does not. When I try ftp://192.168.1.100:21 (in browser) it gives me an error: connection refused. Same as when I try in powershell "ftp 192.168.1.100". That means that port 21 is closed. Am I the only one with this? It would be really helpful if somebody could test this and see if the same problem comes up.
digininja Posted March 28, 2020 Posted March 28, 2020 I don't remember the exact flags off hand, but run it on the bunny with --reason and probably -v for verbose, and it will tell you why it thinks the port is open. Have your tried making an FTP connection to that host from the bunny? You say you tried from the windows box and proved it was closed from there, but didn't prove it was closed from the bunny.
kuyaya Posted March 28, 2020 Author Posted March 28, 2020 10 minutes ago, digininja said: I don't remember the exact flags off hand, but run it on the bunny with --reason and probably -v for verbose, and it will tell you why it thinks the port is open. Have your tried making an FTP connection to that host from the bunny? You say you tried from the windows box and proved it was closed from there, but didn't prove it was closed from the bunny. Nmap with --reason -v from bunny: root@bunny:~# nmap --reason -v 192.168.1.100 Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-04 10:21 PST Initiating Ping Scan at 10:21 Scanning 192.168.1.100 [4 ports] Completed Ping Scan at 10:21, 1.14s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 10:21 Completed Parallel DNS resolution of 1 host. at 10:21, 0.01s elapsed Initiating SYN Stealth Scan at 10:21 Scanning 192.168.1.100 [1000 ports] Discovered open port 80/tcp on 192.168.1.100 Discovered open port 21/tcp on 192.168.1.100 Discovered open port 139/tcp on 192.168.1.100 Discovered open port 111/tcp on 192.168.1.100 Discovered open port 445/tcp on 192.168.1.100 Discovered open port 2049/tcp on 192.168.1.100 Discovered open port 5001/tcp on 192.168.1.100 Discovered open port 548/tcp on 192.168.1.100 Discovered open port 50001/tcp on 192.168.1.100 Discovered open port 5000/tcp on 192.168.1.100 Discovered open port 5432/tcp on 192.168.1.100 Discovered open port 631/tcp on 192.168.1.100 Discovered open port 50002/tcp on 192.168.1.100 Discovered open port 515/tcp on 192.168.1.100 Discovered open port 7001/tcp on 192.168.1.100 Completed SYN Stealth Scan at 10:21, 2.89s elapsed (1000 total ports) Nmap scan report for 192.168.1.100 Host is up, received echo-reply (0.0029s latency). Not shown: 985 closed ports Reason: 985 resets PORT STATE SERVICE REASON 21/tcp open ftp syn-ack 80/tcp open http syn-ack 111/tcp open rpcbind syn-ack 139/tcp open netbios-ssn syn-ack 445/tcp open microsoft-ds syn-ack 515/tcp open printer syn-ack 548/tcp open afp syn-ack 631/tcp open ipp syn-ack 2049/tcp open nfs syn-ack 5000/tcp open upnp syn-ack 5001/tcp open commplex-link syn-ack 5432/tcp open postgresql syn-ack 7001/tcp open afs3-callback syn-ack 50001/tcp open unknown syn-ack 50002/tcp open iiimsf syn-ack Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds Raw packets sent: 1083 (47.628KB) | Rcvd: 1078 (43.172KB) Seems like the reason is Synchronise-Acknowledge (syn-ack). Now when I try " ftp 192.168.1.100" it gives me that output: root@bunny:~# ftp 192.168.1.100 Connected to 192.168.1.100. 421 Service not available, remote server has closed connection ftp> The result is kinda the same as on windows, just with another reason.
digininja Posted March 28, 2020 Posted March 28, 2020 So there is something there listening, you just can't make a full FTP connection to it. That means the scan results are correct, port 21 is open. Windows will be doing a full ack scan while Linux is doing a syn-ack scan. Try asking the bunny to do an ack scan and it might come back as closed. This is something you need to watch out for when running nmap as a normal user or as root. Root does syn-ack by default, non-root does ack. Due to socket permissions I think, it's explained on the nmap site.
kuyaya Posted March 29, 2020 Author Posted March 29, 2020 13 hours ago, digininja said: So there is something there listening, you just can't make a full FTP connection to it. That means the scan results are correct, port 21 is open. Windows will be doing a full ack scan while Linux is doing a syn-ack scan. Try asking the bunny to do an ack scan and it might come back as closed. This is something you need to watch out for when running nmap as a normal user or as root. Root does syn-ack by default, non-root does ack. Due to socket permissions I think, it's explained on the nmap site. root@bunny:~# nmap -sA 192.168.1.100 Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-29 04:40 PDT Nmap scan report for 192.168.1.100 Host is up (0.0019s latency). Not shown: 999 unfiltered ports PORT STATE SERVICE 21/tcp filtered ftp Nmap done: 1 IP address (1 host up) scanned in 93.64 seconds
digininja Posted March 29, 2020 Posted March 29, 2020 So there is something there and listening but not a full FTP server or something is limiting access to it. On the box itself, check what is there and listening on that port. If it's a Linux box ss -antp As root ill get you a list of ports and their associated processes.
kuyaya Posted April 3, 2020 Author Posted April 3, 2020 I logged in as root, but it seems like it has only very few commands available: BusyBox v1.16.1 (2014-09-04 11:10:21 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. NAS> ss -antp -ash: ss: not found NAS> help Built-in commands: ------------------ . : [ [[ alias break cd chdir continue eval exec exit export false getopts hash help let local printf pwd read readonly return set shift source test times trap true type ulimit umask unalias unset wait NAS> whoami root NAS> uname -a Linux NAS 2.6.15 #1639 Thu Sep 4 11:00:36 CST 2014 armv5tejl GNU/Linux synology_88f5281_207+ NAS> I googled a bit and these are the commands that you can use: https://www.synology-wiki.de/index.php/Grundlegende_Befehle_auf_der_Kommandozeile (sorry it's in german, I coulnd't find the english one.) The only package manager is ipkg. Wget is also installed.
digininja Posted April 3, 2020 Posted April 3, 2020 netstat is the alternative to ss but it doesn't look like that is installed either. Have a look in the web interface, they may have an option to turn FTP on and off, off may just block access rather than disable it. ps aux may get you a list of running processes, look through that for ftp services.
kuyaya Posted April 3, 2020 Author Posted April 3, 2020 ps aux gives me that back: NAS> ps aux ps: invalid option -- a BusyBox v1.16.1 (2014-09-04 11:10:21 CST) multi-call binary. Usage: ps Report process status Options: w Wide output NAS> So I tried "ps -w" NAS> ps -w PID USER VSZ STAT COMMAND 1 root 2584 S init 2 root 0 SWN [ksoftirqd/0] 3 root 0 SW< [events/0] 4 root 0 SW< [khelper] 5 root 0 SW< [kthread] 11 root 0 SW< [kblockd/0] 38 root 0 SW [pdflush] 39 root 0 SW [pdflush] 41 root 0 SW< [aio/0] 40 root 0 SW [kswapd0] 108 root 0 SW< [ata/0] 111 root 0 SW< [scsi_eh_0] 112 root 0 SW< [scsi_eh_1] 113 root 0 SW< [scsi_eh_2] 114 root 0 SW< [scsi_eh_3] 132 root 0 SW [mtdblockd] 152 root 0 SW< [ksnapd] 154 root 0 SW< [md0_raid1] 156 root 0 SW< [md1_raid1] 239 root 0 SW [kjournald] 1117 root 0 SW< [khubd] 1238 root 2576 S /sbin/syslogd -S 1240 root 2584 S /sbin/klogd 1337 root 0 SW< [md2_raid1] 1391 root 11760 S < /usr/syno/bin/findhostd 1415 root 0 SW [kjournald] 1492 admin 33228 S /usr/syno/pgsql/bin/postgres -D /var/services/pgsql --config_file=/usr/syno/pgsql/etc/postgresql.conf --h 1494 admin 33264 S postgres: writer process 1495 admin 33236 S postgres: wal writer process 1629 root 8376 S /usr/syno/bin/scemd 1893 root 10912 S /usr/syno/sbin/hotplugd 2025 root 2580 S /sbin/getty 115200 console 2038 root 4004 S /usr/sbin/inetd 2045 root 4020 S /usr/sbin/crond 2259 root 3080 S /usr/syno/sbin/synologd 2262 admin 33992 S postgres: admin synolog [local] idle 2361 root 3804 S /usr/syno/sbin/cupsd -C /usr/local/cups/cupsd.conf 2390 root 16092 S /usr/syno/sbin/fileindexd 2469 root 15292 S /usr/syno/sbin/nmbd -D 2525 root 19564 S /usr/syno/sbin/smbd -D 2527 root 19564 S /usr/syno/sbin/smbd -D 2543 root 7128 S /usr/syno/sbin/cnid_metad -l log_error 2545 root 14016 S /usr/syno/sbin/afpd -g guest -c 256 -n NAS:AFPServer -l default log_error 2588 1 1448 S /sbin/portmap 2590 root 0 SW [nfsd] 2593 root 0 SW [lockd] 2594 root 0 SW< [rpciod/0] 2595 root 1568 S /usr/sbin/statd 2598 root 1600 S /usr/sbin/mountd -p 892 2620 root 25080 S /usr/syno/sbin/dms 2625 root 25080 S /usr/syno/sbin/dms 2630 root 9856 S /usr/syno/sbin/lighttpd -f /usr/syno/mediaserver/lighttpd.debug 2644 root 25080 S /usr/syno/sbin/dms 2654 root 25080 S /usr/syno/sbin/dms 2660 root 25080 S /usr/syno/sbin/dms 2713 root 6892 S /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys 2746 root 4912 S /usr/syno/apache/bin/httpd 2760 nobody 5012 S /usr/syno/apache/bin/httpd 2761 nobody 5012 S /usr/syno/apache/bin/httpd 2813 root 2648 S avahi-daemon: running [NAS.local] 2836 root 9324 S N /usr/syno/bin/synomkthumbd 2837 root 25984 S N /usr/syno/sbin/synoindexd 2839 admin 34288 S postgres: admin photo [local] idle 2840 root 9324 S N /usr/syno/sbin/synomkflvd 6938 admin 34208 S postgres: admin mediaserver [local] idle 7545 root 25080 S /usr/syno/sbin/dms 7617 root 25080 S /usr/syno/sbin/dms 7639 nobody 5012 S /usr/syno/apache/bin/httpd 7647 root 7160 S /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys 7660 nobody 5012 S /usr/syno/apache/bin/httpd 7680 nobody 5012 S /usr/syno/apache/bin/httpd 8838 root 25080 S /usr/syno/sbin/dms 8867 root 7160 S /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys 8875 root 24756 S /usr/syno/sbin/smbd -D 9091 root 7168 S /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys 9109 root 6976 S /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys 9111 root 7080 S /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys 9135 root 3804 S /usr/syno/sbin/sshd 9210 root 6804 S sshd: root@pts/0 9216 root 4028 S -ash 9250 root 4008 R ps -w NAS> I can't find any ftp services in here... But netstat is available, so I did netstat -a NAS> netstat -a Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:3586 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:printer 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:afpovertcp 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:5001 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:netbios-ssn 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:50001 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:50002 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:ipp 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:postgres 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:afs3-callback 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:892 0.0.0.0:* LISTEN tcp 0 0 localhost:4700 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:3485 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:microsoft-ds 0.0.0.0:* LISTEN tcp 0 0 NAS:microsoft-ds desktop-a8nnct2.home:50950 ESTABLISHED tcp 0 528 NAS:ssh desktop-g5thuvg.home:1047 ESTABLISHED udp 0 0 0.0.0.0:1024 0.0.0.0:* udp 0 0 0.0.0.0:nfs 0.0.0.0:* udp 0 0 0.0.0.0:1026 0.0.0.0:* udp 0 0 localhost:1027 0.0.0.0:* udp 0 0 0.0.0.0:1028 0.0.0.0:* udp 0 0 NAS:netbios-ns 0.0.0.0:* udp 0 0 0.0.0.0:netbios-ns 0.0.0.0:* udp 0 0 NAS:netbios-dgm 0.0.0.0:* udp 0 0 0.0.0.0:netbios-dgm 0.0.0.0:* udp 0 0 0.0.0.0:651 0.0.0.0:* udp 0 0 0.0.0.0:9997 0.0.0.0:* udp 0 0 0.0.0.0:9998 0.0.0.0:* udp 0 0 0.0.0.0:9999 0.0.0.0:* udp 0 0 0.0.0.0:5353 0.0.0.0:* udp 0 0 0.0.0.0:1900 0.0.0.0:* udp 0 0 0.0.0.0:sunrpc 0.0.0.0:* udp 0 0 0.0.0.0:892 0.0.0.0:* Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ] DGRAM 2099 /tmp/synologd unix 2 [ ACC ] STREAM LISTENING 1373 /tmp/.s.PGSQL.5432 unix 10 [ ] DGRAM 968 /var/run/log unix 2 [ ACC ] STREAM LISTENING 2247 /tmp/fileindexd.sck unix 2 [ ACC ] STREAM LISTENING 2674 /var/run/afpd_ipc unix 2 [ ACC ] STREAM LISTENING 2779 /var/run/avahi-daemon/socket unix 2 [ ] DGRAM 7206666 unix 3 [ ] STREAM CONNECTED 3837218 /tmp/.s.PGSQL.5432 unix 3 [ ] STREAM CONNECTED 3837217 unix 3 [ ] STREAM CONNECTED 3144 /tmp/.s.PGSQL.5432 unix 3 [ ] STREAM CONNECTED 3143 unix 2 [ ] DGRAM 2403 unix 2 [ ] DGRAM 2371 unix 2 [ ] DGRAM 2224 unix 3 [ ] STREAM CONNECTED 2085 /tmp/.s.PGSQL.5432 unix 3 [ ] STREAM CONNECTED 2084 unix 2 [ ] DGRAM 1871 unix 2 [ ] DGRAM 1868 unix 2 [ ] DGRAM 1153 unix 2 [ ] DGRAM 1041 NAS> I made a screenshot of the FTP settings from the web interface. It was in german so I translated it. The web interface shows that FTP service is not enabled (the "activate ftp-service" box doesn't have a tick)
digininja Posted April 4, 2020 Posted April 4, 2020 Are there any iptables rules on the box? Looking at that, my guess would be something is open to allow the FTP connection in, but as the service is not enabled it isn't going anywhere.
kuyaya Posted April 5, 2020 Author Posted April 5, 2020 On 4/4/2020 at 12:29 PM, digininja said: Are there any iptables rules on the box? Looking at that, my guess would be something is open to allow the FTP connection in, but as the service is not enabled it isn't going anywhere. As far as I know, there aren't any iptable rules on the box, but I'm not 100% sure. NAS> iptables --list iptables v1.4.2: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. https://community.synology.com/enu/forum/17/post/38904 Seems like I'm not the only one with the iptables issue. This guy solved it with the help of the second last comment. Maybe you can understand it, I only see gibberish.
digininja Posted April 6, 2020 Posted April 6, 2020 I think we've reached a dead end for remote working out what is going on. It will be something to do with the box supporting FTP but the service not running yet. Something will be holding the port open ready for it.
kuyaya Posted April 6, 2020 Author Posted April 6, 2020 1 hour ago, digininja said: I think we've reached a dead end for remote working out what is going on. It will be something to do with the box supporting FTP but the service not running yet. Something will be holding the port open ready for it. I'll try to find the cause of it. I'll inform you as soon as I get it.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.