Different Nmap output


kuyaya

Hi guys.

I just recognized that the results of nmap from the bunny are different than from Windows nmap.

Bunny: 

root@bunny:~# nmap 192.168.1.100

Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-04 10:50 PST
Nmap scan report for 192.168.1.100
Host is up (0.0017s latency).
Not shown: 985 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
548/tcp   open  afp
631/tcp   open  ipp
2049/tcp  open  nfs
5000/tcp  open  upnp
5001/tcp  open  commplex-link
5432/tcp  open  postgresql
7001/tcp  open  afs3-callback
50001/tcp open  unknown
50002/tcp open  iiimsf

Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds

 

Windows:

C:\Nmap>nmap 192.168.1.100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 23:04 W. Europe Standard Time
Nmap scan report for 192.168.1.100
Host is up (0.0025s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
548/tcp   open  afp
631/tcp   open  ipp
2049/tcp  open  nfs
5000/tcp  open  upnp
5001/tcp  open  commplex-link
5432/tcp  open  postgresql
7001/tcp  open  afs3-callback
50001/tcp open  unknown
50002/tcp open  iiimsf
MAC Address: 00:11:32:03:47:1A (Synology Incorporated)

Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds

 

On the bunny it shows that port 21 (active ftp) is open. On Windows nmap it does not. When I try ftp://192.168.1.100:21 (in browser) it gives me an error: connection refused. Same as when I try in PowerShell "ftp 192.168.1.100". That means that port 21 is closed.

Am I the only one with this? It would be really helpful if somebody could test this and see if the same problem comes up.
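Added example, not part of the original post: a small parser that diffs two Nmap normal-output reports so a disagreement such as 21/tcp above stands out. The function names and the shortened sample inputs are assumptions made here; it assumes both reports cover the same single host and the same port range.

```python
import re

# Port-table rows of Nmap's normal output, with or without the --reason column.
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "Not shown: 985 closed ports" names the state of every port left out of the table.
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\S+)")

def parse_scan(text):
    """Return ({(port, proto): state}, state_of_unlisted_ports) for one host."""
    ports, hidden = {}, "not shown"
    for line in text.splitlines():
        line = line.strip()
        m = NOT_SHOWN.match(line)
        if m:
            hidden = m.group(1)
            continue
        m = ROW.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports, hidden

def diff_scans(a, b):
    """List (port, proto, state_a, state_b) wherever the two scans disagree."""
    (pa, hidden_a), (pb, hidden_b) = parse_scan(a), parse_scan(b)
    changes = []
    for key in sorted(set(pa) | set(pb)):
        sa, sb = pa.get(key, hidden_a), pb.get(key, hidden_b)
        if sa != sb:
            changes.append((key[0], key[1], sa, sb))
    return changes

# Shortened copies of the two scans above (only the first rows are kept).
BUNNY = """\
Not shown: 985 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
"""
WINDOWS = """\
Not shown: 986 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
MAC Address: 00:11:32:03:47:1A (Synology Incorporated)
"""

if __name__ == "__main__":
    for port, proto, a, b in diff_scans(BUNNY, WINDOWS):
        print(f"{port}/{proto}: {a} in the first scan, {b} in the second")
```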


I don't remember the exact flags off hand, but run it on the bunny with --reason and probably -v for verbose, and it will tell you why it thinks the port is open.

Have you tried making an FTP connection to that host from the bunny? You say you tried from the windows box and proved it was closed from there, but didn't prove it was closed from the bunny.


10 minutes ago, digininja said:

I don't remember the exact flags off hand, but run it on the bunny with --reason and probably -v for verbose, and it will tell you why it thinks the port is open.

Have you tried making an FTP connection to that host from the bunny? You say you tried from the windows box and proved it was closed from there, but didn't prove it was closed from the bunny.

Nmap with --reason -v from bunny:

root@bunny:~# nmap --reason -v 192.168.1.100

Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-04 10:21 PST
Initiating Ping Scan at 10:21
Scanning 192.168.1.100 [4 ports]
Completed Ping Scan at 10:21, 1.14s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:21
Completed Parallel DNS resolution of 1 host. at 10:21, 0.01s elapsed
Initiating SYN Stealth Scan at 10:21
Scanning 192.168.1.100 [1000 ports]
Discovered open port 80/tcp on 192.168.1.100
Discovered open port 21/tcp on 192.168.1.100
Discovered open port 139/tcp on 192.168.1.100
Discovered open port 111/tcp on 192.168.1.100
Discovered open port 445/tcp on 192.168.1.100
Discovered open port 2049/tcp on 192.168.1.100
Discovered open port 5001/tcp on 192.168.1.100
Discovered open port 548/tcp on 192.168.1.100
Discovered open port 50001/tcp on 192.168.1.100
Discovered open port 5000/tcp on 192.168.1.100
Discovered open port 5432/tcp on 192.168.1.100
Discovered open port 631/tcp on 192.168.1.100
Discovered open port 50002/tcp on 192.168.1.100
Discovered open port 515/tcp on 192.168.1.100
Discovered open port 7001/tcp on 192.168.1.100
Completed SYN Stealth Scan at 10:21, 2.89s elapsed (1000 total ports)
Nmap scan report for 192.168.1.100
Host is up, received echo-reply (0.0029s latency).
Not shown: 985 closed ports
Reason: 985 resets
PORT      STATE SERVICE       REASON
21/tcp    open  ftp           syn-ack
80/tcp    open  http          syn-ack
111/tcp   open  rpcbind       syn-ack
139/tcp   open  netbios-ssn   syn-ack
445/tcp   open  microsoft-ds  syn-ack
515/tcp   open  printer       syn-ack
548/tcp   open  afp           syn-ack
631/tcp   open  ipp           syn-ack
2049/tcp  open  nfs           syn-ack
5000/tcp  open  upnp          syn-ack
5001/tcp  open  commplex-link syn-ack
5432/tcp  open  postgresql    syn-ack
7001/tcp  open  afs3-callback syn-ack
50001/tcp open  unknown       syn-ack
50002/tcp open  iiimsf        syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
           Raw packets sent: 1083 (47.628KB) | Rcvd: 1078 (43.172KB)

 

Seems like the reason is Synchronise-Acknowledge (syn-ack).

Now when I try "ftp 192.168.1.100" it gives me that output:

root@bunny:~# ftp 192.168.1.100
Connected to 192.168.1.100.
421 Service not available, remote server has closed connection
ftp>

The result is kinda the same as on Windows, just with another reason.


So there is something there listening, you just can't make a full FTP connection to it. That means the scan results are correct, port 21 is open.

Windows will be doing a full ack scan while Linux is doing a syn-ack scan. Try asking the bunny to do an ack scan and it might come back as closed.

This is something you need to watch out for when running nmap as a normal user or as root. Root does syn-ack by default, non-root does ack. Due to socket permissions I think, it's explained on the nmap site.
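Added example, not part of the thread: a SYN scan reports a port open as soon as a SYN/ACK comes back, which says nothing about whether a service will talk afterwards. This check completes the handshake from the machine it runs on and records what follows; the function name `probe` and its category labels are assumptions made here.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP port by what happens after the handshake.

    closed      - connection refused (the SYN was answered with a RST)
    no-response - nothing came back within the timeout
    unreachable - the OS reported another network error
    banner      - handshake completed and the service spoke first (FTP, SSH)
    dropped     - handshake completed, then the peer closed without sending
    silent      - handshake completed, peer waits for the client (HTTP etc.)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("closed", b"")
    except (socket.timeout, TimeoutError):
        return ("no-response", b"")
    except OSError:
        return ("unreachable", b"")
    with sock:
        try:
            data = sock.recv(256)
        except (socket.timeout, TimeoutError):
            return ("silent", b"")
        except ConnectionResetError:
            return ("dropped", b"")
        # recv() returning b"" means the peer closed before sending anything.
        return ("banner", data) if data else ("dropped", b"")

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Running it from both vantage points (here the bunny and the Windows box) shows whether they see the same behaviour on the port or are being answered differently.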

 


13 hours ago, digininja said:

So there is something there listening, you just can't make a full FTP connection to it. That means the scan results are correct, port 21 is open.

Windows will be doing a full ack scan while Linux is doing a syn-ack scan. Try asking the bunny to do an ack scan and it might come back as closed.

This is something you need to watch out for when running nmap as a normal user or as root. Root does syn-ack by default, non-root does ack. Due to socket permissions I think, it's explained on the nmap site.

 

root@bunny:~# nmap -sA 192.168.1.100

Starting Nmap 6.47 ( http://nmap.org ) at 2020-03-29 04:40 PDT
Nmap scan report for 192.168.1.100
Host is up (0.0019s latency).
Not shown: 999 unfiltered ports
PORT   STATE    SERVICE
21/tcp filtered ftp

Nmap done: 1 IP address (1 host up) scanned in 93.64 seconds


So there is something there and listening but not a full FTP server or something is limiting access to it.

On the box itself, check what is there and listening on that port. If it's a Linux box

ss -antp

As root will get you a list of ports and their associated processes.


I logged in as root, but it seems like it has only very few commands available:

BusyBox v1.16.1 (2014-09-04 11:10:21 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

NAS> ss -antp
-ash: ss: not found
NAS> help
Built-in commands:
------------------
        . : [ [[ alias break cd chdir continue eval exec exit export
        false getopts hash help let local printf pwd read readonly return
        set shift source test times trap true type ulimit umask unalias
        unset wait
NAS> whoami
root
NAS> uname -a
Linux NAS 2.6.15 #1639 Thu Sep 4 11:00:36 CST 2014 armv5tejl GNU/Linux synology_88f5281_207+
NAS>

I googled a bit and these are the commands that you can use: https://www.synology-wiki.de/index.php/Grundlegende_Befehle_auf_der_Kommandozeile (sorry it's in German, I couldn't find the English one.) The only package manager is ipkg. Wget is also installed.


netstat is the alternative to ss but it doesn't look like that is installed either.

Have a look in the web interface, they may have an option to turn FTP on and off, off may just block access rather than disable it.

ps aux may get you a list of running processes, look through that for ftp services.


ps aux gives me that back:

NAS> ps aux
ps: invalid option -- a
BusyBox v1.16.1 (2014-09-04 11:10:21 CST) multi-call binary.

Usage: ps

Report process status

Options:
        w       Wide output
NAS>

So I tried "ps -w"

NAS> ps -w
  PID USER       VSZ STAT COMMAND
    1 root      2584 S    init
    2 root         0 SWN  [ksoftirqd/0]
    3 root         0 SW<  [events/0]
    4 root         0 SW<  [khelper]
    5 root         0 SW<  [kthread]
   11 root         0 SW<  [kblockd/0]
   38 root         0 SW   [pdflush]
   39 root         0 SW   [pdflush]
   41 root         0 SW<  [aio/0]
   40 root         0 SW   [kswapd0]
  108 root         0 SW<  [ata/0]
  111 root         0 SW<  [scsi_eh_0]
  112 root         0 SW<  [scsi_eh_1]
  113 root         0 SW<  [scsi_eh_2]
  114 root         0 SW<  [scsi_eh_3]
  132 root         0 SW   [mtdblockd]
  152 root         0 SW<  [ksnapd]
  154 root         0 SW<  [md0_raid1]
  156 root         0 SW<  [md1_raid1]
  239 root         0 SW   [kjournald]
 1117 root         0 SW<  [khubd]
 1238 root      2576 S    /sbin/syslogd -S
 1240 root      2584 S    /sbin/klogd
 1337 root         0 SW<  [md2_raid1]
 1391 root     11760 S <  /usr/syno/bin/findhostd
 1415 root         0 SW   [kjournald]
 1492 admin    33228 S    /usr/syno/pgsql/bin/postgres -D /var/services/pgsql --config_file=/usr/syno/pgsql/etc/postgresql.conf --h
 1494 admin    33264 S    postgres: writer process
 1495 admin    33236 S    postgres: wal writer process
 1629 root      8376 S    /usr/syno/bin/scemd
 1893 root     10912 S    /usr/syno/sbin/hotplugd
 2025 root      2580 S    /sbin/getty 115200 console
 2038 root      4004 S    /usr/sbin/inetd
 2045 root      4020 S    /usr/sbin/crond
 2259 root      3080 S    /usr/syno/sbin/synologd
 2262 admin    33992 S    postgres: admin synolog [local] idle
 2361 root      3804 S    /usr/syno/sbin/cupsd -C /usr/local/cups/cupsd.conf
 2390 root     16092 S    /usr/syno/sbin/fileindexd
 2469 root     15292 S    /usr/syno/sbin/nmbd -D
 2525 root     19564 S    /usr/syno/sbin/smbd -D
 2527 root     19564 S    /usr/syno/sbin/smbd -D
 2543 root      7128 S    /usr/syno/sbin/cnid_metad -l log_error
 2545 root     14016 S    /usr/syno/sbin/afpd -g guest -c 256 -n NAS:AFPServer -l default log_error
 2588 1         1448 S    /sbin/portmap
 2590 root         0 SW   [nfsd]
 2593 root         0 SW   [lockd]
 2594 root         0 SW<  [rpciod/0]
 2595 root      1568 S    /usr/sbin/statd
 2598 root      1600 S    /usr/sbin/mountd -p 892
 2620 root     25080 S    /usr/syno/sbin/dms
 2625 root     25080 S    /usr/syno/sbin/dms
 2630 root      9856 S    /usr/syno/sbin/lighttpd -f /usr/syno/mediaserver/lighttpd.debug
 2644 root     25080 S    /usr/syno/sbin/dms
 2654 root     25080 S    /usr/syno/sbin/dms
 2660 root     25080 S    /usr/syno/sbin/dms
 2713 root      6892 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 2746 root      4912 S    /usr/syno/apache/bin/httpd
 2760 nobody    5012 S    /usr/syno/apache/bin/httpd
 2761 nobody    5012 S    /usr/syno/apache/bin/httpd
 2813 root      2648 S    avahi-daemon: running [NAS.local]
 2836 root      9324 S N  /usr/syno/bin/synomkthumbd
 2837 root     25984 S N  /usr/syno/sbin/synoindexd
 2839 admin    34288 S    postgres: admin photo [local] idle
 2840 root      9324 S N  /usr/syno/sbin/synomkflvd
 6938 admin    34208 S    postgres: admin mediaserver [local] idle
 7545 root     25080 S    /usr/syno/sbin/dms
 7617 root     25080 S    /usr/syno/sbin/dms
 7639 nobody    5012 S    /usr/syno/apache/bin/httpd
 7647 root      7160 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 7660 nobody    5012 S    /usr/syno/apache/bin/httpd
 7680 nobody    5012 S    /usr/syno/apache/bin/httpd
 8838 root     25080 S    /usr/syno/sbin/dms
 8867 root      7160 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 8875 root     24756 S    /usr/syno/sbin/smbd -D
 9091 root      7168 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 9109 root      6976 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 9111 root      7080 S    /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 9135 root      3804 S    /usr/syno/sbin/sshd
 9210 root      6804 S    sshd: root@pts/0
 9216 root      4028 S    -ash
 9250 root      4008 R    ps -w
NAS>

I can't find any ftp services in here...

But netstat is available, so I did netstat -a

NAS> netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3586            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:printer         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:afpovertcp      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:netbios-ssn     0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50002           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ipp             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:postgres        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:afs3-callback   0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:892             0.0.0.0:*               LISTEN
tcp        0      0 localhost:4700          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3485            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:microsoft-ds    0.0.0.0:*               LISTEN
tcp        0      0 NAS:microsoft-ds        desktop-a8nnct2.home:50950 ESTABLISHED
tcp        0    528 NAS:ssh                 desktop-g5thuvg.home:1047 ESTABLISHED
udp        0      0 0.0.0.0:1024            0.0.0.0:*
udp        0      0 0.0.0.0:nfs             0.0.0.0:*
udp        0      0 0.0.0.0:1026            0.0.0.0:*
udp        0      0 localhost:1027          0.0.0.0:*
udp        0      0 0.0.0.0:1028            0.0.0.0:*
udp        0      0 NAS:netbios-ns          0.0.0.0:*
udp        0      0 0.0.0.0:netbios-ns      0.0.0.0:*
udp        0      0 NAS:netbios-dgm         0.0.0.0:*
udp        0      0 0.0.0.0:netbios-dgm     0.0.0.0:*
udp        0      0 0.0.0.0:651             0.0.0.0:*
udp        0      0 0.0.0.0:9997            0.0.0.0:*
udp        0      0 0.0.0.0:9998            0.0.0.0:*
udp        0      0 0.0.0.0:9999            0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*
udp        0      0 0.0.0.0:892             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                      2099 /tmp/synologd
unix  2      [ ACC ]     STREAM     LISTENING       1373 /tmp/.s.PGSQL.5432
unix  10     [ ]         DGRAM                       968 /var/run/log
unix  2      [ ACC ]     STREAM     LISTENING       2247 /tmp/fileindexd.sck
unix  2      [ ACC ]     STREAM     LISTENING       2674 /var/run/afpd_ipc
unix  2      [ ACC ]     STREAM     LISTENING       2779 /var/run/avahi-daemon/socket
unix  2      [ ]         DGRAM                    7206666
unix  3      [ ]         STREAM     CONNECTED     3837218 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED     3837217
unix  3      [ ]         STREAM     CONNECTED       3144 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED       3143
unix  2      [ ]         DGRAM                      2403
unix  2      [ ]         DGRAM                      2371
unix  2      [ ]         DGRAM                      2224
unix  3      [ ]         STREAM     CONNECTED       2085 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED       2084
unix  2      [ ]         DGRAM                      1871
unix  2      [ ]         DGRAM                      1868
unix  2      [ ]         DGRAM                      1153
unix  2      [ ]         DGRAM                      1041
NAS>

I made a screenshot of the FTP settings from the web interface. It was in German so I translated it.

 

[Image: ftp.png]

The web interface shows that FTP service is not enabled (the "activate ftp-service" box doesn't have a tick)


Are there any iptables rules on the box? Looking at that, my guess would be something is open to allow the FTP connection in, but as the service is not enabled it isn't going anywhere.


On 4/4/2020 at 12:29 PM, digininja said:

Are there any iptables rules on the box? Looking at that, my guess would be something is open to allow the FTP connection in, but as the service is not enabled it isn't going anywhere.

As far as I know, there aren't any iptables rules on the box, but I'm not 100% sure.

NAS> iptables --list
iptables v1.4.2: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

https://community.synology.com/enu/forum/17/post/38904

Seems like I'm not the only one with the iptables issue. This guy solved it with the help of the second last comment. Maybe you can understand it, I only see gibberish.


I think we've reached a dead end for remote working out what is going on.

It will be something to do with the box supporting FTP but the service not running yet. Something will be holding the port open ready for it.


1 hour ago, digininja said:

I think we've reached a dead end for remote working out what is going on.

It will be something to do with the box supporting FTP but the service not running yet. Something will be holding the port open ready for it.

I'll try to find the cause of it. I'll inform you as soon as I get it.


Archived

This topic is now archived and is closed to further replies.
