topic nmap showing open ports on all IPs in General Topics

nmap showing open ports on all IPs

D_TK — Fri, 06 Aug 2021 22:36:20 GMT

I'm running an nmap scan of a /24 network across an MPLS network and receiving unexpected responses on "proxy" related ports.

The traffic flow is:

linux nmap -> FW1 -> MPLS ->FW2 -> 192.168.10.0 /24

i'm expecting no responses as all traffic is blocked on the FW2 firewall, but here is an example of what i'm receiving for every IP in the block:

Nmap scan report for 192.168.10.127
Host is up (0.0014s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
80/tcp open http
1720/tcp open h323q931
3128/tcp open squid-http
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8080/tcp open http-proxy

There is not even a device at this IP - 192.168.10.127

We do not have a proxy server, we do not have proxy enabled on any of the gateways. When i look at the fw logs between the nmap client and the 192.168.10.0 network, i see traffic hit both firewalls, accepted at FW1, and dropped at FW2 - EXCEPT FOR THE PORTS LISTED ABOVE. For those ports, i only see the traffic accepted on FW1.

Any thoughts as to what is responding?

Thanks - all versions are r80.40 jhfa 118

Re: nmap showing open ports on all IPs

PhoneBoy — Fri, 06 Aug 2021 23:14:40 GMT

Port 80 is likely because of an implied rule.
What precisely shows in the logs on FW2 when the traffic is accepted in the other cases?
Screenshots of log cards would be helpful.

Re: nmap showing open ports on all IPs

D_TK — Fri, 06 Aug 2021 23:39:43 GMT

Attached is a simple example. I did a scan of tcp/21 and tcp/8080. for 21 it shows exactly what i expected, allowed at fw1 and dropped at fw2. For tcp/8080, accepted at fw1, and nothing at fw2 - a running fw monitor showed the same, it's like it never reached that side of the net, but nmap showed 8080 as open, and again, there isn't even a device at that IP.

In the attached screenshot, "car-1" is the near side, "lc-1" is the far side. lmk if you like to see the actual card for any of these entries.

thanks

Re: nmap showing open ports on all IPs

PhoneBoy — Sat, 07 Aug 2021 06:23:57 GMT

What about something other than port 8080?
HTTPS Inspection picked up the traffic, even though it was a bypass rule, which I’m sure impacted the scan result.

Re: nmap showing open ports on all IPs

D_TK — Sat, 07 Aug 2021 17:15:13 GMT

I ran another scan for all the ports that show as "open" + tcp/21 (as the example of what's expected). Results attached.

Appreciate your help.

Re: nmap showing open ports on all IPs

PhoneBoy — Sun, 08 Aug 2021 21:55:30 GMT

Clearly the first gateway is seeing the traffic and nmap is getting something back.
That means something is answering the nmap probes.
The question is: what?
Can you confirm traffic is leaving the first gateway with tcpdump?
Is there any reply traffic and from what MAC does it originate?
If the second gateway, then you may need to see what is happening there.
Follow the bouncing packet.

Also rather than using nmap, try something like telnet or netcat on one of the ports (8000) and see what precisely happens, observing with tcpdump and/or fw monitor.