D_TK
Collaborator

nmap showing open ports on all IPs
I'm running an nmap scan of a /24 network across an MPLS network and receiving unexpected responses on "proxy" related ports.

The traffic flow is:

linux nmap -> FW1 -> MPLS -> FW2 -> 192.168.10.0/24

I'm expecting no responses, as all traffic is blocked on the FW2 firewall, but here is an example of what I'm receiving for every IP in the block:

Nmap scan report for 192.168.10.127
Host is up (0.0014s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
1720/tcp open  h323q931
3128/tcp open  squid-http
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy

There is not even a device at this IP (192.168.10.127).

We do not have a proxy server, and we do not have proxy enabled on any of the gateways. When I look at the FW logs between the nmap client and the 192.168.10.0 network, I see traffic hit both firewalls, accepted at FW1 and dropped at FW2 - EXCEPT FOR THE PORTS LISTED ABOVE. For those ports, I only see the traffic accepted on FW1.
Any thoughts as to what is responding?
Thanks - all versions are R80.40 JHFA 118.

0 Kudos
5 Replies
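The pattern in the question (the same six ports "open" on every address in the /24, including addresses with no device behind them) is the fingerprint of something in the path completing the TCP handshake on the destination's behalf, not of real services. The script below is an added example, not code from the thread or from Check Point: it parses normal nmap output and separates ports that are "open" on nearly every host (probably answered by an intermediary, to be confirmed with tcpdump/fw monitor) from ports that only a few hosts expose. The sample output is constructed to resemble the report in the post; the 90% threshold is an assumption.

```python
"""Flag 'open' ports that a sweep reports identically for (almost) every host.

Added example, not from the thread. When an inline device (proxy, HTTPS
inspection, transparent gateway) answers SYNs on behalf of destinations that
do not exist, every address in the range shows the same small set of open
ports. Looking for ports open on nearly every host surfaces that.
"""
import re
from collections import Counter, defaultdict

# Constructed sample resembling the report in the original post, covering three
# hosts; port 22 on .1 is the only host-specific service in this sample.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.10.1
Host is up (0.0011s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1720/tcp open  h323q931
3128/tcp open  squid-http
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy

Nmap scan report for 192.168.10.127
Host is up (0.0014s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
1720/tcp open  h323q931
3128/tcp open  squid-http
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy

Nmap scan report for 192.168.10.200
Host is up (0.0013s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
1720/tcp open  h323q931
3128/tcp open  squid-http
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")


def parse_open_ports(text):
    """Return {host: set of 'port/proto' reported open} from normal nmap output."""
    hosts = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current]  # register the host even if nothing is open on it
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].add(f"{m.group(1)}/{m.group(2)}")
    return dict(hosts)


def suspicious_uniform_ports(hosts, min_fraction=0.9):
    """Ports reported 'open' on at least min_fraction of the hosts.

    A uniform open set across a whole range points at a device in the path
    answering the probes rather than at real services on each host.
    """
    if not hosts:
        return []
    counts = Counter(p for ports in hosts.values() for p in ports)
    threshold = min_fraction * len(hosts)
    return sorted((p for p, n in counts.items() if n >= threshold),
                  key=lambda p: int(p.split("/")[0]))


def host_specific_ports(hosts, uniform):
    """Open ports left once the uniform (probably intercepted) ones are removed."""
    uniform = set(uniform)
    return {h: sorted(ports - uniform) for h, ports in hosts.items() if ports - uniform}


if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    uniform = suspicious_uniform_ports(parsed)
    print("open on nearly every host (verify with tcpdump / fw monitor):", uniform)
    print("host-specific open ports:", host_specific_ports(parsed, uniform))
```

Feed it `nmap -oN` output of the real sweep (`parse_open_ports(open("sweep.txt").read())`); any port that lands in the uniform list for addresses you know are unused is the one to trace hop by hop.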
PhoneBoy
Admin

Port 80 is likely because of an implied rule.
What precisely shows in the logs on FW2 when the traffic is accepted in the other cases?
Screenshots of log cards would be helpful.

0 Kudos
D_TK
Collaborator

Attached is a simple example. I did a scan of tcp/21 and tcp/8080. For 21 it shows exactly what I expected: allowed at FW1 and dropped at FW2. For tcp/8080, accepted at FW1 and nothing at FW2 - a running fw monitor showed the same; it's like it never reached that side of the net, but nmap showed 8080 as open, and again, there isn't even a device at that IP.

In the attached screenshot, "car-1" is the near side and "lc-1" is the far side. Let me know if you'd like to see the actual card for any of these entries.
Thanks

0 Kudos
PhoneBoy
Admin

What about something other than port 8080?
HTTPS Inspection picked up the traffic, even though it was a bypass rule, which I’m sure impacted the scan result. 

0 Kudos
D_TK
Collaborator

I ran another scan for all the ports that show as "open", plus tcp/21 (as the example of what's expected). Results attached.

Appreciate your help.

0 Kudos
PhoneBoy
Admin

Clearly the first gateway is seeing the traffic and nmap is getting something back.
That means something is answering the nmap probes.
The question is: what?
Can you confirm traffic is leaving the first gateway with tcpdump?
Is there any reply traffic and from what MAC does it originate?
If the second gateway, then you may need to see what is happening there. 
Follow the bouncing packet.

Also rather than using nmap, try something like telnet or netcat on one of the ports (8000) and see what precisely happens, observing with tcpdump and/or fw monitor.

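The last reply's advice is to replace nmap's verdict with a direct connection to one port and watch what actually comes back. The script below is an added example, not code from the thread or from Check Point: it does what a telnet/netcat session does but records the evidence, i.e. whether the handshake completes (open), is refused with a RST (closed) or gets no answer (filtered, the expected outcome behind FW2), and which response headers, if any, name the thing that answered. Run it while tcpdump on the nmap host and fw monitor on FW1/FW2 are capturing, so the hop that sources the SYN/ACK can be matched to the connection. The local stand-in responder, the TEST-NET address in the usage block and the header names it looks for are assumptions; substitute an address and port from the real scan.

```python
"""Probe one TCP port the way telnet/netcat would, but record the evidence.

Added example, not from the thread. An unused address behind a drop rule should
yield 'filtered' (no answer); a real stack with nothing listening yields
'closed' (RST); an intermediary that accepts any destination yields 'open',
often with an HTTP-style reply whose Server/Via header identifies it.
"""
import socket
import threading
import time

RESPONDER_HEADERS = ("server", "via", "proxy-agent", "x-cache")  # assumption


def _http_head(host):
    # Constructed minimal request; Host carries the probed address so a
    # transparent proxy has something to route on and answers as it normally would.
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def probe_tcp(host, port, timeout=3.0, read_bytes=512):
    """Return {'state': 'open'|'closed'|'filtered', 'banner': bytes, 'elapsed': s}.

    open      handshake completed: something accepted the SYN (note which hop)
    closed    RST received: a real stack, nothing listening
    filtered  no answer or unreachable before the timeout: dropped, as expected
    """
    t0 = time.monotonic()
    result = {"host": host, "port": port, "state": None, "banner": b"", "elapsed": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["state"] = "open"
            result["elapsed"] = time.monotonic() - t0
            try:
                s.sendall(_http_head(host))
                s.settimeout(timeout)
                result["banner"] = s.recv(read_bytes)
            except OSError:
                pass  # accepted but silent: still worth noting which hop accepted it
    except ConnectionRefusedError:
        result["state"] = "closed"
    except OSError:  # includes TimeoutError and host-unreachable errors
        result["state"] = "filtered"
    if result["elapsed"] is None:
        result["elapsed"] = time.monotonic() - t0
    return result


def responder_hints(banner):
    """Headers in the reply that commonly reveal an intermediary answering the probe."""
    hints = []
    for line in banner.decode("latin-1", "replace").split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in RESPONDER_HEADERS:
            hints.append(line.strip())
    return hints


def start_fake_responder(reply):
    """Local stand-in for an intermediary that accepts one connection and answers
    with `reply` (constructed for demonstration). Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demonstration against the local stand-in; in the real check, replace
    # 127.0.0.1/port with an address from the scanned range and a port nmap
    # reported open (e.g. 8000), plus one that should be filtered (e.g. 21).
    port = start_fake_responder(b"HTTP/1.1 200 OK\r\nServer: example-proxy\r\n\r\n")
    for target, p in (("127.0.0.1", port), ("192.0.2.10", 21)):  # 192.0.2.10 is TEST-NET
        r = probe_tcp(target, p, timeout=2.0)
        print(f"{target}:{p} {r['state']} {r['elapsed']:.3f}s {responder_hints(r['banner'])}")
```

Two things in the result are worth comparing with the captures: an "open" whose elapsed time is far below the real round trip to the remote site points at the near-side gateway answering locally, and any Via/Server header names the component to look for in FW1's inspection or proxy settings.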