Hi Guys

I'm having trouble verifying my port scans; I am getting very different results...

Running a Nessus scan on a machine, I get 4 open ports: 445, 139, 427, 135

Running LANguard I get 7 TCP (21, 25, 110, 135, 427, 445) and 3 UDP (137, 138, 445)

I have used all scanners, with the same results. Then I tried using each scanner individually to verify these results. I am using the correct SMB credentials, UDP and TCP scanning enabled, Nessus scan results below. I have also copied the console output from an nmap scan at the bottom of the mail.

I can confirm that ports 110 and 21, 25 are open as I can telnet/FTP them.

Can't see why these open ports are not being picked up…

Results on using the Nessus TCP scanner

NESSUS SECURITY SCAN REPORT

Created 24.08.2005            Sorted by host names

Session Name : testportscan
Start Time   : 24.08.2005 14:36:25
Finish Time  : 24.08.2005 14:36:32
Elapsed Time : 0 day(s) 00:00:07

Plugins used in this scan:

  Id    Name
----------------------------------------------------------------------------
  10180 Ping the remote host
  10335 Nessus TCP scanner

Preferences settings for this scan:

  max_hosts                                = 16
  max_checks                               = 10
  log_whole_attack                         = yes
  cgi_path                                 = /cgi-bin
  port_range                               = 1-1024
  optimize_test                            = no
  language                                 = english
  checks_read_timeout                      = 5
  non_simult_ports                         = 139, 445
  plugins_timeout                          = 320
  safe_checks                              = no
  auto_enable_dependencies                 = yes
  silent_dependencies                      = yes
  use_mac_addr                             = no
  save_knowledge_base                      = yes
  kb_restore                               = no
  only_test_hosts_whose_kb_we_dont_have    = no
  only_test_hosts_whose_kb_we_have         = no
  kb_dont_replay_scanners                  = no
  kb_dont_replay_info_gathering            = no
  kb_dont_replay_attacks                   = no
  kb_dont_replay_denials                   = no
  kb_max_age                               = 864000
  plugin_upload                            = no
  plugin_upload_suffixes                   = .nasl, .inc
  slice_network_addresses                  = no
  ntp_save_sessions                        = yes
  ntp_detached_sessions                    = yes
  server_info_nessusd_version              = 2.2.5
  server_info_libnasl_version              = 2.2.5

Total security holes found : 4
             high severity : 0
             Medium severity : 0
             informational : 4

Host: 163.119.128.180

Open ports:

   netbios-ssn (139/tcp)
   svrloc (427/tcp)
   microsoft-ds (445/tcp)
   unknown (135/tcp)

[EMAIL PROTECTED] sbin]# nmap -P0 -sS 163.119.128.180 -p 1-1024 -vv

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-22 14:28 BST
Initiating SYN Stealth Scan against 163.119.128.180 [1024 ports] at 14:28
Discovered open port 139/tcp on 163.119.128.180
Discovered open port 135/tcp on 163.119.128.180
Discovered open port 445/tcp on 163.119.128.180
Discovered open port 427/tcp on 163.119.128.180
The SYN Stealth Scan took 0.05s to scan 1024 total ports.
Host 163.119.128.180 appears to be up ... good.
Interesting ports on 163.119.128.180:
(The 1020 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
427/tcp open  svrloc
445/tcp open  microsoft-ds

Nmap finished: 1 IP address (1 host up) scanned in 0.072 seconds
               Raw packets sent: 1024 (41KB) | Rcvd: 1024 (47.1KB)

Network Project Engineer,
Information Systems Division
London Business School, Sussex Place, Regents Park, London. NW1 4SA
t: +44 (0)20 7000 7772 direct
+44 (0)20 7262 5050 general
fax: +44 (0)20 7000 7771 direct
+44 (0)20 7724 7875 general
e: mailto:[EMAIL PROTECTED]      http://www.london.edu/technology/

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
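
Added example, not part of the original post: a short Python script that parses the nmap and Nessus output quoted in the message and cross-checks it against the LANguard TCP list and the ports the poster confirmed by hand, showing which source reports each port. The function and variable names are this example's own.

```python
import re

# Scanner output excerpts copied from the post above.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
427/tcp open  svrloc
445/tcp open  microsoft-ds
"""
NESSUS_REPORT = """\
Open ports:
   netbios-ssn (139/tcp)
   svrloc (427/tcp)
   microsoft-ds (445/tcp)
   unknown (135/tcp)
"""
# TCP ports as listed for LANguard and as confirmed by telnet/FTP in the post.
LANGUARD_TCP = {21, 25, 110, 135, 427, 445}
MANUAL_TCP = {21, 25, 110}

NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+\S+", re.M)
NESSUS_ROW = re.compile(r"^\s*\S+ \((\d+)/(tcp|udp)\)\s*$", re.M)

def open_ports(text, pattern, proto="tcp"):
    """Return the set of open port numbers of one protocol matched by pattern."""
    return {int(port) for port, p in pattern.findall(text) if p == proto}

def compare(sources):
    """Map each port to the sorted names of the sources that reported it open."""
    seen = {}
    for name, ports in sources.items():
        for port in ports:
            seen.setdefault(port, []).append(name)
    return {port: sorted(names) for port, names in sorted(seen.items())}

def missed_by(sources, scanner, reference):
    """Ports the reference source reported open that the scanner did not."""
    return sorted(sources[reference] - sources[scanner])

SOURCES = {
    "nmap": open_ports(NMAP_OUTPUT, NMAP_ROW),
    "nessus": open_ports(NESSUS_REPORT, NESSUS_ROW),
    "languard": LANGUARD_TCP,
    "manual": MANUAL_TCP,
}

if __name__ == "__main__":
    for port, names in compare(SOURCES).items():
        print(f"{port:>5}/tcp  {', '.join(names)}")
    print("confirmed by hand, not in nmap:", missed_by(SOURCES, "nmap", "manual"))
```

The per-port table also shows disagreement in the other direction: 139/tcp appears in the nmap and Nessus results but not in the LANguard TCP list given in the post.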
