[oclug] re: stealth
Robert Echlin
rechlin at magma.ca
Fri Apr 16 10:15:17 EDT 2004
Bob Lockie wrote:
> Maybe somebody can explain this to me.
> 192* is the local IP of my machine and nmap displays the correct open ports on it.
> 216* is the external IP of the Linksys WRT54G router.
> Except for pop-3, the other ports should be forwarded.
> I have no idea where the https port came from unless I can't port scan from inside.
>
>
> 192.168.1.110
> 216.168.118.131
>
> $ nmap 192.168.1.110
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-04-15 17:27 EDT
> Interesting ports on 192.168.1.110:
> (The 1652 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 110/tcp open pop-3
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1.150 seconds
>
>
> $ nmap 216.168.118.131
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-04-15 17:27 EDT
> Interesting ports on nexredback-216-168-118-131.nexicom.net (216.168.118.131):
> (The 1653 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 443/tcp open https
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1.805 seconds
I think your Linksys router has the capability of being managed from
external addresses. Check the Linksys settings to make sure that
capability is turned off. If it is on, that would explain the HTTPS - it
would be running an SSL-encrypted web server (HTTPS) to allow you to log
in from outside to manage it. Try connecting to your external IP address
with your browser to see if anything shows up.

It looks to me as if you have set your router to forward ports 22, 25,
and 80, presumably to your Linux box, and 53 and 110 are not forwarded.

Are you running nmap from your own box? If so, I don't think that the
ISP could block the connection from your machine to the outside of your
router, unless your router is configured to forward all external
addresses, even its own IP address, through the ISP's router. Can
someone clarify what the settings are likely to be here?

It's also possible that your Linux box is running iptables; can you
check what ports it has open?

I remember using some GUI program on Red Hat to configure iptables. It
had check boxes for http, https, and smtp, IIRC. All other ports had to
be listed in a dialog box, every time you ran it, and it did not provide
the current list as a default. Don't remember what it was called, but
it sucked if you wanted to add just one more port to the several already
opened. If you were running it, you might think you were adding another
port to an existing list.
Robert
--
Robert Echlin
rechlin [at] magma.CA
Personal site: "Some People's Parents" => magma.ca/~rechlin
Company site: OfficeProfessor.CA
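
Added example, not part of the original message: a short Python sketch of the comparison discussed in this thread, diffing the open-port tables of the LAN-address scan and the external-address scan. The sample tables are trimmed from the nmap output quoted above; the function names and category labels are assumptions made for this illustration.

```python
import re

# Sample input: port tables trimmed from the two scans quoted in the thread.
LAN_SCAN = """\
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
"""
WAN_SCAN = """\
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
"""

# Matches "22/tcp open ssh"; tolerates a leading "> " from quoted mail.
PORT_LINE = re.compile(r"^>?\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def open_ports(nmap_text):
    """Return {(port, proto): service} for table rows whose state is 'open'."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found

def compare(lan_text, wan_text):
    """Classify ports by where they answer. These are hypotheses to check
    against the router's settings, not proof: a port open on both addresses
    may also be a service of the router itself on the same number."""
    lan, wan = open_ports(lan_text), open_ports(wan_text)
    return {
        "forwarded": sorted(lan.keys() & wan.keys()),      # open on both
        "lan_only": sorted(lan.keys() - wan.keys()),       # not forwarded
        "router_itself": sorted(wan.keys() - lan.keys()),  # e.g. remote admin
    }

if __name__ == "__main__":
    for label, ports in compare(LAN_SCAN, WAN_SCAN).items():
        print(label, ", ".join(f"{p}/{proto}" for p, proto in ports) or "-")
```
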