
NMAP


17 replies to this topic

#1 spectre1982

spectre1982

  • Members
  • 7 posts

Posted 21 May 2017 - 07:37 AM

Although I'm new to these tools, I installed Wireshark and Nmap. I was doing some learning on Wireshark and the tutorial called to use the command nmap localhost at the command prompt in Windows to see what ports are open on your system. This guy had two ports open, when I did the command I have literally hundreds of ports listed as belonging to one application or another. rpc somewhere, Elite, sql, iPhone-sync, rxapi,... The list goes on, literally just hundreds of entries. Are these ports all open for use by these services? On Windows 10, if they're open, how do I close them?





#2 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts

Posted 21 May 2017 - 04:07 PM

I believe an nmap scan against localhost, or against a private IP of the form 192.168.1.x, shows just the open/closed/filtered ports of the local machine nmap is running on, not open, exposed, internet-facing ports.


How Can I Reduce My Risk to Malware?


#3 spectre1982

spectre1982
  • Topic Starter

  • Members
  • 7 posts

Posted 21 May 2017 - 05:16 PM

Is there any reason for them to name off specific services then? Like monkeycom, elite; etc. These don't stand like standard mappings.

nmap -sT shows three services with 997 ports filtered against localhost but just nmap localhost shows hundreds/thousands. So you think there's nothing to worry over, the -sT argument is showing actual use?


Edited by spectre1982, 21 May 2017 - 05:22 PM.


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts

Posted 21 May 2017 - 05:30 PM

If it's really localhost (127.0.0.1/8 or ::1), then it's normal that there are many ports open. But localhost is only accessible on your machine.

 

Can you provide the exact nmap command you used?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts

Posted 21 May 2017 - 06:16 PM

I wouldn't worry too much mate, scanning your internet pc/network is like looking at a car with really dark window tinting.

When you are inside the car you see everything; when you look from the outside all you see is the car.

Scanning your own PC can show weaknesses, but you really need to get someone to scan you from the outside. This is where GRC ShieldsUP comes in handy, and I think there used to be an online nmap scanner, from memory.

Just remember you will see many open internal ports for services and processes which need to access/open/create and close internal ports (virtual ports) all the time.

NMAP uses a packet inspection which IDs/guesses services/processes based on packet identifiers, which then allows it to link it to a well-known application or service.

Scan your modem router from the LAN and see; it might say BusyBox, or Linksys, etc.



#6 spectre1982

spectre1982
  • Topic Starter

  • Members
  • 7 posts

Posted 21 May 2017 - 06:29 PM

At first I just did

nmap localhost

@JohnnyJammer thnx. I will try that when I am home!

 

Then I did

nmap -sT localhost

The previous showed all the crazy ports and the latter only 3.



#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts

Posted 22 May 2017 - 03:11 AM

Are most of the ports in state unknown?




#8 Crazy Cat

Crazy Cat

  • Members
  • 808 posts

Posted 22 May 2017 - 06:53 PM

SecuritySpace's security audits http://www.securityspace.com/smysecure/index.html

Home PC Users.

Basic Audit ( Free ) Our classic port scan - scans 1500+ known service ports (http://www.securityspace.com/smysecure/daudit_ports.html) looking for services hackers might use to get in.

Single Test ( Free ) Run any of our 56160 vulnerability tests. Unlimited use.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#9 spectre1982

spectre1982
  • Topic Starter

  • Members
  • 7 posts

Posted 22 May 2017 - 07:45 PM

Yes, the states are unknown when there is no argument provided. So I guess this is, as was stated, just a mapping of well-known ports. Sorry for the late response, btw.



#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts

Posted 23 May 2017 - 02:13 AM

It's a known problem with nmap scanning localhost on Windows.




#11 spectre1982

spectre1982
  • Topic Starter

  • Members
  • 7 posts

Posted 23 May 2017 - 05:26 PM

well I've always heard of nmap as the top scanner, but is there a scanner which won't do this? 



#12 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts

Posted 23 May 2017 - 11:20 PM

You mean like Metasploit and/or Kali Linux?



#13 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts

Posted 24 May 2017 - 12:39 PM

If you want to scan your computer, you should scan an interface that is exposed outside your computer like JJ suggested, and not localhost.




#14 spectre1982

spectre1982
  • Topic Starter

  • Members
  • 7 posts

Posted 24 May 2017 - 02:41 PM

If you want to scan your computer, you should scan an interface that is exposed outside your computer like JJ suggested, and not localhost.

 

I am just trying to learn about scanning and scanning techniques. I usually scan web targets, but scanned against localhost because someone asked me to, to see what happened for something they were doing, which spawned my curiosity. I installed nmap and bought a mini-nmap book. TBH I don't know what an exposed interface means. I just know how to ipconfig to learn about the different interfaces I have, and how to use nmap against an IP address. Which basically begs the question: how do you hide or expose an interface? Is that something like network capture mode that Wireshark does?

 

 

You mean like Metasploit and/or Kali Linux?

 

Insofar as Metasploit, well, that did all kinds of mess to my computer. I bypassed it in antivirus as trusted and let down my firewall to have a look at the interface, but then Wireshark interfaces disappeared as if Npcap was gone, and it was just through experimenting on what the issue was and uninstalling Metasploit that I figured out it was some kind of service or otherwise that Metasploit was doing. Npcap remains on my computer somehow, but is no longer listed as installed either. I ran a virus scan just in case and it's clean. So insofar as Metasploit, maybe some other time, and Kali always gives me network card issues. Plus it's legacy boot and I don't want to remove secure boot on my computer.
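
Added example, not part of any post in this thread: the localhost-versus-exposed-interface distinction discussed above can be read off the bind address of each listening socket. The sketch below parses Windows `netstat -ano` output and groups TCP listeners by where they can be reached from; the sample output, PIDs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:50122     203.0.113.10:443       ESTABLISHED     7788
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:49670            [::]:0                 LISTENING       3300
  UDP    0.0.0.0:5353           *:*                                    2040
"""

def split_endpoint(endpoint):
    """Split '127.0.0.1:80' or '[::1]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def classify(addr):
    """Say which interfaces a listener bound to `addr` accepts connections on."""
    if addr.is_loopback:       # 127.0.0.0/8 or ::1: only this machine can connect
        return "loopback-only"
    if addr.is_unspecified:    # 0.0.0.0 or :: means every interface, LAN included
        return "all-interfaces"
    return "single-interface"  # bound to one specific local address

def listeners_by_exposure(netstat_text):
    """Group TCP LISTENING sockets as (address, port, pid) by exposure class."""
    result = {"loopback-only": [], "all-interfaces": [], "single-interface": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP rows in LISTENING state; skips header, UDP, ESTABLISHED.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, port = split_endpoint(fields[1])
        result[classify(addr)].append((str(addr), port, int(fields[4])))
    return result

if __name__ == "__main__":
    for exposure, sockets in listeners_by_exposure(SAMPLE_NETSTAT).items():
        for addr, port, pid in sockets:
            print(f"{exposure:17} {addr}:{port} pid={pid}")
```

Listeners in the `all-interfaces` and `single-interface` groups are the ones a scan from another machine can find, subject to whatever the host firewall filters; `loopback-only` listeners appear only when scanning from the machine itself.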



#15 Crazy Cat

Crazy Cat

  • Members
  • 808 posts

Posted 24 May 2017 - 06:19 PM

well I've always heard of nmap as the top scanner, but is there a scanner which won't do this?


See if Microsoft's port scanner, PortQueryUI will assist you? I think it has proxy capabilities, but I'll have to confirm that?

https://support.microsoft.com/en-au/help/310099/description-of-the-portqry.exe-command-line-utility
https://support.microsoft.com/en-us/help/832919/new-features-and-functionality-in-portqry-version-2-0

The PortQueryUI tool provides a graphical user interface and is available for download. PortQueryUI has several features that can make using PortQry easier. To obtain the PortQueryUI tool, visit the following Microsoft Web site: http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe
 





