Strange Results from Portscans

Something strange is going on with which ports appear open on my internal network when filtered through the AirPort Extreme. I have the following ports forwarded on my network:
22 (ssh)
25 (smtp)
80 (http)

When I scan my network via the domain name (thus going outside the LAN), I get the following results from the latest version of nmap run with the -v and -A options (* added to ports that should not be open; ports listed as filtered have been excluded from all scans):

PORT       STATE SERVICE           VERSION
21/tcp*    open  tcpwrapped
22/tcp     open  ssh               OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp     open  smtp              Exim smtpd 4.63
53/tcp*    open  domain?
80/tcp     open  http              lighttpd 1.4.13
139/tcp*   open  tcpwrapped
445/tcp*   open  netbios-ssn
548/tcp*   open  afpovertcp?
554/tcp*   open  rtsp?
7070/tcp*  open  realserver?
10000/tcp* open  snet-sensor-mgmt?

Just to be sure that I was actually going through the WAN, I scanned a friend of mine who also has the AirPort Extreme and has the same ports open (with the addition of imap):

PORT      STATE SERVICE     VERSION
21/tcp*   open  tcpwrapped
22/tcp    open  ssh         OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp    open  smtp?
80/tcp    open  http        lighttpd 1.4.13
554/tcp*  open  rtsp?
993/tcp   open  ssl/imap    Dovecot imapd
7070/tcp* open  realserver

Ports 21, 554 and 7070 are open on both networks despite not having been opened.

I then logged into a VPN and scanned myself, getting the following results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp open  smtp    Exim smtpd 4.63
80/tcp open  http    lighttpd 1.4.13

In short: it looks precisely as it should. The network I am connecting to is not administered by me, but I know for a fact they don't filter outgoing traffic to port 21 (and don't think they firewall it at all for that matter).

I am totally mystified by these results, and have some concern about the security implications. Can anyone shed light on this issue?

Macbook, intel imac, B&W G4 Mac OS X (10.4.9)

Posted on Apr 10, 2007 5:20 PM

5 replies

Apr 10, 2007 10:01 PM in response to MCBenson

I don't see anything strange at all.

In the first scan, you're seeing all the ports you mapped (22, 25 and 80), plus the ports that are open with the WAN address via hairpinning from the LAN side of the AirPort (53, 139, 445, 548 and 10000; 5009 is only available at the LAN address and not by hairpinning), as well as the ports that redirected into the ALG proxies from the LAN side (21, 554 and 7070).

In the second scan, you're seeing all the ports your friend mapped (22, 25, 80 and 993) plus all the ports redirected into the ALG proxies from your LAN side (21, 554 and 7070).

In the third scan, you're seeing only the ports you mapped (22, 25 and 80).

What's the problem? What particular security risk are you concerned about?
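The distinction jhw draws is the check worth automating: ports that show up only when the scan originates on the LAN are hairpin or ALG side effects, while ports that are open from a genuinely external vantage point and are not on your forward list are the ones that matter. The script below is an added example and not code from the thread. It parses nmap's normal output (the PORT / STATE / SERVICE / VERSION lines) from an inside scan and an outside scan and sorts the open ports into the three buckets. The two sample outputs are constructed from the numbers in the first and third scans above; the trailing "*" is the original poster's annotation and the parser ignores it.

```python
"""Compare nmap output taken from two vantage points (added example).

Parses nmap "normal" output from a scan run inside the NAT and a scan run
from outside, then separates ports open from both sides (the real forwards)
from ports open only from inside (hairpin NAT and ALG proxy side effects)
and ports open only from outside (unexpected exposure).  The sample scans
are constructed from the numbers posted in the thread.
"""
from __future__ import annotations

import re
from typing import Dict

# Matches "21/tcp* open tcpwrapped" or "22/tcp open ssh OpenSSH 4.3p2 ...".
# The optional "*" is the poster's own marker, not nmap output.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\*?\s+(?P<state>\S+)\s+(?P<service>\S+)"
)

# Constructed sample: the thread's first scan (from the LAN, via the domain name).
SCAN_FROM_INSIDE = """\
PORT STATE SERVICE VERSION
21/tcp* open tcpwrapped
22/tcp open ssh OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.63
53/tcp* open domain?
80/tcp open http lighttpd 1.4.13
139/tcp* open tcpwrapped
445/tcp* open netbios-ssn
548/tcp* open afpovertcp?
554/tcp* open rtsp?
7070/tcp* open realserver?
10000/tcp* open snet-sensor-mgmt?
"""

# Constructed sample: the thread's third scan (from a VPN, i.e. truly outside).
SCAN_FROM_OUTSIDE = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.63
80/tcp open http lighttpd 1.4.13
"""


def parse_open_tcp_ports(nmap_text: str) -> Dict[int, str]:
    """Return {port: service} for every TCP port the output lists as open."""
    ports: Dict[int, str] = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m["proto"] == "tcp" and m["state"] == "open":
            ports[int(m["port"])] = m["service"]
    return ports


def compare_vantage_points(inside: str, outside: str) -> Dict[str, Dict[int, str]]:
    """Bucket open ports by which vantage point(s) could see them."""
    seen_inside = parse_open_tcp_ports(inside)
    seen_outside = parse_open_tcp_ports(outside)
    return {
        # Reachable from the Internet: should match the forward list exactly.
        "from_both": {p: s for p, s in seen_outside.items() if p in seen_inside},
        # Only visible when the scan starts on the LAN: hairpin / ALG artefacts.
        "inside_only": {p: s for p, s in seen_inside.items() if p not in seen_outside},
        # Visible from outside but not from inside: unexpected, investigate.
        "outside_only": {p: s for p, s in seen_outside.items() if p not in seen_inside},
    }


def unexpected_exposure(outside: str, forwarded: set[int]) -> Dict[int, str]:
    """Ports open from the Internet that are not in the set you meant to forward."""
    return {p: s for p, s in parse_open_tcp_ports(outside).items() if p not in forwarded}


def proxy_accepted_ports(nmap_text: str) -> Dict[int, str]:
    """Open ports nmap labelled 'tcpwrapped': the TCP handshake completed but the
    peer closed the connection without sending data, which is how a proxy or ALG
    with nothing behind it looks to a version scan."""
    return {p: s for p, s in parse_open_tcp_ports(nmap_text).items() if s == "tcpwrapped"}


if __name__ == "__main__":
    buckets = compare_vantage_points(SCAN_FROM_INSIDE, SCAN_FROM_OUTSIDE)
    for name, ports in buckets.items():
        print(f"{name:13s} {sorted(ports)}")
    print("tcpwrapped from inside :", sorted(proxy_accepted_ports(SCAN_FROM_INSIDE)))
    print("unexpected from outside:", unexpected_exposure(SCAN_FROM_OUTSIDE, {22, 25, 80}))
```

Only the outside scan is authoritative for what the Internet can reach; the inside-only bucket is informational. When re-running the scans, `nmap -sV --reason` prints the packet that caused each state decision, which makes the "open but tcpwrapped" proxy ports easy to tell apart from a real service.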

Apr 10, 2007 11:22 PM in response to jhw

Well, I'm not quite following you, but the parts I am following make sense. Let's take this one part at a time:

plus the ports that are open with the WAN address via hairpinning from the LAN side of the AirPort (53, 139, 445, 548 and 10000; 5009 is only available at the LAN address and not by hairpinning)

I'm not quite following this. I'm scanning my network via my domain name, so the signal needs to come back in through the WAN port (this, I take it, is what the term hairpinning means). Why, then, do I see open ports that should only be open within the LAN? Does the router know that these particular packets originated internally and thus treat them differently?

I imagined that something like this might be possible, hence the second scan.

In the second scan, you're seeing all the ports your friend mapped (22, 25, 80 and 993) plus all the ports redirected into the ALG proxies from your LAN side (21, 554 and 7070).

As I understand it (and I'm probably not fully understanding it here) the ALG allows traffic through for applications. Why would it be letting packets through to port 21 (for example) in my friend's network? Why would it let those packets through when I scan from my network, but not when I scan from the VPN I'm connected to?

In the third scan, you're seeing only the ports you mapped (22, 25 and 80).
What's the problem?

Yes, the third scan behaves precisely the way I expected the first two scans to behave. What I'm confused about is that the three scans are behaving differently. It sounds like you know the answer to this, but I'm not fully following you.

What particular security risk are you concerned about?

I hope I didn't give the impression that I was trying to point out a security "flaw" I'd found. Obviously the "risk" would be if it's somehow possible to get packets through to my local network to ports I thought I'd closed to the outside world (such as ftp). I have been totally unable to do this, and I have no evidence of some specific exploit.

Rather, my method of securing my network is working differently from how I expected it to. Perhaps my old router would have worked this way as well, but I happened to buy this router at the same time that I decided to set up a server and open up a few ports to the outside world. My old scheme was simply to close all ports, both on the machines themselves and on the firewall. I was scanning to see if my network was working the way I expected it to, and it does not.

Macbook, intel imac, B&W G4 Mac OS X (10.4.9)

Apr 11, 2007 9:49 AM in response to MCBenson

Does the router know that these particular packets originated internally and thus treat them differently?

Yes.

Why would it be letting packets through to port 21 (for example) in my friend's network?

It isn't. You're seeing the side-effect of the redirection at your own network. You don't see it when you initiate the scan from outside.

Yes, the third scan behaves precisely the way I expected the first two scans to behave. What I'm confused about is that the three scans are behaving differently. It sounds like you know the answer to this, but I'm not fully following you.

It's a side-effect of the way ALGs work in the NAT. Explaining how it works is way beyond the scope of what I'm prepared to do in a forum like this.

Rather, my method of securing my network is working differently from how I expected it to.

I was curious to know why you didn't expect to see a difference in the port scan results depending on which address realm you used to initiate the scan.

Jul 8, 2007 4:13 PM in response to MCBenson

I'm getting the same here.

I scanned a remote server (which I'm an admin of) from our office and see the ports ftp, ssh, and http open, as shown by nmap. Looks normal. I know these services are running.

But when I scanned the same server from home (behind an AirPort Extreme) I get the following extra ports:

PORT     STATE    SERVICE
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp
623/tcp  filtered unknown
664/tcp  filtered unknown
7070/tcp open     realserver

I know it's not a security issue on the server. But this makes the nmap results "dirtier".