Help with NMAP

# 1  
Old 04-01-2013
Help with NMAP

I'm seeing a persistent address showing up on my firewall router logs. The address is 10.98.115.9:67, and it is broadcasting to 255.255.255.255. I know that this would typically signal a BOOTP service, such as a bootp server announcing itself on the network, but I can't isolate which machine it is. I have only one machine running and have turned off the standalone wireless router and the switch, but it continues to show up. I ran nmap against it, and it automatically included another, completely different, IP in the scan. It's got me baffled. Here's the output:

Code:
Ximian1 FC30-3DA9 # nmap -v -unprivilege - Pn 10.98.115.9

Starting Nmap 6.00 at 2013-04-01 18:03 PDT
Invalid target host specification: -
Initiating Ping Scan at 18:03
Scanning 2 hosts [2 ports/host]
Completed Ping Scan at 18:03, 2.35s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 18:03
Completed Parallel DNS resolution of 2 hosts. at 18:03, 0.04s elapsed
Nmap scan report for 10.98.115.9 [host down]
Initiating Connect Scan at 18:03
Scanning Pn (80.68.93.100) [1000 ports]
Discovered open port 587/tcp on 80.68.93.100
Discovered open port 25/tcp on 80.68.93.100
Discovered open port 110/tcp on 80.68.93.100
Discovered open port 22/tcp on 80.68.93.100
Discovered open port 995/tcp on 80.68.93.100
Discovered open port 53/tcp on 80.68.93.100
Discovered open port 21/tcp on 80.68.93.100
Discovered open port 80/tcp on 80.68.93.100
Completed Connect Scan at 18:04, 16.47s elapsed (1000 total ports)
Nmap scan report for Pn (80.68.93.100)
Host is up (0.17s latency).
rDNS record for 80.68.93.100: tedside.pitcairn.net.pn
Not shown: 988 closed ports
PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
25/tcp  open     smtp
53/tcp  open     domain
80/tcp  open     http
110/tcp open     pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
587/tcp open     submission
593/tcp filtered http-rpc-epmap
995/tcp open     pop3s

Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (1 host up) scanned in 18.90 seconds

Can anyone shed light on this behavior?

PS: it's not a one-off thing; I ran it several times and every time it did the same.
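The output above shows what happened: nmap rejected the stray `-` as a target and resolved `Pn` as a hostname (the rDNS line ends in .pn), so the intended `-Pn` option became a second target. As an added example, not from the thread, here is a Python scope check that parses nmap's verbose output and flags hosts that were scanned but not on the intended target list; the sample input is the relevant lines of the output quoted above.

```python
import re

# Sample input: the relevant lines from the nmap -v run quoted in the thread.
NMAP_OUTPUT = """\
Starting Nmap 6.00 at 2013-04-01 18:03 PDT
Invalid target host specification: -
Initiating Ping Scan at 18:03
Scanning 2 hosts [2 ports/host]
Nmap scan report for 10.98.115.9 [host down]
Initiating Connect Scan at 18:03
Scanning Pn (80.68.93.100) [1000 ports]
Nmap scan report for Pn (80.68.93.100)
Host is up (0.17s latency).
Nmap done: 2 IP addresses (1 host up) scanned in 18.90 seconds
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Matches "Nmap scan report for 10.98.115.9 [host down]"
# and     "Nmap scan report for Pn (80.68.93.100)"
REPORT_RE = re.compile(
    r"^Nmap scan report for (\S+?)(?: \(" + IPV4 + r"\))?(?: \[host down\])?$"
)
INVALID_RE = re.compile(r"^Invalid target host specification: (.+)$")


def parse_targets(output):
    """Return ({ip: name_as_given}, [rejected target tokens]) from nmap -v output."""
    hosts, rejected = {}, []
    for line in output.splitlines():
        m = INVALID_RE.match(line)
        if m:
            rejected.append(m.group(1))
            continue
        m = REPORT_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            # When nmap resolved a name, key by the resolved IP; else the token was an IP.
            hosts[ip or name] = name
    return hosts, rejected


def out_of_scope(output, intended):
    """Hosts nmap actually reported on that were not in the intended target set."""
    hosts, _ = parse_targets(output)
    return {ip: name for ip, name in hosts.items() if ip not in intended}
```

Running `out_of_scope(NMAP_OUTPUT, {"10.98.115.9"})` reports 80.68.93.100 (scanned under the name `Pn`) as out of scope, and `parse_targets` lists `-` as the rejected token.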
# 2  
Old 04-02-2013
Have you checked with lsof -i to see which application might be using this address?
# 3  
Old 04-02-2013
Thanks for the suggestion. I ran it but didn't see anything running at that address. Here's the output:

Code:
Ximian1 neo # lsof -i
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd        996   root    3u  IPv4     9497      0t0  TCP *:ssh (LISTEN)
sshd        996   root    4u  IPv6     9499      0t0  TCP *:ssh (LISTEN)
smbd       1024   root   27u  IPv6     9589      0t0  TCP *:microsoft-ds (LISTEN)
smbd       1024   root   28u  IPv6     9590      0t0  TCP *:netbios-ssn (LISTEN)
smbd       1024   root   29u  IPv4     9591      0t0  TCP *:microsoft-ds (LISTEN)
smbd       1024   root   30u  IPv4     9592      0t0  TCP *:netbios-ssn (LISTEN)
cupsd      1087   root   10u  IPv6     8909      0t0  TCP ip6-localhost:ipp (LISTEN)
cupsd      1087   root   11u  IPv4     8910      0t0  TCP localhost:ipp (LISTEN)
avahi-dae  1093  avahi   13u  IPv4     9565      0t0  UDP *:mdns 
avahi-dae  1093  avahi   14u  IPv6     9566      0t0  UDP *:mdns 
avahi-dae  1093  avahi   15u  IPv4     9567      0t0  UDP *:54012 
avahi-dae  1093  avahi   16u  IPv6     9568      0t0  UDP *:52840 
dhclient   1133   root    6u  IPv4     9749      0t0  UDP *:bootpc 
dhclient   1133   root   20u  IPv4     9729      0t0  UDP *:48744 
dhclient   1133   root   21u  IPv6     9730      0t0  UDP *:6551 
dnsmasq    1166 nobody    4u  IPv4     9820      0t0  UDP Ximian1:domain 
dnsmasq    1166 nobody    5u  IPv4     9821      0t0  TCP Ximian1:domain (LISTEN)
nmbd       1468   root    9u  IPv4     9143      0t0  UDP *:netbios-ns 
nmbd       1468   root   10u  IPv4     9144      0t0  UDP *:netbios-dgm 
nmbd       1468   root   11u  IPv4     9146      0t0  UDP Ximian1.local:netbios-ns 
nmbd       1468   root   12u  IPv4     9147      0t0  UDP 10.0.0.255:netbios-ns 
nmbd       1468   root   13u  IPv4     9148      0t0  UDP Ximian1.local:netbios-dgm 
nmbd       1468   root   14u  IPv4     9149      0t0  UDP 10.0.0.255:netbios-dgm 
ntop       1688   ntop    1u  IPv4    10756      0t0  TCP *:3000 (LISTEN)
master     1805   root   12u  IPv4    10900      0t0  TCP localhost:smtp (LISTEN)
master     1805   root   13u  IPv6    10901      0t0  TCP ip6-localhost:smtp (LISTEN)
miniserv.  2007   root    6u  IPv4    11530      0t0  TCP *:9000 (LISTEN)
miniserv.  2007   root    7u  IPv4    11531      0t0  UDP *:10000 
firefox    7146    neo  108u  IPv4 32031929      0t0  TCP Ximian1.local:46317->nuq04s08-in-f25.1e100.net:https (ESTABLISHED)
firefox    7146    neo  129u  IPv4    62573      0t0  TCP Ximian1.local:55370->nuq04s07-in-f21.1e100.net:https (ESTABLISHED)
firefox    7146    neo  196u  IPv4 32030638      0t0  TCP Ximian1.local:54106->ec2-184-73-124-237.compute-1.amazonaws.com:http (ESTABLISHED)
vsftpd    13225   root    3u  IPv4 32237311      0t0  TCP *:ftp (LISTEN)

# 4  
Old 04-02-2013
Some service/application must be responsible for the connection. Try to stop the services (I would start with smbd/nmbd) one by one and check again...
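Alongside hunting for the responsible process, a defender would want the router logs themselves to flag this pattern. As an added example (not from the thread), here is Python detection logic run over constructed iptables-style log lines: it flags hosts sending DHCP/BOOTP server traffic (UDP source port 67) to the broadcast address that are not on a known-server allowlist, and notes when the source lies outside the local subnet, as 10.98.115.9 does relative to the 10.0.0.x network visible in the lsof output. The log format and the sample addresses other than 10.98.115.9 are assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (iptables LOG style; not the poster's actual logs).
FW_LOG = """\
Apr  1 18:01:02 router kernel: IN=eth0 PROTO=UDP SRC=10.0.0.1 DST=255.255.255.255 SPT=67 DPT=68
Apr  1 18:01:05 router kernel: IN=eth0 PROTO=UDP SRC=10.98.115.9 DST=255.255.255.255 SPT=67 DPT=68
Apr  1 18:01:09 router kernel: IN=eth0 PROTO=UDP SRC=10.0.0.23 DST=255.255.255.255 SPT=68 DPT=67
Apr  1 18:01:40 router kernel: IN=eth0 PROTO=TCP SRC=10.0.0.23 DST=10.0.0.1 SPT=46317 DPT=443
Apr  1 18:02:11 router kernel: IN=eth0 PROTO=UDP SRC=10.98.115.9 DST=255.255.255.255 SPT=67 DPT=68
Apr  1 18:02:30 router kernel: IN=eth0 PROTO=UDP SRC=10.0.0.50 DST=255.255.255.255 SPT=67 DPT=68
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
BOOTPS_PORT = "67"   # DHCP/BOOTP server side; clients send from 68
BROADCAST = "255.255.255.255"


def parse_line(line):
    """Pull the KEY=VALUE fields out of one log line."""
    return dict(FIELD_RE.findall(line))


def find_rogue_dhcp(log, local_nets, known_servers):
    """Return {src: {"count": n, "off_subnet": bool}} for hosts that broadcast
    from the DHCP server port and are not on the known-server allowlist."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = {}
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or f.get("SPT") != BOOTPS_PORT:
            continue
        if f.get("DST") != BROADCAST or f.get("SRC") in known_servers:
            continue
        src = f["SRC"]
        addr = ipaddress.ip_address(src)
        entry = hits.setdefault(src, {"count": 0, "off_subnet": True})
        entry["count"] += 1
        # A server address outside every local subnet is a stronger misconfiguration signal.
        entry["off_subnet"] = not any(addr in n for n in nets)
    return hits
```

With `local_nets=["10.0.0.0/24"]` and `known_servers={"10.0.0.1"}`, the sample flags 10.98.115.9 twice as an off-subnet DHCP talker and 10.0.0.50 once as an unlisted server on the local subnet; the client message from port 68 and the TCP line are ignored.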