
I'm testing some vulnerabilities on a machine which has port 22333 open (it's used as the SSH port, and I can connect to it without any problem; the telnet command gets connected):

$ telnet  x.x.x.x 22333
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2

But when I use nmap against that machine, it doesn't detect that port as listening:

$ sudo nmap -p 22000-23000 -sT x.x.x.x
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-03 19:54 CEST
Nmap scan report for x.x.x.x
Host is up (0.00014s latency).
All 1001 scanned ports on x.x.x.x are filtered
Nmap done: 1 IP address (1 host up) scanned in 21.50 seconds

Any clue about why nmap doesn't detect the port 22333?

Toni
  • First, try using an updated version of nmap. Second, try with `-sV`. You might also want to try the other scan types: `-sS` – schroeder Jun 03 '15 at 18:09
  • I tried the -sS option with the same result. And now I've tried the -sV one, and this one has detected it. – Toni Jun 03 '15 at 18:21
  • Great: the `-sV` connects and waits to get a response, just like your telnet connection. It slows down your scans, is very noisy on the target, but gives better results. – schroeder Jun 03 '15 at 18:34
  • `-sV` should not make a difference, since it does not run unless `-sS` or `-sT` detect the port to be open. Maybe there is some instability in the service that makes it not available all the time? – bonsaiviking Jun 03 '15 at 19:22
  • I would try to scan the specific port with nmap (-p 22333), and watch the traffic with tcpdump (tcpdump -nnei port 22333 and host x.x.x.x) to understand what's happening. Is it possible to get a tcpdump output in this scenario? – Dog eat cat world Jun 04 '15 at 11:01
  • My first guess is that the host is not ICMP reachable, nor does it run TCP ports 80 or 443, thus the host is skipped due to a lack of the -Pn flag. My second guess is that the parallelism and/or scan-delay defaults of T3 timing aren't sufficiently picking up the port, so try -T2 --scan-delay 1s, -T1, or even -T0 – atdre Jun 04 '15 at 19:49
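The comments above boil down to one check: does a plain TCP connect plus banner read (what telnet did) succeed where nmap's connect scan reports "filtered", and does the answer change when probes are spaced out (`--scan-delay`) or the pre-scan ping is skipped (`-Pn`)? The following is an added example, not code from the original post or from nmap: a minimal connect scanner that classifies each port the way nmap does (connect succeeds = open, RST/ECONNREFUSED = closed, no reply before the timeout = filtered), grabs the banner on open ports, and takes a per-probe delay. It assumes nothing about the x.x.x.x host; the demo runs against a local listener that sends a constructed SSH banner. The helper `start_banner_listener` exists only for that local demo.

```python
"""Minimal TCP connect scan with banner grab (added example, not from the post).

Assumptions: a port is 'open' if connect() succeeds, 'closed' if the peer
answered with RST (ECONNREFUSED), and 'filtered' if nothing came back before
the timeout, which is the same meaning nmap gives to 'filtered' for -sT.
"""
import socket
import threading
import time


def probe_port(host, port, timeout=2.0, banner_wait=1.0):
    """Return (state, banner) for one port; state is 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", b""          # no SYN-ACK and no RST before the timeout
    except ConnectionRefusedError:
        s.close()
        return "closed", b""            # peer sent RST
    except OSError:
        s.close()
        return "filtered", b""          # host/net unreachable: nothing from the port itself
    # Connected: wait briefly for a server-first banner, exactly as telnet showed for SSH
    s.settimeout(banner_wait)
    banner = b""
    try:
        banner = s.recv(256)
    except (socket.timeout, OSError):
        pass
    s.close()
    return "open", banner.strip()


def scan_range(host, first, last, delay=0.0, timeout=2.0):
    """Sequential connect scan over [first, last]; `delay` plays the role of --scan-delay."""
    results = {}
    for port in range(first, last + 1):
        results[port] = probe_port(host, port, timeout=timeout)
        if delay:
            time.sleep(delay)
    return results


def start_banner_listener(banner, host="127.0.0.1"):
    """Demo helper (assumption, not part of nmap): local listener that sends `banner`
    to every client and closes. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # server socket closed, stop serving
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    # Constructed data: a local fake SSH service, not the x.x.x.x host from the question.
    srv, port = start_banner_listener(b"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\r\n")
    for p, (state, banner) in scan_range("127.0.0.1", port - 1, port + 1, delay=0.1).items():
        print(p, state, banner.decode(errors="replace"))
    srv.close()
```

Run it against the real target with `scan_range("x.x.x.x", 22333, 22333)` first, then with the whole 22000-23000 range and `delay=0`: if the single port comes back "open" with the SSH banner but the fast sweep turns it "filtered", something in the path is dropping probes once they arrive quickly, which is what the timing and `--scan-delay` suggestion in the comments is probing for; a tcpdump on the same port, as suggested above, shows whether the SYN-ACK ever left the target.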

1 Answer


Which version of nmap are you using?

Run

nmap --version

to find out.

If the version in your repository is outdated you can grab the sources and compile them on your own:

$ tar zxvf nmap-6.47.tgz
$ cd nmap-6.47
$ ./configure
$ make
# make install

You can also increase the verbosity level by setting the -v [1..6] flag in order to get a better view of what nmap is doing. For example:

nmap -sT -p 22000-23000 -v6 x.x.x.x
Sebi