Purely for research purposes I used nmap to check the security of my application deployed to Firebase. However, there are some questions which I can’t understand:
- Why does Firebase have so many open ports? Something like a few hundred.
- On almost every port I’m getting an error auth-owners: ERROR: Script execution failed without any information about it. Why is that? The only ones which give some information are the following ports: 80, 443, 5269, and 65389.
- Is TCP Sequence Prediction difficulty=17 and Network Distance 2 hops a good or bad result?
- What does ssl-date: TLS randomness does not represent time mean?
- What does IP ID Sequence Generation: Incremental mean?
- What are Aggressive OS guesses?
- I could see the few hundred open ports only after the first scan, and later on couldn’t replicate this. Is it possible that Firebase/Google closed the ports or blocked me for some of them? In the second scan and every other I could see only information about open ports 80 and 443 with a log “Not shown: 998 filtered ports”.
- I did test this on Kali Linux using VirtualBox. In the nmap output I can see Running: Oracle Virtualbox, OS CPE: cpe:/o:oracle:virtualbox, OS details: Oracle Virtualbox. Is that about my system or the scanned website hosted on Firebase?
Even answers for some of these questions would be really appreciated!
On the Nmap home page in my language, I can see -sP scan, but on the English version of the site, I can’t see it. But I see -sn that looks very similar, I want to understand what’s the difference.
I’m currently enumerating a VM the results of which show me two open ports 22 and 3306 with SSH and mysql being the services running on them. However, when I further investigate 3306 with Metasploit or nmap using the various mysql scripts I receive errors. Is this due to the service on 3306 not actually being mysql?
Thanks for any help,
When I run a server test with nmap (version 7.70) I get the following output:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
As far as I know, the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher has the secp384r1 specification (eq. 7680 bits RSA). Is it some error of
I mean, why are tools needed for pen-testing? I’ve hacked websites using plain XSS and SQL injections. I didn’t require any tools such as the ones I listed above. Now that I want to progress further and improve my overall flexibility as a pen-tester, I seek an answer to this question.
I ran an nmap -sn scan on a host, and nmap reported the host as down. I then pinged the same host with ping and got ICMP responses. I’m confused, because I was sure that -sn, among other things, did an ICMP
Output from my two commands:
~ $ nmap -sn 192.168.1.237
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-16 09:35 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.00 seconds
~ $ ping 192.168.1.237
PING 192.168.1.237 (192.168.1.237) 56(84) bytes of data.
64 bytes from 192.168.1.237: icmp_seq=1 ttl=128 time=9.82 ms
64 bytes from 192.168.1.237: icmp_seq=2 ttl=128 time=5.25 ms
64 bytes from 192.168.1.237: icmp_seq=3 ttl=128 time=2.95 ms
64 bytes from 192.168.1.237: icmp_seq=4 ttl=128 time=9.10 ms
^C
--- 192.168.1.237 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 2.957/6.785/9.826/2.810 ms
Any ideas why Nmap could be confused? I’m running the scan from my Ubuntu 16.04 box; the target is a Windows 10 machine.
Is it possible to make a server respond with irrelevant data if it is scanned with Nmap? If yes, are there any examples of such software?
I’m running kali and metasploitable2 in Virtualbox, and have them connected via the host-only networking mode. I can ping and ssh from kali to metasploitable, and have assigned the following IP addresses: 192.168.56.1 (kali) and 192.168.56.13 (metasploitable). For some reason, I was unable to see most open ports when running a simple scan:
kali$ nmap -sV 192.168.56.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-16 09:04 CEST
Nmap scan report for 22.214.171.124
Host is up (0.011s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http?
443/tcp  open  https?
8080/tcp open  http-proxy?
But if I open another shell and run the same command I get a very different result:
kali$ nmap -sV 192.168.56.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-16 09:05 CEST
Nmap scan report for 192.168.56.13
Host is up (0.00029s latency).
Not shown: 977 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp  open  telnet      Linux telnetd
25/tcp  open  smtp        Postfix smtpd
53/tcp  open  domain      ISC BIND 9.4.2
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open  rpcbind     2 (RPC #100000)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open  exec        netkit-rsh rexecd
--- snip ----
This is potentially very much a beginner question, but what could be giving these differences between the shells? The env variables were identical in both.
So I have a live host on 192.168.0.151 on my local network. I know it’s live since I’ve set it up with a static IP and also get a reply if I ping it.
Now the weird thing is, when I run nmap -sP 192.168.0.151 I can see that the host is indeed up, but when running nmap -sP 192.168.0.1/24 it goes straight past it and shows that it’s down. I’ve tried this same exact thing using arp and the Python module called scapy, and I seem to consistently have the same issue where I cannot for some reason specify an IPv4 range to do an ARP request on….
What I do in scapy is:
#!/usr/bin/env python
import scapy.all as scapy
# ARP-ping every host in the /24 (needs root); prints answered and unanswered hosts
scapy.arping("192.168.0.1/24")
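An added example, not from the original post and not scapy’s own code: the same ARP sweep over a CIDR range that scapy.arping() performs, written against a Linux AF_PACKET raw socket so the request frame, the reply parsing and the per-pass retry are visible for a host-inventory check. The interface name, source MAC and source IP in the main block are assumed placeholders, and the sweep needs root.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): ARP sweep of a CIDR range,
like scapy.arping(), on a Linux AF_PACKET raw socket. Needs root."""
import ipaddress
import select
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6

def build_arp_request(src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Ethernet + ARP 'who-has dst_ip tell src_ip' frame (42 bytes)."""
    eth = struct.pack("!6s6sH", BROADCAST, src_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,  # hw=Ethernet, proto=IPv4, opcode=request
                      src_mac, socket.inet_aton(src_ip),
                      b"\x00" * 6, socket.inet_aton(dst_ip))
    return eth + arp

def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an ARP reply frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode, sha, spa = struct.unpack("!H6s4s", frame[20:32])
    if opcode != 2:  # 2 = reply
        return None
    return sha.hex(":"), socket.inet_ntoa(spa)

def arp_sweep(iface: str, src_mac: bytes, src_ip: str, cidr: str,
              timeout: float = 2.0, passes: int = 2) -> dict:
    """Broadcast one request per host in cidr; re-ask silent hosts on later passes."""
    hosts = {str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()}
    found = {}
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    for _ in range(passes):
        for ip in hosts - set(found):
            sock.send(build_arp_request(src_mac, src_ip, ip))
        while select.select([sock], [], [], timeout)[0]:  # drain until idle
            reply = parse_arp_reply(sock.recv(65535))
            if reply and reply[1] in hosts:
                found[reply[1]] = reply[0]
    sock.close()
    return found

if __name__ == "__main__":  # placeholders: your interface, its MAC and IPv4 address
    print(arp_sweep("eth0", bytes.fromhex("001122334455"), "192.168.0.2", "192.168.0.1/24"))
```

A host that is missing from the result after both passes has not answered at all, which lets you separate "no ARP reply" from a tool or range-parsing problem.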
I need to block all communication (inbound/outbound) from server A to server B (all ports/all protocols). Server A should communicate with every machine except server B. I can’t place firewall rules on server B, so I have placed all rules on server A.
I have done the following on server A:
- First I disabled all default firewall rules (inbound/outbound) on server A. (This is required.)
- Then I created an inbound rule that allows access from anywhere.
- Then I created an inbound rule that denies access from server B (all protocols/ports).
- Then I created an outbound rule that denies access to server B (all protocols/ports).
I have tested that the access is restricted via ping from both servers, and it seemed to work. But then I installed Nmap on server A and scanned server B. My assumption was that Nmap would not be able to scan server B, as the firewall would block it. But Nmap is able to scan open ports of server B. How is that possible?
Windows Server 2008 is installed on both machines.