Firebase ports scanning using nmap

Purely for research purposes used nmap to check security of my application deployed to Firebase. However, there some questions which I can’t understand:

  1. Why Firebase has open so many ports? Something like few hundreds.
  2. Almost on every port I’m getting an error auth-owners: ERROR: Script execution failed without any information about it. Why is that? The only one which gives some information are the following ports: 80, 443, 5269, and 65389.
  3. Is TCP Sequence Prediction difficulty=17 and Network Distance 2 hops a good or bad result?
  4. What means ssl-date: TLS randomness does not represent time?
  5. What means IP ID Sequence Generation: Incremental?
  6. What are Aggressive OS guesses?
  7. I could see the open few hundreds of ports only after first scan, later on couldn’t replicate this. Is it possible that Firebase/Google closed the ports or blocked me for some of them? In second scan and every other I could see only information about open ports 80, and 443 with a log “Not shown: 998 filtered ports”.
  8. I did test this on Kali Linux using VirtualBox. In the nmap output I can see Running: Oracle Virtualbox, OS CPE: cpe:/o:oracle:virtualbox, OS details: Oracle Virtualbox, is it about my system or the scanned website hsoted on Firebase?

Even answers for some of this questions would be already really appreciated!

nmap and service detection

I’m currently enumerating a VM the results of which show me two open ports 22 and 3306 with SSH and mysql being the services running on them. However, when I further investigate 3306 with Metasploit or nmap using the various mysql scripts I receive errors. Is this due to the service on 3306 not actually being mysql?

Thanks for any help,

Angus

nmap error or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is secp384r1?

Hen I run server test with nmap (version 7.70) I got such an output:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A 

As I know, the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 chipher has secp384r1 specification (eq. 7680 bits RSA). Is it some errer of nmap?

NMAP discovery scan reporting host offline, pinging the same host gets ICMP responses

I ran an nmap -sn scan on a host, and nmap reported the host as down. I then pinged the same host with ping and got ICMP responses. I’m confused, because I was sure that -sn among other things, did an ICMP echo request.

Output from my two commands:

~ $   nmap -sn 192.168.1.237   Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-16 09:35 BST Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 3.00 seconds  ~ $   ping 192.168.1.237 PING 192.168.1.237 (192.168.1.237) 56(84) bytes of data. 64 bytes from 192.168.1.237: icmp_seq=1 ttl=128 time=9.82 ms 64 bytes from 192.168.1.237: icmp_seq=2 ttl=128 time=5.25 ms 64 bytes from 192.168.1.237: icmp_seq=3 ttl=128 time=2.95 ms 64 bytes from 192.168.1.237: icmp_seq=4 ttl=128 time=9.10 ms ^C --- 192.168.1.237 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 2.957/6.785/9.826/2.810 ms 

Any ideas why NMAP could be confused? I’m running the scan from my Ubuntu 16.04 box, the target is a Windows 10.

nmap gives different results in two shells on the same computer

I’m running kali and metasploitable2 in Virtualbox, and have them connected via the host-only networking mode. I can ping and ssh from kali to metasploitable, and have assigned the following IP addresses: 192.168.56.1 (kali) and 192.168.56.13 (metasploitable). For some reason, I was unable to see most open ports when running a simple scan:

kali$   nmap -sV 192.168.56.13 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-16 09:04 CEST Nmap scan report for 198.168.56.13 Host is up (0.011s latency). Not shown: 997 filtered ports PORT     STATE SERVICE     VERSION 80/tcp   open  http? 443/tcp  open  https? 8080/tcp open  http-proxy? 

But if I open another shell and run the same command I get a very different result:

kali$   nmap -sV 192.168.56.13 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-16 09:05 CEST Nmap scan report for 192.168.56.13 Host is up (0.00029s latency). Not shown: 977 closed ports PORT     STATE SERVICE     VERSION 21/tcp   open  ftp         vsftpd 2.3.4 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 23/tcp   open  telnet      Linux telnetd 25/tcp   open  smtp        Postfix smtpd 53/tcp   open  domain      ISC BIND 9.4.2 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2) 111/tcp  open  rpcbind     2 (RPC #100000) 139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 512/tcp  open  exec        netkit-rsh rexecd --- snip ---- 

This is a potentially very much a beginner question but what could be giving these differences between the shells? The env variables were identical in both.

NMAP not showing all live hosts

So I have a live host on 192.168.0.151 on my local network. I know it’s life since I’ve set it up with a static IP and also if pinged I get a reply.

Now the weird thing is when I run nmap -sP 192.168.0.151 I can see that the host is up indeed, but when running nmap -sP 192.168.0.1/24 it goes straight pass it and shows that it’s down.. I’ve trying this same exact thing using arp and python module called scapy and I seem to consistently have the same issue where I cannot for some reason specify an IPv4 range to do an arp request on….

what i do in scapy is:

#/usr/bin/env python  import scapy.all as scapy  scappy.arping("192.168.0.1/24") 

How can Nmap bypass Windows Server firewall rules?

I need to block all communication (inbound/outbound) from server A to server B (all ports/all protocols). Server A should communicate with every machine except server B. I can’t place firewall rules on server B, so I have placed all rules on server A.

I have done the following on server A:

  • First I disabled all default firewall rules (inbound/outbound) on server A. (This is required.)
  • Then I created an inbound rule that allow access from anywhere.
  • Then I created an inbound rule that deny access to server B (all protocols/ports).
  • Then I created an outbound rule that deny access to server B (all protocols/ports).

I have tested that the access is restricted via ping from both servers, and it seemed to work. But then I installed Nmap on server A and scanned server B. My assumption was that Nmap would not be able to scan server B, as the firewall would block it. But Nmap is able to scan open ports of server B. How is that possible?

Windows Server 2008 is installed on both machines.