
I am trying to determine why my nmap results are incorrect when I am connected to a VPN provider.

As you can see below, nmap reports that ports are open when connecting to a VPN provider, even though the host has no open ports.

Here's an example:

No VPN

root@localhost# nmap -vvv --open 156.145.28.186
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-31 11:41 EDT
Initiating Ping Scan at 11:41
Scanning 156.145.28.186 [2 ports]
Completed Ping Scan at 11:41, 3.01s elapsed (1 total hosts)
Read data files from: /usr/local/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds

Windscribe VPN

Shows TCP 443 open

root@localhost# nmap -vvv --open 156.145.28.186
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-31 11:40 EDT
Initiating Ping Scan at 11:40
Scanning 156.145.28.186 [2 ports]
Completed Ping Scan at 11:40, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:40
Completed Parallel DNS resolution of 1 host. at 11:40, 0.01s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 11:40
Scanning ariel.c2b2.columbia.edu (156.145.28.186) [1000 ports]
Discovered open port 443/tcp on 156.145.28.186
Completed Connect Scan at 11:40, 4.10s elapsed (1000 total ports)
Nmap scan report for ariel.c2b2.columbia.edu (156.145.28.186)
Host is up, received syn-ack (0.014s latency).
Scanned at 2021-05-31 11:40:34 EDT for 4s
Not shown: 999 filtered ports
Reason: 999 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds

Nord VPN

Shows TCP 80,443,5060,8080 open

root@localhost# nmap -vvv --open 156.145.28.186
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-31 12:00 EDT
Initiating Ping Scan at 12:00
Scanning 156.145.28.186 [2 ports]
Completed Ping Scan at 12:00, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:00
Completed Parallel DNS resolution of 1 host. at 12:00, 0.41s elapsed
DNS resolution of 1 IPs took 0.41s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 12:00
Scanning ariel.c2b2.columbia.edu (156.145.28.186) [1000 ports]
Discovered open port 443/tcp on 156.145.28.186
Discovered open port 8080/tcp on 156.145.28.186
Discovered open port 80/tcp on 156.145.28.186
Discovered open port 5060/tcp on 156.145.28.186
Completed Connect Scan at 12:00, 4.09s elapsed (1000 total ports)
Nmap scan report for ariel.c2b2.columbia.edu (156.145.28.186)
Host is up, received syn-ack (0.028s latency).
Scanned at 2021-05-31 12:00:44 EDT for 4s
Not shown: 996 filtered ports
Reason: 996 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    REASON
80/tcp   open  http       syn-ack
443/tcp  open  https      syn-ack
5060/tcp open  sip        syn-ack
8080/tcp open  http-proxy syn-ack

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds
A_B

1 Answer


I think the VPN service is proxying those connections, hence the SYN ACK.

I tested the same thing:

Without VPN

nmap --version-intensity 0 -T4 -Pn -sTV 156.145.28.186 -vv -top-ports 1000
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-24 13:28 CST
NSE: Loaded 45 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 13:28
Completed Parallel DNS resolution of 1 host. at 13:28, 0.28s elapsed
Initiating Connect Scan at 13:28
Scanning ariel.c2b2.columbia.edu (156.145.28.186) [1000 ports]
Discovered open port 995/tcp on 156.145.28.186
Discovered open port 143/tcp on 156.145.28.186
Discovered open port 110/tcp on 156.145.28.186
Discovered open port 993/tcp on 156.145.28.186
Completed Connect Scan at 13:29, 4.93s elapsed (1000 total ports)
Initiating Service scan at 13:29
Scanning 4 services on ariel.c2b2.columbia.edu (156.145.28.186)

With VPN (Nord VPN)

nmap --version-intensity 0 -T4 -Pn -sTV 156.145.28.186 -vv -top-ports 1000
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-24 15:01 CST
NSE: Loaded 45 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 15:01
Completed Parallel DNS resolution of 1 host. at 15:01, 1.10s elapsed
Initiating Connect Scan at 15:01
Scanning ariel.c2b2.columbia.edu (156.145.28.186) [1000 ports]
Discovered open port 8080/tcp on 156.145.28.186
Discovered open port 110/tcp on 156.145.28.186
Discovered open port 80/tcp on 156.145.28.186
Discovered open port 993/tcp on 156.145.28.186
Discovered open port 443/tcp on 156.145.28.186
Discovered open port 995/tcp on 156.145.28.186
Discovered open port 143/tcp on 156.145.28.186
Discovered open port 5060/tcp on 156.145.28.186
Completed Connect Scan at 15:01, 4.83s elapsed (1000 total ports)
Initiating Service scan at 15:01
Scanning 8 services on ariel.c2b2.columbia.edu (156.145.28.186)
brakertech
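One way to check the proxying explanation, as an added example that is not part of the original answer: diff the open ports seen on the direct path against those seen through the VPN. The function names are hypothetical, and the sample input is the "Discovered open port" lines excerpted from the two scans in the answer above.

```python
import re

# nmap -v progress line, e.g. "Discovered open port 443/tcp on 156.145.28.186"
DISCOVERED = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on \S+$")

def open_ports(nmap_output):
    """Return the set of (port, proto) pairs nmap reported as open."""
    found = set()
    for line in nmap_output.splitlines():
        m = DISCOVERED.match(line.strip())
        if m:
            found.add((int(m.group(1)), m.group(2)))
    return found

def compare_paths(direct, tunnelled):
    """Diff a direct-path scan against scans taken through other paths.

    Ports that appear only through a tunnel were answered by something on
    that path (consistent with a proxying VPN), not necessarily by the target.
    """
    base = open_ports(direct)
    report = {}
    for label, text in tunnelled.items():
        seen = open_ports(text)
        report[label] = {
            "only_via_tunnel": sorted(seen - base),
            "missing_via_tunnel": sorted(base - seen),
        }
    return report

# Sample input: lines excerpted from the answer's two scans (not new data).
DIRECT = """\
Discovered open port 995/tcp on 156.145.28.186
Discovered open port 143/tcp on 156.145.28.186
Discovered open port 110/tcp on 156.145.28.186
Discovered open port 993/tcp on 156.145.28.186
"""
NORD = DIRECT + """\
Discovered open port 8080/tcp on 156.145.28.186
Discovered open port 80/tcp on 156.145.28.186
Discovered open port 443/tcp on 156.145.28.186
Discovered open port 5060/tcp on 156.145.28.186
"""

if __name__ == "__main__":
    for label, diff in compare_paths(DIRECT, {"Nord VPN": NORD}).items():
        print(label, diff)
```

The ports flagged as `only_via_tunnel` here are the same four that the question's Nord VPN scan reported as open.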