4

I have a C# application that I've written that listens on port 789. It is running on a Windows XP Professional computer. Running

netstat -an | find "789"

TCP    0.0.0.0:789            0.0.0.0:0              LISTENING

When I run nmap -A -vv ip on a different Linux machine (but same subnet) it only reports other ports open on the host (i.e. mysql, vnc, etc.), but not the port opened by my application.

However, when I run nmap -p 789 ip I get:

PORT     STATE   SERVICE
789/tcp  open  unknown

Why is there a difference between the two nmap scans? Is there anything I can do to ensure that nmap detects the open port when doing a full scan?

Andrew

4 Answers

8

By default, nmap only scans for "common" ports (the 1000 most common ports per protocol I believe). Since 789 is not a common port it isn't found. If you do

nmap -A -vv -p- ip

it should scan ports 1-65535.

Here is the nmap documentation that tells what ports are scanned by default: http://nmap.org/book/man-port-specification.html

MattB
  • The docs I found disagree with you, as I mention below in my answer. – mfinni Jun 04 '10 at 18:50
  • @mfinni: Link? I just and looked it up and the documentation I found agrees with me: http://nmap.org/book/man-port-specification.html – MattB Jun 04 '10 at 18:53
  • You're right - the documentation I found was for an older version. Seems like it was changed sometime after 2006. – mfinni Jun 04 '10 at 18:55
  • Is there a way to tell what the 1000 most common ports are? It seems I also read the documentation thinking -A was between 1 and 1024. – Andrew Jun 04 '10 at 19:02
  • @Andrew: there is a file called nmap-services that contains the information. There is a link to a description of the file/etc. in the documentation I linked. – MattB Jun 04 '10 at 19:08
  • -A doesn't scan those first few ports. Check my comment to mfinni's answer. – Dentrasi Jun 04 '10 at 19:12
1

The only way you could do that is to modify your nmap's services file, which isn't recommended. The -A option runs advanced options, including service detection, OS detection, tracerouting, etc - it doesn't scan the full range. If you want to scan all 65k ports, use the option -p-. Other than that, you've just got to specify the port with -p 789. Your best option is probably to create an alias that does nmap -p 789, to save yourself time.

If you really need to change the services file (/usr/local/share/nmap/nmap-services by default), find the line that reads unknown 789/tcp 0.000075 and replace it with your program's name, and put the number on the end at 0.9, so it's the top port nmap includes. An alias would be much better though.

Dentrasi
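Following up on MattB's comment that the default port list comes from the nmap-services file, and on Dentrasi's description of editing that file: the script below is an added example, not code from any answer or from the Nmap project. It parses a constructed excerpt in nmap-services format, ranks ports by open-frequency the way Nmap's top-N port selection does, reports which of a host's listening ports (as netstat would list them) a default scan would skip, and shows what the frequency edit Dentrasi describes changes. The sample entries, their frequencies (except the quoted 789/tcp line), and the function names are assumptions; the real file has thousands of entries and the default is the top 1000 per protocol.

```python
"""Which listening ports does a default nmap scan cover?

Added example, not part of the original thread.  nmap picks its default
ports by open-frequency from nmap-services (the same data behind --top-ports),
so a host's own netstat listing is the authoritative inventory, not a default scan.
"""
from dataclasses import dataclass

# Constructed excerpt in nmap-services format: name  port/proto  frequency  # comment
# The 789/tcp line is the one quoted in the thread; the rest are made up.
SAMPLE_SERVICES = """\
# constructed sample, not the real nmap-services file
ssh\t22/tcp\t0.182286\t# Secure Shell Login
http\t80/tcp\t0.484143\t# World Wide Web HTTP
mysql\t3306/tcp\t0.045390
vnc\t5900/tcp\t0.023560\t# Virtual Network Computer display 0
unknown\t789/tcp\t0.000075
domain\t53/udp\t0.213496
snmp\t161/udp\t0.433467
"""


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    port: int
    proto: str
    freq: float


def parse_services(text):
    """Parse nmap-services-style lines; '#' starts a comment, blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        entries.append(ServiceEntry(name, int(port), proto, float(freq)))
    return entries


def top_ports(entries, proto, n=1000):
    """The n highest-frequency ports for proto: what a default scan covers."""
    ranked = sorted((e for e in entries if e.proto == proto),
                    key=lambda e: e.freq, reverse=True)
    return [e.port for e in ranked[:n]]


def missed_by_default_scan(listening, entries, proto="tcp", n=1000):
    """Ports from a host's own listening set that the default top-n scan skips."""
    covered = set(top_ports(entries, proto, n))
    return sorted(p for p in listening if p not in covered)


def rewrite_entry(text, port, proto, new_name, new_freq):
    """Return the file text with one port/proto line renamed and re-weighted,
    i.e. the edit Dentrasi's answer describes (unknown 789/tcp -> name, 0.9)."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[1] == f"{port}/{proto}":
            out.append(f"{new_name}\t{port}/{proto}\t{new_freq:.6f}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_services(SAMPLE_SERVICES)
    listening = [22, 80, 789, 3306, 5900]  # constructed netstat inventory
    # n=3 stands in for nmap's real 1000 so the small sample shows the effect
    print("default (top 3) tcp:", top_ports(entries, "tcp", 3))
    print("skipped by default scan:", missed_by_default_scan(listening, entries, "tcp", 3))
    edited = parse_services(rewrite_entry(SAMPLE_SERVICES, 789, "tcp", "myapp", 0.9))
    print("after frequency edit:", top_ports(edited, "tcp", 3))
```

The point for a defender is that the default port list is a coverage heuristic tuned to what is common across the Internet, not a statement about what your host exposes. Inventory from the host itself, and when you audit with nmap use -p- (or an explicit -p list built from that inventory) rather than editing nmap-services, which only changes what one copy of nmap considers common.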
0

The nmap -A is the aggressive command, as it will run several scripts in the background, and that is the main reason why it will give you more results. It combines version detection -sV with operating system detection -O (capital letter O and not the number zero) and other discovery scripts. Nmap by default, if not given a specific port number, will scan the 1000 most common ports (these are specified in the nmap-services file, which you can edit). The aggressive command can be fed with the ports that you want to scan so you don't get the results for other ports besides the one you want to scan, TCP 789:

nmap -p 789 -A TARGET_IP_ADDRESS_OR_IP_RANGE

whereas if you want only to check if the port, 789 in your case, is open/closed/filtered:

nmap -p 789 TARGET_IP_ADDRESS_OR_IP_RANGE

Since -A executes several scripts and is loud (in network traffic terms), it gets easily flagged by IDSs and will most likely be blocked by firewalls or IPSs, and that can be one of the reasons that it does not give the correct port status.

nassim
0

I'm not sure. It is detecting it as "open", which is what you want right? So it is listening. Why it's not being found with -A, I'm not sure.

Edit - this is from old documentation that might not apply to your version. Run man nmap and let us know what version you have.

From the docs, I see :

"The default is to scan all ports between 1 and 1024 as well as any ports listed in the services file which comes with nmap."

So, 789 should be scanned, even if you don't have it in your services file (since it's labeled as "unknown", I'm sure it's not.)

Thus, I dunno. Check your man file for your version of nmap, maybe its behavior for which ports to scan using -A is different from the document I found?

This one is unlikely, but might be worth investigating - the difference may be in your user ID on the Linux machine. Privileged vs unprivileged users of Nmap have different default scan types. Users with root can do TCP SYN scans; users without will default to TCP connect().

mfinni