You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open.
Which one of the following statements is probably true?
A. The systems have all ports open.
B. The systems are running a host based IDS.
C. The systems are web servers.
D. The systems are running Windows.
Explanation:
The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned, and a null scan to an open port results in no response. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows as they choose not to respond at all. This is a good way to distinguish that the system being scanned is running Microsoft Windows.
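As an added example (not part of the original question or its comments), here is defender-side Python that parses raw TCP headers and flags a source that sends NULL, FIN or XMAS probes (the inverse scans under discussion) to many distinct ports. The packet list, IP addresses and the port threshold are constructed sample data.

```python
import struct
from collections import defaultdict

FLAG_FIN, FLAG_SYN, FLAG_PSH, FLAG_URG = 0x01, 0x02, 0x08, 0x20

# Flag patterns of Nmap's three inverse probes (-sN, -sF, -sX).
INVERSE_PROBES = {
    0: "NULL",                               # no flags set at all
    FLAG_FIN: "FIN",
    FLAG_FIN | FLAG_PSH | FLAG_URG: "XMAS",
}

def build_tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed test data, no IP layer)."""
    # src port, dst port, seq, ack, data offset (5 words) in the high nibble,
    # flags byte, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def parse_tcp_header(header):
    """Return (sport, dport, flags) from the fixed part of a TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", header[:14])
    return sport, dport, flags & 0x3F  # low six bits: URG ACK PSH RST SYN FIN

def detect_inverse_scans(packets, min_ports=5):
    """packets: iterable of (src_ip, tcp_header_bytes).
    Returns {(src_ip, probe_name): sorted ports} for every source that sent
    one kind of inverse probe to at least min_ports distinct ports."""
    seen = defaultdict(set)
    for src_ip, header in packets:
        _sport, dport, flags = parse_tcp_header(header)
        name = INVERSE_PROBES.get(flags)
        if name is not None:
            seen[(src_ip, name)].add(dport)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= min_ports}

# Constructed sample traffic: a null scan of 8 ports, ordinary SYNs, and 2 FIN probes.
SAMPLE = (
    [("10.0.0.5", build_tcp_header(40000 + i, 20 + i, 0)) for i in range(8)]
    + [("10.0.0.9", build_tcp_header(50000, p, FLAG_SYN)) for p in (80, 443, 22, 25, 110, 143)]
    + [("10.0.0.7", build_tcp_header(41000, p, FLAG_FIN)) for p in (80, 443)]
)

if __name__ == "__main__":
    for (src, kind), ports in detect_inverse_scans(SAMPLE).items():
        print(f"{kind} scan from {src}: {len(ports)} ports probed ({ports[0]}-{ports[-1]})")
```

Because a null probe carries no flags, it is a strong signal on its own; the per-source port count only cuts noise from a single malformed packet.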
That answer doesn’t make sense. If the port says OPEN then Nmap received NO RESPONSE from that scan. Windows doesn’t respond to any INVERSE SCANNING with no response, it ALWAYS responds with RST because it doesn’t implement RFC 793 like other OSes. So it can’t be Windows! If you scanned an internal windows box with just “nmap -sN {IP address}” it would tell you that that machine is UP but that all ports are closed! The golden CEH rule is Windows always responds with RST to inverse scans.
If the scan said OPEN|FILTERED (which was not said) then it can’t tell if it’s open or closed; you get that on *nix with some kind of device or something filtering packets. It might be tweaked to block port scanning, but inverse scans are more stealthy than even the stealth scan (-sS) that failed here. So whatever protection was used, it likely doesn’t have stateful packet inspection. So it’s likely the inverse scan beat the hids/hips. That’s what the scans are for!
That means either A or B is correct. You don’t know the syntax of the scan! Maybe they scanned ports open on all machines.
Read the inverse scanning section of Nmap http://nmap.org/book/man-port-scanning-techniques.html
Eddie Guerrero I was thinking the same thing…..