Discussion:
scan shows open ports as tcpwrapped
Fahad A. Saeed
2012-10-31 02:28:35 UTC
I had a scan task and I faced the following result (approx. for all ports, except
for the really used ones, i.e. SSL and SMTP):

Host is up (0.032s latency).
Scanned at 2012-10-25 16:06:38 AST for 856s
PORT STATE SERVICE VERSION
1/tcp open tcpwrapped
3/tcp open tcpwrapped
4/tcp open tcpwrapped
.
.
19/tcp open tcpwrapped
20/tcp open tcpwrapped
21/tcp open tcpwrapped
22/tcp open tcpwrapped
23/tcp open tcpwrapped
.
.
64623/tcp open tcpwrapped
64680/tcp open tcpwrapped
65000/tcp open tcpwrapped
65129/tcp open tcpwrapped
65389/tcp open tcpwrapped

Scan methodology was:

nmap -n -vv -A x.x.x.x --min-parallelism=50 --max-parallelism=150 -PN -T2 -oA x.x.x.x

I'm sure that this is a firewall's or load balancer's game. I tried many ways,
such as changing the source port, source IP, fragmentation, etc.

- Do you have any idea/suggestion to bypass this case and to identify the
real services behind the open ports?
- On the other hand, do you know how to do that in a firewall policy (on any
firewall)?

Thanks in advance.
Daniel Miller
2012-11-01 21:30:23 UTC
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Fahad,

I and several others answered you on security.stackexchange.com [1].
There is nothing to bypass here.

Dan

[1] http://security.stackexchange.com/questions/23407/how-to-bypass-tcpwrapped-with-nmap-scan
Fahad A. Saeed
2012-11-01 21:49:10 UTC
Thank you Dan for your response.
My colleague posted the question there.
The point is, for example, that one of the scanned machines is an MS Exchange
configured as OWA. The scan result was tcpwrapped for all ports, even for
SMTP and SSL.
This doesn't make sense. BTW, we are sure MS Exchange is working fine.
When I used the same scan syntax posted before but with --packet-trace, I
got all ports "closed". And I got all responses from the machine itself, not
from the LB\FW.
Another thing: in both syntaxes it shows the OS as F5 Big-IP, but again it
should be Windows.

I also tried to review all packets using tcpdump, and there is nothing there.
When a traceroute is performed, the traffic goes as follows:
Internet --> Core Router --> LB\FW --> the target (i.e. MS Exchange).

Thanks again for your response.
David Fifield
2012-11-01 23:03:22 UTC
My suggestion is to use -sT or --unprivileged. There appears to be
something spoofing the first part of the three-way handshake, but -sT
will require a full handshake to be completed before the port is
considered open.

David Fifield
Fahad A. Saeed
2012-11-02 07:46:05 UTC
Dear David,
Thank you for your response and suggestion.

I tried both -sT and -sA. With -sT I got the same result (tcpwrapped), and with
-sA I got unfiltered.
Also, I tried -S to spoof my IP address. I used multiple IPs (e.g. another
system in the same subnet, the firewall, and the main router). But unfortunately I
got the same result (tcpwrapped).
When I tried --packet-trace, it shows that I'm getting RST/ACK from the
target (here it's Windows with MS Exchange), and nmap gives me the suggested OS
as F5 Big-IP.
When I use different tools for port scanning (i.e. Nessus), it gives me all ports
OPEN, ALL PORTS!!

Thanks again David.
Daniel Miller
2012-11-03 22:21:23 UTC
-sT wouldn't help in this case, since "tcpwrapped" is a result from
version detection, which does a full TCP connection anyway.

Fahad, there is nothing to bypass here. It's a load balancer doing its
job. If you find out how to bypass it, you should report it as a major
vulnerability in the load balancer. Not everything can be bypassed,
thankfully.

Dan
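A small local model of what Dan and David describe, added here as an example (it is not code from the thread or from Nmap): one constructed listener completes the TCP handshake and closes straight away, which is what a load balancer or SYN proxy does for a port with no backend, and a second one answers like a real SMTP service. A SYN scan sees both as open; a connect-and-wait probe, which is what version detection does, tells them apart and labels the first one the way Nmap labels "tcpwrapped". Host, ports and the banner are all constructed for the demo.

```python
import socket
import threading

# Constructed stand-ins, not the poster's hosts: one listener closes right after
# the handshake (the load-balancer pattern), the other behaves like real SMTP.
def _listen(banner):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # ephemeral port, returned to the caller
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            if banner:
                conn.sendall(banner)
            conn.close()              # empty banner: close with no data at all
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, timeout=1.0):
    """Classify a port as version detection sees it (full connect, then wait)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed"               # RST answered our SYN
    except OSError:
        return "filtered"             # no answer at all
    try:
        data = s.recv(1024)
    except socket.timeout:
        return "open"                 # handshake done, service waits for us to speak
    except ConnectionResetError:
        return "tcpwrapped"           # RST right after the handshake
    finally:
        s.close()
    if data:
        return "open: " + data.decode(errors="replace").strip()
    return "tcpwrapped"               # FIN right after the handshake, no data

def demo():
    """The three cases from the thread: LB-proxied port, real SMTP, closed port."""
    proxied = _listen(b"")
    smtp = _listen(b"220 mail.example.test ESMTP\r\n")   # constructed banner
    with socket.socket() as tmp:      # grab a free port, then release it
        tmp.bind(("127.0.0.1", 0))
        closed = tmp.getsockname()[1]
    return {"proxied": probe("127.0.0.1", proxied),
            "smtp": probe("127.0.0.1", smtp),
            "closed": probe("127.0.0.1", closed)}
```

Run from behind the load balancer as well as in front of it: if the backend answers "closed" for a port the outside view reports as tcpwrapped, the difference is the proxy completing handshakes, which is the case this thread ends on.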
Fahad A. Saeed
2012-11-04 06:46:48 UTC
Greetings Dan,
This is what we ended up with. A mixed feeling between love and hate toward
load balancers.
Thanks again for your inputs.

Fahad