nmap shows TCP port 3128 open when it's not. #1338

Open
le-jawa opened this Issue Oct 2, 2018 · 2 comments

le-jawa commented Oct 2, 2018

I scanned a server today to make sure all ports were open after making host firewall changes. For some reason tcp/3128 showed up in the scan, rather unexpectedly. I checked the following to see if I could find any evidence that something had that port open:

  • netstat (nothing had 3128 open)

  • checked firewall status, as well as every firewall config I could find (nothing referenced tcp/3128)

  • the process list for proxy servers that might have it open. (nothing)

  • netcat to the port (no connection)

I'm pretty comfortable at this point that tcp/3128 is not actually open on the server.

OS: macOS 10.14 (Mojave)
nmap: v7.70

The port was "detected" on a CentOS 7.5 Linux server.

If anyone has any other suggestions for looking for the port, I'm open to suggestions; otherwise this one looks much more like a false detection on the part of nmap than an actual port.

rcv211 commented Oct 3, 2018

Have you checked iptables on CentOS, for any port routing?
iptables -L
iptables -t nat -L

dmiller-nmap commented Oct 3, 2018

Nmap itself can give you more information about why it is saying the port is open. Try this command:

nmap -v --reason -p 22,3128 <target>

Port 3128 is often used by HTTP proxies, specifically Squid Proxy. There could be an intercepting proxy responding to outgoing connections. I've added port 22 to the previous command so we can compare the received IP TTL value for both ports and see if there is a difference, which would indicate that the response is being spoofed. You can also compare results between the -sS and -sT scan types.
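
The TTL comparison suggested in the comment above can be automated. This is an added example, not part of the original thread or of Nmap: it parses the port table printed by `nmap -v --reason` and compares the received TTL of the suspect port against a known-good port. The sample output is constructed, the function names are hypothetical, and it assumes that a connect scan (-sT) reports no TTL in the REASON column.

```python
import re

# Constructed sample of the port table from `nmap -v --reason -p 22,3128 <target>`
# run as a privileged SYN scan (-sS). Values are illustrative, not from the issue.
SAMPLE_SYN_SCAN = """\
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 52
3128/tcp open  squid-http syn-ack ttl 63
"""

# Constructed -sT sample. Assumption: connect scans show the reason without a TTL.
SAMPLE_CONNECT_SCAN = """\
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
3128/tcp open  squid-http syn-ack
"""

ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+)(?:\s+ttl\s+(?P<ttl>\d+))?\s*$"
)

def parse_port_table(text):
    """Return {port: (state, reason, ttl_or_None)} from nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ttl = int(m["ttl"]) if m["ttl"] else None
            ports[int(m["port"])] = (m["state"], m["reason"], ttl)
    return ports

def compare_ttl(text, baseline=22, suspect=3128):
    """Classify the suspect port's reply relative to a known-good baseline port."""
    ports = parse_port_table(text)
    if baseline not in ports or suspect not in ports:
        return "missing-port"
    base_ttl, sus_ttl = ports[baseline][2], ports[suspect][2]
    if base_ttl is None or sus_ttl is None:
        return "no-ttl"        # nothing to compare; rerun as a privileged -sS scan
    if base_ttl != sus_ttl:
        return "ttl-mismatch"  # a differing TTL suggests the reply was spoofed on the path
    return "ttl-match"

if __name__ == "__main__":
    for name, sample in (("-sS", SAMPLE_SYN_SCAN), ("-sT", SAMPLE_CONNECT_SCAN)):
        print(name, compare_ttl(sample))
```

A "ttl-mismatch" result points at a device between scanner and target answering for port 3128, which is consistent with netstat on the server showing nothing listening.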
