Nmap Scan

Hi guys,
I have run Nmap for Windows on one of my Domain Controllers in a Windows 2000 domain.
Since I am new to the security area, I need help understanding the following results.

I especially need help with the ports numbered 1000 and above.

thanks

(The 1573 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp                    
80/tcp     open        http                    
88/tcp     open        kerberos-sec            
110/tcp    open        pop-3                  
119/tcp    open        nntp                    
135/tcp    open        loc-srv                
139/tcp    open        netbios-ssn            
143/tcp    open        imap2                  
389/tcp    open        ldap                    
443/tcp    open        https                  
445/tcp    open        microsoft-ds            
464/tcp    open        kpasswd5                
563/tcp    open        snews                  
593/tcp    open        http-rpc-epmap          
636/tcp    open        ldapssl                
691/tcp    open        resvc                  
993/tcp    open        imaps                  
995/tcp    open        pop3s
1026/tcp   open        LSA-or-nterm            
1029/tcp   open        ms-lsa                  
1373/tcp   open        chromagrafx            
1492/tcp   open        stone-design-1          
1723/tcp   open        pptp                    
2301/tcp   open        compaqdiag              
3372/tcp   open        msdtc                  
3389/tcp   open        ms-term-serv            
6101/tcp   open        VeritasBackupExec      
49400/tcp  open        compaqdiag              
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
cakirfatih Asked:
 
Joseph_Moore Commented:
Ok, first off, you have NMAP (www.insecure.org), the best port scanner out there!

Now, here is what I see. You scanned a Win2K or Win2K3 Domain Controller (ports 88, 389, 464 tell this). Those ports are used by Kerberos for authentication.

IIS is installed and running EVERYTHING: FTP, WWW, News, SMTP, POP3. All of it. Ports 21, 25, 80, 443, 119 are for this. Since you have WWW running, you have SSL enabled (port 443), which also turns on Secure News (port 563) and the Secure LDAP (port 563).

NetBIOS is enabled, so that's 139; SMB is on so that's 445. Both of these ports are for File & Print Sharing. (You also would have UDP port 137 & 138 enabled, but you only did a TCP port scan, not a UDP port scan, which is why those ports didn't show).

Port 1732 is open, so Routing and Remote Access (RRAS) is turned on with the default VPN mode enabled. This is your PPTP port showing.

This must be a Compaq server, since it has some Compaq Insight Agent ports showing (49400, 2301).

Terminal Services is up, so port 3389 is listening.

Veritas for backup? Looks like it. Port 6101 for that.

MS Distributed Transaction Coordinator is on by default, so port 3372 is there.

Ports 1372 & 1492 I am not familiar with, but it looks like (based on the NMAP service column) they are from real applications, not trojans.

You are actually also running RPC over HTTP (port 593)? Ok. Weird. Not wrong, just different.

Here is a link to standard ports in Windows Domain Controllers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;289241

Off the top of my head, nothing terrible here, unless this is on a server that is NOT protected by a firewall. If this server is only accessed on your LAN, then it looks OK to me. If this box is on the Internet with no firewall, then you are just asking to be attacked and "0wned"!

One last NMAP thing. Go get the newest version of NMAP (v 3.50) and run it with the -A switch to enable the service detection. A new feature is for NMAP to read the banners it received on each port and not only tell you "compaqdiag" but it might tell you something like "Compaq Insight Agent V ####". Kinda cool!

Good luck.

0
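The reading of the scan in the answer above can be repeated mechanically: parse the port table, match each open port against the roles the host is known to have, and list whatever is left for follow-up. This is an added example, not part of the original thread; the BASELINE grouping is an assumption built from the roles named in the answer, and SAMPLE is a constructed excerpt in the same layout as the scan in the question.

```python
import re

# Constructed sample rows in the "Port State Service" layout shown in the question.
SAMPLE = """\
Port       State       Service
88/tcp     open        kerberos-sec
389/tcp    open        ldap
445/tcp    open        microsoft-ds
1373/tcp   open        chromagrafx
1492/tcp   open        stone-design-1
3389/tcp   open        ms-term-serv
49400/tcp  open        compaqdiag
"""

# Assumption: expected TCP ports per role, taken from the roles the answer identifies.
BASELINE = {
    "domain controller": {88, 135, 139, 389, 445, 464, 593, 636},
    "IIS / mail / news": {25, 80, 110, 119, 143, 443, 563, 993, 995},
    "remote access": {1723, 3389},
    "management / backup": {2301, 3372, 6101, 49400},
}

ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_scan(text):
    """Return [(port, proto, state, service)] from Nmap's plain-text port table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)  # header and summary lines do not match and are skipped
        if m and 0 < int(m.group(1)) <= 65535:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def triage(rows):
    """Split open ports into those explained by a baseline role and those to review."""
    explained, review = {}, []
    for port, proto, state, service in rows:
        if state != "open":
            continue
        role = next((r for r, p in BASELINE.items() if proto == "tcp" and port in p), None)
        if role:
            explained.setdefault(role, []).append(port)
        else:
            # Without version detection the service name is a lookup by port
            # number, so it does not identify the listening program.
            review.append((port, service))
    return explained, review

if __name__ == "__main__":
    print(triage(parse_scan(SAMPLE)))
```

Ports that land in the review list are the ones to trace to an owning process on the host itself before deciding whether they belong there.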
 
trywaredk Commented:
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html#Trojans

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
cakirfatih (Author) Commented:
Thanks a lot for this valuable information

fatih
0
 
trywaredk Commented:
:o) Glad we could help you - thank you for the points
0
Question has a verified solution.
