Solved

Npam Scan

Posted on 2004-04-27
4
6,569 Views
Last Modified: 2013-12-04
Hi guys ,
i have run Npam for Windows on one my Domain Controller in Windows 2000 domain.
since i am new to security area, i need help on understanding the following results

i need help esspecially on ports with 1000 + number

thanks

(The 1573 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp                    
80/tcp     open        http                    
88/tcp     open        kerberos-sec            
110/tcp    open        pop-3                  
119/tcp    open        nntp                    
135/tcp    open        loc-srv                
139/tcp    open        netbios-ssn            
143/tcp    open        imap2                  
389/tcp    open        ldap                    
443/tcp    open        https                  
445/tcp    open        microsoft-ds            
464/tcp    open        kpasswd5                
563/tcp    open        snews                  
593/tcp    open        http-rpc-epmap          
636/tcp    open        ldapssl                
691/tcp    open        resvc                  
993/tcp    open        imaps                  
995/tcp    open        pop3
s                  
1026/tcp   open        LSA-or-nterm            
1029/tcp   open        ms-lsa                  
1373/tcp   open        chromagrafx            
1492/tcp   open        stone-design-1          
1723/tcp   open        pptp                    
2301/tcp   open        compaqdiag              
3372/tcp   open        msdtc                  
3389/tcp   open        ms-term-serv            
6101/tcp   open        VeritasBackupExec      
49400/tcp  open        compaqdiag              
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
0
Comment
Question by:cakirfatih
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
Joseph_Moore earned 350 total points
ID: 10931088
Ok, first off, you have NMAP (www.insecure.org), the best port scanner out there!

Now, here is what I see. You scanned a Win2K or Win2K3 Domain Controller (port 88, 389, 464) tells this. Those ports are used by Kerberos for authentication.

IIS is installed and running EVERYTHING: FTP, WWW, News, SMTP, POP3. All of it. Ports 21, 25 80,443, 119 are for this. Since you have WWW running, you have SSL enabled (port 443), which also turns on Secure News (port 563) and the Secure LDAP (port 563)

NetBIOS is enabled, so that's 139; SMB is on so that's 445. Both of these ports are for File & Print Sharing. (You also would have UDP port 137 & 138 enabled, but you only did a TCP port scan, not a UDP port scan, which is why those ports didn't show).

Port 1732 is open, so Routing and Remote Access (RRAS) is turned on with the default VPN mode enabled. This is your PPTP port showing.

This must be a Compaq server, since it has some Compaq Insight Agent ports showing (49400, 2301).

Terminal Services is up, so port 3389 is listening.

Veritas for backup? Looks like it. Port 6101 for that.

MS Distributed Transaction Coordinator is on by default, so port 3372 is there.

Ports 1372 & 1492 I am not familiar with, but it looks like (based of the NMAP service column) that they are from real applications, not trojans.

You are actually also running RPC over HTTP (port 593)? Ok. Weird. Not wrong, just different.

Here is a link to standard ports in Windows Domain Controllers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;289241

Off the top of my head, nothing terrible here, unless this is on a server that is NOT protected by a firewall. If this server is only accessed on your LAN, then it looks OK to me. If this box is onthe Internet with no firewall, then you are just asking to be attacked and "0wned"!

One last NMAP thing. Go get the newest version of NMAP (v 3.50) and run it with the -A switch to enable the service detection. A new feature is for NMAP to read the banners it received on each port and not only tell you "compaqdiag" but it might tell you something like "Compaq Insight Agent V ####"  Kinda cool!

Good luck.

0
 
LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 150 total points
ID: 10936664
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html#Trojans

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 

Author Comment

by:cakirfatih
ID: 10943430
thanks a lot fo these valuable information

fatih
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967118
:o) Glad we could help you - thank you for the points
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now