Solved

Npam Scan

Posted on 2004-04-27
4
6,620 Views
Last Modified: 2013-12-04
Hi guys ,
i have run Npam for Windows on one my Domain Controller in Windows 2000 domain.
since i am new to security area, i need help on understanding the following results

i need help esspecially on ports with 1000 + number

thanks

(The 1573 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp                    
80/tcp     open        http                    
88/tcp     open        kerberos-sec            
110/tcp    open        pop-3                  
119/tcp    open        nntp                    
135/tcp    open        loc-srv                
139/tcp    open        netbios-ssn            
143/tcp    open        imap2                  
389/tcp    open        ldap                    
443/tcp    open        https                  
445/tcp    open        microsoft-ds            
464/tcp    open        kpasswd5                
563/tcp    open        snews                  
593/tcp    open        http-rpc-epmap          
636/tcp    open        ldapssl                
691/tcp    open        resvc                  
993/tcp    open        imaps                  
995/tcp    open        pop3
s                  
1026/tcp   open        LSA-or-nterm            
1029/tcp   open        ms-lsa                  
1373/tcp   open        chromagrafx            
1492/tcp   open        stone-design-1          
1723/tcp   open        pptp                    
2301/tcp   open        compaqdiag              
3372/tcp   open        msdtc                  
3389/tcp   open        ms-term-serv            
6101/tcp   open        VeritasBackupExec      
49400/tcp  open        compaqdiag              
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
0
Comment
Question by:cakirfatih
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
Joseph_Moore earned 350 total points
ID: 10931088
Ok, first off, you have NMAP (www.insecure.org), the best port scanner out there!

Now, here is what I see. You scanned a Win2K or Win2K3 Domain Controller (port 88, 389, 464) tells this. Those ports are used by Kerberos for authentication.

IIS is installed and running EVERYTHING: FTP, WWW, News, SMTP, POP3. All of it. Ports 21, 25 80,443, 119 are for this. Since you have WWW running, you have SSL enabled (port 443), which also turns on Secure News (port 563) and the Secure LDAP (port 563)

NetBIOS is enabled, so that's 139; SMB is on so that's 445. Both of these ports are for File & Print Sharing. (You also would have UDP port 137 & 138 enabled, but you only did a TCP port scan, not a UDP port scan, which is why those ports didn't show).

Port 1732 is open, so Routing and Remote Access (RRAS) is turned on with the default VPN mode enabled. This is your PPTP port showing.

This must be a Compaq server, since it has some Compaq Insight Agent ports showing (49400, 2301).

Terminal Services is up, so port 3389 is listening.

Veritas for backup? Looks like it. Port 6101 for that.

MS Distributed Transaction Coordinator is on by default, so port 3372 is there.

Ports 1372 & 1492 I am not familiar with, but it looks like (based of the NMAP service column) that they are from real applications, not trojans.

You are actually also running RPC over HTTP (port 593)? Ok. Weird. Not wrong, just different.

Here is a link to standard ports in Windows Domain Controllers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;289241

Off the top of my head, nothing terrible here, unless this is on a server that is NOT protected by a firewall. If this server is only accessed on your LAN, then it looks OK to me. If this box is onthe Internet with no firewall, then you are just asking to be attacked and "0wned"!

One last NMAP thing. Go get the newest version of NMAP (v 3.50) and run it with the -A switch to enable the service detection. A new feature is for NMAP to read the banners it received on each port and not only tell you "compaqdiag" but it might tell you something like "Compaq Insight Agent V ####"  Kinda cool!

Good luck.

0
 
LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 150 total points
ID: 10936664
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html#Trojans

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 

Author Comment

by:cakirfatih
ID: 10943430
thanks a lot fo these valuable information

fatih
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10967118
:o) Glad we could help you - thank you for the points
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
OfficeMate Freezes on login or does not load after login credentials are input.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question