What are some instant red flags when scanning a network with nmap

To echo gameOver's comment and elaborate further, simply detecting that a port is open is interesting but I wouldn't see it as an immediate 'red flag'. Perhaps a better approach might be to run Nmap with the -sV or -sC flags which will either run a service/version scan or launch the default NSE (Nmap Scripting Engine) scripts against the target port that you've deemed interesting, provided you have the proper authorization to do so.

So, for example, let's say you discovered that port 21 is open, which is interesting, but it only becomes a potential attack vector when you can enumerate the service running behind it. Once you discover the specific service you can begin searching CVEs and gain a better understanding of whether there is a vulnerability tied to it. By running a script-scan, the NSE will test the specific port in question and output its findings; for port 21 this might include an anonymous FTP login misconfiguration that allows read/write access.

Now, after further enumeration of the service running behind port 21, you have a potential attack vector.

As a final note, there are some known ports that specific types of malware have a history of using, but these can also be false positives, as I could simply run my SSH server on TCP port 31337. You might see this port as open and immediately think Back Orifice! Instead I'm just running SSH on an unusual port.


Sources:

  • https://nmap.org/nsedoc/scripts/

A port merely showing up in a scan is not enough to raise a red flag.

  1. Some firewalls or other protection mechanisms (honeypots) will make it look like a port is up when it is not
  2. Not all ports run the services that are typical
  3. Any port that might look suspicious on one network might be locked down properly on another
  4. You should be investigating all ports that pop up in a scan anyway, so it really doesn't matter what pops up

The point is that you should have a methodical process to address all ports with as much vigour as the rest, so getting excited about one port, in particular, is not very helpful.
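Both answers make the same practical point: an open port is a prompt to enumerate, and only what the enumeration (-sV, -sC, NSE output) returns can be rated. The script below is an added example, not code from either answer; it parses the XML report Nmap writes with -oX and classifies each open port by the evidence actually gathered: a port whose service name came only from the port-number table is marked "unverified", a port with product/version is "enumerated", and a port where an NSE script produced output is an "nse-finding". A service on a non-default port (the SSH-on-31337 case) is recorded as an observation, not as a red flag. The XML, the host address, the versions, the ftp-anon output and the small DEFAULT_PORT table are all constructed for the example.

```python
"""Triage an Nmap XML report (-oX) by what was enumerated, not by port number.

Added example, not code from the original answers. SAMPLE_XML is a constructed
report in the format Nmap emits with -oX; host, versions and script output are
made up for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: roughly what `nmap -sV -sC -oX - <host>` emits for one host.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="31337">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hand-made table of the usual port for a few services (hypothetical; extend as needed).
DEFAULT_PORT = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}


def triage(xml_text):
    """Return one finding dict per open port, rated by the evidence Nmap gathered."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed: nothing was enumerated, nothing to rate
            portid = int(port.get("portid"))
            svc = port.find("service")
            name = svc.get("name") if svc is not None else None
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            # method="probed" means -sV actually talked to the service;
            # method="table" means the name is a guess from nmap-services.
            probed = svc is not None and svc.get("method") == "probed"
            scripts = [(s.get("id"), s.get("output")) for s in port.iter("script")]

            f = {"host": addr, "port": portid, "service": name,
                 "product": product, "version": version, "notes": []}
            if not probed:
                f["level"] = "unverified"
                f["notes"].append("service guessed from port table; rerun with -sV/-sC")
            elif scripts:
                # NSE produced output: the closest thing in a scan to a real red flag.
                f["level"] = "nse-finding"
                f["notes"].extend(f"{sid}: {out}" for sid, out in scripts)
            else:
                f["level"] = "enumerated"
                f["notes"].append("product/version known; check vendor advisories")

            # A known service on a non-default port is an observation, not malware evidence.
            expected = DEFAULT_PORT.get(name)
            if probed and expected is not None and expected != portid:
                f["notes"].append(f"{name} on non-default port (usual: {expected})")
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f"{f['host']}:{f['port']:<6} {f['level']:<12} {f['service']:<11} "
              + "; ".join(f["notes"]))
```

Run against a real report with `nmap -sV -sC -oX report.xml <target>` (with authorization) and pass the file contents to `triage()`. In the sample, port 21 is the only line that deserves attention on its own, port 31337 is simply SSH that still needs its version checked, and port 8080 has not been enumerated at all yet.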