It seems that SonicWall is blocking attempts to scan its ports. I know it has some ports open, such as 443, because if I access it with a browser I get a website. But when I try to use NMap I cannot see the open port.
If I try to perform a SYN scan on this port, I get no response:
# nmap -sS -vvv -PN -p443 --reason XXX.XXX.XXX.XXX
Starting Nmap 5.00 ( http://nmap.org ) at 2013-04-22 08:31 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 08:31
Completed Parallel DNS resolution of 1 host. at 08:31, 0.05s elapsed
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:31
Scanning XXX.XXX.XXX.XXX [1 port]
Completed SYN Stealth Scan at 08:31, 2.01s elapsed (1 total ports)
Host XXX.XXX.XXX.XXX is up, received user-set.
Scanned at 2013-04-22 08:31:35 CEST for 2s
Interesting ports on XXX.XXX.XXX.XXX:
PORT STATE SERVICE REASON
443/tcp filtered https no-response
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
Raw packets sent: 2 (88B) | Rcvd: 0 (0B)
If I use a longer timeout, I get a reset (edited to include --packet-trace):
# nmap -sS -vvv -PN -p443 --min-rtt-timeout 30s --packet-trace --reason XXX.XXX.XXX.222
Starting Nmap 5.00 ( http://nmap.org ) at 2013-04-22 10:01 CEST
NSE: Loaded 0 scripts for scanning.
NSOCK (0.0810s) UDP connection requested to XXX.XXX.XXX.111:53 (IOD #1) EID 8
NSOCK (0.0810s) Read request from IOD #1 [XXX.XXX.XXX.111:53] (timeout: -1ms) EID 18
Initiating Parallel DNS resolution of 1 host. at 10:01
NSOCK (0.0810s) Write request for 45 bytes to IOD #1 EID 27 [XXX.XXX.XXX.111:53]: Y............222.XXX.XXX.XXX.in-addr.arpa.....
NSOCK (0.0810s) nsock_loop() started (timeout=500ms). 3 events pending
NSOCK (0.0810s) Callback: CONNECT SUCCESS for EID 8 [XXX.XXX.XXX.111:53]
NSOCK (0.0810s) Callback: WRITE SUCCESS for EID 27 [XXX.XXX.XXX.111:53]
NSOCK (0.1280s) Callback: READ SUCCESS for EID 18 [XXX.XXX.XXX.111:53] (105 bytes)
NSOCK (0.1280s) Read request from IOD #1 [XXX.XXX.XXX.111:53] (timeout: -1ms) EID 34
Completed Parallel DNS resolution of 1 host. at 10:01, 0.05s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:01
Scanning XXX.XXX.XXX.222 [1 port]
SENT (0.1370s) TCP XXX.XXX.XXX.333:44390 > XXX.XXX.XXX.222:443 S ttl=53 id=3162 iplen=44 seq=1146988289 win=2048 <mss 1460>
RCVD (21.1530s) TCP XXX.XXX.XXX.222:443 > XXX.XXX.XXX.333:44390 RA ttl=128 id=23009 iplen=40 seq=1292449307 win=64240 ack=1146988290
Completed SYN Stealth Scan at 10:01, 21.02s elapsed (1 total ports)
Host XXX.XXX.XXX.222 is up, received user-set (21s latency).
Scanned at 2013-04-22 10:01:10 CEST for 21s
Interesting ports on XXX.XXX.XXX.222:
PORT STATE SERVICE REASON
443/tcp closed https reset
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 21.15 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (40B)
But the port is open, because if I use netcat I can connect:
# nc XXX.XXX.XXX.XXX 443
HEAD / HTTP/1.0
(UNKNOWN) [XXX.XXX.XXX.XXX] 443 (https) : Connection timed out
HEAD / HTTP/1.0
200 OK
Content-Length: 860
Content-Type: text/html
Last-Modified: Tue, 22 Nov 2011 07:45:36 GMT
Client-Date: Mon, 22 Apr 2013 06:34:56 GMT
200 OK
Connection: close
Date: Mon, 22 Apr 2013 06:40:31 GMT
Server: Apache-Coyote/1.1
Content-Length: 1166
Content-Type: text/html
Client-Date: Mon, 22 Apr 2013 06:34:57 GMT
Client-Peer: XXX.XXX.XXX.XXX:80
Client-Response-Num: 1
I have tried other NMap scan types (ACK, FIN, Maimon, Windows, NULL, TCP and XMAS) without results.
I have also tried changing the source port to 80 using:
-g 80
What are the correct options for NMap to scan this type of device correctly? What steps can I investigate to discover them?