
Sometimes I receive odd or inconsistent port scan results. Consider the two following excerpts, copied from my command shell:

user@host:~$ nmap 10.1.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-15 13:47 AWST
Nmap scan report for (10.1.1.1)
Host is up (0.0073s latency).
Not shown: 979 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
80/tcp    open     http
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
500/tcp   filtered isakmp
720/tcp   filtered unknown
1097/tcp  filtered sunclustermgr
1218/tcp  filtered aeroflight-ads
2191/tcp  filtered tvbus
3000/tcp  filtered ppp
3013/tcp  filtered gilatskysurfer
3283/tcp  filtered netassistant
5001/tcp  filtered commplex-link
5431/tcp  open     park-agent
7741/tcp  filtered scriptview
8000/tcp  open     http-alt
8008/tcp  filtered http
49176/tcp filtered unknown
55555/tcp filtered unknown

Less than ten minutes after the first scan started:

user@host:~$ nmap 10.1.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-15 13:56 AWST
Nmap scan report for (10.1.1.1)
Host is up (0.0081s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5431/tcp open  park-agent
8000/tcp open  http-alt

I haven't done anything in between scans and don't understand what would cause the results to differ. Most of these extra services are unknown to me, so I can only speculate that these results are being shown in error, raising more questions. This is a frequent occurrence. What is likely to be the cause of this?

Thanks in advance.

  • Did any answer help you? if so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.
    – Ron Maupin
    Commented Aug 12, 2017 at 19:59

2 Answers


The main difference between the two scans is the absence of the filtered ports in the second scan.

filtered in nmap terms means something like "I don't know for sure", so the second scan might be a bit more accurate, as nmap claims the ports in question are closed.

Possible reasons for the different results are:

  • timing - you might try to slow down nmap (timing --scan-delay=2s or -T3) and see if that makes the results more stable
  • Firewall with rate-limits - maybe there is a firewall / packet filter in the path that changes block behaviour after some packets (DROP instead of sending icmp-port-unreachables or tcp-fin) so that the result of the portscan differs

But don't spend too much time on that topic unless you want to educate yourself on that. For day to day use you can assume that the filtered ports are closed and think of the two results as equal.
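One way to put the answer above into practice is to compare two runs of the same scan mechanically and treat only the ports that stay open in both as a result worth acting on. The script below is an added example, not code from the question or the answer: it parses nmap's default normal output (the format pasted in the question; the two scan tables from the question are embedded as the sample input), reads the "Not shown: N closed ports" line so that every port missing from the table is assigned that default state, and then groups ports by how their state changed between runs. The function and variable names are this example's own.

```python
"""Compare two nmap normal-output scans of one host and report which ports
changed state between runs. Added example, not code from the original post:
'filtered' means nmap got no usable reply, so only ports reported 'open' in
both runs are a stable finding; everything else is worth a re-scan at a
slower timing before anyone reads meaning into it."""
import re
from typing import Dict, List, Tuple

PortKey = Tuple[int, str]  # (port number, protocol), e.g. (22, "tcp")

# Constructed sample input: the port tables from the two scans in the question.
SCAN_1 = """\
Nmap scan report for (10.1.1.1)
Host is up (0.0073s latency).
Not shown: 979 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
80/tcp    open     http
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
500/tcp   filtered isakmp
720/tcp   filtered unknown
1097/tcp  filtered sunclustermgr
1218/tcp  filtered aeroflight-ads
2191/tcp  filtered tvbus
3000/tcp  filtered ppp
3013/tcp  filtered gilatskysurfer
3283/tcp  filtered netassistant
5001/tcp  filtered commplex-link
5431/tcp  open     park-agent
7741/tcp  filtered scriptview
8000/tcp  open     http-alt
8008/tcp  filtered http
49176/tcp filtered unknown
55555/tcp filtered unknown
"""

SCAN_2 = """\
Nmap scan report for (10.1.1.1)
Host is up (0.0081s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5431/tcp open  park-agent
8000/tcp open  http-alt
"""

# A port table row: "<port>/<proto>  <state>  <service>"
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+")
# The summary line whose state word applies to every port not in the table.
_NOT_SHOWN = re.compile(r"^Not shown: \d+ (\S+) ports")


def parse_scan(text: str) -> Tuple[Dict[PortKey, str], str]:
    """Return ({(port, proto): state}, default_state).

    default_state comes from the 'Not shown:' line (normally 'closed');
    every port absent from the table is in that state."""
    states: Dict[PortKey, str] = {}
    default_state = "closed"
    for line in text.splitlines():
        m = _NOT_SHOWN.match(line)
        if m:
            default_state = m.group(1)
            continue
        m = _PORT_LINE.match(line)
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3)
    return states, default_state


def diff_scans(first: str, second: str) -> Dict[Tuple[str, str], List[PortKey]]:
    """Group every port listed in either table by (state_before, state_after).
    Ports with the same state in both runs are left out."""
    a, a_default = parse_scan(first)
    b, b_default = parse_scan(second)
    changes: Dict[Tuple[str, str], List[PortKey]] = {}
    for key in sorted(set(a) | set(b)):
        before = a.get(key, a_default)
        after = b.get(key, b_default)
        if before != after:
            changes.setdefault((before, after), []).append(key)
    return changes


def stable_open(first: str, second: str) -> List[PortKey]:
    """Ports reported 'open' in both runs: the part of the result to act on."""
    a, _ = parse_scan(first)
    b, _ = parse_scan(second)
    return sorted(k for k, s in a.items() if s == "open" and b.get(k) == "open")


if __name__ == "__main__":
    for (before, after), ports in diff_scans(SCAN_1, SCAN_2).items():
        print(f"{before} -> {after}: {[f'{p}/{proto}' for p, proto in ports]}")
    print("stable open:", [f"{p}/{proto}" for p, proto in stable_open(SCAN_1, SCAN_2)])
```

Run against the two tables from the question it reports a single change group, filtered -> closed, containing the thirteen ports that vanished from the second scan, and eight stable open ports. In practice you would feed it two saved runs (nmap's -oN output) taken at different timings, as the answer suggests, and only escalate ports that stay open or keep flipping.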


Any TCP/IP connection you make uses two ports. You use the "well-known" port number to initiate the connection with the server and a fairly randomly selected port for the return path. Any port could legitimately be used occasionally for that purpose. You can run netstat with the -p parameter to discover what program is listening on a given port. The command:

netstat -p -a | grep 55555

where 55555 is the port in question. This will give you an idea if the port is being used properly or by a trojan etc.
