Page 1 of 1

IRC filtered, all other ports open

Posted: Sat Jan 07, 2017 12:27 am UTC
by peterdavidcarter
A bit of a naive question, but I'm a sorta baffled by a recent nmap result on a server, which is showing all ports wide open apart from IRC, which is filtered. Is this a common configuration? In people's opinions what would they say is the most likely reason someone would config their server this way?

Re: IRC filtered, all other ports open

Posted: Sat Jan 07, 2017 1:14 am UTC
by Soupspoon
(Darnit, refreshed and wiped my response. Resummarising.)

Proxy gateway/NAT pre-emptively ACKing before it knows the true target's actual intention?
IDS (or even full Honeypot) being deliberately (mostly!) undiscriminating?
A listener daemon that is truly promiscuous?
Full-spectrum port spoofing to obfuscate and render ports-open profiling effectively useless?

As to the IRC (port 194 and/or 666x?), perhaps that's the single deliberately configured port, auto-rejecting requests outside of a preconfigured IP or subnet because it is expecting/already using that port as comms with a hardcoded remote machine?

That's just off the top of my head, some of those answers are a bit off the wall... But I don't think nmap does much more than get an ACK back... Maybe a bit of manual telnetting with some intelligent guessing as to the handshaking required can reveal more info. Or at least rule out some of the options.?