NMAP Port Scanning - confusion...

Discussion in 'Network questions and troubleshooting' started by EnthusiastX, Jun 5, 2020.

  1. EnthusiastX

    My cable internet setup is:
    - ISP-supplied Arris 2-in-1 cable modem-router for internet and phone (port forwarding disabled, WiFi disabled)
    - Personal Netgear WiFi router connected to Arris modem (port forwarding disabled, port triggering disabled)

    Only personal Netgear router is connected to Arris modem. All other devices (mobile phones, PC's, tablets) are connected to Netgear router.

    When both Arris modem/router and Netgear router are in DHCP NAT modes, the result is Double NAT. With Double NAT:
    - Online NMAP port scanners show all ports to be either closed or filtered
    - ZENMAP (local PC NMAP) Intense port scanning (all TCP ports) via my PC (with the latest NPCAP driver) shows 0 opened ports

    When Arris modem-router is set to Bridged mode (no DHCP, no NAT) and Netgear router is the only NAT-enabled router (with port forwarding disabled and port triggering disabled):
    - Online NMAP port scanners show all ports to be either closed or filtered
    - ZENMAP (local PC NMAP) Intense port scanning (all TCP ports) via my PC (with the latest NPCAP driver) shows several opened ports

    Traceroute commands do show that setting Arris modem-router to Bridged mode results in Arris modem-router default IP (192.168.0.1) missing from the trace and devices cannot access Arris modem-router settings page through that IP when they are connected to Netgear router. Accessing Arris modem-router settings is now only possible via direct LAN connection to the Arris modem-router.

    What I am confused about is:
    1. Why Arris+Netgear Double NAT setup ZENMAP scanning results in detection of 0 opened ports and Netgear-only NAT (with Arris modem-router set to Bridged mode) results in opened ports (even though Netgear router port forwarding and port triggering are disabled)?
    2. Why do ZENMAP (local PC NMAP) port scanning results differ from online website NMAP scanning results? All online NMAP port scanning results indicate closed or filtered ports with Netgear-only NAT (Arris modem-router in Bridged mode) while ZENMAP (local PC NMAP) port scanning shows opened ports.
    3. Why do some online scanners report the same ports as closed or non-responsive, while other online scanners report the same ports as filtered? Both Firefox-based and Chrome/Chromium-based browsers report identical results. These are the online scanners I tried:
    - https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
    - https://www.ipvoid.com/port-scan/
    - https://hackertarget.com/nmap-online-port-scanner/
    4. How dangerous is it to have a setup with the mentioned ports being detected as opened by ZENMAP? The internet says Double NAT tends to only add complexity to a network and does not make it more secure. In this case though, Double NAT results in ZENMAP detecting 0 opened ports.
     
    Last edited: Jun 12, 2020
  2. EnthusiastX

    Bump... I keep testing and so far Double NAT is the only way to get "no opened ports detected" via nmap.org ZENMAP intensive TCP/UDP port scanning or via Android Kali NetHunter nmap.org intensive TCP/UDP port scanning. I think I just know and understand too little...
     
  3. 386SX

    What interface of what device are you testing? You have got 4 ...

    Kali is pretty intrusive. I hope you know what you are doing.

    What ports specifically are shown as open? You didn't name them yet. Like TCP 443 or UDP 666 or whatever.
     
  4. EnthusiastX

    I test my public IP and local IP's (all devices) with the latest NMAP/ZENMAP SYN Scan (Intensive + UDP) from my local Windows 10 PC (LAN-only, no WiFi allowed). For public IP testing, I enable the NPCAP driver and for local IP I enable both the NPCAP and Loopback driver. SYN scan requires the Loopback driver for local IP, but not for public IP. Cloudflare 1.1.1.1/1.0.0.1 DNS is set on every device (router, modem, all local devices, hardware + software). Cloudflare DoH is enabled on all but one local device, either via AdGuard in VPN Mode + browser settings or YogaDNS + browser settings. One device simply does not support DoH or DoH-enabled software, but it is set to use 1.1.1.1/1.0.0.1 DNS (without DoH). The ISP modem uses DHCP to get its own DNS, but the ISP modem LAN settings are set to override ISP DNS with Cloudflare DNS. Thorough browser tests show no DNS leakage on any device.

    UPnP, ALG, pinging, DMZ, port forwarding + triggering, IGMP Proxying, VLAN, IPSec Passthrough, and whichever gimmicky multimedia, printer-sharing, etc. features are disabled on both routers. IPv6 is disabled in both routers and on every local device. This is a home network and I am only in control as much as the situation allows me. All devices use the latest firmware, OS version, updates, etc. There is no DD-WRT/OpenWRT/Tomato firmware for the home or ISP router. Other people at home generally know too little about networks and PCs. On one tablet, AdGuard blocks 1000+ ads and 250+ trackers in 3 hours of use due to the user playing some game. I can't do all the testing I want because home residents need to actually use the internet for work and communication. Interruptions for the sake of knowledge are unwelcome (especially since it doesn't provide $$$).


    Double NAT Public IP Testing

    Public IP NMAP SYN "Intensive Scan + UDP" detects only UDP port 53 as open/filtered, but ZENMAP/NMAP adds "UDP port 53 is actually open". It's a DNS port. I have no idea how to close it. All pinging, port forwarding, and triggering are disabled, but I understand too little. If a port is detected as open for the public IP via NMAP SYN scan from a local device, is it caused by the NAT or can a local device with opened port 53 be the cause? Perhaps it is simply detected as such because I use a local device to run tests? Some online sources say UDP scan is not very reliable and others say that the ISP can keep port 53 open. Recent tests show that even though pinging is disabled on both routers, my public IP is pingable from the machine on which I conduct tests. Such wasn't the case with tests performed 6 days ago... Public IP was not pingable 6 days ago.


    Single NAT Public IP Testing (ISP router-modem in Bridged Mode with NAT disabled)
    Public IP NMAP SYN Intensive Scan + UDP detects TCP ports 21, 80, 631, 5000, 20005, and 33344 as open + UDP port 53 as open/filtered, but ZENMAP/NMAP adds "UDP port 53 is actually open". I haven't done any reverse testing with the personal router in Bridged Mode and the ISP router-modem in NAT mode.


    Local IP Testing (of personal PC)
    Local IP NMAP SYN "Intensive Scan + UDP" shows UDP port 53 and TCP port 135 as open. DCOM is disabled via DCOMCFG and registry. NetBIOS is disabled in Network Settings and in Windows Services. NMAP SYN scan manages to detect my OS with relatively high accuracy, but it only does so 33% of the time and gets the general OS build and exact version number wrong. OS detection is supposedly due to port 135 always in "Listening" mode. I use built-in Windows 10 Firewall because other good firewalls (like Sphinx and TinyWall) block everything and expect users to allow access on per-app/port basis. It is a total pain in the butt, just like NoScript that disables most scripts and expects users to visit whichever sites, look at which scripts are blocked, and allow/enable only the ones users want.

    I don't think Windows 10 Firewall even works as it should... Blocking every default Windows App/Feature like Core Networking DHCP doesn't actually seem to block anything and Windows doesn't ask "Do you want to allow XXX" for every program I launch. It asks if I want to allow games through Windows Firewall, but not portable Apps. For example, if I install Chrome, Windows would ask me if I want to allow Chrome through Windows Firewall, but if I use the portable version of Chrome, Windows doesn't ask. Perhaps that is why 3rd party firewall programs are better and why the best security practice is to let your firewall block everything as a default setting to allow you to unblock only specific apps and ports.
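    The post above compares a ZENMAP scan of the public IP run from inside the LAN with scans run by online scanners from the Internet. The script below is an added example, not code from the thread, that parses nmap's grepable (-oG) "Host:" lines for both vantage points and lists every port whose state disagrees, so that only ports an outside scanner reports as "open" are treated as exposed. The two scan lines and the 203.0.113.10 address are constructed; the port numbers are the ones named in the post.

```python
import re

# Constructed nmap -oG "Host:" lines shaped like the thread's two scans: the inside-the-LAN
# ZENMAP scan of the public IP and an external online scanner. Address is a placeholder.
INSIDE_SCAN = (
    "Host: 203.0.113.10 () Ports: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "631/open/tcp//ipp///, 5000/open/tcp//upnp///, 20005/open/tcp//btx///, "
    "33344/open/tcp/////, 53/open/udp//domain///"
)
OUTSIDE_SCAN = (
    "Host: 203.0.113.10 () Ports: 21/filtered/tcp//ftp///, 80/closed/tcp//http///, "
    "631/filtered/tcp//ipp///, 5000/filtered/tcp//upnp///, 53/open|filtered/udp//domain///"
)

# port/state/protocol/... entries; state may contain '|' (e.g. open|filtered)
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/")


def parse_grepable(line):
    """Return {(proto, port): state} for one 'Host:' line of nmap -oG output."""
    m = re.search(r"Ports:\s*(.*?)(?:\tIgnored State:|$)", line)
    if not m:
        return {}
    return {(proto, int(port)): state for port, state, proto in PORT_RE.findall(m.group(1))}


def diff_scans(inside, outside):
    """Map (proto, port) -> (inside_state, outside_state) for every port the two vantage
    points disagree on. nmap omits closed ports by default, so a port missing from one
    scan is reported as 'not reported' rather than assumed closed."""
    a, b = parse_grepable(inside), parse_grepable(outside)
    report = {}
    for key in sorted(set(a) | set(b)):
        sa, sb = a.get(key, "not reported"), b.get(key, "not reported")
        if sa != sb:
            report[key] = (sa, sb)
    return report


def externally_open(outside):
    """Ports the outside vantage point reports as plain 'open'. UDP 'open|filtered' means
    no reply at all, which cannot distinguish a firewall drop from a silent listener."""
    return sorted(k for k, s in parse_grepable(outside).items() if s == "open")


if __name__ == "__main__":
    for (proto, port), (si, so) in diff_scans(INSIDE_SCAN, OUTSIDE_SCAN).items():
        print(f"{proto}/{port}: inside={si} outside={so}")
    print("reachable from the Internet:", externally_open(OUTSIDE_SCAN))
```

With the sample lines every port disagrees between the two vantage points and nothing is reported as plain "open" from outside, which is the pattern the post describes; a scan from inside the LAN reaches the router's own LAN-side services and hairpinned hosts, so only the outside result reflects Internet exposure.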
     

  5. itpro

    "There Is No Such Thing As Absolute Security"

    Start from this. You are trying hard to find out things irrelevant to any threatening scenario. The only way to block everything is to unplug the net. Or use serious dedicated firewall hardware like pfSense, OPNsense or others.
     