VMware Cloud Community
FiremanE63
Contributor

Scanning guest OS, host ports respond

Hello,

I am seeing an issue where if I do a network scan or nmap of a guest OS on ESXi 4 I also get back ports that the host has open. I also get results when the guest is shut down. Anyone have any ideas on why this happens? It did not always happen, and I have not updated the ESXi host between when it did give me the results I expected and now. I can connect to port 80 (even when the guest is shut down) and it does respond, but it looks like the ESXi host. This happens on every guest that is on this ESXi host.

Nmap results from a guest on the same ESXi host:

Interesting ports on 192.168.X.X:
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
113/tcp  closed auth
9898/tcp open   unknown

Nmap results from my desktop to the same guest:

Interesting ports on 192.168.X.X:
Not shown: 980 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
113/tcp  closed auth
1720/tcp open   H.323/Q.931
1863/tcp open   msnp
3128/tcp open   squid-http
4445/tcp open   unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open   http-proxy
9898/tcp open   unknown

With the guest turned off I get:

Interesting ports on 192.168.X.X:
Not shown: 983 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
1720/tcp open   H.323/Q.931
1863/tcp open   msnp
3128/tcp open   squid-http
4445/tcp open   unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open   http-proxy

When I connect to port 80 I get this info:

HTTP/1.0 200 OK
Pragma: no-cache
Cache-Control: no-store
Content-Type: text/html
Content-Length: 230

Access denied due to security policy violation

Reject ID: 4b05c77a-10004-12071dac-7b6

Connection to host lost.

3 Replies
Texiwill
Leadership

Hello,

Moved to Security Forum.

What this looks like is that you are scanning the subnet and that the ESXi vmkernel management console is also on the same subnet. Can you explain your network and nmap options?

If you 'target' a guest, you should only see that guest. However, if you see anything else it could be other items on the subnet.

Also, please provide your nmap command line.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Virtualization Practice Analyst
Now available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links
Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast)

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
FiremanE63
Contributor

The nmap command line is "nmap 192.168.81.27", just doing a basic scan with no special options. If I do this from my PC that is on a 10.6.3.x network I get all the extra ports. If I do it from the 192.168.81.26 server (a guest on the ESXi host) I only get the 3 ports I expect. If I shut down all the guests on that ESXi box (the ESXi host IP is 192.168.81.18) and do a nmap -P0 192.168.81.27 I get the results that I have shown. This happens on all the guests on that host, 192.168.81.19-30, with the same results. It's almost as if the ESXi host is routing the scans and responding to some of them.

The only physical server on the 192.168.81.16 subnet is the ESXi host. No other management tools are being used. I run the client from my desktop on the 10.6.3.x network.

Texiwill
Leadership

Hello,

So you scan the single IP from a VM already in that subnet and you get 3 ports open. This does not look like it is returning anything related to ESXi, which would include port 902, etc.

If you scan the single IP from a desktop OUTSIDE that subnet (10.) you get more ports open. This sounds like you are actually scanning the router/firewall/NAT device instead of the actual IP as you see H.323 support. I do not think you are scanning what you intend to scan.

Neither of these scans actually looks like the ESXi vmkernel device, as the wrong ports are open.

You could scan your vmkernel device, then report your findings and compare that to what your VM is showing, etc.

In all this your vmkernel is NOT part of this network really. You are hitting the vSwitch, then the vSwitch goes to the vNIC... the vmkernel Management Console is not part of this picture at all.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

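The reasoning in the thread can be turned into a repeatable check. The script below is an added example, not code from either poster or from VMware: it parses the three nmap listings FiremanE63 posted (copied verbatim into the block, headers and blank lines dropped) and applies the rule the replies lean on. A powered-off guest cannot answer anything, so any port that still replies, open or closed, with the guest shut down is being answered by something else in the path or sharing the address, which is exactly where the H.323, squid-http and http-proxy ports and the "security policy violation" page on port 80 point. Ports open from both vantage points that go quiet with the guest off are the guest's own. The ESXi port set is an assumption: 902 is the port Texiwill names; 443 (vSphere API and web access on a default ESXi host) is my addition.

```python
"""Triage nmap results for one IP scanned from different vantage points.

A powered-off machine answers nothing, so a port that still replies (open or closed)
with the guest shut down is answered by something else in the path, not by the guest."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One port line of nmap "normal" output, e.g. "1720/tcp open  H.323/Q.931".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered|unfiltered)\s*(?P<service>\S*)",
    re.MULTILINE)

# 902/tcp is the ESXi port named in the thread; 443/tcp (vSphere API and web
# access on a default ESXi host) is added here as an assumption.
ESXI_MANAGEMENT_PORTS = {"902/tcp", "443/tcp"}

# The three scans as posted in the thread (headers and blank lines removed).
INSIDE_SCAN = """\
22/tcp   open   ssh
113/tcp  closed auth
9898/tcp open   unknown
"""
OUTSIDE_SCAN_GUEST_ON = """\
22/tcp   open   ssh
80/tcp   open   http
113/tcp  closed auth
1720/tcp open   H.323/Q.931
1863/tcp open   msnp
3128/tcp open   squid-http
4445/tcp open   unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open   http-proxy
9898/tcp open   unknown
"""
OUTSIDE_SCAN_GUEST_OFF = """\
80/tcp   open   http
1720/tcp open   H.323/Q.931
1863/tcp open   msnp
3128/tcp open   squid-http
4445/tcp open   unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open   http-proxy
"""

def parse_ports(nmap_output: str) -> dict[str, str]:
    """Map 'port/proto' -> state for every port line in nmap normal output."""
    return {f"{m['port']}/{m['proto']}": m["state"] for m in PORT_LINE.finditer(nmap_output)}

def open_ports(nmap_output: str) -> set[str]:
    return {p for p, s in parse_ports(nmap_output).items() if s == "open"}

@dataclass(frozen=True)
class Triage:
    guest: set[str]         # open from both vantage points and silent with the guest off
    intermediary: set[str]  # still replying (open or closed) with the guest off
    outside_only: set[str]  # open only from outside and not explained by the off scan
    inside_only: set[str]   # open only from inside the subnet

def triage(inside: str, outside_on: str, outside_off: str) -> Triage:
    """Separate the guest's own ports from ones answered by a device in the path."""
    open_in, open_out = open_ports(inside), open_ports(outside_on)
    # "filtered" means no reply at all; anything else is a reply from *something*.
    not_guest = {p for p, s in parse_ports(outside_off).items() if s != "filtered"}
    return Triage(guest=(open_in & open_out) - not_guest,
                  intermediary=not_guest,
                  outside_only=(open_out - open_in) - not_guest,
                  inside_only=open_in - open_out)

def esxi_management_visible(nmap_output: str) -> bool:
    """True if the scan shows a port expected on an ESXi vmkernel interface."""
    return bool(open_ports(nmap_output) & ESXI_MANAGEMENT_PORTS)

if __name__ == "__main__":
    result = triage(INSIDE_SCAN, OUTSIDE_SCAN_GUEST_ON, OUTSIDE_SCAN_GUEST_OFF)
    for label, ports in vars(result).items():
        print(f"{label:13s}", sorted(ports, key=lambda p: int(p.split("/")[0])))
```

On the posted data this puts only 22/tcp and 9898/tcp in the guest's column and all 17 ports from the powered-off scan, the closed X11 range included, in the intermediary column; none of the scans shows 902/tcp or 443/tcp, which matches Texiwill's observation that the ESXi vmkernel interface is not what is answering. To confirm where those replies come from, the same scan can be run with nmap's --traceroute option from the desktop, and the vmkernel address 192.168.81.18 can be scanned from both vantage points and fed through the same comparison.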