Hello,
I am seeing an issue where if I do a network scan or nmap of a guest OS on ESXi 4 I also get back ports that the Host has open. I also get results when the guest is shutdown. Anyone have any ideas on why this happens? It did not always happen and I have not updated the ESXi host between when it did give me the results I expect and now. I can connect to port 80 (even when guest is shut down) and it does respond but looks like the ESXi host. This happens on every guest that is on this ESXi host.
Nmap results from guest on same ESXi host:
Interesting ports on 192.168.X.X:
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed auth
9898/tcp open unknown
Nmap results from my desktop to same guest.
Interesting ports on 192.168.X.X:
Not shown: 980 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
113/tcp closed auth
1720/tcp open H.323/Q.931
1863/tcp open msnp
3128/tcp open squid-http
4445/tcp open unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open http-proxy
9898/tcp open unknown
With guest turned off I get:
Interesting ports on 192.168.X.X:
Not shown: 983 filtered ports
PORT STATE SERVICE
80/tcp open http
1720/tcp open H.323/Q.931
1863/tcp open msnp
3128/tcp open squid-http
4445/tcp open unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open http-proxy
When I connect to port 80 I get this info:
HTTP/1.0 200 OK
Pragma: no-cache
Cache-Control: no-store
Content-Type: text/html
Content-Length: 230
Access denied due to security policy violation
Reject ID: 4b05c77a-10004-12071dac-7b6
Connection to host lost.
Hello,
Moved to Security Forum.
What this looks like is that you are scanning the subnet and that the ESXi vmkernel management console is also on the same subnet. Can you explain your network and nmap options?
If you 'target' a guest, you should only see that guest. However, if you see anything else it could be other items on the subnet.
Also, please provide your nmap command line.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast)
The nmap command line is "nmap 192.168.81.27" just doing a basic scan no special options. If I do this from my PC that is on a 10.6.3.x network I get all the extra ports. If I do it from 192.168.81.26 server (a guest on the ESXi host) I only get the 3 ports I expect. If I shutdown all the guests on that ESXi box (esxi host ip is 192.168.81.18) and do a nmap -P0 192.168.81.27 I get the results that I have shown. This happens on all the guests on that host 192.168.81.19-30 with same results. It's almost as if the ESXi host is routing the scans and responding to some of them.
The only physical server on the 192.168.81.16 subnet is the ESXi host. No other management tools are being used. I run the client from my desktop on the 10.6.3.x network.
Hello,
So you scan the single IP from a VM already in that subnet and you get 3 ports opened. This does not look like it is returning anything related to ESXi which would include port 902, etc.
If you scan the single IP from a desktop OUTSIDE that subnet (10.) you get more ports open. This sounds like you are actually scanning the router/firewall/NAT device instead of the actual IP as you see H.323 support. I do not think you are scanning what you intend to scan.
Neither of these scans actually looks like the ESXi vmkernel device as the wrong ports are actually opened.
You could scan your vmkernel device, then report your findings and compare that to what your VM is showing, etc.
In all this your vmkernel is NOT part of this network really. You are hitting the vSwitch then the vSwitch goes to the vNIC... vmkernel Management Console is not part of this picture at all.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
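As an added worked illustration of the moderator's diagnosis (this is not code from the thread): the three scans can be compared mechanically, using the guest-off scan as the control, so that any port still answering while the target is powered off is attributed to an intermediate device such as the router/firewall/NAT in the path rather than to the guest. The sample outputs below are constructed from the listings quoted above (abbreviated), with 192.168.X.X left as a placeholder.

```python
import re

# Constructed sample nmap normal output, abbreviated from the three scans in the thread.
SCAN_FROM_GUEST = """\
Interesting ports on 192.168.X.X:
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed auth
9898/tcp open unknown
"""
SCAN_FROM_DESKTOP = """\
Interesting ports on 192.168.X.X:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
113/tcp closed auth
1720/tcp open H.323/Q.931
3128/tcp open squid-http
8080/tcp open http-proxy
9898/tcp open unknown
"""
SCAN_GUEST_OFF = """\
Interesting ports on 192.168.X.X:
PORT STATE SERVICE
80/tcp open http
1720/tcp open H.323/Q.931
3128/tcp open squid-http
8080/tcp open http-proxy
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")

def parse_ports(text):
    """Return {port: state} for every PORT/STATE line of nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports

def attribute_ports(inside, outside, target_off):
    """Split the outside-vantage result into ports the target itself answers,
    ports an intermediate device answers (still present with the target off),
    and ports that neither scan explains (need a closer look)."""
    target_ports = set(inside)
    only_outside = set(outside) - target_ports
    intermediary = set(target_off)
    return {"target": sorted(target_ports & set(outside)),
            "intermediary": sorted(only_outside & intermediary),
            "unexplained": sorted(only_outside - intermediary)}

def analyse():
    return attribute_ports(parse_ports(SCAN_FROM_GUEST),
                           parse_ports(SCAN_FROM_DESKTOP),
                           parse_ports(SCAN_GUEST_OFF))
```

Running analyse() on the constructed samples puts 80, 1720, 3128 and 8080 in the "intermediary" bucket, which is exactly the set the poster saw with every guest shut down.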