I’ve tried netcat and telnet with Wireshark installed to monitor traffic to this port, all I get is a syn, syn ack, fin ack, nothing else.

Here are the results of my scan:

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-29 15:18 Eastern Standard Time
NSE: Loaded 57 scripts for scanning.
Initiating ARP Ping Scan at 15:18
Scanning 172.16.10.231 [1 port]
Completed ARP Ping Scan at 15:18, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:18
Completed Parallel DNS resolution of 1 host. at 15:18, 5.53s elapsed
Initiating SYN Stealth Scan at 15:18
Scanning 172.16.10.231 [1000 ports]
Discovered open port 80/tcp on 172.16.10.231
Discovered open port 21/tcp on 172.16.10.231
Discovered open port 443/tcp on 172.16.10.231
Discovered open port 23/tcp on 172.16.10.231
Discovered open port 14000/tcp on 172.16.10.231
Discovered open port 9100/tcp on 172.16.10.231
Discovered open port 515/tcp on 172.16.10.231
Discovered open port 7627/tcp on 172.16.10.231
Increasing send delay for 172.16.10.231 from 0 to 5 due to max_successful_tryno increase to 5
Discovered open port 280/tcp on 172.16.10.231
Completed SYN Stealth Scan at 15:18, 7.55s elapsed (1000 total ports)
Initiating Service scan at 15:18
Scanning 8 services on 172.16.10.231
Completed Service scan at 15:19, 53.71s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against 172.16.10.231
NSE: Script scanning 172.16.10.231.
Initiating NSE at 15:19
Completed NSE at 15:19, 4.00s elapsed
Nmap scan report for 172.16.10.231
Host is up (0.00s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp HP JetDirect ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can’t get directory listing: Can’t parse PASV response: “Authentication required.”
23/tcp open telnet HP JetDirect telnetd
80/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
|_http-methods: GET HEAD
| http-title: HP Color LaserJet CP4005 Printers
|_Requested resource was http://172.16.10.231/hp/device/this.LCDispatcher
280/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
|_http-methods: GET HEAD
| http-title: HP Color LaserJet CP4005 Printers
|_Requested resource was http://172.16.10.231/hp/device/this.LCDispatcher
443/tcp open ssl/http HP-ChaiSOE 1.0 (HP LaserJet http config)
|_http-methods: GET HEAD
| http-title: HP Color LaserJet CP4005 Printers
|_Requested resource was http://172.16.10.231/hp/device/this.LCDispatcher
515/tcp open printer
7627/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
|_http-methods: GET HEAD
| http-title: HP Color LaserJet CP4005 Printers
|_Requested resource was http://172.16.10.231/hp/device/this.LCDispatcher
9100/tcp open jetdirect?
14000/tcp open tcpwrapped
MAC Address: 00:1F:29:16:42:76 (Hewlett Packard)
Device type: printer
Running: HP embedded
OS details: HP LaserJet 2055dn, 2420, P3005, CP4005, or P4014 printer
Uptime guess: 13.947 days (since Tue Nov 15 16:36:17 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Device: printer

Can anyone explain why this port is opened?

Because something is listening on it. It went through a standard handshake, but either Nmap had no knowledge of what was expected or you weren’t connecting from an appropriate source location.

As for “what” is doing the listening, perhaps only HP can answer.

Nmap reports it as ‘tcpwrapped’ to indicate that some type of security (or obscurity) is blocking access. Since a more normal RST wasn’t returned and some handshaking succeeded, Nmap is notifying you that a TCP Wrapper is a likely explanation. It doesn’t that that’s what it is; it just has that kind of response profile.

HP might have a kind of service port that isn’t otherwise useful. Or any number of other possibilities exist.

Tom

Tom, thanks for the response. I understand the tcpwrapper possibility, Nmap is just interpreting and it’s probably wrong. But, the bottom line is that a port, 14000, is still open and listening. It fin-ack’d every attempt to connect. It didn’t just sit there and not respond, it responded. I’ve googled for days looking for any references linking the port to HP and have found nothing. Regarding your comment, “either Nmap had no knowledge of what was expected or you weren’t connecting from an appropriate source location”, exactly! Who or what is the appropriate source location? Is this a port that is used for firmware updates? I don’t know, I just can’t find any reference.

Thanks again.

…a port, 14000, is still open and listening. It fin-ack’d every attempt to connect.

That is, of course, the basic behavior that gets classified as “TCP Wrapper”. Unless the correct form of authentication is provided, nothing will get through.

I did a cursory look for references to { HP port 14000 } and didn’t see anything useful. Something like “firmware updates” came to mind, though I didn’t really think that’s what it was except that a ‘fast FTP’ function is sometimes expected to use port 14000.

Unless you get very lucky, I wouldn’t expect an answer from anywhere but HP support. They ought to know what it is. (And if they don’t know, they should be notified about it.)

Tom

Interesting side note today — Can a hacker catch your HP printer on fire?.

Tom

If I understood correctly, then Plz see this link here, hope it may help u!

Thanks for your responses. I do know about Scotty and I was aware of the article. The article prompted my attention. I’ve search the HP archives and there is no reference. Still looking.