Re: help interpreting the nmap output
From: miguel.dilaj () pharma novartis com
Date: Fri, 17 Dec 2004 09:37:57 +0100
Good! Yes, you guess correctly, it seems that Apache was setup to show
only its name.
For other ports, like services that don't have a text banner, you've 2
very nice options:
a) use the -sV option in nmap. Read The Fine Manual, and also the article
Take into account that this is not stealth (like -sS), it establishes the
full TCP connection.
Be sure to use latest nmap, this option is quite new (>=3.45).
There's also a good article by Brian Hatch at InfoSec News:
b) use amap (http://www.thc.org/releases.php)
Amap is a next-generation scanning tool, which identifies applications and
services even if they are not listening on the default port by creating a
bogus communication and analyzing the responses. Changes: more
identifications, SSL bugfix. Voted into the top-50 security tool list!
There're other tools out there to do the identification, Nessus for
example can do some detection, but the 2 tools above are the preferred
ones by most people (in my case: plain nmap, but I recognize the merits of
amap as well).
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
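A small Python self-check for the HEAD probe shown in this thread, added here as an example and not part of the thread or of nmap/amap: it parses the reply the way a person would read the netcat output and reports whether the Server header is absent, name-only (what Apache's ServerTokens Prod setting gives) or carries a version. The sample replies are constructed, and the host name in probe() is a placeholder.

```python
"""Added example: does a web server disclose its software version?"""
import socket

# Constructed sample replies, not captured from any real host.
NO_SERVER_HEADER = (b"HTTP/1.1 200 OK\r\nDate: Thu, 16 Dec 2004 19:41:45 GMT\r\n"
                    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n")
NAME_ONLY = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
FULL_VERSION = b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Unix) PHP/4.3.9\r\n\r\n"


def parse_head(raw: bytes) -> dict:
    """Return {lower-cased header name: value} from the head of an HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_level(headers: dict) -> str:
    """'none'    : no Server header at all (as in the reply quoted in the thread)
       'name'    : product name only, e.g. "Server: Apache"
       'version' : version number and/or module list exposed"""
    server = headers.get("server")
    if server is None:
        return "none"
    if any(ch.isdigit() for ch in server) or "(" in server:
        return "version"
    return "name"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the same HEAD request as the netcat session (plus the Host and
    Connection headers HTTP/1.1 expects) and return the raw reply.
    Returns b'' if the service stays silent, like the telnet port in the thread."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                  % host.encode())
        chunks = []
        try:
            while (data := s.recv(4096)):
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break
        except socket.timeout:
            pass
        return b"".join(chunks)


if __name__ == "__main__":
    # Stand-alone demo on the constructed samples; use probe("your.host.invalid")
    # against your own server to check its configuration.
    for sample in (NO_SERVER_HEADER, NAME_ONLY, FULL_VERSION):
        print(disclosure_level(parse_head(sample)))
```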
"Ivan Fratric" <hacky_2001 () hotmail com>
To: Miguel Dilaj/PH/Novartis () PH, security-basics () securityfocus com
Subject: Re: help interpreting the nmap output
Thanks for the reply. I tried using netcat, and I get the following
nc -vv xxx.xxx.xxx.xxx 80
xxxxxxxxxxxx.com [xxx.xxx.xxx.xxx] 80 (http) open
HEAD / HTTP/1.1
HTTP/1.1 200 OK
Date: Thu, 16 Dec 2004 19:41:45 GMT
Content-Type: text/html; charset=iso-8859-1
So I guess the apache is configured not to show its version? When I try
using netcat on the other mentioned ports I get something like
nc -vv xxx.xxx.xxx.xxx 23
xxxxxxxxxxxx.com [xxx.xxx.xxx.xxx] 23 (telnet) open
sent 0, rcvd 0: NOTSOCK
Is there anything else that can be done regarding the ports giving output