Testing nmap/AppleBSD on a larger /24 network (and hoping to
develop a "test suite" eventually):
# nmap -n -sP 172.16.100.0/24
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
[...]
Nmap run completed -- 256 IP addresses (128 hosts up) scanned in 8 seconds
# nmap -n -sS -O -p'80,113,139' 172.16.100.0/24
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
[...]
Nmap run completed -- 256 IP addresses (135 hosts up) scanned in 431 seconds
Most are M$ boxes, with a few exceptions:
1) nmap only identified 2 of 3 Cisco switches:
Interesting ports on (172.16.100.91):
(The 2 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11)
Interesting ports on (172.16.100.94):
(The 2 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11)
even though the 3rd switch:
Interesting ports on (172.16.100.1):
(The 2 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EA95%O=80%C=113)
TSeq(Class=TR%IPID=Z%TS=U)
T1(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 3 scanned ports on (172.16.100.13) are: closed
Too many fingerprints match this host for me to give an accurate OS guess
has an admin webpage:
# telnet 172.16.100.1 80
[...]
Date: Wed, 05 May 1993 10:56:33 UTC
Server: cisco-IOS/12.0 HTTP-server/1.0(1)
<TITLE>Switch Home Page
<H1>Cisco Systems
<H2>Accessing Cisco WS-C2924-XL "Switch"
[...]
nearly identical to the other 2, which barely differ:
# telnet 172.16.100.91 80
[...]
Date: Sat, 20 Mar 1993 00:23:10 UTC
Server: cisco-IOS/12.0 HTTP-server/1.0(1)
<TITLE>WS-C2924-XL Home Page
<H1>Cisco Systems
<H2>Accessing Cisco WS-C2924-XL "WS-C2924-XL"
# telnet 172.16.100.94 80
[...]
Date: Sat, 20 Mar 1993 00:24:58 UTC
Server: cisco-IOS/12.0 HTTP-server/1.0(1)
<TITLE>WS-C2924-XL Home Page
<H1>Cisco Systems
<H2>Accessing Cisco WS-C2924-XL "WS-C2924-XL"
Why might the 3rd switch look different? Would another
type of scan give some insight?
2) Another box wasn't identified:
# nmap -n -sS -O -F 172.16.100.25
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on (172.16.100.25):
(The 1110 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
427/tcp open svrloc
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EABB%O=139%C=80)
TSeq(Class=TD%gcd=1%SI=1%IPID=BI%TS=0)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
Is there another way nmap might identify this system's OS?
3) Curiously, .115 didn't show up in the ping scan, then
looked filtered in the network scan:
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on (172.16.100.115):
Port State Service
80/tcp filtered http
113/tcp filtered auth
139/tcp filtered netbios-ssn
Too many fingerprints match this host for me to give an accurate OS guess
but then opened up:
# nmap -n -sS -O -F 172.16.100.115
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on (172.16.100.115):
(The 1108 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
1026/tcp open nterm
Remote operating system guess: Windows NT4 / Win95 / Win98
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
Is there a reason for this "flakiness"? (Maybe the
system was booting up?)
4) Some were probably behind "personal firewalls":
# nmap -n -sS -O -F 172.16.100.39
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1113 scanned ports on (172.16.100.39) are: closed
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
Any scans that might work on these?
Thanks!
Tod
abl.com
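Added example (not part of the original post, and not nmap's own code): the "TCP/IP fingerprint" block that nmap 2.54 prints when it finds no OS match has a simple line format, `Test(key=value%key=value...)`, where SInfo is scan metadata (nmap version, platform, date, the open and closed ports used) and TSeq, T1-T7 and PU are the actual probe results. The parser below reads that format and diffs two fingerprints attribute by attribute, which is a quick way to see why two hosts land in different fingerprint classes. It is fed the two fingerprints quoted in the post (the WS-C2924-XL at .1 and the unidentified host at .25) and assumes only that every line matches that `name(body)` shape; the field names (DF, W, Ops, ACK, Flags) are the ones nmap prints, and the short glossary is an assumption added here for readability.

```python
import re
from typing import Dict, Tuple

# Fingerprint blocks copied verbatim from the post above.
FP_SWITCH_DOT1 = """\
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EA95%O=80%C=113)
TSeq(Class=TR%IPID=Z%TS=U)
T1(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

FP_HOST_DOT25 = """\
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EABB%O=139%C=80)
TSeq(Class=TD%gcd=1%SI=1%IPID=BI%TS=0)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
"""

# Assumed (not from the post): one-line meanings for the most telling attributes.
GLOSSARY = {
    "DF": "don't-fragment bit set on the reply",
    "W": "advertised TCP window size (hex)",
    "Ops": "TCP options in the order the stack emits them",
    "ACK": "acknowledgement number relative to the probe's sequence number",
    "Class": "TCP initial sequence number generation class",
    "IPID": "IP ID generation pattern",
    "TS": "TCP timestamp option behaviour",
}

LINE_RE = re.compile(r"^(\w+)\((.*)\)$")

Fingerprint = Dict[str, Dict[str, str]]


def parse_fingerprint(text: str) -> Fingerprint:
    """Parse nmap 2.54 'Test(k=v%k=v)' lines into {test: {key: value}}."""
    tests: Fingerprint = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fingerprint line: {line!r}")
        name, body = m.groups()
        attrs: Dict[str, str] = {}
        for item in (body.split("%") if body else []):
            key, _, value = item.partition("=")  # 'Ops=' yields an empty value
            attrs[key] = value
        tests[name] = attrs
    return tests


def diff_fingerprints(a: Fingerprint, b: Fingerprint,
                      ignore: Tuple[str, ...] = ("SInfo",)) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {test: {attr: (a_value, b_value)}} for every attribute that differs.

    SInfo is skipped by default because it describes the scan, not the target."""
    out: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for test in sorted(set(a) | set(b)):
        if test in ignore:
            continue
        ta, tb = a.get(test, {}), b.get(test, {})
        changed = {k: (ta.get(k), tb.get(k))
                   for k in sorted(set(ta) | set(tb)) if ta.get(k) != tb.get(k)}
        if changed:
            out[test] = changed
    return out


def explain_diff(diff: Dict[str, Dict[str, Tuple[str, str]]]) -> str:
    """Render a diff as readable lines, annotating attributes found in GLOSSARY."""
    lines = []
    for test, attrs in diff.items():
        for key, (va, vb) in attrs.items():
            note = GLOSSARY.get(key, "")
            lines.append(f"{test}.{key}: {va!r} -> {vb!r}" + (f"  ({note})" if note else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    switch = parse_fingerprint(FP_SWITCH_DOT1)
    host = parse_fingerprint(FP_HOST_DOT25)
    print(explain_diff(diff_fingerprints(switch, host)))
```

Running it shows that the two hosts agree on T2, T4, T5, T6 and PU and differ only in TSeq, T1, T3 and T7: the switch sends no DF bit, a window of 0x1020 and only an MSS option, while the .25 host sets DF, advertises 0x2017 and emits the longer `MNWNNT` option string, which is why the two fall into entirely different fingerprint families in nmap's database.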
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Nov 05 2001