Nmap Development: NAP 3.55 SP2 testing

NAP 3.55 SP2 testing

From: Sean <news_nospam__at_warnocksolutions.com>
Date: Fri, 13 Aug 2004 09:08:43 -0700

Much better response than before. Performance is up from previous versions using a syn scan. I went ahead and ran 3.55 without the patch and sure enough my SP2 XP box just sits there for what seems like all eternity. The new patch seems to do version scanning correctly and as suspected TCP Connect scans take quite a while to complete. For comparison I ran two scans against this host (tirpitz, an internal test machine running Windows Server 2003 and a ton of services). Time to complete a SYN scan was around half a second. The TCP connect scan was still running at over an hour when I finally just sent this e-mail. At this time I would say the TCP connect scan is broken on XP SP2 but having the application run at all again under XP is a great place to be. Thanks for all of the hard work to all of the contributors to the app and I wish I could do more than this.

Sean

Just a SYN scan with version scanning:
Starting nmap 3.55-SP2 ( http://www.insecure.org/nmap ) at 2004-08-13 08:0
fic Daylight Time
Host tirpitz.corp.warnocksolutions.com (192.168.200.201) appears to be up ... good.
Initiating SYN Stealth Scan against tirpitz.corp.warnocksolutions.com (192.168.200.201) at 08:02
Adding open port 25/tcp
Adding open port 593/tcp
Adding open port 1067/tcp
Adding open port 42/tcp
Adding open port 53/tcp
Adding open port 8081/tcp
Adding open port 139/tcp
Adding open port 3389/tcp
Adding open port 6002/tcp
Adding open port 3268/tcp
Adding open port 443/tcp
Adding open port 636/tcp
Adding open port 3269/tcp
Adding open port 1433/tcp
Adding open port 691/tcp
Adding open port 6001/tcp
Adding open port 1026/tcp
Adding open port 135/tcp
Adding open port 445/tcp
Adding open port 80/tcp
Adding open port 6004/tcp
Adding open port 1025/tcp
Adding open port 444/tcp
Adding open port 88/tcp
Adding open port 389/tcp
Adding open port 464/tcp
Adding open port 1112/tcp
The SYN Stealth Scan took 0 seconds to scan 1660 ports.
Initiating service scan against 27 services on 1 host at 08:02
The service scan took 91 seconds to scan 27 services on 1 host.
Interesting ports on tirpitz.corp.warnocksolutions.com (192.168.200.201):
(The 1633 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 6.0.3790.0
42/tcp open wins Microsoft Windows Wins
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS webserver 6.0
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
135/tcp open msrpc Microsoft Windows msrpc
139/tcp open netbios-ssn
389/tcp open ldap Microsoft LDAP server
443/tcp open ssl Microsoft IIS SSL
444/tcp open ssl Microsoft IIS SSL
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
464/tcp open kpasswd5?
593/tcp open http-rpc-epmap?
636/tcp open ssl Microsoft IIS SSL
691/tcp open resvc Microsoft Exchange routing server 6.5.7226

1025/tcp open msrpc Microsoft Windows msrpc
1026/tcp open msrpc Microsoft Windows msrpc
1067/tcp open msrpc Microsoft Windows msrpc
1112/tcp open msrpc Microsoft Windows msrpc
1433/tcp open ms-sql-s?
3268/tcp open ldap Microsoft LDAP server
3269/tcp open ssl Microsoft IIS SSL
3389/tcp open microsoft-rdp Microsoft Terminal Service (Windows 2000 S

6001/tcp open X11:1?
6002/tcp open X11:2?
6004/tcp open X11:4?
8081/tcp open blackice-icecap?
5 services unrecognized despite returning data. If you know the service/ve
 please submit the following fingerprints at http://www.insecure.org/cgi-b
vicefp-submit.cgi :

Nmap run completed -- 1 IP address (1 host up) scanned in 90.937 seconds

C:\nmap\nmap-3.55-SP2>

Basic SYN scan
Starting nmap 3.55-SP2 ( http://www.insecure.org/nmap ) at 2004-08-13 08:16 Paci
fic Daylight Time
Host tirpitz.corp.warnocksolutions.com (192.168.200.201) appears to be up ... go
od.
Initiating SYN Stealth Scan against tirpitz.corp.warnocksolutions.com (192.168.2
00.201) at 08:16
Adding open port 1025/tcp
Adding open port 53/tcp
Adding open port 88/tcp
Adding open port 42/tcp
Adding open port 1067/tcp
Adding open port 6001/tcp
Adding open port 3389/tcp
Adding open port 135/tcp
Adding open port 1433/tcp
Adding open port 8081/tcp
Adding open port 80/tcp
Adding open port 1112/tcp
Adding open port 389/tcp
Adding open port 139/tcp
Adding open port 691/tcp
Adding open port 25/tcp
Adding open port 636/tcp
Adding open port 6004/tcp
Adding open port 593/tcp
Adding open port 3269/tcp
Adding open port 464/tcp
Adding open port 6002/tcp
Adding open port 443/tcp
Adding open port 3268/tcp
Adding open port 1026/tcp
Adding open port 445/tcp
Adding open port 444/tcp
The SYN Stealth Scan took 0 seconds to scan 1660 ports.
Interesting ports on tirpitz.corp.warnocksolutions.com (192.168.200.201):
(The 1633 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
444/tcp open snpp
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
691/tcp open resvc
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1067/tcp open instl_boots
1112/tcp open msql
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
6001/tcp open X11:1
6002/tcp open X11:2
6004/tcp open X11:4
8081/tcp open blackice-icecap

Nmap run completed -- 1 IP address (1 host up) scanned in 0.578 seconds
Received on Aug 13 2004
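As an added example (not from the post and not Nmap's own code), a small Python script that parses the two port tables quoted above and marks, for each open port, whether version detection confirmed the nmap-services name, replaced it, or could not verify it (the trailing "?" in -sV output). The sample tables are abbreviated copies of the two scans above, with the truncated 3389 version string shortened.

```python
import re
from collections import namedtuple

# Abbreviated copies (constructed for this example) of the two port
# tables in the report above: plain SYN scan, and SYN scan with -sV.
SYN_ONLY = """\
PORT STATE SERVICE
593/tcp open http-rpc-epmap
1025/tcp open NFS-or-IIS
3389/tcp open ms-term-serv
6001/tcp open X11:1
8081/tcp open blackice-icecap
"""

VERSION_SCAN = """\
PORT STATE SERVICE VERSION
593/tcp open http-rpc-epmap?
1025/tcp open msrpc Microsoft Windows msrpc
3389/tcp open microsoft-rdp Microsoft Terminal Service
6001/tcp open X11:1?
8081/tcp open blackice-icecap?
"""

Port = namedtuple("Port", "state service version confirmed")
LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text):
    """Parse Nmap's text port table into {port_number: Port}.
    A trailing '?' on the service name means -sV could not identify the
    service, so the name is only the nmap-services guess for that port."""
    ports = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:  # header, blank and note lines
            continue
        num, _proto, state, service, version = m.groups()
        ports[int(num)] = Port(state, service.rstrip("?"), version or "",
                               not service.endswith("?"))
    return ports

def compare(syn_text, version_text):
    """Classify each port of the SYN-only scan by what -sV made of it."""
    syn, ver = parse_ports(syn_text), parse_ports(version_text)
    result = {}
    for num, guessed in syn.items():
        probed = ver.get(num)
        if probed is None:
            result[num] = "missing"      # not open in the -sV run
        elif not probed.confirmed:
            result[num] = "unverified"   # still just the port-number guess
        elif probed.service == guessed.service:
            result[num] = "confirmed"
        else:
            result[num] = "relabelled"   # probe contradicted the guess
    return result

if __name__ == "__main__":
    for num, verdict in sorted(compare(SYN_ONLY, VERSION_SCAN).items()):
        print(f"{num:>5}/tcp  {verdict}")
```

Ports such as 1025 (guessed NFS-or-IIS, actually msrpc) show why the SYN-only service column is only a lookup by port number, while the "?" ports keep that guess even after -sV.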
