Nmap Development: Here's something to ponder...

From: Craig Humphrey <Craig.Humphrey_at_chapmantripp.com>
Date: Wed, 6 Jul 2005 10:28:11 +1200

Hi People,

Just came across an interesting result in nmap 3.81 (on WinXPsp2 no
less).

nmap.exe -sSV -O some.computer.net
Interesting ports on some.computer.net (xxx.xxx.xxx.xxx):
(The 1657 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
25/tcp open smtp?
80/tcp closed http
143/tcp open imap Microsoft Exchange 2000 IMAP4rev1 server 6.0.6249.0
1723/tcp open pptp?
3389/tcp open microsoft-rdp Microsoft Terminal Service
4444/tcp open http Microsoft IIS webserver 5.0
[snip snip]
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows Server 2003 Standard Edition

Nmap finished: 1 IP address (1 host up) scanned in 124.183 seconds

Spot the point of interest? The host reports as Win2k3, yet it's
running IIS5 (which is Win2k) and Exchange2000 (which must be run on a
Win2k server, not 2k3).

The service signature for the SMTP services wasn't recognised (I'll post
the sig below), which is odd, since you'd expect it to be
Exchange2000...

All of which seems to suggest that this box is actually doing some form
of port-forwarding (ISA?) to multiple boxes behind the scenes... Or nmap
got the OS sig wrong.... Which seems a little unlikely.

What would people generally do next to determine if this is actually a
firewall/proxy box? Firewalk? Packet sniff the packets to/from services
to see if they have the same RTT as a ping to the box's IP address?

I guess this would normally be a Friday type question... But the list
has been relatively quiet... [everyone must be "working"]

How does nmap handle unicode/utf-8 responses? It might explain the odd
SMTP sig.

Later'ish
Craig

SMTP sig:
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=3.81%D=7/6%Time=42CAFFC2%P=i686-pc-windows-windows%r(NULL,
SF:76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*\*\*\*
SF:\*\*\*\*200\x20\r\n")%r(Help,96,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*200\*\*0\*\*\*\*\*\*\*\*\*\*200\x20\r\n500\x205\.3\.3\x20Unrec
SF:ognized\x20command\r\n")%r(GenericLines,76,"220\x20\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*0\*\*\*\*200\x20\r\n")%r(GetReques
SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*\
SF:*0\x20\*\*200\x20\r\n")%r(HTTPOptions,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*\*\*\*\*\*200\x20\r\n")%r(RTSPReques
SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*2
SF:0\x20\*\*200\x20\r\n")%r(RPCCheck,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*200\*\*0\*\*\*2\*2\*\*\*\*200\x20\r\n")%r(DNSVersionBindR
SF:eq,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*
SF:\*0\x20\*\*200\x20\r\n");

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Jul 05 2005
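The SMTP fingerprint in the post is hard to read in its escaped form. What follows is an added example (not code from the post, and not Nmap's own code) that decodes Nmap's "SF-Port.../SF:" service-fingerprint format back into the raw bytes each probe received. It runs on a constructed, shortened fingerprint laid out like the one above (the asterisk-masked 220 banner is kept, the long asterisk runs are cut down) and assumes the escaping rules listed in its docstring; the "\0" escape is assumed to be emitted by nmap alongside "\r", "\n" and "\t".

```python
"""Decode an Nmap service fingerprint ("SF-Port..." / "SF:" lines) back into
the raw bytes each probe received, so a masked banner like the SMTP one in the
post can be inspected byte for byte.

Added example; not code from the original post or from Nmap. Assumed format
(matching the block in the post): continuation lines start with "SF:", every
probe result is %r(ProbeName,HexLength,"escaped bytes"), and the escaping
uses \\xHH, \\r, \\n, \\t, \\0 (assumed), \\\\ and a backslash before regex
metacharacters such as \\* and \\. .
"""
import re

# Constructed sample in the same layout as the post's fingerprint, shortened:
# the asterisk-masked 220 banner is kept, the long asterisk runs are not.
SAMPLE_FP = r"""
SF-Port25-TCP:V=3.81%D=7/6%Time=42CAFFC2%P=i686-pc-windows-windows%r(NUL
SF:L,19,"220\x20\*\*\*\*\*\*\*\*\*\*0\*2\*\*200\x20\r\n")%r(Help,39,"220\x20\*\*
SF:\*\*\*\*\*\*\*\*0\*2\*\*200\x20\r\n500\x205\.3\.3\x20Unrecognized\x20co
SF:mmand\r\n");
"""

_LINE_RE = re.compile(r"^SF(?:-Port(\d+)-(\w+))?:(.*)$")
_RESULT_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_SIMPLE_ESC = {"r": b"\r", "n": b"\n", "t": b"\t", "0": b"\0"}  # \0 assumed


def join_lines(text):
    """Strip the SF-Port/SF: prefixes and glue the pieces back together.
    Escape sequences may be split across lines (the post's fingerprint has
    several), so joining must happen before unescaping."""
    port = proto = None
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a fingerprint line: {line!r}")
        if m.group(1) is not None:
            port, proto = int(m.group(1)), m.group(2)
        parts.append(m.group(3))
    if port is None:
        raise ValueError("missing SF-Port<n>-<proto>: header line")
    return port, proto, "".join(parts)


def unescape(esc):
    """Turn the fingerprint's escaped text back into bytes."""
    out = bytearray()
    i = 0
    while i < len(esc):
        c = esc[i]
        if c != "\\":
            out += c.encode("latin-1")
            i += 1
            continue
        if i + 1 >= len(esc):
            raise ValueError("dangling backslash at end of response")
        nxt = esc[i + 1]
        if nxt == "x":                       # \xHH
            out.append(int(esc[i + 2:i + 4], 16))
            i += 4
        elif nxt in _SIMPLE_ESC:             # \r \n \t \0
            out += _SIMPLE_ESC[nxt]
            i += 2
        else:                                # \* \. \" \\ : literal next char
            out += nxt.encode("latin-1")
            i += 2
    return bytes(out)


def parse_service_fingerprint(text):
    """Return port, protocol, the V=/D=/Time=/P= metadata and one record per
    probe, each with the decoded bytes and a declared-vs-actual length check."""
    port, proto, body = join_lines(text)
    head = body.split("%r(", 1)[0]           # V=..%D=..%Time=..%P=..
    meta = dict(kv.split("=", 1) for kv in head.split("%") if "=" in kv)
    probes = []
    for name, hexlen, esc in _RESULT_RE.findall(body):
        data = unescape(esc)
        declared = int(hexlen, 16)
        probes.append({"probe": name, "declared_len": declared, "data": data,
                       "length_ok": len(data) == declared})
    return {"port": port, "proto": proto, "meta": meta, "probes": probes}


def banner_profile(data):
    """Summarise the first response line: reply code, how many bytes were
    replaced by '*', and which bytes survived the masking."""
    first = data.split(b"\r\n", 1)[0]
    code, _, rest = first.partition(b" ")
    return {"code": code.decode("latin-1"), "masked": rest.count(b"*"),
            "kept": bytes(b for b in rest if b != 0x2A)}


if __name__ == "__main__":
    fp = parse_service_fingerprint(SAMPLE_FP)
    print(f"port {fp['port']}/{fp['proto']}, nmap {fp['meta']['V']}")
    for p in fp["probes"]:
        flag = "" if p["length_ok"] else "  (length mismatch!)"
        print(f"{p['probe']:>18}: {p['data']!r}{flag}")
    print(banner_profile(fp["probes"][0]["data"]))
```

Decoded, the NULL-probe response is a 220 greeting in which everything except digits and spaces has been replaced by asterisks, which is exactly what the version probes have nothing to match on. The length check (hex length field against decoded byte count) is also a cheap way to confirm that a fingerprint re-wrapped by a mail client was joined back together correctly before submitting it.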

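One way to act on the "same RTT as a ping?" idea from the post is to time the TCP handshake to each port and compare the medians against a reference measured on the same IP. The script below is an added example (not from the post, and not Nmap's own code); it assumes plain connect() timing, so no raw sockets and no TTL or IP-ID inspection, takes the handshake time as the SYN to SYN/ACK (or SYN to RST for a closed port) round trip, uses an illustrative 2 ms tolerance, and ships with constructed sample measurements so the decision rule can be exercised offline.

```python
"""Time the TCP handshake to each port of interest and flag ports whose
latency differs from a reference enough to suggest they are forwarded to a
different host behind the scanned IP.

Added example; not code from the post or from Nmap. Assumptions: plain
connect() timing (no raw sockets), a closed port's RST on the same IP as the
reference for "the box itself", and an illustrative 2 ms tolerance."""
import socket
import statistics
import sys
import time


def measure_handshake_rtts(host, port, samples=5, timeout=3.0):
    """Return a list of handshake times in seconds. A RST (connection
    refused) is as good a measurement as a SYN/ACK: both tell you how far
    away the thing answering on that port is. Timeouts are dropped."""
    rtts = []
    for _ in range(samples):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        t0 = time.perf_counter()
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            pass                      # RST came back: still a valid RTT
        except OSError:
            s.close()
            continue                  # timeout / unreachable: no sample
        rtts.append(time.perf_counter() - t0)
        s.close()
    return rtts


def classify_ports(rtt_by_port, reference_rtts, tolerance_s=0.002):
    """Compare each port's median handshake time with the reference (e.g. the
    RST time of a closed port on the same IP, or a ping). Ports whose median
    sits outside max(tolerance, 3 sigma of the reference) are flagged."""
    if not reference_rtts:
        raise ValueError("no reference samples")
    ref = statistics.median(reference_rtts)
    limit = max(tolerance_s, 3 * statistics.pstdev(reference_rtts))
    verdicts = {}
    for port, rtts in sorted(rtt_by_port.items()):
        if len(rtts) < 3:
            verdicts[port] = "no data"
        elif abs(statistics.median(rtts) - ref) > limit:
            verdicts[port] = "forwarded?"
        else:
            verdicts[port] = "same host"
    return verdicts


# Constructed measurements (seconds) to show the decision rule offline. In the
# post's scan port 80 is closed, so its RST timing would be the reference.
SAMPLE_REFERENCE = [0.0200, 0.0210, 0.0195]
SAMPLE_RTTS = {
    25:   [0.0202, 0.0199, 0.0205, 0.0201, 0.0203],   # answered by the box
    143:  [0.0310, 0.0305, 0.0320, 0.0308, 0.0312],   # an extra hop away
    4444: [],                                         # nothing answered
}


if __name__ == "__main__":
    if len(sys.argv) >= 3:            # live: script.py host closed_port port...
        host, closed = sys.argv[1], int(sys.argv[2])
        ports = [int(p) for p in sys.argv[3:]]
        reference = measure_handshake_rtts(host, closed)
        rtts = {p: measure_handshake_rtts(host, p) for p in ports}
    else:
        reference, rtts = SAMPLE_REFERENCE, SAMPLE_RTTS
    for port, verdict in classify_ports(rtts, reference).items():
        med = statistics.median(rtts[port]) if rtts[port] else float("nan")
        print(f"{port:>5}/tcp  median {med * 1000:6.2f} ms  {verdict}")
```

Two caveats when reading the verdicts. NAT-style port forwarding passes the SYN through to the back-end host, so the extra hop shows up in the handshake time; an application proxy (ISA in proxy mode, for instance) completes the handshake itself, so identical RTTs do not rule a proxy out. And on a path with a few milliseconds of jitter the tolerance needs to come from the reference spread rather than the fixed 2 ms, which is why the limit is the larger of the two; the TTL of the returning SYN/ACK, captured with a sniffer, is the complementary signal when the timings are inconclusive.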