-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Well, I could be wrong, but here's what I think.
Most ports are filtered, except for port 80. Now, that can mean two things:
a) The host is firewalled, but something (maybe an ISP) is blocking port 80.
b) There is a hardware firewall/router that forwards ports including 80,
but port 80 is closed on the host.
If (b) is what's going on, then I don't know what the problem is.
If (a) is what's going on, then it's possible it's partly fingerprinting
whatever is blocking the port (the ISP), not the actual server. This
has happened to me before, when my friend's ISP blocked ports by closing
them, not filtering.
This can be confirmed by running a traceroute on port 80 and another on,
say, port 25, and comparing the results.
Another possibility is that there's a rewriting proxy or router that is
reforming the packets. I'm not sure how to detect if that's happening,
I'm afraid.
Hope that helps a bit.
- -Ron
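The two checks proposed in this thread (Ron's traceroute-on-different-ports comparison, and Craig's idea of comparing per-service RTT against a ping to the address) can both be reduced to looking at the TTL and timing of each reply that comes back. The script below is an added example written for this page, not code from the thread or from nmap: it takes per-port reply measurements (the constructed `SAMPLE_REPLIES` and `SAMPLE_ICMP` values stand in for what a packet capture of a scan would yield; the ports mirror Craig's output but the TTLs, windows and RTTs are invented), estimates hop distance from the reply TTL using the usual 32/64/128/255 initial-TTL heuristic, and reports when a "closed" port answered from fewer hops away than the open services (Ron's case a: the RST came from an intermediary), when open services show more than one TTL/window signature (several stacks behind one address, i.e. port forwarding), and when a port's RTT drifts from the ICMP RTT. The grouping key and tolerances are assumptions, not a standard.

```python
from collections import defaultdict
from dataclasses import dataclass

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # heuristic, assumed here


@dataclass(frozen=True)
class Reply:
    """One reply seen on the wire for a SYN probe to one port."""
    port: int
    state: str      # "open" (SYN-ACK came back) or "closed" (RST came back)
    ttl: int        # IP TTL on that reply
    rtt_ms: float   # probe-to-reply time
    window: int     # TCP window advertised on the reply (0 on a RST)


# Constructed sample data: NOT real measurements of any host.
SAMPLE_REPLIES = [
    Reply(25, "open", 116, 41.8, 16384),
    Reply(80, "closed", 250, 11.9, 0),       # RST from much nearer than the host
    Reply(143, "open", 116, 42.3, 16384),
    Reply(1723, "open", 116, 41.5, 16384),
    Reply(3389, "open", 116, 42.0, 16384),
    Reply(4444, "open", 115, 43.1, 17520),   # one hop further, different window
]
SAMPLE_ICMP = {"ttl": 116, "rtt_ms": 41.2}   # echo reply from the scanned address


def initial_ttl(observed: int) -> int:
    """Smallest common initial TTL that is >= the observed TTL."""
    for start in COMMON_INITIAL_TTLS:
        if observed <= start:
            return start
    raise ValueError(f"TTL {observed} out of range")


def hop_distance(observed: int) -> int:
    """Estimated number of routers the reply crossed."""
    return initial_ttl(observed) - observed


def origin_key(r: Reply) -> tuple:
    # (initial TTL, hops away, window) approximates "which TCP stack sent this";
    # RSTs carry no useful window, so it is dropped for closed ports.
    window = r.window if r.state == "open" else None
    return (initial_ttl(r.ttl), hop_distance(r.ttl), window)


def assess(replies, icmp, rtt_tolerance_ms: float = 5.0) -> dict:
    """Group replies by apparent origin and flag the three inconsistencies."""
    origins = defaultdict(list)
    for r in replies:
        origins[origin_key(r)].append(r.port)

    open_hops = [hop_distance(r.ttl) for r in replies if r.state == "open"]
    nearest_open = min(open_hops) if open_hops else None

    # 1. A RST that is closer than every open service came from an
    #    intermediate device (ISP filter, router), not from the host itself.
    upstream_closed = [
        r.port for r in replies
        if r.state == "closed" and nearest_open is not None
        and hop_distance(r.ttl) < nearest_open
    ]

    # 2. Several distinct signatures among open ports means more than one
    #    stack is answering behind this one address (port forwarding / proxy).
    open_keys = {origin_key(r) for r in replies if r.state == "open"}

    # 3. Service RTT that disagrees with the ICMP RTT to the same address.
    rtt_outliers = [
        r.port for r in replies
        if abs(r.rtt_ms - icmp["rtt_ms"]) > rtt_tolerance_ms
    ]

    return {
        "origins": dict(origins),
        "upstream_closed": upstream_closed,
        "distinct_open_stacks": len(open_keys),
        "rtt_outliers": rtt_outliers,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_REPLIES, SAMPLE_ICMP)
    for key, ports in result["origins"].items():
        print(f"origin {key}: ports {ports}")
    print("closed ports answered from upstream:", result["upstream_closed"])
    print("distinct stacks behind open ports:", result["distinct_open_stacks"])
    print("ports whose RTT disagrees with ICMP:", result["rtt_outliers"])
```

On the constructed sample the script reports port 80's RST as coming from an upstream device (5 hops versus 12 for the services), two distinct stacks among the open ports, and port 80 as the only RTT outlier. Real captures are noisier than this: TTL and window vary with OS tuning and load balancers rewrite both, so treat a single disagreeing port as a prompt to look at the traceroutes, not as proof.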
Craig Humphrey wrote:
> Hi People,
>
> Just came across an interesting result in nmap 3.81 (on WinXPsp2 no
> less).
>
> nmap.exe -sSV -O some.computer.net
> Interesting ports on some.computer.net (xxx.xxx.xxx.xxx):
> (The 1657 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE VERSION
> 25/tcp open smtp?
> 80/tcp closed http
> 143/tcp open imap Microsoft Exchange 2000 IMAP4rev1 server
> 6.0.6249.0
> 1723/tcp open pptp?
> 3389/tcp open microsoft-rdp Microsoft Terminal Service
> 4444/tcp open http Microsoft IIS webserver 5.0
> [snip snip]
> Device type: general purpose
> Running: Microsoft Windows 2003/.NET
> OS details: Microsoft Windows Server 2003 Standard Edition
>
> Nmap finished: 1 IP address (1 host up) scanned in 124.183 seconds
>
> Spot the point of interest? The host reports as Win2k3, yet it's
> running IIS5 (which is Win2k) and Exchange2000 (which must be run on a
> Win2k server, not 2k3).
>
> The service signature for the SMTP services wasn't recognised (I'll post
> the sig below), which is odd, since you'd expect it to be
> Exchange2000...
>
> All of which seems to suggest that this box is actually doing some form
> of port-forwarding (ISA?) to multiple boxes behind the scenes... Or nmap
> got the OS sig wrong.... Which seems a little unlikely.
>
> What would people generally do next to determine if this is actually a
> firewall/proxy box. Firewalk? Packet sniff the packets to/from services
> to see if they have the same RTT as a ping to the box's IP address?
>
> I guess this would normally be a Friday type question... But the list
> has been relatively quiet... [everyone must be "working"]
>
> How does nmap handle unicode/utf-8 responses? It might explain the odd
> SMTP sig.
>
> Later'ish
> Craig
>
> SMTP sig:
> 1 service unrecognized despite returning data. If you know the
> service/version,
> please submit the following fingerprint at
> http://www.insecure.org/cgi-bin/servi
> cefp-submit.cgi :
> SF-Port25-TCP:V=3.81%D=7/6%Time=42CAFFC2%P=i686-pc-windows-windows%r(NUL
> L,
> SF:76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*\*\*
> \*
> SF:\*\*\*\*200\x20\r\n")%r(Help,96,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
> *\
> SF:*\*\*\*\*200\*\*0\*\*\*\*\*\*\*\*\*\*200\x20\r\n500\x205\.3\.3\x20Unr
> ec
> SF:ognized\x20command\r\n")%r(GenericLines,76,"220\x20\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*0\*\*\*\*200\x20\r\n")%r(GetRequ
> es
> SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\
> *\
> SF:*0\x20\*\*200\x20\r\n")%r(HTTPOptions,76,"220\x20\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*\*\*\*\*\*200\x20\r\n")%r(RTSPRequ
> es
> SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\
> *2
> SF:0\x20\*\*200\x20\r\n")%r(RPCCheck,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> \*
> SF:\*\*\*\*\*\*\*200\*\*0\*\*\*2\*2\*\*\*\*200\x20\r\n")%r(DNSVersionBin
> dR
> SF:eq,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
> *\
> SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*
> \*
> SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2
> \*
> SF:\*0\x20\*\*200\x20\r\n");
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCyxqefqSf2EkP4p4RAgf6AJ4tuSou2OvbyTDfwudrdcSgAcQb0wCfRkLN
Mn9hsTIwRE8K0S7fCOLaYSg=
=E8X5
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Jul 05 2005