# Nmap 4.52 scan initiated Mon Jan 7 00:51:28 2008 as: ./nmap -F -O -traceroute -d2 -oN complete-output-4.52-d2-not-fail.txt xx.yy.zz.64/27
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
---------------------------------------------
Changing ping technique for xx.yy.zz.70 to TCP
Changing global ping host to xx.yy.zz.70.
Changing ping technique for xx.yy.zz.66 to TCP
Changing global ping host to xx.yy.zz.66.
Changing ping technique for xx.yy.zz.78 to TCP
Changing global ping host to xx.yy.zz.78.
Changing ping technique for xx.yy.zz.77 to TCP
Changing global ping host to xx.yy.zz.77.
Changing ping technique for xx.yy.zz.81 to TCP
Changing global ping host to xx.yy.zz.81.
Changing ping technique for xx.yy.zz.65 to ICMP
Changing global ping host to xx.yy.zz.65.
Changing ping technique for xx.yy.zz.76 to ICMP
Changing global ping host to xx.yy.zz.76.
Ultrascan DROPPED probe packet to xx.yy.zz.67 detected
Changing ping technique for xx.yy.zz.67 to TCP
Changing global ping host to xx.yy.zz.67.
Ultrascan DROPPED probe packet to xx.yy.zz.68 detected
Changing ping technique for xx.yy.zz.68 to TCP
Changing global ping host to xx.yy.zz.68.
Ultrascan DROPPED probe packet to xx.yy.zz.72 detected
Changing ping technique for xx.yy.zz.72 to TCP
Changing global ping host to xx.yy.zz.72.
Changing ping technique for xx.yy.zz.66 to TCP Changing ping technique for xx.yy.zz.67 to TCP Changing ping technique for xx.yy.zz.65 to TCP Changing ping technique for xx.yy.zz.68 to TCP Changing ping technique for xx.yy.zz.70 to TCP Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.68 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.68 detected Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED PING probe packet to xx.yy.zz.68 detected Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan DROPPED PING probe packet to xx.yy.zz.67 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected 
Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.70 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.65 detected processData took 76ms Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan DROPPED probe packet to xx.yy.zz.65 detected Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] Ultrascan PING SENT to 
xx.yy.zz.67 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan DROPPED PING probe packet to xx.yy.zz.68 detected processData took 137ms Ultrascan PING SENT to xx.yy.zz.66 [tcp to port 21; flags: S] processData took 123ms Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.68 [tcp to port 21; flags: S] processData took 86ms Initiating OS detection (try #1) against 5 hosts Sleep 44us for next sequence probe Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ 
subid: 3) from xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.67 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.65 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.68 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.65 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.68 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TICMP subid: 0) from xx.yy.zz.65 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.65 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.68 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.70 Got a valid response for probe (type: OFP_TICMP subid: 1) from xx.yy.zz.65 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.65 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.68 Send probe (type: OFP_TECN, subid: 0) to 
xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.65 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.68 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.65 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.68 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.67 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TUDP subid: 0) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.66 Time to sleep 869. Sleeping. Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.65 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.68 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.68 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.65 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.65 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.65 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.68 Got a valid response for probe (type: OFP_T1_7 subid: 2) from xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 2) from xx.yy.zz.66 Got a valid response for probe (type: OFP_T1_7 subid: 2) from xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.68 Send probe (type: OFP_T1_7, subid: 5) to 
xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.66 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.66 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.68 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.65 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.66 Time to sleep 4864. Sleeping. 
Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.68 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.65 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.68 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.68 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.68 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send 
probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.68 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.68 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.68 OS detection timingRatio() == (1199674369.034 - 1199674368.526) * 1000 / 500 == 1.016 OS detection timingRatio() == (1199674369.038 - 1199674368.526) * 1000 / 500 == 1.024 OS detection timingRatio() == (1199674369.038 - 1199674368.526) * 1000 / 500 == 1.024 Retrying OS detection (try #2) against 3 hosts Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.70 TCP packet: xx.yy.zz.67:53 -> src.src.src.157:36563 (total: 60 bytes) Flags: SYN ACK ipid: 0 ttl: 54 Seq: 3060142870 Ack: 3299642200 Probe doesn't exist! Probe type: 1. 
Probe subid: 3 Sleep 6076us for next sequence probe Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.67 TCP packet: xx.yy.zz.67:53 -> src.src.src.157:36561 (total: 60 bytes) Flags: SYN ACK ipid: 0 ttl: 54 Seq: 3066854067 Ack: 3299642198 Probe doesn't exist! Probe type: 1. Probe subid: 1 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.70 Sleep 8us for next sequence probe Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.66 Sleep 508us for next sequence probe Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.70 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.66 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.70 Sleep 559us for next sequence probe Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TOPS, subid: 0) to xx.yy.zz.67 Probe doesn't exist! Probe type: 4. 
Probe subid: 2 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TOPS, subid: 2) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TUDP subid: 0) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TOPS subid: 0) from xx.yy.zz.67 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.70 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.66 Time to sleep 1018. Sleeping. Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.66 Send probe (type: OFP_TOPS, subid: 4) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TOPS subid: 2) from xx.yy.zz.67 Time to sleep 1758. Sleeping. Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.66 Send probe (type: OFP_TOPS, subid: 5) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.66 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 2) from xx.yy.zz.66 Got a valid response for probe (type: OFP_TOPS subid: 4) from xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.66 Time to sleep 5548. Sleeping. Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.70 Time to sleep 49. Sleeping. 
Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 0) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TOPS subid: 5) from xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.66 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.66 Got a valid response for probe (type: OFP_T1_7 subid: 0) from xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.70 Time to sleep 1020. Sleeping. Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.67 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.67 TCP packet: xx.yy.zz.67:53 -> src.src.src.157:36562 (total: 60 bytes) Flags: SYN ACK ipid: 0 ttl: 54 Seq: 3051688225 Ack: 3299642199 Probe doesn't exist! Probe type: 1. Probe subid: 2 Time to sleep 251. Sleeping. Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 TCP packet: xx.yy.zz.67:53 -> src.src.src.157:36560 (total: 60 bytes) Flags: SYN ACK ipid: 0 ttl: 54 Seq: 3057102636 Ack: 3299642197 Probe doesn't exist! Probe type: 1. Probe subid: 0 TCP packet: xx.yy.zz.67:53 -> src.src.src.157:36564 (total: 60 bytes) Flags: SYN ACK ipid: 0 ttl: 54 Seq: 3062547909 Ack: 3299642201 Probe doesn't exist! Probe type: 1. Probe subid: 4 Time to sleep 1848. Sleeping. 
Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.66 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.67 Time to sleep 1031. Sleeping. Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.67 Time to sleep 1451. Sleeping. Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.70 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.70 Time to sleep 1028. Sleeping. 
Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.70 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.70 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.66 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.67 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.67 OS detection timingRatio() == (1199674372.230 - 1199674371.727) * 1000 / 500 == 1.008 OS detection timingRatio() == (1199674372.231 - 1199674371.727) * 1000 / 500 == 1.008 OS detection timingRatio() == (1199674372.230 - 1199674371.727) * 1000 / 500 == 1.008 No OS matches for xx.yy.zz.66 by new os scan system. TCP/IP fingerprint: SCAN(V=4.52%D=1/7%OT=80%CT=21%CU=%PV=N%G=Y%TM=47819406%P=i686-pc-linux-gnu) SEQ(SP=CC%GCD=1%ISR=CB%TI=Z%TS=A) OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=Y%DF=Y%TG=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=) T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=) T3(R=Y%DF=Y%TG=40%W=16A0%S=O%A=O%F=A%O=NNT11%RD=0%Q=) T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%TG=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(R=N) IE(R=N) No OS matches for xx.yy.zz.67 by new os scan system. 
TCP/IP fingerprint: SCAN(V=4.52%D=1/7%OT=53%CT=21%CU=%PV=N%G=Y%TM=47819406%P=i686-pc-linux-gnu) SEQ(SP=CB%GCD=1%ISR=D3%TI=Z%TS=7) SEQ(SP=CD%GCD=1%ISR=D3%TI=Z%TS=9) OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=Y%DF=Y%TG=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=) T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=) T3(R=N) T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%TG=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(R=N) IE(R=N) No OS matches for xx.yy.zz.70 by new os scan system. TCP/IP fingerprint: SCAN(V=4.52%D=1/7%OT=80%CT=21%CU=33008%PV=N%DS=8%G=Y%TM=47819406%P=i686-pc-linux-gnu) SEQ(SP=105%GCD=1%ISR=107%TI=I%TS=0) SEQ(SP=106%GCD=2%ISR=108%TI=I%TS=0) OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS) WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E) ECN(R=Y%DF=Y%T=7E%W=4470%O=M5B4NW0NNS%CC=N%Q=) T1(R=Y%DF=Y%T=7E%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=7E%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=) T3(R=Y%DF=Y%T=7E%W=402E%S=O%A=O%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=) T4(R=Y%DF=N%T=7E%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=FE%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=FE%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=FE%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(R=Y%DF=N%T=FE%TOS=0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) IE(R=N) Interesting ports on xx.yy.zz.65.ttt-ttt-ttt (xx.yy.zz.65): Not shown: 1274 closed ports Reason: 1274 resets PORT STATE SERVICE REASON 179/tcp filtered bgp admin-prohibited from rr.ee.ff.41 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: switch|router|WAP Running: Cisco IOS 12.X OS details: Cisco 2924M-XL switch (IOS 12.0), Cisco 2960G switch (IOS 12.2), 
Cisco 3548XL switch (IOS 12.0), Cisco Catalyst C2900-series or C3750 switch, or 4500 router (IOS 12.1 - 12.2), Cisco Aironet 1200 WAP (IOS 12.3) OS Fingerprint: OS:SCAN(V=4.52%D=1/7%OT=%CT=1%CU=%PV=N%G=N%TM=47819458%P=i686-pc-linux-gnu) OS:T5(R=Y%DF=N%TG=FF%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%TG=FF%W=0%S=A OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%TG=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)U1(R=N OS:)IE(R=Y%DFI=S%TG=FF%TOSI=Z%CD=S%SI=S%DLI=S) TRACEROUTE (using port 1/tcp) HOP RTT ADDRESS 1 ... 2 40.32 qq.ww.ee.89 3 ... 4 ... 5 19.86 aaa-aaa-aaa-aaa (dd.hh.nn.42) 6 46.66 bbb-bbb-bbb (rr.ee.ff.18) 7 47.26 nn.mm.pp.37 8 73.28 xx.yy.zz.65.ttt-ttt-ttt (xx.yy.zz.65) Interesting ports on xx.yy.zz.66.ttt-ttt-ttt (xx.yy.zz.66): Not shown: 1270 filtered ports Reason: 1269 no-responses and 1 admin-prohibited PORT STATE SERVICE REASON 21/tcp closed ftp reset 80/tcp open http syn-ack 113/tcp closed auth reset 222/tcp closed rsh-spx reset 8080/tcp closed http-proxy reset Device type: general purpose|WAP|broadband router|media device|VoIP gateway|switch|PDA Running (JUST GUESSING) : Linux 2.6.X|2.4.X (98%), D-Link Linux 2.4.X (95%), Netgear embedded (95%), QLogic embedded (95%), Sharp Linux 2.4.X (95%) OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU Aggressive OS guesses: Linux 2.6.5 - 2.6.18 (98%), Linux 2.6.8 (98%), D-Link DSL-G624T wireless ADSL router (Linux 2.4.17) (95%), Linux 2.4.9 - 2.4.18 (95%), Netgear DG834G WAP (firmware 4.01.19) (95%), QLogic SANbox2-8 FC switch or Sharp Zaurus PDA (Linux 2.4.18) (95%), Linux 2.6.5 - 2.6.9 (94%), Inventel Livebox wireless broadband router or USRobotics SureConnect 9105 ADSL modem (94%), MicroTik RouterOS 2.9.46 (94%), Linux 2.4.18 - 2.4.32 (likely embedded) (94%) No exact OS matches for host (test conditions non-ideal). 
TCP/IP fingerprint by osscan system #2: SCAN(V=4.52%D=1/7%OT=80%CT=21%CU=%PV=N%G=N%TM=47819458%P=i686-pc-linux-gnu) SEQ(SP=CC%GCD=1%ISR=CB%TI=Z%TS=A) OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=Y%DF=Y%TG=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=) T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=) T3(R=Y%DF=Y%TG=40%W=16A0%S=O%A=O%F=A%O=NNT11%RD=0%Q=) T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%TG=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(R=N) IE(R=N) Uptime: 5.245 days (since Tue Jan 1 19:01:48 2008) TCP Sequence Prediction: Difficulty=204 (Good luck!) IP ID Sequence Generation: All zeros TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 2 -- qq.ww.ee.89 3 -- 200-42-50-41.prima.net.ar (rr.ee.ff.41) 4 -- rbp-lima2-te7-4.prima.net.ar (dd.hh.nn.29) 5 -- aaa-aaa-aaa-aaa (dd.hh.nn.42) 6 -- bbb-bbb-bbb (rr.ee.ff.18) 7 -- nn.mm.pp.37 8 ... 9 ... 10 55.35 xx.yy.zz.66.ttt-ttt-ttt (xx.yy.zz.66) Interesting ports on xx.yy.zz.67.ttt-ttt-ttt (xx.yy.zz.67): Not shown: 1269 filtered ports Reason: 1268 no-responses and 1 admin-prohibited PORT STATE SERVICE REASON 21/tcp closed ftp reset 53/tcp open domain syn-ack 80/tcp closed http reset 113/tcp closed auth reset 222/tcp closed rsh-spx reset 8080/tcp closed http-proxy reset Device type: WAP|broadband router|media device|VoIP gateway|general purpose|switch|PDA|VoIP phone Running (JUST GUESSING) : D-Link Linux 2.4.X (99%), Linux 2.4.X (99%), Netgear embedded (99%), QLogic embedded (99%), Sharp Linux 2.4.X (99%), WebVOIZE embedded (98%) OS fingerprint not ideal because: Didn't receive UDP response. 
Please try again with -sSU Aggressive OS guesses: D-Link DSL-G624T wireless ADSL router (Linux 2.4.17) (99%), Linux 2.4.9 - 2.4.18 (99%), Netgear DG834G WAP (firmware 4.01.19) (99%), QLogic SANbox2-8 FC switch or Sharp Zaurus PDA (Linux 2.4.18) (99%), Linux 2.4.18 - 2.4.32 (likely embedded) (98%), Linux 2.4.21 - 2.4.33 (98%), WebVOIZE 120 IP phone (98%), Linux 2.4.31 (Slackware v10.2) (97%), Linux 2.4.2 (Red Hat 7.1) (97%), MicroTik RouterOS 2.9.46 (97%) No exact OS matches for host (test conditions non-ideal). TCP/IP fingerprint by osscan system #2: SCAN(V=4.52%D=1/7%OT=53%CT=21%CU=%PV=N%G=N%TM=47819458%P=i686-pc-linux-gnu) SEQ(SP=CB%GCD=1%ISR=D3%TI=Z%TS=7) SEQ(SP=CD%GCD=1%ISR=D3%TI=Z%TS=9) OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=Y%DF=Y%TG=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=) T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=) T3(R=N) T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%TG=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(R=N) IE(R=N) Uptime: 1.028 days (since Sun Jan 6 00:14:40 2008) TCP Sequence Prediction: Difficulty=205 (Good luck!) IP ID Sequence Generation: All zeros TRACEROUTE (using port 53/tcp) HOP RTT ADDRESS 2 -- qq.ww.ee.89 3 -- 200-42-50-41.prima.net.ar (rr.ee.ff.41) 4 -- rbp-lima2-te7-4.prima.net.ar (dd.hh.nn.29) 5 -- aaa-aaa-aaa-aaa (dd.hh.nn.42) 6 -- bbb-bbb-bbb (rr.ee.ff.18) 7 -- nn.mm.pp.37 8 ... 9 ... 
10  54.50 xx.yy.zz.67.ttt-ttt-ttt (xx.yy.zz.67)

Interesting ports on xx.yy.zz.68.ttt-ttt-ttt (xx.yy.zz.68):
Not shown: 1270 filtered ports
Reason: 1268 no-responses, 1 admin-prohibited and 1 host-unreach
PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        reset
80/tcp   closed http       reset
113/tcp  closed auth       reset
222/tcp  closed rsh-spx    reset
8080/tcp closed http-proxy reset
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS details: Aruba 800 wireless LAN switch, Avocent DSR1030 KVM over IP switch, Cisco MARS 50 firewall version 4.2.1, D-Link DSL-G624T wireless ADSL router (Linux 2.4.17), FON La Fonera WAP running OpenWrt w/Linux kernel 2.4.32, Inventel Livebox wireless broadband router or USRobotics SureConnect 9105 ADSL modem, Lexmark T522 or E332n printer, Lexmark T632/C750 printer, Linux 2.4.9 - 2.4.18, Linux 2.4.2 (Red Hat 7.1), Linux 2.6.20-15-generic (x86, SMP), Linux 2.6.8 (Debian Sarge), Linux 2.6.8 (Debian, x86), Netgear DG834G WAP (firmware 4.01.19), QLogic SANbox2-8 FC switch or Sharp Zaurus PDA (Linux 2.4.18), Siemens Gigaset SE515dsl wireless broadband router, Toshiba Magnia SG10 server appliance
OS Fingerprint:
OS:SCAN(V=4.52%D=1/7%OT=%CT=21%CU=%PV=N%G=N%TM=47819458%P=i686-pc-linux-gnu
OS:)T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=FF%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=N)IE(R=N)

TRACEROUTE (using port 21/tcp)
HOP RTT   ADDRESS
2   --    qq.ww.ee.89
3   --    200-42-50-41.prima.net.ar (rr.ee.ff.41)
4   --    rbp-lima2-te7-4.prima.net.ar (dd.hh.nn.29)
5   --    aaa-aaa-aaa-aaa (dd.hh.nn.42)
6   --    bbb-bbb-bbb (rr.ee.ff.18)
7   --    nn.mm.pp.37
8   ...
9   46.36 xx.yy.zz.68.ttt-ttt-ttt (xx.yy.zz.68)

Interesting ports on xx.yy.zz.70.ttt-ttt-ttt (xx.yy.zz.70):
Not shown: 1270 filtered ports
Reason: 1269 no-responses and 1 admin-prohibited
PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        reset
80/tcp   open   http       syn-ack
113/tcp  closed auth       reset
222/tcp  closed rsh-spx    reset
8080/tcp closed http-proxy reset
Device type: general purpose|printer|PBX
Running (JUST GUESSING) : Microsoft Windows 2000|XP|2003|Me (88%), Lexmark embedded (86%), Vodavi embedded (85%)
OS fingerprint not ideal because: Host distance (8 network hops) is greater than five
Aggressive OS guesses: Microsoft Windows 2000 Server SP3 or SP4 (88%), Microsoft Windows XP SP2 or Windows Server 2003 SP0/SP1 (88%), Microsoft Windows 2000 SP4 (87%), Microsoft Windows XP SP 2 (87%), Microsoft Windows 2000 SP0/SP2/SP4 or Windows XP SP0/SP1 (87%), Microsoft Windows Millennium Edition (Me) (87%), Microsoft Windows XP SP2 (87%), Microsoft Windows Server 2003 (87%), Microsoft Windows XP Professional SP2 (86%), Microsoft Windows 2000 SP4 or Windows XP SP2 (86%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint by osscan system #2:
SCAN(V=4.52%D=1/7%OT=80%CT=21%CU=33008%PV=N%DS=8%G=N%TM=47819458%P=i686-pc-linux-gnu)
SEQ(SP=105%GCD=1%ISR=107%TI=I%TS=0)
SEQ(SP=106%GCD=2%ISR=108%TI=I%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%T=7E%W=4470%O=M5B4NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=7E%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=7E%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T3(R=Y%DF=Y%T=7E%W=402E%S=O%A=O%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=7E%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=FE%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=FE%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=FE%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=FE%TOS=0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(R=N)
Network Distance: 8 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 80/tcp)
HOP RTT   ADDRESS
1   ...
2   26.09 qq.ww.ee.89
3   19.96 200-42-50-41.prima.net.ar (rr.ee.ff.41)
4   56.64 rbp-lima2-te7-4.prima.net.ar (dd.hh.nn.29)
5   21.94 aaa-aaa-aaa-aaa (dd.hh.nn.42)
6   51.55 bbb-bbb-bbb (rr.ee.ff.18)
7   42.11 nn.mm.pp.37
8   ...
9   ...
10 41.85 xx.yy.zz.70.ttt-ttt-ttt (xx.yy.zz.70) Changing ping technique for xx.yy.zz.78 to TCP Changing ping technique for xx.yy.zz.77 to TCP Changing ping technique for xx.yy.zz.72 to TCP Changing ping technique for xx.yy.zz.81 to TCP Changing ping technique for xx.yy.zz.76 to TCP Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.77 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.78 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.77 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.78 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING 
SENT to xx.yy.zz.77 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.78 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.78 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan PING SENT to xx.yy.zz.77 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.78 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.77 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.78 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.72 detected Ultrascan DROPPED probe packet to xx.yy.zz.81 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan DROPPED probe packet to xx.yy.zz.76 detected Ultrascan PING SENT to xx.yy.zz.77 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.78 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan DROPPED probe packet to xx.yy.zz.76 detected processData took 63ms processData took 82ms Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] 
Ultrascan DROPPED probe packet to xx.yy.zz.72 detected Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] Ultrascan PING SENT to xx.yy.zz.72 [tcp to port 21; flags: S] processData took 108ms Initiating OS detection (try #1) against 5 hosts Sleep 20us for next sequence probe Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.72 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.77 Send probe 
(type: OFP_TICMP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.81 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.77 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.78 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.81 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TICMP subid: 0) from xx.yy.zz.81 Got a valid response for probe (type: OFP_TICMP subid: 0) from xx.yy.zz.76 Time to sleep 930. Sleeping. Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.77 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.81 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.76 Got a valid response for probe (type: OFP_TICMP subid: 1) from xx.yy.zz.81 Got a valid response for probe (type: OFP_TICMP subid: 1) from xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.77 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.78 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.81 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.77 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.78 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.81 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.81 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.78 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.77 Got a valid response for probe (type: OFP_TUDP subid: 0) from xx.yy.zz.76 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.72 Got a valid response for probe 
(type: OFP_TECN subid: 0) from xx.yy.zz.76 Time to sleep 928. Sleeping. Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.77 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.78 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.81 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.77 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.77 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.78 Time to sleep 668. Sleeping. Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.81 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.76 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.81 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.78 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.77 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.81 Got a valid response for probe (type: OFP_T1_7 subid: 2) from xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.77 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.78 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.76 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.77 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.76 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 Got a valid response 
for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.81 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.77 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.78 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.77 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.77 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.81 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.78 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.78 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.77 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.77 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.77 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 
0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 OS detection timingRatio() == (1199674526.962 - 1199674526.442) * 1000 / 500 == 1.038 OS detection timingRatio() == (1199674526.962 - 1199674526.442) * 1000 / 500 == 1.038 Retrying OS detection (try #2) against 2 hosts Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 0) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 0) from xx.yy.zz.72 Sleep 58291us for next sequence probe Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 1) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 1) from xx.yy.zz.72 Sleep 65856us for next sequence probe Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 2) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 2) from xx.yy.zz.76 Sleep 68993us for next sequence probe Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 3) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 3) from xx.yy.zz.76 Sleep 30812us for next sequence probe Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 4) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 4) from xx.yy.zz.76 Sleep 30269us for next sequence probe Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.76 Send probe (type: OFP_TSEQ, subid: 5) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TSEQ subid: 5) from xx.yy.zz.76 Got a valid response for probe (type: OFP_TSEQ subid: 5) from 
xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TICMP subid: 0) from xx.yy.zz.76 Time to sleep 1051. Sleeping. Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TICMP subid: 1) from xx.yy.zz.76 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.76 Send probe (type: OFP_TECN, subid: 0) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TUDP subid: 0) from xx.yy.zz.76 Time to sleep 1105. Sleeping. Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.72 Got a valid response for probe (type: OFP_TECN subid: 0) from xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 2) from xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 3) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 4) to xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.76 Got a valid response for probe (type: OFP_T1_7 subid: 3) from xx.yy.zz.72 Time to sleep 1022. Sleeping. 
Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 4) from xx.yy.zz.76 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 6) from xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 5) to xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 Got a valid response for probe (type: OFP_T1_7 subid: 5) from xx.yy.zz.76 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_TICMP, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_TUDP, subid: 0) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.72 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 1) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 2) to xx.yy.zz.76 Send probe (type: OFP_T1_7, subid: 6) to xx.yy.zz.76 OS detection timingRatio() == (1199674529.938 - 1199674529.416) * 1000 / 500 == 1.042 OS detection timingRatio() == (1199674529.938 - 1199674529.416) * 1000 / 500 == 1.042 No OS matches for xx.yy.zz.72 by new os scan system. 
TCP/IP fingerprint:
SCAN(V=4.52%D=1/7%OT=25%CT=21%CU=%PV=N%G=Y%TM=478194A3%P=i686-pc-linux-gnu)
SEQ(SP=FD%GCD=1%ISR=10D%TS=0)
SEQ(SP=FB%GCD=1%ISR=10D%TI=I%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T3(R=Y%DF=Y%TG=80%W=402E%S=O%A=O%F=A%O=NNT11%RD=0%Q=)
T4(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=N)
No OS matches for xx.yy.zz.76 by new os scan system.
TCP/IP fingerprint:
SCAN(V=4.52%D=1/7%OT=9%CT=1%CU=32198%PV=N%DS=9%G=Y%TM=478194A3%P=i686-pc-linux-gnu)
SEQ(SP=CB%GCD=1%ISR=CE%TI=Z%II=I%TS=7)
OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%T=3F%W=16D0%O=M5B4NNSNW0%CC=Y%Q=)
T1(R=Y%DF=Y%T=3F%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=3F%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3F%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=N)
U1(R=Y%DF=N%T=3F%TOS=0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(R=Y%DFI=N%T=3F%TOSI=Z%CD=S%SI=S%DLI=S)

Interesting ports on xx.yy.zz.72.ttt-ttt-ttt (xx.yy.zz.72):
Not shown: 1268 filtered ports
Reason: 1267 no-responses and 1 admin-prohibited
PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        reset
25/tcp   open   smtp       syn-ack
80/tcp   open   http       syn-ack
113/tcp  closed auth       reset
222/tcp  closed rsh-spx    reset
443/tcp  open   https      syn-ack
8080/tcp closed http-proxy reset
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2003|2000|Me (91%)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Microsoft Windows XP SP2 or Windows Server 2003 SP0/SP1 (91%), Microsoft Windows 2000 Server SP3 or SP4 (89%), Microsoft Windows XP Professional SP2 (89%), Microsoft Windows XP SP 2 (89%), Microsoft Windows 2003 Small Business Server (88%), Microsoft Windows 2000 SP0/SP2/SP4 or Windows XP SP0/SP1 (87%), Microsoft Windows Millennium Edition (Me) (87%), Microsoft Windows 2000 SP4 or Windows XP SP2 (87%), Microsoft Windows XP SP2 (87%), Microsoft Windows 2000 SP4 (86%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint by osscan system #2:
SCAN(V=4.52%D=1/7%OT=25%CT=21%CU=%PV=N%G=N%TM=47819500%P=i686-pc-linux-gnu)
SEQ(SP=FD%GCD=1%ISR=10D%TS=0)
SEQ(SP=FB%GCD=1%ISR=10D%TI=I%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T3(R=Y%DF=Y%TG=80%W=402E%S=O%A=O%F=A%O=NNT11%RD=0%Q=)
T4(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%TG=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=N)
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 25/tcp)
HOP RTT   ADDRESS
1   ...
2   21.21 qq.ww.ee.89
3   ...
4   ...
5   54.42 aaa-aaa-aaa-aaa (dd.hh.nn.42)
6   50.42 bbb-bbb-bbb (rr.ee.ff.18)
7   21.33 nn.mm.pp.37
8   ...
9   ...
10  57.41 xx.yy.zz.72.ttt-ttt-ttt (xx.yy.zz.72)

Interesting ports on xx.yy.zz.76.ttt-ttt-ttt (xx.yy.zz.76):
Not shown: 1256 closed ports
Reason: 1256 resets
PORT     STATE    SERVICE    REASON
9/tcp    open     discard    syn-ack
13/tcp   open     daytime    syn-ack
21/tcp   filtered ftp        no-response
22/tcp   open     ssh        syn-ack
23/tcp   open     telnet     syn-ack
25/tcp   filtered smtp       host-unreach
37/tcp   open     time       syn-ack
53/tcp   open     domain     syn-ack
79/tcp   open     finger     syn-ack
80/tcp   filtered http       host-unreach
110/tcp  open     pop3       syn-ack
111/tcp  open     rpcbind    syn-ack
113/tcp  open     auth       syn-ack
179/tcp  filtered bgp        admin-prohibited from rr.ee.ff.41
443/tcp  filtered https      host-unreach
515/tcp  open     printer    syn-ack
1024/tcp open     kdm        syn-ack
3128/tcp open     squid-http syn-ack
8080/tcp filtered http-proxy no-response
OS fingerprint not ideal because: Host distance (9 network hops) is greater than five
Aggressive OS guesses: Fortinet FortiGate-60 firewall, Linksys NSLU2 NAS device running Unslung 5.8 (Linux 2.4.22), Netgear SPH200D VoIP phone, Secure Computing SnapGear SG565 firewall (Linux 2.4.31-uc0), or Adaptec Snap Server 520 NAS device (92%), Linux 2.4.22 (Fedora Core 1, x86) (92%), Linux 2.4.31 (Slackware 10.2) (92%), Secure Computing SG560 Firewall (Linux 2.4.31-uc0 based) (91%), Check Point VPN-1 UTM appliance (91%), MikroTik RouterOS software router 3.0beta5 (90%), Buffalo WHR-HP-G54 WAP or Linksys WRT54GL WAP running DD-WRT Linux 2.4.20 - 2.4.34 (90%), Aladdin eSafe security gateway (runs Linux 2.4.21) (89%), Linux 2.6.5 - 2.6.9 (89%), Linux 2.4.21 - 2.4.33 (89%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint by osscan system #2:
SCAN(V=4.52%D=1/7%OT=9%CT=1%CU=32198%PV=N%DS=9%G=N%TM=47819500%P=i686-pc-linux-gnu)
SEQ(SP=CB%GCD=1%ISR=CE%TI=Z%II=I%TS=7)
OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%T=3F%W=16D0%O=M5B4NNSNW0%CC=Y%Q=)
T1(R=Y%DF=Y%T=3F%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=3F%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3F%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=N)
U1(R=Y%DF=N%T=3F%TOS=0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(R=Y%DFI=N%T=3F%TOSI=Z%CD=S%SI=S%DLI=S)
Uptime: 87.585 days (since Thu Oct 11 09:54:25 2007)
Network Distance: 9 hops
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 9/tcp)
HOP RTT   ADDRESS
1   ...
2   43.20 qq.ww.ee.89
3   ...
4   24.44 rbp-lima2-te7-4.prima.net.ar (dd.hh.nn.29)
5   28.77 aaa-aaa-aaa-aaa (dd.hh.nn.42)
6   29.64 bbb-bbb-bbb (rr.ee.ff.18)
7   31.93 nn.mm.pp.37
8   ...
9   31.96 xx.yy.zz.76.ttt-ttt-ttt (xx.yy.zz.76)

Interesting ports on xx.yy.zz.77.ttt-ttt-ttt (xx.yy.zz.77):
Not shown: 1270 filtered ports
Reason: 1269 no-responses and 1 admin-prohibited
PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        reset
80/tcp   closed http       reset
113/tcp  closed auth       reset
222/tcp  closed rsh-spx    reset
8080/tcp closed http-proxy reset
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS details: Aruba 800 wireless LAN switch, Avocent DSR1030 KVM over IP switch, Cisco MARS 50 firewall version 4.2.1, D-Link DSL-G624T wireless ADSL router (Linux 2.4.17), FON La Fonera WAP running OpenWrt w/Linux kernel 2.4.32, Inventel Livebox wireless broadband router or USRobotics SureConnect 9105 ADSL modem, Lexmark T522 or E332n printer, Lexmark T632/C750 printer, Linux 2.4.9 - 2.4.18, Linux 2.4.2 (Red Hat 7.1), Linux 2.6.20-15-generic (x86, SMP), Linux 2.6.8 (Debian Sarge), Linux 2.6.8 (Debian, x86), Netgear DG834G WAP (firmware 4.01.19), QLogic SANbox2-8 FC switch or Sharp Zaurus PDA (Linux 2.4.18), Siemens Gigaset SE515dsl wireless broadband router, Toshiba Magnia SG10 server appliance
OS Fingerprint:
OS:SCAN(V=4.52%D=1/7%OT=%CT=21%CU=%PV=N%DS=9%G=N%TM=47819500%P=i686-pc-linu
OS:x-gnu)T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=FF%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)U1(R=N)IE(R=N)
Network Distance: 9 hops

TRACEROUTE (using port 21/tcp)
HOP RTT   ADDRESS
1   ...
2   43.20 qq.ww.ee.89
3   ...
4   ...
5   35.03 aaa-aaa-aaa-aaa (dd.hh.nn.42)
6   58.21 bbb-bbb-bbb (rr.ee.ff.18)
7   26.04 nn.mm.pp.37
8   ...
9   32.94 xx.yy.zz.77.ttt-ttt-ttt (xx.yy.zz.77)

Interesting ports on conicet.citefa.gov.ar (xx.yy.zz.78):
Not shown: 1270 filtered ports
Reason: 1270 no-responses
PORT     STATE  SERVICE    REASON
21/tcp   closed ftp        reset
80/tcp   closed http       reset
113/tcp  closed auth       reset
222/tcp  closed rsh-spx    reset
8080/tcp closed http-proxy reset
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS details: Aruba 800 wireless LAN switch, Avocent DSR1030 KVM over IP switch, Cisco MARS 50 firewall version 4.2.1, D-Link DSL-G624T wireless ADSL router (Linux 2.4.17), FON La Fonera WAP running OpenWrt w/Linux kernel 2.4.32, Inventel Livebox wireless broadband router or USRobotics SureConnect 9105 ADSL modem, Lexmark T522 or E332n printer, Lexmark T632/C750 printer, Linux 2.4.9 - 2.4.18, Linux 2.4.2 (Red Hat 7.1), Linux 2.6.20-15-generic (x86, SMP), Linux 2.6.8 (Debian Sarge), Linux 2.6.8 (Debian, x86), Netgear DG834G WAP (firmware 4.01.19), QLogic SANbox2-8 FC switch or Sharp Zaurus PDA (Linux 2.4.18), Siemens Gigaset SE515dsl wireless broadband router, Toshiba Magnia SG10 server appliance
OS Fingerprint:
OS:SCAN(V=4.52%D=1/7%OT=%CT=21%CU=%PV=N%DS=9%G=N%TM=47819500%P=i686-pc-linu
OS:x-gnu)T5(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=FF%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)U1(R=N)IE(R=N)
Network Distance: 9 hops

TRACEROUTE (using port 21/tcp)
HOP RTT   ADDRESS
1   ...
2   43.20 qq.ww.ee.89
3   ...
4   ...
5   36.61 aaa-aaa-aaa-aaa (dd.hh.nn.42)
6   49.47 bbb-bbb-bbb (rr.ee.ff.18)
7   22.52 nn.mm.pp.37
8   ...
9   42.92 conicet.citefa.gov.ar (xx.yy.zz.78)

Interesting ports on xx.yy.zz.81.ttt-ttt-ttt (xx.yy.zz.81):
Not shown: 1274 closed ports
Reason: 1274 resets
PORT    STATE    SERVICE REASON
179/tcp filtered bgp     admin-prohibited from rr.ee.ff.41
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|router|WAP
Running: Cisco IOS 12.X
OS details: Cisco 2924M-XL switch (IOS 12.0), Cisco 2960G switch (IOS 12.2), Cisco 3548XL switch (IOS 12.0), Cisco Catalyst C2900-series or C3750 switch, or 4500 router (IOS 12.1 - 12.2), Cisco Aironet 1200 WAP (IOS 12.3)
OS Fingerprint:
OS:SCAN(V=4.52%D=1/7%OT=%CT=1%CU=%PV=N%DS=9%G=N%TM=47819500%P=i686-pc-linux
OS:-gnu)T5(R=Y%DF=N%TG=FF%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%TG=FF%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%TG=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)U
OS:1(R=N)IE(R=Y%DFI=S%TG=FF%TOSI=Z%CD=S%SI=S%DLI=S)
Network Distance: 9 hops

TRACEROUTE (using port 1/tcp)
HOP RTT   ADDRESS
1   ...
2   43.20 qq.ww.ee.89
3   ...
4   ...
5   31.66 aaa-aaa-aaa-aaa (dd.hh.nn.42)
6   39.20 bbb-bbb-bbb (rr.ee.ff.18)
7   23.60 nn.mm.pp.37
8   32.33 xx.yy.zz.81.ttt-ttt-ttt (xx.yy.zz.81)

Read from /usr/local/share/nmap: nmap-os-db nmap-protocols nmap-services.
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
# Nmap done at Mon Jan 7 00:57:04 2008 -- 32 IP addresses (10 hosts up) scanned in 336.843 seconds