Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: IPhone and nmap scan on wireless network
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 10 Apr 2008 22:29:31 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Standard iPhones shows up, they just don't have port 22 (SSH) running.
Nothing special is required to scan them, I'm not sure why they aren't
showing up for you.

The script snippit I sent along is perl.

You might try doing something like:

nmap -A -v -p- -T5 -P0 <ip>

I can't remember if all their ports (except 62078) are closed or
filtered but I'm leaning towards closed.  As far as I know, they all
have port 62078 open (but tcpwrapped if you try to fingerprint it).

Brandon


On Thu, 10 Apr 2008 15:06:24 -0700
"Jaime Reza" <turinreza () gmail com> wrote:

Ah..
but what about normal Locked Iphones...
anyway that they can show up on an nmap scan?

just use this script? is this a lua script?

thanks
turin

On Thu, Apr 10, 2008 at 2:55 PM, Brandon Enright <bmenrigh () ucsd edu>
wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 10 Apr 2008 13:08:10 -0700
"Jaime Reza" <turinreza () gmail com> wrote:

hiya
anyone tried to fingerprint /scan an iphone that is hooked up to
a wireless network?
i can see my iphone on the wireless network and it has an ip
address but it's not being picked up by nmap (no packets received)

-PN

turin


Sure; do it all the time.  We have so many of these on campus that
we have to really stay on top of unlocked iPhones with OpenSSH
installed that still have the default root password.

I don't have any example scans for you right now but here is the
logic in one of my scripts that finds iPhones and alerts me when
they are running SSH:

   # iPhone (based on port open and weak TCP Sequence Prediction)
   if ((exists $misc{'TCPSeqPred'}) &&
       ($misc{'TCPSeqPred'} == 0) &&
       (exists $port{62078}) &&
       ($port{62078}{'Service'} eq 'tcpwrapped')) {
       push @warning, {('name'=>'IPHONE',
                        'severity'=>2,
                        'text'=>'iPhone (weak TCP sequence'
                        . ' is easily hackable)')};

       # Detect possible SSH on iPhone
       if ((exists $port{22}) &&
           ($port{22}{'Service'} eq 'ssh')) {
           push @warning, {('name'=>'IPHONE_SSH',
                            'severity'=>3,
                            'text'=>'iPhone may have known '
                            . 'default root password
(\'alpine\')')}; }
   }


Note that the check for TCPSeqPred == 0 requires -O or -A and the
port 62078 eq 'tcpwrapped' requires -sV or -A.  This code was
written before the OS DB had a iPhone fingerprint so you'd probably
do better now to check the OS Nmap says it is running.

It would be very easy to turn the above code into a hostrule NSE
script.  I haven't because while the check works, it's a hack.

How often does someone run OpenSSH on their phone without changing
the root password, you ask?  All the ****ing time.  We've found the
check to be _very_ valuable.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH/ozbqaGPzAsl94IRAkhxAKC/UaHlqbLTpvxp/eyDLbGuZrwSvQCfcNcG
XPIZbCD7Eo7y0SanTEst0FA=
=IsO2
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH/pTaqaGPzAsl94IRAgcgAJ48AgvoJK9hQbUOnkIWsu3qdISqQwCgvnyN
J6TcrQ/FNzJMwuC1IXqY0Bo=
=Isur
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]