Nmap Development mailing list archives

more beta30/Darwin tests


From: Paul Tod Rieger <prie () abl com>
Date: Mon, 05 Nov 2001 00:17:43 -0500

Testing nmap/AppleBSD on a larger /24 network (and hoping to
develop a "test suite" eventually):

# nmap -n -sP 172.16.100.0/24
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
[...]
Nmap run completed -- 256 IP addresses (128 hosts up) scanned in 8 seconds

# nmap -n -sS -O -p'80,113,139' 172.16.100.0/24
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
[...]
Nmap run completed -- 256 IP addresses (135 hosts up) scanned in 431 seconds


Most are M$ boxes, with a few exceptions:

1) nmap only identified 2 of 3 Cisco switches:

Interesting ports on  (172.16.100.91):
(The 2 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http                    
Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11)

Interesting ports on  (172.16.100.94):
(The 2 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http                    
Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11)


even though the 3rd switch:

Interesting ports on  (172.16.100.1):
(The 2 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http                    
No exact OS matches for host (If you know what OS is running on it, see 
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EA95%O=80%C=113)
TSeq(Class=TR%IPID=Z%TS=U)
T1(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 3 scanned ports on  (172.16.100.13) are: closed
Too many fingerprints match this host for me to give an accurate OS guess


has an admin webpage:

# telnet 172.16.100.1 80
[...]
Date: Wed, 05 May 1993 10:56:33 UTC
Server: cisco-IOS/12.0 HTTP-server/1.0(1)
TITLE>Switch Home Page
H1>Cisco Systems
H2>Accessing Cisco WS-C2924-XL "Switch"
[...]


nearly identical to the other 2, which barely differ:

# telnet 172.16.100.91 80
[...]
Date: Sat, 20 Mar 1993 00:23:10 UTC
Server: cisco-IOS/12.0 HTTP-server/1.0(1)
TITLE>WS-C2924-XL Home Page
H1>Cisco Systems
H2>Accessing Cisco WS-C2924-XL "WS-C2924-XL"

# telnet 172.16.100.94 80
[...]
Date: Sat, 20 Mar 1993 00:24:58 UTC
Server: cisco-IOS/12.0 HTTP-server/1.0(1)
TITLE>WS-C2924-XL Home Page
H1>Cisco Systems
H2>Accessing Cisco WS-C2924-XL "WS-C2924-XL"


Why might the 3rd switch look different?  Would another
type of scan give some insight?



2) Another box wasn't identified:

# nmap -n -sS -O -F 172.16.100.25
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on  (172.16.100.25):
(The 1110 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
427/tcp    open        svrloc                  
No exact OS matches for host (If you know what OS is running on it, see 
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EABB%O=139%C=80)
TSeq(Class=TD%gcd=1%SI=1%IPID=BI%TS=0)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds


Is there another way nmap might identify this system's OS?



3) Curiously, .115 didn't show up in the ping scan, then
looked filtered in the network scan:

Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on  (172.16.100.115):
Port       State       Service
80/tcp     filtered    http                    
113/tcp    filtered    auth                    
139/tcp    filtered    netbios-ssn             
Too many fingerprints match this host for me to give an accurate OS guess


but then opened up:

# nmap -n -sS -O -F 172.16.100.115
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on  (172.16.100.115):
(The 1108 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http                    
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
443/tcp    open        https                   
1026/tcp   open        nterm                   
Remote operating system guess: Windows NT4 / Win95 / Win98
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds


Is there a reason for this "flakiness"?  (Maybe the
system was booting up?)



4) Some were probably behind "personal firewalls":

# nmap -n -sS -O -F 172.16.100.39
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1113 scanned ports on  (172.16.100.39) are: closed
Too many fingerprints match this host for me to give an accurate OS guess
Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds


Any scans that might work on these?

Thanks!

Tod
abl.com

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
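The three "TCP/IP fingerprint:" blocks in this post are in the fingerprint format nmap 2.54BETA used: one `Name(key=val%key=val)` line per test, where `SInfo` records the scan itself (nmap version, platform, date, and the open `O=` and closed `C=` ports probed), `TSeq` records ISN class, IP ID and TCP timestamp behaviour, `T1`..`T7` are the responses to the seven TCP probes (SYN, NULL, SYN|FIN|URG|PSH and ACK to the open port; SYN, ACK and FIN|PSH|URG to the closed port), and `PU` is the UDP port-unreachable probe. The following Python is an added example, not code from the post or from nmap: it parses that format and reports which tests differ between two hosts, using the fingerprints of the .1 switch and the .25 host copied verbatim from above. The `scan_had_open_and_closed_port` check assumes (not stated in the post) that a port nmap failed to find is absent or negative in `SInfo`; that assumption is marked in the code.

```python
"""Parse and compare nmap 2.54BETA-era OS fingerprints.

Added example (not from the post or from nmap itself): it parses the
Name(key=val%key=val) lines nmap prints under "TCP/IP fingerprint:" and
reports which probe tests differ between two hosts.  The two sample
fingerprints below are copied verbatim from the post above.
"""
import re
from typing import Dict, Optional, Set, Tuple

Fingerprint = Dict[str, Dict[str, str]]

# Fingerprint of the Cisco WS-C2924-XL at 172.16.100.1 (copied from the post).
SWITCH_FP = """
TCP/IP fingerprint:
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EA95%O=80%C=113)
TSeq(Class=TR%IPID=Z%TS=U)
T1(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=1020%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

# Fingerprint of the unidentified host at 172.16.100.25 (copied from the post).
HOST25_FP = """
TCP/IP fingerprint:
SInfo(V=2.54BETA30%P=powerpc-apple-darwin1.4%D=11/1%Time=3BE1EABB%O=139%C=80)
TSeq(Class=TD%gcd=1%SI=1%IPID=BI%TS=0)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
"""

# One fingerprint line: a test name followed by a parenthesised attribute list.
FP_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text: str) -> Fingerprint:
    """Return {test_name: {attr: value}} for every Name(...) line in `text`.

    Lines that are not fingerprint lines (the "TCP/IP fingerprint:" header,
    nmap warnings, blank lines) are skipped.  Empty values such as "Ops="
    are kept as "" so an absent attribute (None) stays distinguishable.
    """
    tests: Fingerprint = {}
    for raw in text.splitlines():
        m = FP_LINE.match(raw.strip())
        if not m:
            continue
        name, body = m.group(1), m.group(2)
        attrs: Dict[str, str] = {}
        for item in body.split("%"):
            if not item:
                continue
            key, _, value = item.partition("=")
            attrs[key] = value
        tests[name] = attrs
    return tests


def diff_fingerprints(a: Fingerprint, b: Fingerprint) -> Dict[Tuple[str, str], Tuple[Optional[str], Optional[str]]]:
    """Map (test, attr) -> (value_in_a, value_in_b) for every attribute that differs.

    SInfo is skipped: it records the scan (nmap version, platform, date,
    which open/closed ports were probed), not the target's stack behaviour.
    """
    diffs: Dict[Tuple[str, str], Tuple[Optional[str], Optional[str]]] = {}
    for test in sorted((set(a) | set(b)) - {"SInfo"}):
        ta, tb = a.get(test, {}), b.get(test, {})
        for key in sorted(set(ta) | set(tb)):
            if ta.get(key) != tb.get(key):
                diffs[(test, key)] = (ta.get(key), tb.get(key))
    return diffs


def differing_tests(a: Fingerprint, b: Fingerprint) -> Set[str]:
    """Names of the probe tests (TSeq, T1..T7, PU) whose results differ."""
    return {test for test, _ in diff_fingerprints(a, b)}


def scan_had_open_and_closed_port(fp: Fingerprint) -> bool:
    """True if SInfo names both an open (O=) and a closed (C=) TCP port.

    Assumption (not stated in the post): when nmap printed its "MUCH less
    reliable" warning, the missing port is absent or negative in SInfo,
    so a plain non-negative number in both fields means both were found.
    """
    info = fp.get("SInfo", {})
    return all(info.get(k, "").isdigit() for k in ("O", "C"))


if __name__ == "__main__":
    switch, host25 = parse_fingerprint(SWITCH_FP), parse_fingerprint(HOST25_FP)
    print("both ports found:", scan_had_open_and_closed_port(switch), scan_had_open_and_closed_port(host25))
    for (test, key), (va, vb) in diff_fingerprints(switch, host25).items():
        print(f"{test}.{key}: .1={va!r}  .25={vb!r}")
```

Run stand-alone it prints the twelve attributes that differ between the two fingerprints; they fall in only four tests (TSeq, T1, T3, T7). The rest of the probe responses (T2, T4, T5, T6, PU) are identical, which is why a by-eye comparison of two fingerprints is less useful than a per-test diff when deciding which one to submit to the nmap-submit form linked in the output.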


