Security Basics mailing list archives
RE: Re[2]: Finding web servers with nmap
From: "Burton Strauss" <Burton.Strauss () comcast net>
Date: Thu, 1 Dec 2005 07:32:50 -0600
Well, you CAN use port 80 for anything - just because it's assigned to http doesn't mean it HAS to be used that way. If you read the nmap man page, -PS and -PA don't actually 'connect' to the server, rather they work at the tcp/ip level by mucking around with the 3-way handshake. So the difference could be that nmap is finding servers which are using port 80, but don't actually have web servers there. Or it could be that the extras are web servers responding in a way that wotweb just doesn't understand. I don't know - Robin doesn't really say what his program is looking for in the wotweb readme.

The next step would be to use a program such as Microsoft's Fiddler (or Aman's webbug - http://www.cyberspyder.com/webbug.html) to see what the response to a normal http get is from one of the mystery hosts.

-----Burton

PS: I've BCCed Robin on this - that way he'll know we are saying nice things about his program!

-----Original Message-----
From: Denis Shestakov [mailto:da_shestakov () myrealbox com]
Sent: Thursday, December 01, 2005 4:00 AM
To: security-basics () securityfocus com; BStrauss () acm org
Subject: Re[2]: Finding web servers with nmap

Thanks for the answer! I've checked the WotWeb. It's really a nice tool and it is faster than nmap (at least if executed with the options I mentioned)! But ... I did a scan for a list of randomly selected IPs. Nmap (with -PS80 -PA80 -p 80) returns more hosts with open port 80 than WotWeb. I understand that nmap does a more 'general' job and detects, for instance, hosts behind firewalls (that is, discovers hosts with non-publicly available services which are not interesting for me since I seek 'available-for-all' web servers). However, I wonder what other services may be provided by machines with open port 80?

BR, Denis

----------------------------------------------------------------------------

Wednesday, November 30, 2005, 8:16:25 PM, you wrote:

BS> Robin Keir (keir.net) has a free Windows program available, wotweb,
BS> which does a simple scan for a range of IPs. It's preloaded with
BS> checkboxes for all the usual and many unusual web server ports.
BS> -----Burton
BS> -----Original Message-----
BS> From: Denis [mailto:da_shestakov () myrealbox com]
BS> Sent: Wednesday, November 30, 2005 11:01 AM
BS> To: security-basics () securityfocus com
BS> Subject: Finding web servers with nmap
BS> Hi,
BS> I have a task to "relatively quickly" find all web servers (all
BS> hosts with open port 80) in some particular network. It seems it can
BS> be done with the nmap program. Could you advise me concerning the
BS> best options for running nmap to accomplish this task? In
BS> particular, does the following command do it right?
BS> nmap -v -sS -PS80 -PA80 -p 80 -oG my.log -iL x.x.0-255.0-255
BS> I am asking that because I have a concern that the above command may miss some hosts.
BS> However, it works faster than the command with "-P0 -p 80" ...
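Editor's added example (not code from anyone in this thread): Burton's suggested next step is to take the hosts nmap reported with port 80 open and see what each one actually sends back to a plain HTTP GET, since an open TCP port 80 only proves something is listening there, not that it speaks HTTP. The script below reads nmap's grepable (-oG) output, as produced by the `-oG my.log` option in Denis's command, pulls out the hosts with 80/tcp open, and classifies a service's first reply as HTTP, something else, or silence. The `SAMPLE_GREPABLE` text, the 192.0.2.x addresses (TEST-NET) and the function names are all constructed for this example; `probe_http` does a live connection and is only meant for hosts you are authorised to scan.

```python
import re
import socket

# Constructed sample of nmap grepable (-oG) output, in the shape written by a
# scan such as "nmap -PS80 -PA80 -p 80 -oG my.log ...". Hosts and results are
# invented for this example (TEST-NET addresses), not taken from the thread.
SAMPLE_GREPABLE = """\
# Nmap 3.95 scan initiated as: nmap -PS80 -PA80 -p 80 -oG my.log 192.0.2.0/29
Host: 192.0.2.1 ()\tPorts: 80/open/tcp//http///
Host: 192.0.2.2 ()\tPorts: 80/filtered/tcp//http///
Host: 192.0.2.3 ()\tPorts: 80/open/tcp//http///
Host: 192.0.2.4 ()\tStatus: Up
# Nmap done
"""

# One entry of the -oG "Ports:" field looks like  80/open/tcp//http///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def hosts_with_open_port(grepable_text, port=80):
    """Return the IPs whose -oG 'Ports:' field lists `port`/tcp as open."""
    found = []
    for line in grepable_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment line, or a host with no port results
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for num, state, proto in PORT_RE.findall(ports_field):
            if int(num) == port and state == "open" and proto == "tcp":
                found.append(ip)
    return found


def classify_response(data):
    """Classify the first bytes a port-80 service returns for a plain GET.

    'http'   - a status line such as 'HTTP/1.0 200 OK' (a real web server)
    'other'  - something answered, but not in HTTP form (port 80 reused)
    'silent' - nothing came back before the peer closed or timed out
    """
    if not data:
        return "silent"
    if re.match(rb"HTTP/\d\.\d \d{3}", data):
        return "http"
    return "other"


def probe_http(host, port=80, timeout=3.0):
    """Send a minimal HTTP/1.0 GET and return (classification, first line).

    Network-dependent: use only against hosts you are permitted to test.
    """
    request = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(1024)
    except OSError:
        return ("unreachable", b"")
    return (classify_response(data), data.split(b"\r\n", 1)[0])


if __name__ == "__main__":
    # Offline demonstration: parse the constructed scan and classify some
    # constructed first-reply byte strings. Against a real my.log you would
    # call probe_http(ip) for each address returned by hosts_with_open_port.
    print("open 80/tcp:", hosts_with_open_port(SAMPLE_GREPABLE))
    for reply in (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n",
                  b"SSH-2.0-OpenSSH_4.2\r\n",
                  b""):
        print(repr(reply[:20]), "->", classify_response(reply))
```

A host that comes back as 'other' or 'silent' is one of Burton's "mystery hosts": the port is open at the TCP level, which is all -PS80/-PA80 and -p 80 establish, but whatever is listening is not a web server that answers a normal GET.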
Current thread:
- RE: Finding web servers with nmap Burton Strauss (Dec 01)
- Re[2]: Finding web servers with nmap Denis Shestakov (Dec 02)
- RE: Re[2]: Finding web servers with nmap Burton Strauss (Dec 02)
- Re: Finding web servers with nmap Robin Keir (Dec 01)
- Re: Finding web servers with nmap Jeffrey F. Bloss (Dec 05)
- RE: Re[2]: Finding web servers with nmap Burton Strauss (Dec 02)
- RE: Finding web servers with nmap Jonathan Loh (Dec 02)
- Re: Finding web servers with nmap Gaddis, Jeremy L. (Dec 05)
- Re: Finding web servers with nmap Balaji Prasad (Dec 06)
- <Possible follow-ups>
- RE: Finding web servers with nmap tom . farrar (Dec 02)
- RE: Finding web servers with nmap Jonathan Loh (Dec 05)
- Re: Finding web servers with nmap y0 (Dec 02)
- RE: Finding web servers with nmap Steve McLaughlin (Dec 07)
- RE[4]: Finding web servers with nmap Denis (Dec 12)
- Re[2]: Finding web servers with nmap Denis Shestakov (Dec 02)