Nmap Development mailing list archives
Re: Nmap - Under the hood
From: Fyodor <fyodor () insecure org>
Date: Sun, 12 Dec 2004 02:24:01 -0800
On Sun, Dec 12, 2004 at 03:43:41AM -0600, skill2die4 () secguru com wrote:
> I am in the process of jotting down the various options available with NMAP while doing port scanning, collecting ethereal packets for various scan types and also discussing which scan works best under what circumstances. Results at: http://www.secguru.com/forum/viewtopic.php?t=68
Neat. I'm sure people will find that useful. So I'm CCing this response to the nmap-dev list.
> However, when I started fiddling with the -sF, -sX and -sN ... I tried these scan options against M$oft, Fedora and Solaris; but it reported all ports 'open' which I know ain't true.
The scan doesn't work against MS, but I believe that it should have against the Fedora Core and Solaris boxes. Are you sure that the ports aren't being filtered by a firewall? The default port state ("The xx ports scanned but not shown below are in state:") should be closed, and not filtered. Here is how the FIN scan looks against a Linux box on my home network:

# nmap -sF -T4 para

Starting nmap 3.76 ( http://www.insecure.org/nmap/ )
Interesting ports on para (192.168.10.191):
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
53/tcp   open|filtered domain
111/tcp  open|filtered rpcbind
515/tcp  open|filtered printer
6000/tcp open|filtered X11
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)

Nmap run completed -- 1 IP address (1 host up) scanned in 4.644 seconds

The best feature of this scan is bypassing poorly designed firewalls and packet filters.
> I got the idea about the scan, but don't have any live example.
Whenever I need an example of utter incompetence, I always try SCO/Caldera first. They rarely disappoint. Let's start with a SYN scan against docsrv.caldera.com:

# nmap -sS -O -T4 docsrv.caldera.com

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-12 02:05 PST
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1660 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
507/tcp open   crs
Device type: general purpose
Running: SCO UnixWare
OS details: SCO UnixWare 7.1.0 x86
Uptime 176.811 days (since Fri Jun 18 07:37:50 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 30.638 seconds

Hmm. So we only see 2 open ports and 1 closed port. The rest are filtered, so we don't know whether they are open or closed. Maybe we can bypass their silly excuse for a firewall with the FIN scan, and learn about more open ports in the process!

# nmap -sF -T4 docsrv.caldera.com

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-12 02:10 PST
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1624 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
7/tcp     open|filtered echo
9/tcp     open|filtered discard
11/tcp    open|filtered systat
13/tcp    open|filtered daytime
15/tcp    open|filtered netstat
19/tcp    open|filtered chargen
21/tcp    open|filtered ftp
22/tcp    open|filtered ssh
23/tcp    open|filtered telnet
25/tcp    open|filtered smtp
37/tcp    open|filtered time
79/tcp    open|filtered finger
80/tcp    open|filtered http
110/tcp   open|filtered pop3
111/tcp   open|filtered rpcbind
135/tcp   open|filtered msrpc
143/tcp   open|filtered imap
360/tcp   open|filtered scoi2odialog
389/tcp   open|filtered ldap
465/tcp   open|filtered smtps
507/tcp   open|filtered crs
512/tcp   open|filtered exec
513/tcp   open|filtered login
514/tcp   open|filtered shell
515/tcp   open|filtered printer
636/tcp   open|filtered ldapssl
712/tcp   open|filtered unknown
955/tcp   open|filtered unknown
993/tcp   open|filtered imaps
995/tcp   open|filtered pop3s
1434/tcp  open|filtered ms-sql-m
2000/tcp  open|filtered callbook
2766/tcp  open|filtered listen
3000/tcp  open|filtered ppp
3306/tcp  open|filtered mysql
6112/tcp  open|filtered dtspc
32770/tcp open|filtered sometimes-rpc3
32771/tcp open|filtered sometimes-rpc5
32772/tcp open|filtered sometimes-rpc7

Nmap run completed -- 1 IP address (1 host up) scanned in 7.683 seconds

Wow! Look at all of these interesting ports. Most of them are probably open as the port pattern does look like a default UnixWare install. But how do we know for sure? Let's try another obscure but useful scan type: Window scan:

# nmap -sW -T4 docsrv.caldera.com

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-12 02:12 PST
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1624 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
7/tcp     open     echo
9/tcp     open     discard
11/tcp    open     systat
13/tcp    open     daytime
15/tcp    open     netstat
19/tcp    open     chargen
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
25/tcp    open     smtp
37/tcp    open     time
79/tcp    open     finger
80/tcp    open     http
110/tcp   open     pop3
111/tcp   open     rpcbind
135/tcp   filtered msrpc
143/tcp   open     imap
360/tcp   open     scoi2odialog
389/tcp   open     ldap
465/tcp   open     smtps
507/tcp   open     crs
512/tcp   open     exec
513/tcp   open     login
514/tcp   open     shell
515/tcp   open     printer
636/tcp   open     ldapssl
712/tcp   open     unknown
955/tcp   open     unknown
993/tcp   open     imaps
995/tcp   open     pop3s
1434/tcp  filtered ms-sql-m
2000/tcp  open     callbook
2766/tcp  open     listen
3000/tcp  open     ppp
3306/tcp  open     mysql
6112/tcp  open     dtspc
32770/tcp open     sometimes-rpc3
32771/tcp open     sometimes-rpc5
32772/tcp open     sometimes-rpc7

Nmap run completed -- 1 IP address (1 host up) scanned in 7.664 seconds

Now those are the results we want! As expected, almost all of the "open|filtered" ports identified by FIN scan are open. Only MS-RPC and MS-SQL are filtered. And those may be filtered by my ISP as opposed to their firewall.
That is certainly a tempting target! Unfortunately, SCO's filters prevent you from reaching those ports with packets containing the SYN flag. So opening connections to them is the next challenge. But I'm already a bit off-topic. I hope the FIN examples helped. They are from my upcoming Nmap book, which should be released early next summer.

Cheers,
Fyodor

PS: The version of Nmap (3.78) used in this post has not been formally released, but you can find it at http://www.insecure.org/nmap/dist/?C=M&O=D

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
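The three scans in the message above differ only in how each probe's reply is interpreted: a SYN scan reads SYN/ACK versus RST, a FIN scan can only separate "closed" (RST) from "open|filtered" (silence, which a SYN-only filter also produces), and a Window scan uses the TCP window advertised in the RST to tell open from closed. The following Python module is an added example, not part of Fyodor's message and not Nmap's own code. It encodes those classification rules and runs them against a constructed model of a host sitting behind a filter that drops only SYN packets, the situation the docsrv.caldera.com output illustrates. Port numbers, reply flags and the window value 24820 are constructed for the example; the `classify`, `scan_host` and `ports_hidden_from_syn` names are the example's own.

```python
"""Port-state inference for Nmap's SYN, FIN and Window scans (added example).

The reply model is deliberately minimal: a TCP reply is described by its flag
string and advertised window, silence is ``None`` flags, and an ICMP
unreachable is a separate marker. The host model below is constructed and
mimics a UnixWare-style box whose packet filter only blocks SYN segments.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Reply:
    """What came back for one probe: flags such as "SA" or "RA", or None for nothing."""
    flags: Optional[str] = None   # None means no reply (timed out after retries)
    window: int = 0               # TCP window advertised in the reply segment
    icmp_unreach: bool = False    # ICMP destination unreachable instead of TCP


NO_REPLY = Reply()
RST_FLAGS = ("R", "RA")


def classify(scan: str, reply: Reply) -> str:
    """Return the state string Nmap prints for a given scan type and probe reply.

    Rules follow the scan semantics described in the message: SYN (-sS) reads
    SYN/ACK vs RST; FIN/NULL/Xmas (-sF/-sN/-sX) only see RST or silence; Window
    (-sW) is an ACK probe whose RST carries a nonzero window on open ports of
    hosts with this stack quirk.
    """
    if reply.icmp_unreach:
        return "filtered"
    if scan == "syn":
        if reply.flags == "SA":
            return "open"
        if reply.flags in RST_FLAGS:
            return "closed"
        return "filtered"
    if scan in ("fin", "null", "xmas"):
        if reply.flags in RST_FLAGS:
            return "closed"
        return "open|filtered"          # RFC 793 stacks stay silent on open ports
    if scan == "window":
        if reply.flags in RST_FLAGS:
            return "open" if reply.window > 0 else "closed"
        return "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


# Constructed host model: per port, the reply each probe type would get.
# The filter in front of the host drops SYN probes except to port 80, so the
# "syn" column is silent for 22 even though the service is listening. Port 135
# is dropped for every probe (e.g. filtered upstream), and 113 is a closed port.
TARGET: Dict[int, Dict[str, Reply]] = {
    22:  {"syn": NO_REPLY,                  "fin": NO_REPLY,    "window": Reply("RA", window=24820)},
    80:  {"syn": Reply("SA", window=24820), "fin": NO_REPLY,    "window": Reply("RA", window=24820)},
    113: {"syn": Reply("RA"),               "fin": Reply("RA"), "window": Reply("RA", window=0)},
    135: {"syn": NO_REPLY,                  "fin": NO_REPLY,    "window": NO_REPLY},
}


def scan_host(scan: str, target: Dict[int, Dict[str, Reply]] = TARGET) -> Dict[int, str]:
    """Classify every modelled port for one scan type."""
    return {port: classify(scan, replies[scan]) for port, replies in target.items()}


def ports_hidden_from_syn(target: Dict[int, Dict[str, Reply]] = TARGET) -> List[int]:
    """Ports a SYN scan reports as filtered but a Window scan shows open.

    A non-empty list is the signature of a stateless, SYN-only filter: the
    service is reachable by any segment that does not carry SYN.
    """
    syn, win = scan_host("syn", target), scan_host("window", target)
    return sorted(p for p in target if syn[p] == "filtered" and win[p] == "open")


if __name__ == "__main__":
    for scan in ("syn", "fin", "window"):
        print(f"{scan:>6}: {scan_host(scan)}")
    print("hidden from SYN scan:", ports_hidden_from_syn())
```

Running the module reproduces the progression in the message: the SYN scan sees one open port and one closed port with the rest filtered, the FIN scan turns the filtered ports into "open|filtered" without being able to say which, and the Window scan resolves them to "open" except for the port that is dropped for every probe, which stays "filtered". From the defender's side, `ports_hidden_from_syn` returning anything at all is the check that matters: a filter that only inspects the SYN flag is not tracking connection state, and a stateful filter that drops segments belonging to no established connection makes all three scans agree again.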