Nmap Development mailing list archives

Re: RPC over HTTP


From: "Jon-Erik" <jonerik () myway com>
Date: Fri, 4 Mar 2005 21:16:51 -0500 (EST)


I was going to work on something if it hadn't been already addressed, so I just wanted to make sure that was correct. 
As for the build, I built it today from the source distro on insecure.org, v. 3.81. I'll post the full output below. 

More information about RPC over HTTP can be found at http://www.msexchange.org/tutorials/outlookrpchttp.html

This is a relatively new thing, and, since it requires Outlook 2003 SP1, it may not be widely deployed. Yet. But since 
it is a form of RPC and it provides full MAPI access, and...er, it's from Microsoft, something tells me we'll be 
hearing about this sooner or later in a not so good way.


Beware: long text follows

------------------------------------------------------------
root () vidar hrith com:[ /usr/share ]18:12:22 > nmap -sV -v -v -O 24.180.0.170

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-03-04 18:13 PST
Initiating SYN Stealth Scan against odin.hrith.com (24.180.0.170) [1663 ports] at 18:13
Discovered open port 443/tcp on 24.180.0.170
Discovered open port 636/tcp on 24.180.0.170
Discovered open port 3389/tcp on 24.180.0.170
Discovered open port 21/tcp on 24.180.0.170
Discovered open port 53/tcp on 24.180.0.170
Discovered open port 80/tcp on 24.180.0.170
Discovered open port 25/tcp on 24.180.0.170
Discovered open port 389/tcp on 24.180.0.170
Discovered open port 2105/tcp on 24.180.0.170
Discovered open port 1026/tcp on 24.180.0.170
Discovered open port 5000/tcp on 24.180.0.170
Discovered open port 593/tcp on 24.180.0.170
Discovered open port 9/tcp on 24.180.0.170
Discovered open port 3269/tcp on 24.180.0.170
Discovered open port 445/tcp on 24.180.0.170
Discovered open port 19/tcp on 24.180.0.170
Discovered open port 88/tcp on 24.180.0.170
Discovered open port 17/tcp on 24.180.0.170
Discovered open port 1025/tcp on 24.180.0.170
Discovered open port 3268/tcp on 24.180.0.170
Discovered open port 135/tcp on 24.180.0.170
Discovered open port 464/tcp on 24.180.0.170
Discovered open port 13/tcp on 24.180.0.170
Discovered open port 6004/tcp on 24.180.0.170
Discovered open port 6001/tcp on 24.180.0.170
Discovered open port 3052/tcp on 24.180.0.170
Discovered open port 6002/tcp on 24.180.0.170
Discovered open port 5002/tcp on 24.180.0.170
Discovered open port 139/tcp on 24.180.0.170
Discovered open port 7/tcp on 24.180.0.170
The SYN Stealth Scan took 3.22s to scan 1663 total ports.
Initiating service scan against 30 services on odin.hrith.com (24.180.0.170) at 18:13
Service scan Timing: About 60.00% done; ETC: 18:14 (0:00:30 remaining)
The service scan took 125.86s to scan 30 services on 1 host.
For OSScan assuming port 7 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 7 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 7 is open, 1 is closed, and neither are firewalled
Host odin.hrith.com (24.180.0.170) appears to be up ... good.
Interesting ports on odin.hrith.com (24.180.0.170):
(The 1631 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE         VERSION
7/tcp    open     echo
9/tcp    open     discard?
13/tcp   open     daytime         Microsoft Windows USA daytime
17/tcp   open     qotd            Windows qotd
19/tcp   open     chargen
21/tcp   open     ftp             Microsoft ftpd
25/tcp   open     smtp            Microsoft ESMTP 6.0.3790.211
53/tcp   open     domain          Microsoft DNS
80/tcp   open     http            Microsoft IIS webserver 6.0
88/tcp   open     kerberos-sec    Microsoft Windows kerberos-sec
135/tcp  open     msrpc?
139/tcp  open     netbios-ssn
389/tcp  open     ldap            Microsoft LDAP server
443/tcp  open     ssl/http        Microsoft IIS webserver 6.0
445/tcp  open     microsoft-ds    Microsoft Windows 2003 microsoft-ds
464/tcp  open     kpasswd5?
593/tcp  open     http-rpc-epmap?
636/tcp  open     ssl/ldap        Microsoft LDAP server
1025/tcp open     msrpc           Microsoft Windows msrpc
1026/tcp open     msrpc           Microsoft Windows msrpc
1755/tcp filtered wms
2105/tcp open     msrpc           Microsoft Windows msrpc
3052/tcp open     msrpc           Microsoft Windows msrpc
3268/tcp open     ldap            Microsoft LDAP server
3269/tcp open     ssl/ldap        Microsoft LDAP server
3389/tcp open     microsoft-rdp   Microsoft Terminal Service
5000/tcp open     msrpc           Microsoft Windows msrpc
5002/tcp open     msrpc           Microsoft Windows msrpc
6001/tcp open     X11:1?
6002/tcp open     X11:2?
6004/tcp open     X11:4?
7070/tcp filtered realserver
4 services unrecognized despite returning data. If you know the service/version, please submit the following 
fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3%r(NULL
SF:,E,"ncacn_http/1\.0")%r(GenericLines,E,"ncacn_http/1\.0")%r(GetRequest,
SF:E,"ncacn_http/1\.0")%r(HTTPOptions,E,"ncacn_http/1\.0")%r(RTSPRequest,E
SF:,"ncacn_http/1\.0")%r(RPCCheck,E,"ncacn_http/1\.0")%r(DNSVersionBindReq
SF:,E,"ncacn_http/1\.0")%r(DNSStatusRequest,E,"ncacn_http/1\.0")%r(Help,E,
SF:"ncacn_http/1\.0")%r(SSLSessionReq,E,"ncacn_http/1\.0")%r(SMBProgNeg,26
SF:,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\
SF:x05\0\0\0\0")%r(X11Probe,E,"ncacn_http/1\.0")%r(LPDString,E,"ncacn_http
SF:/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/1
SF:\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")%
SF:r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(ora
SF:cle-tns,E,"ncacn_http/1\.0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6001-TCP:V=3.81%D=3/4%Time=422915F0%P=i386-unknown-freebsd5.3%r(NUL
SF:L,E,"ncacn_http/1\.0")%r(X11Probe,E,"ncacn_http/1\.0")%r(GenericLines,E
SF:,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(HTTPOptions,E,"
SF:ncacn_http/1\.0")%r(RTSPRequest,E,"ncacn_http/1\.0")%r(RPCCheck,E,"ncac
SF:n_http/1\.0")%r(DNSVersionBindReq,E,"ncacn_http/1\.0")%r(DNSStatusReque
SF:st,E,"ncacn_http/1\.0")%r(Help,E,"ncacn_http/1\.0")%r(SSLSessionReq,E,"
SF:ncacn_http/1\.0")%r(SMBProgNeg,26,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\
SF:0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0")%r(LPDString,E,"ncacn_htt
SF:p/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/
SF:1\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")
SF:%r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(or
SF:acle-tns,E,"ncacn_http/1\.0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6002-TCP:V=3.81%D=3/4%Time=422915F0%P=i386-unknown-freebsd5.3%r(NUL
SF:L,E,"ncacn_http/1\.0")%r(X11Probe,E,"ncacn_http/1\.0")%r(GenericLines,E
SF:,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(HTTPOptions,E,"
SF:ncacn_http/1\.0")%r(RTSPRequest,E,"ncacn_http/1\.0")%r(RPCCheck,E,"ncac
SF:n_http/1\.0")%r(DNSVersionBindReq,E,"ncacn_http/1\.0")%r(DNSStatusReque
SF:st,E,"ncacn_http/1\.0")%r(Help,E,"ncacn_http/1\.0")%r(SSLSessionReq,E,"
SF:ncacn_http/1\.0")%r(SMBProgNeg,26,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\
SF:0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0")%r(LPDString,E,"ncacn_htt
SF:p/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/
SF:1\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")
SF:%r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(or
SF:acle-tns,E,"ncacn_http/1\.0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6004-TCP:V=3.81%D=3/4%Time=422915F1%P=i386-unknown-freebsd5.3%r(NUL
SF:L,E,"ncacn_http/1\.0")%r(X11Probe,E,"ncacn_http/1\.0")%r(GenericLines,E
SF:,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(HTTPOptions,E,"
SF:ncacn_http/1\.0")%r(RTSPRequest,E,"ncacn_http/1\.0")%r(RPCCheck,E,"ncac
SF:n_http/1\.0")%r(DNSVersionBindReq,E,"ncacn_http/1\.0")%r(DNSStatusReque
SF:st,E,"ncacn_http/1\.0")%r(Help,E,"ncacn_http/1\.0")%r(SSLSessionReq,E,"
SF:ncacn_http/1\.0")%r(SMBProgNeg,26,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\
SF:0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0")%r(LPDString,E,"ncacn_htt
SF:p/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/
SF:1\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")
SF:%r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(or
SF:acle-tns,E,"ncacn_http/1\.0");
MAC Address: 00:11:95:1E:E0:6F (Alpha Networks)
No exact OS matches for host (If you know what OS is running on it, see 
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.81%P=i386-unknown-freebsd5.3%D=3/4%Tm=42291649%O=7%C=1%M=001195)
TSeq(Class=TR%IPID=I%TS=0)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 8093B5CF 935EC84D 2CBFA739 44C2AECA 1420983D 84BEB014
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 143.060 seconds
               Raw packets sent: 1728 (70.2KB) | Rcvd: 1691 (78.5KB)
root () vidar hrith com:[ /usr/share ]18:15:37 > 


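As an added example, not part of the original post or of nmap itself: the Python below parses a service fingerprint of the kind quoted above (the SF-Port/SF: block nmap 3.81 prints for unrecognized services), undoes nmap's escaping, checks each decoded response against its hex length field, and flags the port as an RPC-over-HTTP endpoint when a probe is answered with the ncacn_http/1.0 banner. The sample is a trimmed copy of the port 593 fingerprint above; the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the port 593 fingerprint from the scan
# above (three of its probes). Lengths are hex; responses use nmap's escaping.
SAMPLE_FP = r"""SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3%r(NULL
SF:,E,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(SMBProgNeg,26
SF:,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\
SF:x05\0\0\0\0");"""

RPC_OVER_HTTP_BANNER = b"ncacn_http/1.0"   # what the RPC-over-HTTP proxy ports answer
_PROBE_RE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_SIMPLE_ESC = {"0": 0x00, "r": 0x0D, "n": 0x0A, "t": 0x09}


def unescape(s):
    # Undo nmap's escaping: \xHH hex bytes, \0 \r \n \t, and a backslash before
    # regex metacharacters (the "1\.0" in the banner is a literal dot).
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
        elif s[i + 1] == "x":
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(_SIMPLE_ESC.get(s[i + 1], ord(s[i + 1])))
            i += 2
    return bytes(out)


def parse_fingerprint(text):
    # Join the SF-Port header line with its SF: continuation lines, then pull out
    # every %r(probe,len,"response") triple, decoding and length-checking each.
    lines = text.splitlines()
    head = re.match(r"SF-Port(\d+)-(\w+):", lines[0])
    joined = lines[0][head.end():] + "".join(ln[3:] for ln in lines[1:] if ln.startswith("SF:"))
    responses = {}
    for probe, hexlen, esc in _PROBE_RE.findall(joined):
        data = unescape(esc)
        if len(data) != int(hexlen, 16):   # a mismatch means the decode went wrong
            raise ValueError(f"{probe}: got {len(data)} bytes, fingerprint says {int(hexlen, 16)}")
        responses[probe] = data
    return int(head.group(1)), head.group(2), responses


def is_rpc_over_http(responses):
    # Any probe answered with the ncacn_http banner marks the port as an RPC-over-HTTP endpoint.
    return any(r.startswith(RPC_OVER_HTTP_BANNER) for r in responses.values())
```

Running the same parser over the 6001, 6002 and 6004 fingerprints above yields the same banner, which is what lets an inventory script group those ports with 593 instead of trusting the X11 guess.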
