Nmap Development mailing list archives
Re: RPC over HTTP
From: "Jon-Erik" <jonerik () myway com>
Date: Fri, 4 Mar 2005 21:16:51 -0500 (EST)
I was going to work on something if it hadn't been already addressed, so I just wanted to make sure that was correct. As for the build, I built it today from the source distro on insecure.org, v. 3.81. I'll post the full output below.

More information about RPC over HTTP can be found at http://www.msexchange.org/tutorials/outlookrpchttp.html

This is a relatively new thing, and, since it requires Outlook 2003 SP1, it may not be widely deployed. Yet. But since it is a form of RPC and it provides full MAPI access, and...er, it's from Microsoft, something tells me we'll be hearing about this sooner or later in a not so good way.

Beware: long text follows
------------------------------------------------------------

root () vidar hrith com:[ /usr/share ]18:12:22 > nmap -sV -v -v -O 24.180.0.170

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-03-04 18:13 PST
Initiating SYN Stealth Scan against odin.hrith.com (24.180.0.170) [1663 ports] at 18:13
Discovered open port 443/tcp on 24.180.0.170
Discovered open port 636/tcp on 24.180.0.170
Discovered open port 3389/tcp on 24.180.0.170
Discovered open port 21/tcp on 24.180.0.170
Discovered open port 53/tcp on 24.180.0.170
Discovered open port 80/tcp on 24.180.0.170
Discovered open port 25/tcp on 24.180.0.170
Discovered open port 389/tcp on 24.180.0.170
Discovered open port 2105/tcp on 24.180.0.170
Discovered open port 1026/tcp on 24.180.0.170
Discovered open port 5000/tcp on 24.180.0.170
Discovered open port 593/tcp on 24.180.0.170
Discovered open port 9/tcp on 24.180.0.170
Discovered open port 3269/tcp on 24.180.0.170
Discovered open port 445/tcp on 24.180.0.170
Discovered open port 19/tcp on 24.180.0.170
Discovered open port 88/tcp on 24.180.0.170
Discovered open port 17/tcp on 24.180.0.170
Discovered open port 1025/tcp on 24.180.0.170
Discovered open port 3268/tcp on 24.180.0.170
Discovered open port 135/tcp on 24.180.0.170
Discovered open port 464/tcp on 24.180.0.170
Discovered open port 13/tcp on 24.180.0.170
Discovered open port 6004/tcp on 24.180.0.170
Discovered open port 6001/tcp on 24.180.0.170
Discovered open port 3052/tcp on 24.180.0.170
Discovered open port 6002/tcp on 24.180.0.170
Discovered open port 5002/tcp on 24.180.0.170
Discovered open port 139/tcp on 24.180.0.170
Discovered open port 7/tcp on 24.180.0.170
The SYN Stealth Scan took 3.22s to scan 1663 total ports.
Initiating service scan against 30 services on odin.hrith.com (24.180.0.170) at 18:13
Service scan Timing: About 60.00% done; ETC: 18:14 (0:00:30 remaining)
The service scan took 125.86s to scan 30 services on 1 host.
For OSScan assuming port 7 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 7 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 7 is open, 1 is closed, and neither are firewalled
Host odin.hrith.com (24.180.0.170) appears to be up ... good.
Interesting ports on odin.hrith.com (24.180.0.170):
(The 1631 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE         VERSION
7/tcp    open     echo
9/tcp    open     discard?
13/tcp   open     daytime         Microsoft Windows USA daytime
17/tcp   open     qotd            Windows qotd
19/tcp   open     chargen
21/tcp   open     ftp             Microsoft ftpd
25/tcp   open     smtp            Microsoft ESMTP 6.0.3790.211
53/tcp   open     domain          Microsoft DNS
80/tcp   open     http            Microsoft IIS webserver 6.0
88/tcp   open     kerberos-sec    Microsoft Windows kerberos-sec
135/tcp  open     msrpc?
139/tcp  open     netbios-ssn
389/tcp  open     ldap            Microsoft LDAP server
443/tcp  open     ssl/http        Microsoft IIS webserver 6.0
445/tcp  open     microsoft-ds    Microsoft Windows 2003 microsoft-ds
464/tcp  open     kpasswd5?
593/tcp  open     http-rpc-epmap?
636/tcp  open     ssl/ldap        Microsoft LDAP server
1025/tcp open     msrpc           Microsoft Windows msrpc
1026/tcp open     msrpc           Microsoft Windows msrpc
1755/tcp filtered wms
2105/tcp open     msrpc           Microsoft Windows msrpc
3052/tcp open     msrpc           Microsoft Windows msrpc
3268/tcp open     ldap            Microsoft LDAP server
3269/tcp open     ssl/ldap        Microsoft LDAP server
3389/tcp open     microsoft-rdp   Microsoft Terminal Service
5000/tcp open     msrpc           Microsoft Windows msrpc
5002/tcp open     msrpc           Microsoft Windows msrpc
6001/tcp open     X11:1?
6002/tcp open     X11:2?
6004/tcp open     X11:4?
7070/tcp filtered realserver
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3%r(NULL
SF:,E,"ncacn_http/1\.0")%r(GenericLines,E,"ncacn_http/1\.0")%r(GetRequest,
SF:E,"ncacn_http/1\.0")%r(HTTPOptions,E,"ncacn_http/1\.0")%r(RTSPRequest,E
SF:,"ncacn_http/1\.0")%r(RPCCheck,E,"ncacn_http/1\.0")%r(DNSVersionBindReq
SF:,E,"ncacn_http/1\.0")%r(DNSStatusRequest,E,"ncacn_http/1\.0")%r(Help,E,
SF:"ncacn_http/1\.0")%r(SSLSessionReq,E,"ncacn_http/1\.0")%r(SMBProgNeg,26
SF:,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\
SF:x05\0\0\0\0")%r(X11Probe,E,"ncacn_http/1\.0")%r(LPDString,E,"ncacn_http
SF:/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/1
SF:\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")%
SF:r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(ora
SF:cle-tns,E,"ncacn_http/1\.0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6001-TCP:V=3.81%D=3/4%Time=422915F0%P=i386-unknown-freebsd5.3%r(NUL
SF:L,E,"ncacn_http/1\.0")%r(X11Probe,E,"ncacn_http/1\.0")%r(GenericLines,E
SF:,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(HTTPOptions,E,"
SF:ncacn_http/1\.0")%r(RTSPRequest,E,"ncacn_http/1\.0")%r(RPCCheck,E,"ncac
SF:n_http/1\.0")%r(DNSVersionBindReq,E,"ncacn_http/1\.0")%r(DNSStatusReque
SF:st,E,"ncacn_http/1\.0")%r(Help,E,"ncacn_http/1\.0")%r(SSLSessionReq,E,"
SF:ncacn_http/1\.0")%r(SMBProgNeg,26,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\
SF:0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0")%r(LPDString,E,"ncacn_htt
SF:p/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/
SF:1\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")
SF:%r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(or
SF:acle-tns,E,"ncacn_http/1\.0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6002-TCP:V=3.81%D=3/4%Time=422915F0%P=i386-unknown-freebsd5.3%r(NUL
SF:L,E,"ncacn_http/1\.0")%r(X11Probe,E,"ncacn_http/1\.0")%r(GenericLines,E
SF:,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(HTTPOptions,E,"
SF:ncacn_http/1\.0")%r(RTSPRequest,E,"ncacn_http/1\.0")%r(RPCCheck,E,"ncac
SF:n_http/1\.0")%r(DNSVersionBindReq,E,"ncacn_http/1\.0")%r(DNSStatusReque
SF:st,E,"ncacn_http/1\.0")%r(Help,E,"ncacn_http/1\.0")%r(SSLSessionReq,E,"
SF:ncacn_http/1\.0")%r(SMBProgNeg,26,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\
SF:0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0")%r(LPDString,E,"ncacn_htt
SF:p/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/
SF:1\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")
SF:%r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(or
SF:acle-tns,E,"ncacn_http/1\.0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6004-TCP:V=3.81%D=3/4%Time=422915F1%P=i386-unknown-freebsd5.3%r(NUL
SF:L,E,"ncacn_http/1\.0")%r(X11Probe,E,"ncacn_http/1\.0")%r(GenericLines,E
SF:,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(HTTPOptions,E,"
SF:ncacn_http/1\.0")%r(RTSPRequest,E,"ncacn_http/1\.0")%r(RPCCheck,E,"ncac
SF:n_http/1\.0")%r(DNSVersionBindReq,E,"ncacn_http/1\.0")%r(DNSStatusReque
SF:st,E,"ncacn_http/1\.0")%r(Help,E,"ncacn_http/1\.0")%r(SSLSessionReq,E,"
SF:ncacn_http/1\.0")%r(SMBProgNeg,26,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\
SF:0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0")%r(LPDString,E,"ncacn_htt
SF:p/1\.0")%r(LDAPBindReq,E,"ncacn_http/1\.0")%r(LANDesk-RC,E,"ncacn_http/
SF:1\.0")%r(TerminalServer,E,"ncacn_http/1\.0")%r(NCP,E,"ncacn_http/1\.0")
SF:%r(NotesRPC,E,"ncacn_http/1\.0")%r(WMSRequest,E,"ncacn_http/1\.0")%r(or
SF:acle-tns,E,"ncacn_http/1\.0");
MAC Address: 00:11:95:1E:E0:6F (Alpha Networks)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.81%P=i386-unknown-freebsd5.3%D=3/4%Tm=42291649%O=7%C=1%M=001195)
TSeq(Class=TR%IPID=I%TS=0)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 8093B5CF 935EC84D 2CBFA739 44C2AECA 1420983D 84BEB014
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 143.060 seconds
               Raw packets sent: 1728 (70.2KB) | Rcvd: 1691 (78.5KB)
root () vidar hrith com:[ /usr/share ]18:15:37 >
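
The service fingerprints in the message above can be read programmatically. The following is an added example, not part of the original post and not Nmap's own code: it rejoins the wrapped SF: lines, decodes each probe response, and groups probes by what the service sent back. The sample is abridged from the port 593 fingerprint in the post, and treating the hexadecimal field as the response byte count is an assumption that holds for the values shown (E = 14, 26 = 38).

```python
import re
from collections import defaultdict

# Abridged from the port 593 fingerprint in the post (4 of its probes kept).
# The wrap falls at a fixed column, even in the middle of an escape sequence.
SAMPLE = r"""
SF-Port593-TCP:V=3.81%D=3/4%Time=422915C8%P=i386-unknown-freebsd5.3%r(NULL
SF:,E,"ncacn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0")%r(SMBProgNeg,26
SF:,"ncacn_http/1\.0\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\
SF:x05\0\0\0\0")%r(X11Probe,E,"ncacn_http/1\.0");
"""

HEADER = re.compile(r"SF-Port(\d+)-(TCP|UDP):")
PROBE = re.compile(r'%r\(([^,]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.S)
SIMPLE = {"0": "\0", "r": "\r", "n": "\n", "t": "\t"}


def unescape(text):
    """Decode hex bytes, NUL, CR/LF/TAB and backslash-quoted punctuation."""
    def repl(m):
        esc = m.group(1)
        if len(esc) == 3:                  # xHH: one raw byte
            return chr(int(esc[1:], 16))
        return SIMPLE.get(esc, esc)        # e.g. "\." becomes "."
    return ESCAPE.sub(repl, text).encode("latin-1")


def parse_fingerprint(wrapped):
    """Return (port, proto, [(probe, declared_len, response_bytes), ...])."""
    lines = wrapped.strip().splitlines()
    # Join first, then decode: a wrap can split an escape such as "\" + "x05".
    joined = "".join(l[3:] if l.startswith("SF:") else l for l in lines)
    head = HEADER.match(joined)
    if head is None:
        raise ValueError("not an Nmap service fingerprint")
    probes = [(name, int(hexlen, 16), unescape(raw))
              for name, hexlen, raw in PROBE.findall(joined)]
    return int(head.group(1)), head.group(2), probes


def group_by_response(probes):
    """Map each distinct response to the probes that elicited it."""
    groups = defaultdict(list)
    for name, _declared, data in probes:
        groups[data].append(name)
    return dict(groups)


if __name__ == "__main__":
    port, proto, probes = parse_fingerprint(SAMPLE)
    for data, names in group_by_response(probes).items():
        print(f"{port}/{proto.lower()} {len(data):3d} bytes {data!r} <- {', '.join(names)}")
```

On this sample every probe except SMBProgNeg receives the same 14-byte banner, which is what a service that greets the client before reading any input looks like in a fingerprint.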