Instructor: Dr. A. Aggarwal




Дата канвертавання24.04.2016
Памер248.49 Kb.

Nmap -- Network Security Scanner

0360592 Project 2

Ahsaan Arefeen

Srabanti Dey

Mingyue Yu

Instructor: Dr. A. Aggarwal

Contents




  1. Introduction ……………………………………………………………2

  2. Option Observation…………………………………………………….4

II.1 Scan type..…………………………………………………………....4

-sT………………………………………………………………….4

-sS………………………………………………………………….6

-sF………………………………………………………………….8

–sX…………………………………………………………………9

-sN………………………………………………………………...11

-sP…………………………………………………………………16

-sO


-sA

-sW


II.2 General option

-PT


-PS

-PI


-O

-I

-v



-h

-p

-F



-M

  1. Conclusion

I. Introduction


Nmap is a network exploration tool and security scanner. It is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. Nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN,ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.
The result of running nmap is usually a list of ports on the machine being scanned. Nmap always gives the port's "well known" service name, number, state, and protocol. The state is either 'open', 'filtered', or 'unfiltered'. Open means that the target machine will accept() connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no fire wall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state.
Depending on options used, nmap may also report the following characteristics of the remote host: OS in use, TCP sequence ability, usernames running the programs which have bound to each port, the DNS name, whether the host is a smurf address, and a few others.

Nmap has the following features:




  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, pings sweeps, and more.

  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.

  • Portable: Most operating systems are supported, including Linux, Open/Free/Net BSD, Solaris, IRIX, Mac OS X, HP-UX, Sun OS, and more. Windows support is in beta and we are not distributing binaries yet..

  • Easy: Both traditional command line and graphical (GUI) versions are available to suit preference. Binaries are available for those who do not wish to compile Nmap from source.

  • Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free, and also comes with full source code that you may modify and redistribute under the terms of the GNU General Public License (GPL).

  • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, and tutorials.

  • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by both Info World and Codetalker Digest. It has been featured in hundreds of magazine articles..

  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, FreeBSD, OpenBSD, etc). It is among the top ten (out of 15,000) downloads at the Freshmeat repository. This is important because it lends Nmap its vibrant development and user support communities.


II. Option Observation


Nmap has two kinds of options, one is to define the scan type and using that type option to scan the ports, and the other is general option.
II.1. Scan type
-sT

TCP connect() scan: the most basic form of TCP scanning. It is based on the method of establishing a connection in the TCP protocol, known as a three way handshake.



  1. The server must be ready to receive a connection (usually using the socket, bind and listen functions)

  2. The client starts an active connection - a call to connect (). This sends a SYN segment to the server to inform about the initial sequence number of the data that client will send during connection. The SYN usually contains an IP Header - a TCP Header and maybe some TCP option.

  3. The server should acknowledge the SYN sending with an ACK and a SYN with its sequence number (within the same TCP package).

  4. The client should acknowledge the server SYN with an ACK

This way of scanning has two advantages:

  • it is fast (nmap even has options that we will not analyze to make it faster on slow connections)

  • special privileges are not needed on the machine that launches the scanning

but it has a big disadvantage. It is very simple to detect and easy to filter.

The follow is the output of nmap –sT davinci.newcs.uindsor.ca

saturn.cspc1.uwindsor.ca# nmap -sT davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1489 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

42/tcp open nameserver

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

-sS

TCP SYN scan: This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response. A SYN|ACK indicates the port is listening. If we receive an RST instead of an ACK, then the scanned port is not active. This scanning procedure has the drawback that root privileges are needed to execute it. But it has the advantage that is difficult to detect in the scanned machine.


Let's see a similar analysis of the actions done by nmap with this option
saturn.cspc1.uwindsor.ca# nmap -sS davinci.newcs.uwindsor.ca
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1489 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

42/tcp open nameserver

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 26 seconds


-sF -sX -sN

Stealth FIN, Xmas Tree, or Null scan modes: This scanning is based on the fact that inactive ports on the target machine respond to a FIN package with a RST package. On the other hand, active ports simply ignore those packets. Therefore the list of interesting active ports is obtained by observing which are those that have not answered. Hosts running Microsoft operating systems can not be scanned with this method since they have a non standards-conforming implementation of the TCP protocol. –sF, -sX, -sN are three types of this scan mode, and we will test all these three options as following:

-sF

saturn.cspc1.uwindsor.ca# nmap -sF davinci.newcs.uwindsor.ca



Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1489 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

369/tcp filtered rpc2portmap

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 292 seconds


-sX

saturn.cspc1.uwindsor.ca# nmap -sX -F davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1036 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 39 seconds

Notice: -sX option is combined with –F option, which is a fast mode scan.
-sN

saturn.cspc1.uwindsor.ca# nmap -sN davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1323 ports scanned but not shown below are in state: closed)

Port State Service

11/tcp filtered systat

19/tcp filtered chargen

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

29/tcp filtered msg-icp

37/tcp open time

46/tcp filtered mpm-snd

53/tcp open domain

56/tcp filtered xns-auth

58/tcp filtered xns-mail

59/tcp filtered priv-file

80/tcp open http

85/tcp filtered mit-ml-dev

86/tcp filtered mfcobol

88/tcp filtered kerberos-sec

90/tcp filtered dnsix

111/tcp open sunrpc

115/tcp filtered sftp

116/tcp filtered ansanotify

125/tcp filtered locus-map

132/tcp filtered cisco-sys

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

146/tcp filtered iso-tp0

147/tcp filtered iso-ip

152/tcp filtered bftp

172/tcp filtered cl-1

173/tcp filtered xyplex-mux

186/tcp filtered kis

198/tcp filtered dls-mon

213/tcp filtered ipx

218/tcp filtered mpp

219/tcp filtered uarps

220/tcp filtered imap3

232/tcp filtered unknown

233/tcp filtered unknown

235/tcp filtered unknown

241/tcp filtered unknown

265/tcp filtered unknown

269/tcp filtered unknown

272/tcp filtered unknown

277/tcp filtered unknown

281/tcp filtered personal-link

288/tcp filtered unknown

317/tcp filtered zannet

344/tcp filtered pdap

345/tcp filtered pawserv

346/tcp filtered zserv

352/tcp filtered dtag-ste-sb

354/tcp filtered bh611

359/tcp filtered tenebris_nts

362/tcp filtered srssend

372/tcp filtered ulistserv

375/tcp filtered hassle

377/tcp filtered tnETOS

389/tcp open ldap

391/tcp filtered synotics-relay

399/tcp filtered iso-tsap-c2

409/tcp filtered prm-nm

418/tcp filtered hyper-g

423/tcp filtered opc-job-start

431/tcp filtered utmpcd

432/tcp filtered iasd

438/tcp filtered dsfgw

458/tcp filtered appleqtc

459/tcp filtered ampr-rcmd

464/tcp filtered kpasswd5

473/tcp filtered hybrid-pop

482/tcp filtered bgs-nsi

490/tcp filtered micom-pfs

491/tcp open go-login

494/tcp filtered pov-ray

513/tcp filtered login

514/tcp open shell

515/tcp open printer

516/tcp filtered videotex

529/tcp filtered irc-serv

532/tcp filtered netnews

539/tcp filtered apertus-ldp

542/tcp filtered commerce

559/tcp filtered teedtap

570/tcp filtered meter

572/tcp filtered sonar

573/tcp filtered banyan-vip

575/tcp filtered vemmi

587/tcp filtered submission

607/tcp filtered nqs

610/tcp filtered npmp-local

630/tcp filtered unknown

651/tcp filtered unknown

657/tcp filtered unknown

659/tcp filtered unknown

664/tcp filtered unknown

668/tcp filtered unknown

687/tcp filtered unknown

711/tcp filtered unknown

716/tcp filtered unknown

718/tcp filtered unknown

726/tcp filtered unknown

739/tcp filtered unknown

740/tcp filtered netcp

745/tcp filtered unknown

747/tcp filtered fujitsu-dev

748/tcp filtered ris-cm

757/tcp filtered unknown

783/tcp filtered hp-alarm-mgr

801/tcp filtered device

810/tcp filtered unknown

811/tcp filtered unknown

821/tcp filtered unknown

824/tcp filtered unknown

847/tcp filtered unknown

858/tcp filtered unknown

874/tcp filtered unknown

876/tcp filtered unknown

883/tcp filtered unknown

885/tcp filtered unknown

900/tcp open unknown

909/tcp filtered unknown

910/tcp filtered unknown

915/tcp filtered unknown

918/tcp filtered unknown

921/tcp filtered unknown

941/tcp filtered unknown

950/tcp filtered oftep-rpc

960/tcp filtered unknown

963/tcp filtered unknown

970/tcp filtered unknown

979/tcp filtered unknown

993/tcp open imaps

994/tcp filtered ircs

1010/tcp filtered unknown

1011/tcp filtered unknown

1030/tcp filtered iad1

1032/tcp filtered iad3

1080/tcp filtered socks

1112/tcp open msql

1248/tcp filtered hermes

1357/tcp open pegboard

1358/tcp filtered connlcli

1362/tcp filtered timeflies

1368/tcp filtered screencast

1374/tcp filtered molly

1378/tcp filtered elan

1388/tcp filtered objective-dbc

1397/tcp filtered audio-activmail

1439/tcp filtered eicon-x25

1445/tcp filtered proxima-lm

1451/tcp filtered infoman

1456/tcp filtered dca

1461/tcp filtered ibm_wrless_lan

1469/tcp filtered aal-lm

1470/tcp filtered uaiact

1471/tcp filtered csdmbase

1489/tcp filtered dmdocbroker

1490/tcp filtered insitu-conf

1492/tcp filtered stone-design-1

1511/tcp filtered 3l-l1

1520/tcp filtered atm-zip-office

1523/tcp filtered cichild-lm

1532/tcp filtered miroconnect

1534/tcp filtered micromuse-lm

1535/tcp filtered ampr-info

1669/tcp filtered netview-aix-9

1988/tcp filtered tr-rsrb-p2

1994/tcp filtered stun-port

1996/tcp filtered tr-rsrb-port

2004/tcp filtered mailbox

2020/tcp filtered xinupageserver

2022/tcp filtered down

2025/tcp filtered ellpack

2040/tcp open lam

2041/tcp filtered interbase

2042/tcp filtered isis

2044/tcp filtered rimsl

2049/tcp open nfs

2108/tcp filtered rkinit

2232/tcp filtered ivs-video

2401/tcp filtered cvspserver

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

3421/tcp filtered bmap

3984/tcp filtered mapper-nodemgr

4045/tcp open lockd

5002/tcp filtered rfe

5300/tcp filtered hacl-hb

5632/tcp filtered pcanywherestat

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6144/tcp filtered statsci1-lm

6666/tcp open irc-serv

6667/tcp open irc

6969/tcp filtered acmsoda

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp filtered afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

7201/tcp filtered dlip

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 1176 seconds


-sP

Ping scanning: Sometimes you only want to know which hosts on a network are up. Nmap can do this by sending ICMP echo request packets to every IP address on the networks you specify. Hosts that respond are up. Unfortunately, some sites such as microsoft.com block echo request packets. Thus nmap can also send a TCP ack packet to (by default) port 80. If we get an RST back, that machine is up. A third technique involves sending a SYN packet and waiting for a RST or a SYN/ACK. For non-root users, a connect() method is used.


We tried –PI option which uses a true ping (ICMP echo request) packet to test nmap ping scanning, -PT option which uses tcp ping to determine what hosts are up.

-sO

IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine. If we receive an ICMP protocol unreachable message, then the protocol is not in use. Otherwise we assume it is open. Note that some hosts (AIX, HP-UX, Digital UNIX) and firewalls may not send protocol unreachable messages. This causes all of the protocols to appear "open".


saturn.cspc1.uwindsor.ca# nmap -sO davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting protocols on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 242 protocols scanned but not shown below are in state: closed)

Protocol State Name

1 open unknown

2 open unknown

6 open unknown

17 filtered unknown

57 open unknown

131 open unknown

140 open unknown

141 open unknown

200 open unknown

208 open unknown

214 open unknown

249 open unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 1398 seconds


-sA

ACK scan: This advanced method is usually used to map out firewall rulesets. In particular, it can help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.


This scan type sends an ACK packet (with random looking acknowledgement/sequence numbers) to the ports specified. If a RST comes back, the ports is classified as "unfiltered". If nothing comes back (or if an ICMP unreachable is returned), the port is classified as "filtered". Note that nmap usu- ally doesn't print "unfiltered" ports, so getting no ports shown in the output is usually a sign that all the probes got through (and returned RSTs).
saturn.cspc1.uwindsor.ca# nmap -sA www.hotmail.com

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

All 1548 scanned ports on lc2.law5.hotmail.com (64.4.53.7) are: UNfiltered

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds


saturn.cspc1.uwindsor.ca# nmap -sA davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

All 1548 scanned ports on davinci.newcs.uwindsor.ca (137.207.76.3) are: UNfiltered

Nmap run completed -- 1 IP address (1 host up) scanned in 104 seconds


-sW

Window scan: This advanced scan is very similar to the ACK scan, except that it can sometimes detect open ports as well as filtered/nonfiltered due to an anomaly in the TCP window size reporting by some operating systems. Systems vulnerable to this include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks.

saturn.cspc1.uwindsor.ca# nmap -sW davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

All 1548 scanned ports on davinci.newcs.uwindsor.ca (137.207.76.3) are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 100 seconds

The above are most important options of nmap, and next we will test some general options of nmap.

II.2. General option
-PT

Use TCP "ping" to determine what hosts are up. Instead of sending ICMP echo request packets and waiting for a response, we spew out TCP ACK packets throughout the target network (or to a single machine) and then wait for responses to trickle back. Hosts that are up should respond with a RST. This option preserves the efficiency of only scanning hosts that are up while still allowing you to scan networks/hosts that block ping packets. For non root users, we use connect(). To set the destination port of the probe packets use -PT


. The default port is 80, since this port is often not filtered out.
saturn.cspc1.uwindsor.ca# nmap -PT davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1490 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds


-PS

This option uses SYN (connection request) packets instead of ACK packets for root users. Hosts that are up should respond with a RST (or, rarely, a SYN|ACK).


saturn.cspc1.uwindsor.ca# nmap -PS davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1490 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds


-PI

This option uses a true ping (ICMP echo request) packet. It finds hosts that are up and also looks for subnet-directed broadcast addresses on your network. These are IP addresses which are externally reachable and translate to a broadcast of incoming IP packets to a subnet of computers. These should be eliminated if found as they allow for numerous denial of service attacks (Smurf is the most common).


saturn.cspc1.uwindsor.ca# nmap -PI davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1490 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds


-O

This option activates remote host identification via TCP/IP fingerprinting. In other words, it uses a bunch of techniques to detect subtleties in the underlying operating system network stack of the computers you are scanning. It uses this information to create a 'fingerprint' which it compares with its database of known OS fingerprints (the nmap-os-fingerprints file) to decide what type of system you are scanning.


The -O option also enables several other tests. One is the "Uptime" measurement, which uses the TCP timestamp option (RFC 1323) to guess when a machine was last rebooted. This is only reported for the machines which provide this information.
Another test enabled by -O is TCP Sequence Pre- dictability Classification. This is a measure that describes approximately how hard it is to establish a forged TCP connection against the remote host. This is useful for exploiting source-IP based trust relationships (rlogin, firewall filters, etc) or for hiding the source of an attack. The actual difficulty number is based on statistical sampling and may fluctuate.
We test this option combined with –sS and –sS. Now we will give the result of command nmap –sS –O davinci.newcs.uwindsor.ca as follows.
saturn.cspc1.uwindsor.ca# nmap -sS -O davinci.newcs.uwindsor.ca/24
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Host (137.207.76.0) seems to be a subnet broadcast address (returned 1 extra pings). Still scanning it due to ping response from its own IP.

Interesting ports on (137.207.76.0):

(The 1546 ports scanned but not shown below are in state: closed)

Port State Service

23/tcp open telnet

616/tcp open unknown
Remote OS guesses: Acorn RiscOS 3.7 using AcornNet TCP/IP stack, FreeBSD 2.2.1 - 4.1, Juniper Router running JUNOS, Mirapoint M1000 (OS v 1.0.0), Cabletron Systems SSR 8000 System Software, Version 3.1.B.16

Uptime 27.096 days (since Sat Feb 16 10:34:39 2002)

Interesting ports on gate.newcs.uwindsor.ca (137.207.76.1):

(The 1546 ports scanned but not shown below are in state: closed)

Port State Service

23/tcp open telnet

616/tcp open unknown
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:

SInfo(V=2.54BETA28%P=sparc-sun-solaris2.8%D=3/15%Time=3C923580%O=23%C=1)

TSeq(Class=RI%gcd=1%SI=BD03%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=C713%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=D0E2%IPID=I%TS=2HZ)

T1(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T2(Resp=N)

T3(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T4(Resp=Y%DF=N%W=4000%ACK=O%Flags=R%Ops=)

T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=134%RIPCK=F%UCK=0%ULEN=134%DAT=E)


Uptime 27.098 days (since Sat Feb 16 10:34:40 2002)

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1489 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

42/tcp open nameserver

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19


Remote operating system guess: Solaris 2.6 - 2.7

Uptime 4.125 days (since Mon Mar 11 09:57:58 2002)

Interesting ports on escher.newcs.uwindsor.ca (137.207.76.5):

(The 1510 ports scanned but not shown below are in state: closed)

Port State Service

7/tcp open echo

9/tcp open discard

13/tcp open daytime

19/tcp open chargen

21/tcp open ftp

23/tcp open telnet

25/tcp open smtp

37/tcp open time

79/tcp open finger

111/tcp open sunrpc

389/tcp open ldap

512/tcp open exec

513/tcp open login

514/tcp open shell

515/tcp open printer

540/tcp open uucp

587/tcp open submission

665/tcp open unknown

898/tcp open unknown

1420/tcp open timbuktu-srv4

4045/tcp open lockd

6000/tcp open X11

6112/tcp open dtspc

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32778/tcp open sometimes-rpc19

32779/tcp open sometimes-rpc21

32786/tcp open sometimes-rpc25

32787/tcp open sometimes-rpc27
Remote operating system guess: Sun Solaris 8 early acces beta through actual release

Uptime 3.938 days (since Mon Mar 11 14:27:34 2002)

Interesting ports on erie8.newcs.uwindsor.ca (137.207.76.6):

(The 1543 ports scanned but not shown below are in state: closed)

Port State Service

7/tcp open echo

79/tcp open finger

80/tcp open http

515/tcp open printer

9100/tcp open jetdirect


No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:

SInfo(V=2.54BETA28%P=sparc-sun-solaris2.8%D=3/15%Time=3C923672%O=7%C=1)

TSeq(Class=TD%gcd=1259D%SI=0%IPID=I%TS=U)

T1(Resp=Y%DF=N%W=3F6%ACK=S++%Flags=AS%Ops=M)

T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

T3(Resp=Y%DF=N%W=3F6%ACK=S++%Flags=AS%Ops=M)

T4(Resp=Y%DF=N%W=0%ACK=S%Flags=R%Ops=)

T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=N%W=0%ACK=S%Flags=R%Ops=)

T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

PU(Resp=N)


Interesting ports on bach.newcs.uwindsor.ca (137.207.76.7):

(The 1521 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

79/tcp open finger

111/tcp open sunrpc

512/tcp open exec

514/tcp open shell

515/tcp open printer

540/tcp open uucp

2049/tcp open nfs

2766/tcp open listen

4045/tcp open lockd

6000/tcp open X11

6112/tcp open dtspc

7100/tcp open font-service

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

32779/tcp open sometimes-rpc21

32780/tcp open sometimes-rpc23
Remote operating system guess: Solaris 2.6 - 2.7

Uptime 27.149 days (since Sat Feb 16 09:28:03 2002)

Interesting ports on euclid.newcs.uwindsor.ca (137.207.76.8):

(The 1513 ports scanned but not shown below are in state: closed)

Port State Service

7/tcp open echo

9/tcp open discard

13/tcp open daytime

19/tcp open chargen

21/tcp open ftp

23/tcp open telnet

25/tcp open smtp

37/tcp open time

79/tcp open finger

80/tcp open http

111/tcp open sunrpc

512/tcp open exec

513/tcp open login

514/tcp open shell

515/tcp open printer

523/tcp open ibm-db2

540/tcp open uucp

587/tcp open submission

665/tcp open unknown

898/tcp open unknown

4045/tcp open lockd

6000/tcp open X11

6112/tcp open dtspc

7100/tcp open font-service

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

32779/tcp open sometimes-rpc21

32780/tcp open sometimes-rpc23


Remote operating system guess: Sun Solaris 8 early acces beta through actual release

Uptime 15.950 days (since Wed Feb 27 14:16:49 2002)

Interesting ports on symmetra.newcs.uwindsor.ca (137.207.76.15):

(The 1545 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

23/tcp open telnet

80/tcp open http


Remote operating system guess: APC MasterSwitch Network Power Controller

Interesting ports on router-nt.newcs.uwindsor.ca (137.207.76.20):

(The 1540 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

70/tcp open gopher

80/tcp open http

135/tcp open loc-srv

139/tcp open netbios-ssn

515/tcp open printer

1031/tcp open iad2

3389/tcp open msrdp


Remote operating system guess: Microsoft NT 4.0 Server SP5 + 2047 Hotfixes

Interesting ports on (137.207.76.54):

(The 1546 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

23/tcp open telnet


Remote operating system guess: Xylan OmniSwitch 5x/9x ethernet switch, Annex3 Comm server R10.0, or Hitach HI-UX/WE2

Interesting ports on cs-ssr-6th.newcs.uwindsor.ca (137.207.76.250):

(The 1546 ports scanned but not shown below are in state: closed)

Port State Service

23/tcp open telnet

616/tcp open unknown


No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:

SInfo(V=2.54BETA28%P=sparc-sun-solaris2.8%D=3/15%Time=3C923A92%O=23%C=1)

TSeq(Class=RI%gcd=1%SI=B731%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=A917%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=D728%IPID=I%TS=2HZ)

T1(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T2(Resp=N)

T3(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T4(Resp=Y%DF=N%W=4000%ACK=O%Flags=R%Ops=)

T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=134%RIPCK=F%UCK=0%ULEN=134%DAT=E)


Uptime 27.158 days (since Sat Feb 16 09:29:46 2002)

Interesting ports on cs-ssr-lib.newcs.uwindsor.ca (137.207.76.253):

(The 1546 ports scanned but not shown below are in state: closed)

Port State Service

23/tcp open telnet

616/tcp open unknown
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:

SInfo(V=2.54BETA28%P=sparc-sun-solaris2.8%D=3/15%Time=3C923B89%O=23%C=1)

TSeq(Class=RI%gcd=1%SI=DF55%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=B191%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=C291%IPID=I%TS=2HZ)

T1(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T2(Resp=N)

T3(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T4(Resp=Y%DF=N%W=4000%ACK=O%Flags=R%Ops=)

T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=134%RIPCK=F%UCK=0%ULEN=134%DAT=E)


Uptime 7.083 days (since Fri Mar 8 11:21:00 2002)

Interesting ports on cs-ssr-main.newcs.uwindsor.ca (137.207.76.254):

(The 1546 ports scanned but not shown below are in state: closed)

Port State Service

23/tcp open telnet

616/tcp open unknown
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:

SInfo(V=2.54BETA28%P=sparc-sun-solaris2.8%D=3/15%Time=3C923C20%O=23%C=1)

TSeq(Class=RI%gcd=1%SI=6CE1%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=B0F4%IPID=I%TS=2HZ)

TSeq(Class=RI%gcd=1%SI=8A10%IPID=I%TS=2HZ)

T1(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T2(Resp=N)

T3(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)

T4(Resp=Y%DF=N%W=4000%ACK=O%Flags=R%Ops=)

T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=134%RIPCK=F%UCK=0%ULEN=134%DAT=E)


Uptime 19.583 days (since Sat Feb 23 23:23:37 2002)

Host (137.207.76.255) seems to be a subnet broadcast address (returned 1 extra pings). Still scanning it due to ping response from its own IP.

Interesting ports on (137.207.76.255):

(The 1546 ports scanned but not shown below are in state: closed)

Port State Service

23/tcp open telnet

616/tcp open unknown


Remote OS guesses: Acorn RiscOS 3.7 using AcornNet TCP/IP stack, FreeBSD 2.2.1 - 4.1, Juniper Router running JUNOS, Mirapoint M1000 (OS v 1.0.0), Cabletron Systems SSR 8000 System Software, Version 3.1.B.16

Uptime 27.120 days (since Sat Feb 16 10:34:48 2002)


Nmap run completed -- 256 IP addresses (14 hosts up) scanned in 2443 seconds
-I

This turns on TCP reverse ident scanning. As noted by Dave Goldsmith in a 1996 Bugtraq post, the ident protocol (rfc 1413) allows for the disclosure of the username that owns any process connected via TCP, even if that process didn't initiate the connection. So you can, for example, connect to the http port and then use identd to find out whether the server is running as root. This can only be done with a full TCP connection to the target port (i.e. the -sT scanning option). When -I is used, the remote host's identd is queried for each open port found. Obviously this won't work if the host is not running identd.


saturn.cspc1.uwindsor.ca# nmap -I davinci.newcs.uwindsor.ca

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1490 ports scanned but not shown below are in state: closed)

Port State Service Owner

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds


-v

Verbose mode. This is a highly recommended option and it gives out more information about what is going on. You can use it twice for greater effect.


saturn.cspc1.uwindsor.ca# nmap -v davinci.newcs.uwindsor.ca
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).

Host davinci.newcs.uwindsor.ca (137.207.76.3) appears to be up ... good.

Initiating Connect() Scan against davinci.newcs.uwindsor.ca (137.207.76.3)

Adding open port 6006/tcp

Adding open port 4045/tcp

Adding open port 6003/tcp

Adding open port 515/tcp

Adding open port 6002/tcp

Adding open port -32763/tcp

Adding open port -32765/tcp

Adding open port 6004/tcp

Adding open port 42/tcp

Adding open port 389/tcp

Adding open port 3000/tcp

Adding open port 135/tcp

Adding open port 587/tcp

Adding open port 6007/tcp

Adding open port 2766/tcp

Adding open port 1112/tcp

Adding open port 143/tcp

Adding open port 53/tcp

Adding open port 8888/tcp

Adding open port 7010/tcp

Adding open port 7007/tcp

Adding open port 6005/tcp

Adding open port 6112/tcp

Adding open port -32762/tcp

Adding open port 111/tcp

Adding open port -32758/tcp

Adding open port 8081/tcp

Adding open port 1358/tcp

Adding open port 23/tcp

Adding open port 6008/tcp

Adding open port 491/tcp

Adding open port 6050/tcp

Adding open port -32760/tcp

Adding open port 80/tcp

Adding open port 7001/tcp

Adding open port 2040/tcp

Adding open port 2049/tcp

Adding open port -32759/tcp

Adding open port 7002/tcp

Adding open port 6009/tcp

Adding open port 7100/tcp

Adding open port 7008/tcp

Adding open port 993/tcp

Adding open port 3001/tcp

Adding open port 6666/tcp

Adding open port 139/tcp

Adding open port 1357/tcp

Adding open port 6000/tcp

Adding open port 514/tcp

Adding open port 6667/tcp

Adding open port 37/tcp

Adding open port -32761/tcp

Adding open port 900/tcp

Adding open port 22/tcp

Adding open port 8080/tcp

Adding open port 7009/tcp

Adding open port 25/tcp

Adding open port -32764/tcp

Adding open port 21/tcp

The Connect() Scan took 3 seconds to scan 1548 ports.

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1489 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

42/tcp open nameserver

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
-h

This handy option display a quick reference screen of nmap usage options.


saturn.cspc1.uwindsor.ca# nmap -h davinci.newcs.uwindsor.ca

Nmap V. 2.54BETA28 Usage: nmap [Scan Type(s)] [Options]

Some Common Scan Types ('*' options require root privileges)

-sT TCP connect() port scan (default)

* -sS TCP SYN stealth port scan (best all-around TCP scan)

* -sU UDP port scan

-sP ping scan (Find any reachable machines)

* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)

-sR/-I RPC/Identd scan (use with other scan types)

Some Common Options (none are required, most can be combined):

* -O Use TCP/IP fingerprinting to guess remote operating system

-p ports to scan. Example range: '1-1024,1080,6666,31337'

-F Only scans ports listed in nmap-services

-v Verbose. Its use is recommended. Use twice for greater effect.

-P0 Don't ping hosts (needed to scan www.microsoft.com and others)

* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys

-T
General timing policy

-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]

-oN/-oX/-oG Output normal/XML/grepable scan logs to

-iL Get targets from file; Use '-' for stdin

* -S /-e Specify source address or network interface

--interactive Go into interactive mode (then press h for help)

Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES


-p
ranges>

This option specifies what ports you want to specify. For example '-p 23' will only try port 23 of the target host(s). '-p 20-30,139,60000-' scans ports between 20 and 30, port 139, and all ports greater than 60000. The default is to scan all ports between 1 and 1024 as well as any ports listed in the services file which comes with nmap. For IP protocol scanning (-sO), this specifies the protocol number you wish to scan for (0-255).


saturn.cspc1.uwindsor.ca# nmap davinci.newcs.uwindsor.ca -p "-100,200-1024,3000-4000,60000-"

Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 7437 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

42/tcp open nameserver

53/tcp open domain

80/tcp open http

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

900/tcp open unknown

993/tcp open imaps

3000/tcp open ppp

3001/tcp open nessusd

60073/tcp open unknown

61179/tcp open unknown

62563/tcp open unknown

62626/tcp open unknown

63419/tcp open unknown

64460/tcp open unknown

64690/tcp open unknown

64986/tcp open unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
-F Fast scan mode.

Specifies that you only wish to scan for ports listed in the services file which comes with nmap (or the protocols file for -sO). This is obviously much faster than scanning all 65535 ports on a host.


saturn.cspc1.uwindsor.ca# nmap -F davinci.newcs.uwindsor.ca
Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

Interesting ports on davinci.newcs.uwindsor.ca (137.207.76.3):

(The 1035 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

37/tcp open time

42/tcp open nameserver

53/tcp open domain

80/tcp open http

111/tcp open sunrpc

135/tcp open loc-srv

139/tcp open netbios-ssn

143/tcp open imap2

389/tcp open ldap

491/tcp open go-login

514/tcp open shell

515/tcp open printer

587/tcp open submission

993/tcp open imaps

1112/tcp open msql

1357/tcp open pegboard

1358/tcp open connlcli

2040/tcp open lam

2049/tcp open nfs

2766/tcp open listen

3000/tcp open ppp

3001/tcp open nessusd

4045/tcp open lockd

6000/tcp open X11

6002/tcp open X11:2

6003/tcp open X11:3

6004/tcp open X11:4

6005/tcp open X11:5

6006/tcp open X11:6

6007/tcp open X11:7

6008/tcp open X11:8

6009/tcp open X11:9

6050/tcp open arcserve

6112/tcp open dtspc

6666/tcp open irc-serv

6667/tcp open irc

7001/tcp open afs3-callback

7002/tcp open afs3-prserver

7007/tcp open afs3-bos

7008/tcp open afs3-update

7009/tcp open afs3-rmtsys

7010/tcp open ups-onlinet

7100/tcp open font-service

8080/tcp open http-proxy

8081/tcp open blackice-icecap

8888/tcp open sun-answerbook

32771/tcp open sometimes-rpc5

32772/tcp open sometimes-rpc7

32773/tcp open sometimes-rpc9

32774/tcp open sometimes-rpc11

32775/tcp open sometimes-rpc13

32776/tcp open sometimes-rpc15

32777/tcp open sometimes-rpc17

32778/tcp open sometimes-rpc19

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
-M sockets>

Set the maximum number of sockets that will be used in parallel for a TCP connect() scan (the default). This is useful to slow down the scan a little bit and avoid crashing remote machines. Another approach is to use -sS, which is generally easier for machines to handle.


saturn.cspc1.uwindsor.ca# nmap -M 5000

Warning: You are limited to MAX_SOCKETS_ALLOWED (1025) parallel sockets. If you really need more, change the #define and recompile.


Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )

WARNING: Your specified max_parallel_sockets of 1025, but your system says it might only give us 250. Trying anyway



WARNING: No targets were specified, so 0 hosts scanned.
There are other options in nmap, here we just involved some of them to show the most important functions supported by nmap. To be a good network analyst, one must be familiar with all the options and try on the network to invest the status of the network.


III. Conclusion


Programs such as nmap are very useful to improve the system security by looking at networks through the eyes of a potential cracker. We have shown the operation of a rather small part of the options, but still it helps to understand us to observe how to scan networks very closely. Unfortunately, nmap should be run on root directory.

 



База данных защищена авторским правом ©shkola.of.by 2016
звярнуцца да адміністрацыі

    Галоўная старонка