Re: Finding web servers with nmap

[Robin Keir <robin () keir net>]

Hi,

I think the problem here is your use of the nmap option -PA80. This 
sends a TCP 'ACK' packet to the target host(s) on port 80. It is totally 
dependent upon the remote operating system how it responds, although it 
is usual to respond with a RST-ACK. It may (and most likely *will*) 
respond in this manner both when the tested port (80 in this case) is 
open and when it is closed if there is a live host at the address you're 
testing, so it cannot be used as a reliable test for an open port 80.

Try removing the -PA80 option and the results you should get may be more 
in line with what WotWeb produces.

The nice thing about WotWeb is that you can see what responses are being 
retrieved from the remote systems and more easily identify systems that 
have port 80 (or whatever port you choose) open but may not actually be 
running a web server on that port.

Hope this helps.


Burton Strauss wrote:
> Well, you CAN use port 80 for anything - just because it's assigned to http
> doesn't mean it HAS to be used that way.
>
> If you read the nmap man page, -PS and -PA don't actually 'connect' to the
> server, rather they work at the tcp/ip level by mucking around with the
> 3-way handshake.  So the difference could be that nmap is finding servers
> which are using port 80, but don't actually have web servers there.
>
> Or it could be that the extras are web servers responding in a way that
> wotweb just doesn't understand.  I don't know - Robin doesn't really say
> what his program is looking for in the wotweb readme.
>
> The next step would be to use a program such as Microsoft's Fiddler (or
> Aman's webbug - http://www.cyberspyder.com/webbug.html) to see what the
> response to a normal http get is from one of the mystery hosts.
>
>
> -----Burton
>
> PS: I've BCCed Robin on this - that way he'll know we are saying nice things
> about his program!
>
> -----Original Message-----
> From: Denis Shestakov [mailto:da_shestakov () myrealbox com] 
> Sent: Thursday, December 01, 2005 4:00 AM
> To: security-basics () securityfocus com; BStrauss () acm org
> Subject: Re[2]: Finding web servers with nmap
>
> Thanks for the answer!
>
> I've checked the WotWeb. It's really nice tool and it is faster than nmap
> (at least if executed with options I mentioned)!
> But ... I did a scan for a list of randomly selected IPs. Nmap (with -PS80
> -PA80 -p 80) returns more hosts with open port 80 than WotWeb. I understand
> that nmap does more 'general' job and detects, for instance, hosts behind
> firewalls (that is, discovers hosts with non-publicly available services
> which are not interesting for me since I seek for 'available-for-all' web
> servers). However, I wonder what other services may be provided by machines
> with open port 80?
>
>
> BR,
>   Denis
>
>
> ----------------------------------------------------------------------------
> -
> Wednesday, November 30, 2005, 8:16:25 PM, you wrote:
> BS> Robin Keir (keir.net) has a free Windows program available, wotweb, 
> BS> which does a simple scan for a range of IPs.  It's preloaded with 
> BS> checkboxes for all the usual and many unusual web server ports.
>
> BS> -----Burton
>
> BS> -----Original Message-----
> BS> From: Denis [mailto:da_shestakov () myrealbox com]
> BS> Sent: Wednesday, November 30, 2005 11:01 AM
> BS> To: security-basics () securityfocus com
> BS> Subject: Finding web servers with nmap
>
> BS> Hi,
>
> BS> I have a task to "relatively quickly" find all web servers (all 
> BS> hosts with open port 80) in some particular network. It seems it can 
> BS> be done with the nmap program. Could you advice me concerning the 
> BS> best options for running nmap to accomplish this task? In 
> BS> particular, does the following command do it right?
> BS> nmap -v -sS -PS80 -PA80 -p 80 -oG my.log -iL x.x.0-255.0-255 I am 
> BS> asking that because I have a concern that the above command may miss
> some hosts.
> BS> However, it works faster than the command with "-P0 -p 80" ... 

--
Robin