Security Basics mailing list archives

RE: Re[2]: Finding web servers with nmap


From: "Burton Strauss" <Burton.Strauss () comcast net>
Date: Thu, 1 Dec 2005 07:32:50 -0600

Well, you CAN use port 80 for anything - just because it's assigned to http
doesn't mean it HAS to be used that way.

If you read the nmap man page, -PS and -PA don't actually 'connect' to the
server, rather they work at the tcp/ip level by mucking around with the
3-way handshake.  So the difference could be that nmap is finding servers
which are using port 80, but don't actually have web servers there.

Or it could be that the extras are web servers responding in a way that
wotweb just doesn't understand.  I don't know - Robin doesn't really say
what his program is looking for in the wotweb readme.

The next step would be to use a program such as Microsoft's Fiddler (or
Aman's webbug - http://www.cyberspyder.com/webbug.html) to see what the
response to a normal http get is from one of the mystery hosts.


-----Burton

PS: I've BCCed Robin on this - that way he'll know we are saying nice things
about his program!

-----Original Message-----
From: Denis Shestakov [mailto:da_shestakov () myrealbox com] 
Sent: Thursday, December 01, 2005 4:00 AM
To: security-basics () securityfocus com; BStrauss () acm org
Subject: Re[2]: Finding web servers with nmap

Thanks for the answer!

I've checked the WotWeb. It's a really nice tool and it is faster than nmap
(at least if executed with the options I mentioned)!
But ... I did a scan for a list of randomly selected IPs. Nmap (with -PS80
-PA80 -p 80) returns more hosts with open port 80 than WotWeb. I understand
that nmap does a more 'general' job and detects, for instance, hosts behind
firewalls (that is, discovers hosts with non-publicly available services,
which are not interesting for me since I am looking for 'available-for-all' web
servers). However, I wonder what other services may be provided by machines
with open port 80?


BR,
  Denis


-----------------------------------------------------------------------------
Wednesday, November 30, 2005, 8:16:25 PM, you wrote:
BS> Robin Keir (keir.net) has a free Windows program available, wotweb, 
BS> which does a simple scan for a range of IPs.  It's preloaded with 
BS> checkboxes for all the usual and many unusual web server ports.

BS> -----Burton

BS> -----Original Message-----
BS> From: Denis [mailto:da_shestakov () myrealbox com]
BS> Sent: Wednesday, November 30, 2005 11:01 AM
BS> To: security-basics () securityfocus com
BS> Subject: Finding web servers with nmap

BS> Hi,

BS> I have a task to "relatively quickly" find all web servers (all
BS> hosts with open port 80) in some particular network. It seems it can
BS> be done with the nmap program. Could you advise me concerning the
BS> best options for running nmap to accomplish this task? In
BS> particular, does the following command do it right?
BS> nmap -v -sS -PS80 -PA80 -p 80 -oG my.log -iL x.x.0-255.0-255
BS> I am asking that because I have a concern that the above command may miss
BS> some hosts.
BS> However, it works faster than the command with "-P0 -p 80" ...

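Burton's point is that nmap reports 80/tcp as "open" as soon as a SYN/ACK comes back, which says nothing about whether HTTP is spoken there; the way to tell the two cases apart is to send a plain GET and look at the reply. The script below is an added example, not part of this thread and not code by any of the participants. It reads the grepable (-oG) log Denis is already producing, pulls out the hosts whose Ports: field shows 80/open/tcp, and sends each one a single `GET / HTTP/1.0`, then sorts the replies into "answered with an HTTP status line", "sent a bare body with no status line" (HTTP/0.9-style), "sent something that is not HTTP", "accepted the connection but closed it without data", "stayed silent" and "connection failed". The sample -oG text embedded in it is constructed for the example, with documentation addresses, so the parser can be exercised offline; the probe itself needs network access and is only run from the main guard.

```python
"""Triage hosts that nmap lists with 80/tcp open: is it really a web server?

Added example. Reads nmap grepable output (-oG), then sends each host with
80/open a plain HTTP GET and classifies what comes back.
"""
import re
import socket
import sys

# Constructed sample of nmap -oG output (not a real scan). Fields on a
# "Host:" line are tab-separated; the Ports: field holds
# port/state/proto//service/// entries.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sS -PS80 -PA80 -p 80 -oG my.log 192.0.2.0/28\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 80/open/tcp//http///\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 80/closed/tcp//http///\n"
    "Host: 192.0.2.3 ()\tStatus: Up\n"
    "Host: 192.0.2.3 ()\tPorts: 80/filtered/tcp//http///\n"
    "Host: 192.0.2.4 (www.example.net)\tStatus: Up\n"
    "Host: 192.0.2.4 (www.example.net)\tPorts: 80/open/tcp//http///\n"
    "# Nmap done -- 16 IP addresses (4 hosts up) scanned\n"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")
STATUS_LINE_RE = re.compile(rb"HTTP/\d\.\d \d{3}")


def hosts_with_open_port(grepable: str, port: int = 80) -> list[str]:
    """Return the IPs whose Ports: field lists <port>/open/tcp, in file order."""
    found = []
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for p, state in PORT_RE.findall(field):
                    if int(p) == port and state == "open" and ip not in found:
                        found.append(ip)
    return found


def classify_response(data: bytes) -> str:
    """Classify the first bytes a host returned after 'GET / HTTP/1.0'."""
    if not data:
        return "closed-after-connect"   # SYN/ACK came back, but nothing was served
    first_line = data.split(b"\r\n", 1)[0]
    if STATUS_LINE_RE.match(first_line):
        return "http"                   # real status line: a web server of some kind
    if data.lstrip()[:1] == b"<":
        return "http/0.9"               # bare body, no status line; old or minimal server
    return "non-http"                   # something else squatting on port 80


def server_header(data: bytes):
    """Return the Server: header value from an HTTP response, or None."""
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def probe(ip: str, port: int = 80, timeout: float = 5.0):
    """Send one GET and return (classification, first bytes of the reply)."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return "connect-failed", str(exc).encode()
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + ip.encode() + b"\r\n\r\n")
            data = sock.recv(1024)
        except socket.timeout:
            return "silent", b""        # accepted the GET, never answered
        except OSError as exc:
            return "reset", str(exc).encode()
    return classify_response(data), data[:120]


if __name__ == "__main__":
    # Usage: python triage80.py my.log   (the -oG file from the nmap run)
    with open(sys.argv[1]) as fh:
        for host in hosts_with_open_port(fh.read()):
            kind, sample = probe(host)
            print(host, kind, server_header(sample) or "", sample[:60])
```

A host that lands in "non-http" or "closed-after-connect" is the case Burton describes: port 80 is reachable, so nmap is right to call it open, but there is no web server to find there. "silent" and "http/0.9" are the ones worth a second look by hand, since a proxy or a minimal server may simply dislike the HTTP/1.0 request.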
