Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: nmap port name question?

From: ToddAndMargo <ToddAndMargo () zoho com>
Date: Wed, 18 Sep 2013 15:19:49 -0700
2013/9/17 ToddAndMargo <ToddAndMargo () zoho com
<mailto:ToddAndMargo () zoho com>>

    Hi All,

    When nmap tells you a service associated with a
    port, for example,

        137/tcp closed netbios-ns reset

    does nmap get the name of the port from my /etc/services,
    or is the name hard coded into nmap?

    Many thansk,
    -T


On 09/18/2013 02:19 PM, Molinero wrote:

"While Nmap does many things, its most fundamental feature is port
scanning. Point Nmap at a remote machine, and it might tell you that
ports |25/tcp|, |80/tcp|, and |53/udp| are open. Using its
|nmap-services| database of more than 2,200 well-known services, Nmap
would report that those ports probably correspond to a mail server
(SMTP), web server (HTTP), and name server (DNS) respectively..."



Hi Molinero,

My main focus was that nmap was using its own updates tables.
My /etc/services comes from RHEL, which, by Red Hat's design, is
purposfully "out-of-date".  I wanted to make sure I was
not missing any new services.  Thank you for the help!

This is what blew my mind:

# nmap --reason  192.168.255.112

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:42 PDT
Nmap scan report for KVM-W7.rent-a-nerd.local (192.168.255.112)
Host is up, received arp-response (0.00044s latency).
Not shown: 989 closed ports
Reason: 989 resets
PORT      STATE    SERVICE      REASON
135/tcp   open     msrpc        syn-ack
139/tcp   open     netbios-ssn  syn-ack
445/tcp   open     microsoft-ds syn-ack
1110/tcp  filtered nfsd-status  no-response
5357/tcp  open     wsdapi       syn-ack
49152/tcp open     unknown      syn-ack
49153/tcp open     unknown      syn-ack
49154/tcp open     unknown      syn-ack
49155/tcp open     unknown      syn-ack
49156/tcp open     unknown      syn-ack
49157/tcp open     unknown      syn-ack

What were all these 4915x ports?  Turned out they were
all M$ RPC ports.
Reference: http://serverfault.com/questions/526607/what-is-msrpc-needed-for-on-a-windows-7-workstation 

Port   Serv  Process name
49152, msrpc [wininit.exe]
49153, msrpc [svchost.exe, Eventlog]
49154, msrpc [svchost.exe, Schedule]
49155, msrpc [lsass.exe]
49157, msrpc [services.exe]
49159, msrpc [svchost.exe, PolicyAgent]

Many thanks,
-T


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: