Nmap Development mailing list archives
Re: IPhone and nmap scan on wireless network
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 10 Apr 2008 22:29:31 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Standard iPhones show up, they just don't have port 22 (SSH) running.  Nothing special is required to scan them, I'm not sure why they aren't showing up for you.

The script snippet I sent along is Perl.

You might try doing something like:

    nmap -A -v -p- -T5 -P0 <ip>

I can't remember if all their ports (except 62078) are closed or filtered but I'm leaning towards closed.  As far as I know, they all have port 62078 open (but tcpwrapped if you try to fingerprint it).

Brandon

On Thu, 10 Apr 2008 15:06:24 -0700
"Jaime Reza" <turinreza () gmail com> wrote:
Ah.. but what about normal locked iPhones... any way that they can show up on an nmap scan? Just use this script? Is this a Lua script?

thanks
turin

On Thu, Apr 10, 2008 at 2:55 PM, Brandon Enright <bmenrigh () ucsd edu> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 10 Apr 2008 13:08:10 -0700
"Jaime Reza" <turinreza () gmail com> wrote:

Hiya, anyone tried to fingerprint/scan an iPhone that is hooked up to a wireless network? I can see my iPhone on the wireless network and it has an IP address but it's not being picked up by nmap (no packets received) -PN

turin

Sure; do it all the time.  We have so many of these on campus that we have to really stay on top of unlocked iPhones with OpenSSH installed that still have the default root password.

I don't have any example scans for you right now but here is the logic in one of my scripts that finds iPhones and alerts me when they are running SSH:

    # iPhone (based on port open and weak TCP Sequence Prediction)
    # %misc and %port are filled in from the scan output by the rest of the
    # script (not shown): $misc{'TCPSeqPred'} is the ISN predictability index
    # from OS detection, $port{N}{'Service'} is the version-detection name for
    # TCP port N.  @warning collects the alerts for the current host.
    if ((exists $misc{'TCPSeqPred'}) && ($misc{'TCPSeqPred'} == 0)
        && (exists $port{62078}) && ($port{62078}{'Service'} eq 'tcpwrapped')) {
        push @warning, {('name'     => 'IPHONE',
                         'severity' => 2,
                         'text'     => 'iPhone (weak TCP sequence'
                                     . ' is easily hackable)')};

        # Detect possible SSH on iPhone
        if ((exists $port{22}) && ($port{22}{'Service'} eq 'ssh')) {
            push @warning, {('name'     => 'IPHONE_SSH',
                             'severity' => 3,
                             'text'     => 'iPhone may have known '
                                         . 'default root password (\'alpine\')')};
        }
    }

Note that the check for TCPSeqPred == 0 requires -O or -A and the port 62078 eq 'tcpwrapped' requires -sV or -A.  This code was written before the OS DB had an iPhone fingerprint so you'd probably do better now to check the OS Nmap says it is running.

It would be very easy to turn the above code into a hostrule NSE script.  I haven't because while the check works, it's a hack.

How often does someone run OpenSSH on their phone without changing the root password, you ask?  All the ****ing time.  We've found the check to be _very_ valuable.
Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH/ozbqaGPzAsl94IRAkhxAKC/UaHlqbLTpvxp/eyDLbGuZrwSvQCfcNcG
XPIZbCD7Eo7y0SanTEst0FA=
=IsO2
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFH/pTaqaGPzAsl94IRAgcgAJ48AgvoJK9hQbUOnkIWsu3qdISqQwCgvnyN
J6TcrQ/FNzJMwuC1IXqY0Bo=
=Isur
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
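Brandon's Perl fragment post-processes scan results rather than running inside Nmap. Below is the same heuristic as a stand-alone post-processor over Nmap's XML output (nmap -oX), added here as an example and not code from the thread or from the Nmap project. It reads the <tcpsequence index> that -O writes, the per-port <service name> that -sV writes, and, as the post suggests now that the OS DB has a fingerprint, also accepts an <osmatch> naming an iPhone as evidence when 62078 is open. The sample XML embedded in the block is constructed for the example (the sequence "values" attribute is a placeholder); the element and attribute names follow Nmap's XML output format.

```python
# Added example, not from the original thread: the iPhone / iPhone-with-SSH
# checks from the post above, reimplemented over Nmap XML output (-oX).
# As with the Perl version it needs -O (for <tcpsequence>) and -sV (for the
# service name on 62078), i.e. nmap -A -p- -oX scan.xml <targets>.
import sys
import xml.etree.ElementTree as ET

IPHONE_LOCKDOWN_PORT = 62078  # open (but tcpwrapped) on every iPhone, per the thread


def analyze_host(host_el):
    """Return [(name, severity, text), ...] warnings for one <host> element."""
    warnings = []

    # ISN predictability index from -O; 0 means trivially predictable.
    seq = host_el.find("tcpsequence")
    seq_idx = None
    if seq is not None and seq.get("index", "").isdigit():
        seq_idx = int(seq.get("index"))

    # Open TCP ports -> service name assigned by -sV (None if no <service>).
    services = {}
    for p in host_el.findall("ports/port"):
        state = p.find("state")
        if p.get("protocol") != "tcp" or state is None or state.get("state") != "open":
            continue
        svc = p.find("service")
        services[int(p.get("portid"))] = svc.get("name") if svc is not None else None

    # Newer OS DBs fingerprint the phone directly.  Match "iphone" or
    # "apple ios", not a bare "ios", which would also hit Cisco IOS.
    os_names = [m.get("name", "").lower() for m in host_el.findall("os/osmatch")]
    os_says_iphone = any("iphone" in n or "apple ios" in n for n in os_names)

    lockdown_wrapped = services.get(IPHONE_LOCKDOWN_PORT) == "tcpwrapped"
    by_heuristic = seq_idx == 0 and lockdown_wrapped          # the original check
    by_os_match = os_says_iphone and IPHONE_LOCKDOWN_PORT in services

    if by_heuristic or by_os_match:
        text = ("iPhone (weak TCP sequence is easily hackable)" if seq_idx == 0
                else "iPhone (OS match)")
        warnings.append(("IPHONE", 2, text))
        if services.get(22) == "ssh":
            warnings.append(("IPHONE_SSH", 3,
                             "iPhone may have known default root password ('alpine')"))
    return warnings


def scan_warnings(xml_text):
    """Parse an nmap -oX document; return {ipv4 address: [warnings]}."""
    root = ET.fromstring(xml_text)
    results = {}
    for host_el in root.findall("host"):
        addr = host_el.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        results[addr.get("addr")] = analyze_host(host_el)
    return results


# Constructed sample output (three hosts) so the script runs offline.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -A -p- -oX - 10.0.0.0/24" version="4.62">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.21" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
<port protocol="tcp" portid="62078"><state state="open" reason="syn-ack"/><service name="tcpwrapped" method="probed" conf="8"/></port>
</ports>
<tcpsequence index="0" difficulty="Trivial joke" values="placeholder"/>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.22" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="probed" conf="10"/></port>
</ports>
<os><osmatch name="Linux 2.6.22" accuracy="96"/></os>
<tcpsequence index="259" difficulty="Good luck!" values="placeholder"/>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.23" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="62078"><state state="open" reason="syn-ack"/><service name="tcpwrapped" method="probed" conf="8"/></port>
</ports>
<os><osmatch name="Apple iPhone OS 1.1.4" accuracy="100"/></os>
<tcpsequence index="36" difficulty="Easy" values="placeholder"/>
</host>
</nmaprun>
"""

if __name__ == "__main__":
    # Usage: python iphone_check.py scan.xml   (no argument: run on SAMPLE_XML)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, warns in scan_warnings(data).items():
        for name, sev, text in warns:
            print(f"{ip}\t{name}\tseverity={sev}\t{text}")
```

On the sample, 10.0.0.21 trips both IPHONE and IPHONE_SSH, 10.0.0.22 (a Linux box with SSH and a strong ISN) trips nothing, and 10.0.0.23 is flagged only through the OS match because its sequence index is non-zero. The OS-match branch still requires 62078 to be open so that a lone fingerprint hit on a shared address does not raise an alert by itself.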
Current thread:
- IPhone and nmap scan on wireless network Jaime Reza (Apr 10)
- Re: IPhone and nmap scan on wireless network Brandon Enright (Apr 10)
- Message not available
- Re: IPhone and nmap scan on wireless network Brandon Enright (Apr 10)
- Message not available
- Re: IPhone and nmap scan on wireless network Jaime Reza (Apr 10)
- Re: IPhone and nmap scan on wireless network Jaime Reza (Apr 10)
- Re: IPhone and nmap scan on wireless network Brandon Enright (Apr 10)