Security Basics mailing list archives

Re: Nmap - Under the hood


From: Fyodor <fyodor () insecure org>
Date: Sun, 12 Dec 2004 02:24:01 -0800

On Sun, Dec 12, 2004 at 03:43:41AM -0600, skill2die4 () secguru com wrote:

> I am in the process of jotting down the various options available with NMAP
> while doing port scanning, collecting ethereal packets for various
> scan types and also discussing which scan works best under what
> circumstances.
>
> Results at :  http://www.secguru.com/forum/viewtopic.php?t=68

Neat.  I'm sure people will find that useful.  So I'm CCing this
response to the nmap-dev list.

> However, when I started fiddling with the -sF, -sX and -sN ...
> I tried these scan options against M$oft, Fedora and Solaris;
> but it reported all ports 'open', which I know ain't true.

The scan doesn't work against MS, but I believe that it should have
against the Fedora Core and Solaris boxes.  Are you sure that the
ports aren't being filtered by a firewall?  The default port state
("The xx ports scanned but not shown below are in state:") should be
closed, and not filtered.  Here is how the FIN scan looks against a
Linux box on my home network:

# nmap -sF -T4 para

Starting nmap 3.76 ( http://www.insecure.org/nmap/ )
Interesting ports on para (192.168.10.191):
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
53/tcp   open|filtered domain
111/tcp  open|filtered rpcbind
515/tcp  open|filtered printer
6000/tcp open|filtered X11
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)

Nmap run completed -- 1 IP address (1 host up) scanned in 4.644 seconds

The best feature of this scan is bypassing poorly designed firewalls
and packet filters.

> I got the idea about the scan, but don't have any live example.

Whenever I need an example of utter incompetence, I always try
SCO/Caldera first.  They rarely disappoint.  Let's start with a SYN
scan against docsrv.caldera.com:

# nmap -sS -O -T4 docsrv.caldera.com

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-12 02:05 PST
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1660 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
507/tcp open   crs
Device type: general purpose
Running: SCO UnixWare
OS details: SCO UnixWare 7.1.0 x86
Uptime 176.811 days (since Fri Jun 18 07:37:50 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 30.638 seconds

Hmm.  So we only see 2 open ports and 1 closed port.  The rest are
filtered, so we don't know whether they are open or closed.  Maybe we
can bypass their silly excuse for a firewall with the FIN scan, and
learn about more open ports in the process!

# nmap -sF -T4 docsrv.caldera.com

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-12 02:10 PST
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1624 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
7/tcp     open|filtered echo
9/tcp     open|filtered discard
11/tcp    open|filtered systat
13/tcp    open|filtered daytime
15/tcp    open|filtered netstat
19/tcp    open|filtered chargen
21/tcp    open|filtered ftp
22/tcp    open|filtered ssh
23/tcp    open|filtered telnet
25/tcp    open|filtered smtp
37/tcp    open|filtered time
79/tcp    open|filtered finger
80/tcp    open|filtered http
110/tcp   open|filtered pop3
111/tcp   open|filtered rpcbind
135/tcp   open|filtered msrpc
143/tcp   open|filtered imap
360/tcp   open|filtered scoi2odialog
389/tcp   open|filtered ldap
465/tcp   open|filtered smtps
507/tcp   open|filtered crs
512/tcp   open|filtered exec
513/tcp   open|filtered login
514/tcp   open|filtered shell
515/tcp   open|filtered printer
636/tcp   open|filtered ldapssl
712/tcp   open|filtered unknown
955/tcp   open|filtered unknown
993/tcp   open|filtered imaps
995/tcp   open|filtered pop3s
1434/tcp  open|filtered ms-sql-m
2000/tcp  open|filtered callbook
2766/tcp  open|filtered listen
3000/tcp  open|filtered ppp
3306/tcp  open|filtered mysql
6112/tcp  open|filtered dtspc
32770/tcp open|filtered sometimes-rpc3
32771/tcp open|filtered sometimes-rpc5
32772/tcp open|filtered sometimes-rpc7

Nmap run completed -- 1 IP address (1 host up) scanned in 7.683 seconds

Wow!  Look at all of these interesting ports.  Most of them are
probably open as the port pattern does look like a default UnixWare
install.  But how do we know for sure?  Let's try another obscure but
useful scan type: Window scan:

# nmap -sW -T4 docsrv.caldera.com

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2004-12-12 02:12 PST
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1624 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
7/tcp     open     echo
9/tcp     open     discard
11/tcp    open     systat
13/tcp    open     daytime
15/tcp    open     netstat
19/tcp    open     chargen
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
25/tcp    open     smtp
37/tcp    open     time
79/tcp    open     finger
80/tcp    open     http
110/tcp   open     pop3
111/tcp   open     rpcbind
135/tcp   filtered msrpc
143/tcp   open     imap
360/tcp   open     scoi2odialog
389/tcp   open     ldap
465/tcp   open     smtps
507/tcp   open     crs
512/tcp   open     exec
513/tcp   open     login
514/tcp   open     shell
515/tcp   open     printer
636/tcp   open     ldapssl
712/tcp   open     unknown
955/tcp   open     unknown
993/tcp   open     imaps
995/tcp   open     pop3s
1434/tcp  filtered ms-sql-m
2000/tcp  open     callbook
2766/tcp  open     listen
3000/tcp  open     ppp
3306/tcp  open     mysql
6112/tcp  open     dtspc
32770/tcp open     sometimes-rpc3
32771/tcp open     sometimes-rpc5
32772/tcp open     sometimes-rpc7

Nmap run completed -- 1 IP address (1 host up) scanned in 7.664 seconds

Now those are the results we want!  As expected, almost all of the
"open|filtered" ports identified by FIN scan are open.  Only MS-RPC
and MS-SQL are filtered.  And those may be filtered by my ISP as
opposed to their firewall.

That is certainly a tempting target!  Unfortunately, SCO's filters
prevent you from reaching those ports with packets containing the SYN
flag.  So opening connections to them is the next challenge.  But I'm
already a bit off-topic.  I hope the FIN examples helped.  They are
from my upcoming Nmap book, which should be released early next
summer.

Cheers,
Fyodor

PS: The version of Nmap (3.78) used in this post has not been formally
    released, but you can find it at http://www.insecure.org/nmap/dist/?C=M&O=D 
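The post's FIN and Window scans are only useful together: the FIN scan can say "open|filtered" but never "open", and the Window scan turns that ambiguity into a definite answer. The script below is an added example, not part of Fyodor's post or of Nmap; it encodes the response-to-state rules Nmap's reference guide documents for the two probe types (FIN probe: no reply is open|filtered, RST is closed, ICMP unreachable is filtered; Window probe: an RST with a positive TCP window is open, a zero window is closed, no reply is filtered), then parses an excerpt of the two result tables quoted in the post (embedded here as constructed input) and merges them the way the post does by hand. The function names and the `resolve` merging policy are this example's own.

```python
"""Resolve Nmap's open|filtered FIN-scan verdicts with a Window-scan run.

Added example, not code from the post or from Nmap. The two tables below are
an excerpt of the -sF and -sW results quoted in the post, embedded as
constructed input so the script runs offline.
"""
import re
from typing import Dict, Optional


def fin_scan_state(response: Optional[str]) -> str:
    """State Nmap assigns to a FIN-probed port.

    response is "RST", "ICMP_UNREACH", or None (nothing came back). RFC 793
    says an open port silently drops a bare FIN, so silence could mean either
    'open' or 'dropped by a filter': hence the ambiguous open|filtered.
    """
    if response is None:
        return "open|filtered"
    if response == "RST":
        return "closed"
    if response == "ICMP_UNREACH":
        return "filtered"
    raise ValueError(f"unexpected FIN-probe response: {response!r}")


def window_scan_state(response: Optional[str], window: int = 0) -> str:
    """State Nmap assigns to an ACK-probed port in Window scan (-sW).

    Some stacks (the post's UnixWare host behaves this way) set a positive
    TCP window in the RST from an open port and a zero window from a closed
    one; that window field is the whole trick of the Window scan.
    """
    if response is None or response == "ICMP_UNREACH":
        return "filtered"
    if response == "RST":
        return "open" if window > 0 else "closed"
    raise ValueError(f"unexpected Window-probe response: {response!r}")


# Excerpt of the FIN scan (-sF) table quoted in the post.
FIN_OUTPUT = """\
PORT      STATE         SERVICE
22/tcp    open|filtered ssh
80/tcp    open|filtered http
135/tcp   open|filtered msrpc
507/tcp   open|filtered crs
1434/tcp  open|filtered ms-sql-m
3306/tcp  open|filtered mysql
"""

# Excerpt of the Window scan (-sW) table quoted in the post.
WINDOW_OUTPUT = """\
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
507/tcp   open     crs
1434/tcp  filtered ms-sql-m
3306/tcp  open     mysql
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_ports(nmap_output: str) -> Dict[int, str]:
    """Map port number -> state for every 'N/tcp STATE SERVICE' line."""
    return {int(port): state for port, state, _svc in PORT_LINE.findall(nmap_output)}


def resolve(fin: Dict[int, str], win: Dict[int, str]) -> Dict[int, str]:
    """Merge the two runs: a FIN open|filtered is settled by the Window result.

    Ports absent from a table are in the run's default state, which both of
    the post's runs report as 'closed'.
    """
    merged: Dict[int, str] = {}
    for port in sorted(set(fin) | set(win)):
        fin_state = fin.get(port, "closed")
        win_state = win.get(port, "closed")
        if fin_state == "open|filtered" and win_state in ("open", "filtered"):
            merged[port] = win_state       # Window scan broke the tie
        else:
            merged[port] = fin_state       # nothing more to learn
    return merged


if __name__ == "__main__":
    for port, state in resolve(parse_ports(FIN_OUTPUT), parse_ports(WINDOW_OUTPUT)).items():
        print(f"{port:>5}/tcp  {state}")
```

On this excerpt `resolve` confirms 22, 80, 507 and 3306 as open and leaves 135 and 1434 as filtered, which is exactly the conclusion the post draws from the two full tables. The same correlation is what a defender wants when auditing a perimeter: a filter that blocks SYN but passes FIN and ACK probes still leaks the host's listening-port inventory, so the FIN and Window scans should come back empty (all closed or all filtered) when the filter is stateful.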

