Security Basics mailing list archives

Re: help interpreting the nmap output


From: miguel.dilaj () pharma novartis com
Date: Fri, 17 Dec 2004 09:37:57 +0100

Hi Ivan,

Good! Yes, you guessed correctly; it seems that Apache was set up to show 
only its name.
For other ports, like services that don't have a text banner, you have 2 
very nice options:

a) use the -sV option in nmap. Read The Fine Manual, and also the article 
at http://www.insecure.org/nmap/versionscan.html
Take into account that this is not stealth (like -sS), it establishes the 
full TCP connection.
Be sure to use latest nmap, this option is quite new (>=3.45).
There's also a good article by Brian Hatch at InfoSec News: 
http://lists.virus.org/isn-0310/msg00030.html

b) use amap (http://www.thc.org/releases.php)
Amap is a next-generation scanning tool, which identifies applications and 
services even if they are not listening on the default port by creating a 
bogus communication and analyzing the responses. Changes: more 
identifications, SSL bugfix. Voted into the top-50 security tool list!

There are other tools out there to do the identification; Nessus, for 
example, can do some detection, but the 2 tools above are the ones 
preferred by most people (in my case: plain nmap, but I recognize the 
merits of amap as well).

Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

"Ivan Fratric" <hacky_2001 () hotmail com>
16/12/2004 19:57

        To:     Miguel Dilaj/PH/Novartis@PH, security-basics () securityfocus com
        cc:
        Subject:        Re: help interpreting the nmap output


Thanks for the reply. I tried using netcat, and I get the following

nc -vv xxx.xxx.xxx.xxx 80
xxxxxxxxxxxx.com [xxx.xxx.xxx.xxx] 80 (http) open
HEAD / HTTP/1.1
Host: www.xxxxxxxxxxx.com

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2004 19:41:45 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

So I guess the Apache is configured not to show its version? When I try 
using netcat on the other mentioned ports I get something like

nc -vv xxx.xxx.xxx.xxx 23
xxxxxxxxxxxx.com [xxx.xxx.xxx.xxx] 23 (telnet) open
sent 0, rcvd 0: NOTSOCK

Is there anything else that can be done regarding the ports giving output 
like this?
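The thread above contrasts passive banner grabbing (Ivan's netcat session, where the telnet port stays silent) with active version detection (nmap -sV, amap), which sends protocol-specific probes and matches the replies against a signature table. The script below is an added example written for this archive page, not code from the thread, from nmap or from amap. It implements that strategy in miniature: a NULL probe that just listens for an unsolicited banner, followed by active probes (an HTTP HEAD like Ivan's, then an SMTP EHLO), and a tiny regex signature table. The two local "servers" (an Apache-with-ServerTokens-Prod imitation that is silent until it receives a request, and a daemon that volunteers an SSH-style banner) are constructed for the demonstration so it runs offline; the probe payloads, hostnames and signatures are illustrative assumptions, not nmap's real nmap-service-probes entries.

```python
"""Minimal active service/version probe in the spirit of nmap -sV and amap.

Strategy:
  1. Connect and wait briefly for an unsolicited banner (the "NULL" probe).
  2. If nothing arrives, reconnect and send protocol-specific probes in turn.
  3. Match whatever came back against a small signature table.
"""
import re
import socket
import threading

# Probes to try in order: (name, bytes to send). Hostname in EHLO is a placeholder.
PROBES = [
    ("NULL", b""),
    ("HTTP", b"HEAD / HTTP/1.0\r\n\r\n"),
    ("SMTP-EHLO", b"EHLO probe.example\r\n"),
]

# Signature table: (service label, regex over the raw reply). Group 1, if any, is the version.
SIGNATURES = [
    ("http/apache", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache(?:/([\d.]+))?", re.S)),
    ("http/generic", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-(\S+)")),
    ("smtp", re.compile(rb"^220[ -]")),
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe]")),  # IAC WILL/WONT/DO/DONT option negotiation
]


def classify(data):
    """Return (service, version-or-None) for a raw reply, or ("unknown", None)."""
    for name, rx in SIGNATURES:
        m = rx.match(data)
        if m:
            version = m.group(1).decode(errors="replace") if m.groups() and m.group(1) else None
            return name, version
    return "unknown", None


def _read_some(sock, limit=4096):
    """Read until EOF, the read timeout, or `limit` bytes; return what arrived."""
    chunks = []
    try:
        while sum(len(c) for c in chunks) < limit:
            c = sock.recv(1024)
            if not c:
                break
            chunks.append(c)
    except socket.timeout:
        pass
    return b"".join(chunks)


def probe_service(host, port, timeout=2.0):
    """Try each probe on a fresh connection; stop at the first one that draws a reply."""
    for probe_name, payload in PROBES:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if payload:
                    s.sendall(payload)
                data = _read_some(s)
        except OSError:  # refused, reset, timed out on connect, ...
            data = b""
        if data:
            service, version = classify(data)
            return {"probe": probe_name, "service": service, "version": version, "raw": data}
    return {"probe": None, "service": "unknown", "version": None, "raw": b""}


def start_fake_server(handler):
    """Constructed test fixture: serve `handler(conn)` on an ephemeral loopback port; return the port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def apache_prod_handler(conn):
    """Constructed: imitates Apache with ServerTokens Prod -- silent until a request arrives."""
    conn.settimeout(1.0)
    try:
        req = conn.recv(1024)
    except socket.timeout:
        return
    if req.startswith((b"HEAD", b"GET")):
        conn.sendall(b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n")


def ssh_banner_handler(conn):
    """Constructed: imitates a daemon that volunteers its banner on connect (a NULL-probe hit)."""
    conn.sendall(b"SSH-2.0-OpenSSH_3.9p1\r\n")


if __name__ == "__main__":
    for label, handler in (("apache", apache_prod_handler), ("ssh", ssh_banner_handler)):
        port = start_fake_server(handler)
        print(label, probe_service("127.0.0.1", port, timeout=0.5))
```

The HTTP result reports service "http/apache" with version None, exactly the "Server: Apache" situation in the thread, and it is found by the HTTP probe rather than the NULL probe, because the server says nothing until spoken to. That is also why a bare netcat connect to a silent port shows nothing: the real tools get their answer by sending the right probe, which, as Miguel notes, means a full TCP connection and no stealth.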