Security Basics mailing list archives

RE: help interpreting the nmap output


From: "Harshul Nayak" <harshul.nayak () patni com>
Date: Fri, 17 Dec 2004 09:46:09 +0530

Hello Ivan,
Whatever results you got were as per nmap's expected behaviour. Why not
try tools like SuperScan or Nessus, which use banner-grabbing techniques to
recognise applications?

-regs
Harshul

-----Original Message-----
From: Ivan Fratric [mailto:hacky_2001 () hotmail com]
Sent: Wednesday, December 15, 2004 12:13 AM
To: security-basics () securityfocus com
Subject: help interpreting the nmap output


Hi,

I'm running nmap on Windows XP. Normally, it works fine (when I use it to
scan a computer for which I know what services it's running) and returns
detailed info on the services installed.
However, I tried to run it on a web server on the Internet and I have
trouble getting all the info.
Using the -A -T4 options on a server, I receive the following reply:

(The 1441 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE          VERSION
5/tcp     closed rje
14/tcp    closed unknown
21/tcp    open   ftp?
22/tcp    closed ssh
23/tcp    open   telnet?
26/tcp    closed unknown
44/tcp    closed mpm-flags
53/tcp    closed domain
61/tcp    closed ni-mail
63/tcp    closed via-ftp
66/tcp    closed sql*net
79/tcp    closed finger
80/tcp    open   http?
93/tcp    closed dcp
107/tcp   closed rtelnet
113/tcp   closed auth
131/tcp   closed cisco-tna
143/tcp   closed imap
144/tcp   closed news
166/tcp   closed s-net
168/tcp   closed rsvd
169/tcp   closed send
176/tcp   closed genrad-mux
177/tcp   closed xdmcp
179/tcp   closed bgp
188/tcp   closed mumps
194/tcp   closed irc
199/tcp   closed smux
200/tcp   closed src
204/tcp   closed at-echo
207/tcp   closed at-7
209/tcp   closed tam
210/tcp   closed z39.50
220/tcp   closed imap3
222/tcp   closed rsh-spx
225/tcp   closed unknown
227/tcp   closed unknown
228/tcp   closed unknown
234/tcp   closed unknown
245/tcp   closed link
256/tcp   closed FW1-secureremote
260/tcp   closed openport
265/tcp   closed maybeFW1
272/tcp   closed unknown
276/tcp   closed unknown
277/tcp   closed unknown
279/tcp   closed unknown
281/tcp   closed personal-link
307/tcp   closed unknown
308/tcp   closed novastorbakcup
320/tcp   closed unknown
321/tcp   closed pip
325/tcp   closed unknown
332/tcp   closed unknown
348/tcp   closed csi-sgwp
355/tcp   closed datex-asn
359/tcp   closed tenebris_nts
360/tcp   closed scoi2odialog
364/tcp   closed aurora-cmgr
389/tcp   closed ldap
404/tcp   closed nced
411/tcp   closed rmt
418/tcp   closed hyper-g
423/tcp   closed opc-job-start
426/tcp   closed smartsdp
434/tcp   closed mobileip-agent
436/tcp   closed dna-cml
437/tcp   closed comscm
442/tcp   closed cvc_hostd
443/tcp   open   https?
449/tcp   closed as-servermap
472/tcp   closed ljk-login
487/tcp   closed saft
496/tcp   closed pim-rp-disc
504/tcp   closed citadel
506/tcp   closed ohimsrv
509/tcp   closed snare
524/tcp   closed ncp
533/tcp   closed netwall
537/tcp   closed nmsp
547/tcp   closed dhcpv6-server
554/tcp   closed rtsp
560/tcp   closed rmonitor
575/tcp   closed vemmi
578/tcp   closed ipdd
582/tcp   closed scc-security
586/tcp   closed password-chg
601/tcp   closed unknown
612/tcp   closed unknown
623/tcp   closed unknown
626/tcp   closed unknown
630/tcp   closed unknown
635/tcp   closed unknown
636/tcp   closed ldapssl
638/tcp   closed unknown
644/tcp   closed unknown
659/tcp   closed unknown
675/tcp   closed unknown
677/tcp   closed unknown
678/tcp   closed unknown
686/tcp   closed unknown
688/tcp   closed unknown
714/tcp   closed unknown
716/tcp   closed unknown
721/tcp   closed unknown
724/tcp   closed unknown
725/tcp   closed unknown
729/tcp   closed netviewdm1
743/tcp   closed unknown
766/tcp   closed unknown
781/tcp   closed hp-collector
790/tcp   closed unknown
793/tcp   closed unknown
795/tcp   closed unknown
803/tcp   closed unknown
805/tcp   closed unknown
819/tcp   closed unknown
844/tcp   closed unknown
847/tcp   closed unknown
848/tcp   closed unknown
852/tcp   closed unknown
857/tcp   closed unknown
884/tcp   closed unknown
888/tcp   closed accessbuilder
901/tcp   closed samba-swat
904/tcp   closed unknown
914/tcp   closed unknown
933/tcp   closed unknown
949/tcp   closed unknown
950/tcp   closed oftep-rpc
976/tcp   closed unknown
984/tcp   closed unknown
985/tcp   closed unknown
993/tcp   closed imaps
995/tcp   closed pop3s
999/tcp   closed garcon
1006/tcp  closed unknown
1009/tcp  closed unknown
1011/tcp  closed unknown
1013/tcp  closed unknown
1017/tcp  closed unknown
1040/tcp  closed netsaint
1068/tcp  closed instl_bootc
1084/tcp  closed ansoft-lm-2
1347/tcp  closed bbn-mmc
1352/tcp  closed lotusnotes
1370/tcp  closed us-gv
1374/tcp  closed molly
1376/tcp  closed ibm-pps
1400/tcp  closed cadkey-tablet
1402/tcp  closed prm-sm-np
1410/tcp  closed hiq
1415/tcp  closed dbstar
1419/tcp  closed timbuktu-srv3
1420/tcp  closed timbuktu-srv4
1445/tcp  closed proxima-lm
1450/tcp  closed dwf
1457/tcp  closed valisys-lm
1459/tcp  closed proshare1
1460/tcp  closed proshare2
1481/tcp  closed airs
1483/tcp  closed afs
1484/tcp  closed confluent
1494/tcp  closed citrix-ica
1496/tcp  closed liberty-lm
1499/tcp  closed fhc
1513/tcp  closed fujitsu-dtc
1516/tcp  closed vpad
1527/tcp  closed tlisrv
1534/tcp  closed micromuse-lm
1535/tcp  closed ampr-info
1542/tcp  closed gridgen-elmd
1552/tcp  closed pciarray
1662/tcp  closed netview-aix-2
1665/tcp  closed netview-aix-5
1672/tcp  closed netview-aix-12
1680/tcp  closed CarbonCopy
1720/tcp  closed H.323/Q.931
1723/tcp  closed pptp
1755/tcp  closed wms
1986/tcp  closed licensedaemon
1988/tcp  closed tr-rsrb-p2
1993/tcp  closed snmp-tcp-port
1997/tcp  closed gdp-port
2003/tcp  closed cfingerd
2008/tcp  closed conf
2042/tcp  closed isis
2046/tcp  closed sdfunc
2047/tcp  closed dls
2401/tcp  closed cvspserver
2603/tcp  closed ripngd
2784/tcp  closed www-dev
3000/tcp  closed ppp
3389/tcp  closed ms-term-serv
4333/tcp  closed msql
4672/tcp  closed rfa
4998/tcp  closed maybeveritas
5010/tcp  closed telelpathstart
5145/tcp  closed rmonitor_secure
5191/tcp  closed aol-1
5232/tcp  closed sgi-dgl
5236/tcp  closed padl2sim
5405/tcp  closed pcduo
5530/tcp  closed sdserv
5680/tcp  closed canna
6003/tcp  closed X11:3
6105/tcp  closed isdninfo
6111/tcp  closed spc
6141/tcp  closed meta-corp
6142/tcp  closed aspentec-lm
6588/tcp  closed analogx
7007/tcp  closed afs3-bos
8007/tcp  closed ajp12
8892/tcp  closed seosload
13701/tcp closed VeritasNetbackup
13717/tcp closed VeritasNetbackup
19150/tcp closed gkrellmd
22289/tcp closed wnn6_Cn
31337/tcp closed Elite
32773/tcp closed sometimes-rpc9
32786/tcp closed sometimes-rpc25
65301/tcp closed pcanywhere
Too many fingerprints match this host to give specific OS details

So, why the question marks next to the open protocols? Next I tried
connecting to the telnet and ftp, but I get disconnected straight away. So I
tried to get more info on the http and https by calling nmap with -sV -p 80
or -sV -p 443 options. Since it's a web server it is certainly running those
services. I get something like

80/tcp    open   Apache httpd

Anyway, no sign of the Apache version. So, how can I find out what version
of the Apache a server is running? What is the best way to proceed from
here? TIA

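An added example, not part of either message above: a trailing `?` on the service name means nmap took the name from its port-to-service table and no version probe confirmed it. The sketch below parses a port table in the format quoted above and sorts the open ports by how much was actually identified. The sample rows are constructed, and the layout of the `-sV` row (service column followed by the product string) is an assumption.

```python
import re

# Constructed sample in the format of the scan quoted above, plus one row in
# the shape -sV prints when a probe matches a product (assumed layout).
SAMPLE = """\
PORT      STATE  SERVICE          VERSION
21/tcp    open   ftp?
22/tcp    closed ssh
23/tcp    open   telnet?
80/tcp    open   http             Apache httpd
443/tcp   open   https?
"""

# port/proto, state, service name, then an optional free-text version column.
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


def parse_rows(text):
    """Return one dict per port row; headers and notes are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),  # name came from the port table only
            "version": version or "",
        })
    return rows


def triage(rows):
    """Group open ports by how far identification got."""
    out = {"unconfirmed": [], "product_only": [], "versioned": []}
    for r in rows:
        if r["state"] != "open":
            continue
        if r["guessed"] or not r["version"]:
            out["unconfirmed"].append(r["port"])
        elif re.search(r"\d+\.\d+", r["version"]):  # heuristic: looks like x.y
            out["versioned"].append(r["port"])
        else:
            out["product_only"].append(r["port"])
    return out


if __name__ == "__main__":
    print(triage(parse_rows(SAMPLE)))
```

For someone reviewing their own server, a port in `product_only` shows that the service answers with a product name but no version string, while `unconfirmed` ports accepted the connection without giving nmap a response it could match.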
