Security Basics mailing list archives
Re: Finding web servers with nmap
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Sun, 4 Dec 2005 10:23:31 -0500
On Thursday 01 December 2005 05:00 am, Denis Shestakov wrote:
> Thanks for the answer! I've checked the WotWeb. It's a really nice tool and it is faster than nmap (at least if executed with the options I mentioned)! But ... I did a scan for a list of randomly selected IPs. Nmap (with -PS80 -PA80 -p 80) returns more hosts with open port 80 than WotWeb. I understand that nmap does a more 'general' job and detects, for instance, hosts behind firewalls (that is, discovers hosts with non-publicly available services which are not interesting for me since I seek 'available-for-all' web servers). However, I wonder what other services may be provided by machines with open port 80?
The two most typical non-WWW services you're going to find doing random port 80 scans of IP blocks are misconfigured routers and printers. More routers than printers, and most of the printers will probably be HP lasers. That's just my experience, I don't really have a reason why it is but I can make some guesses.

FWIW, here are the important parts of the command line I use to ferret out web sites from IP blocks. It's sort of a hobby of mine to take country specific IP blocks found at...

http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/

...and scan them. What can I say, it's a "let's see what random sites we can find in Iraq today" thing. ;)

nmap -n -P0 -sT -p 80 -oG webscan.log --randomize_hosts xxx.xxx.xxx.xxx/xx

The -n switch tells nmap not to do RDNS. This speeds things up considerably. It also doesn't hammer your DNS server. It might also let you find sites you wouldn't otherwise find due to DNS problems/errors/whatever.

The -P0 is almost necessary for random scans, as a lot of sites and providers are dropping ICMP packets these days. It's a "stealth" thing. Which by the way sort of points out the idea that "stealth" is a bit snake oily. Dropping pings certainly *won't* keep you from being discovered. ;)

I like the --randomize_hosts switch because I like to do a lot of country IP blocks. This way I'm not accidentally hitting sequential ports on some government server cluster somewhere or something. Not that I'm *really* trying to hide anything mind you, but since you're finding routers and stuff someone might misinterpret things.

HTH!

-- 
Hand crafted on December 04, 2005 at 09:38:52 -0500

Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read. -Groucho Marx
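The command above writes grepable output with -oG, and as the thread notes, a port 80 that is "open" is a different thing from one that is "closed" or "filtered". The following parser, added here as an example and not part of the original mail or of nmap, reads -oG lines of that shape and lists only hosts whose TCP port 80 is actually open; the log content is constructed from documentation address ranges, not a real scan.

```python
from typing import List, NamedTuple

# Constructed sample of nmap grepable (-oG) output for a run like
# "nmap -n -P0 -sT -p 80 -oG webscan.log <block>". Addresses come
# from the 198.51.100.0/24 documentation range; this is not real scan data.
SAMPLE_LOG = """\
# Nmap scan initiated as: nmap -n -P0 -sT -p 80 -oG webscan.log 198.51.100.0/29
Host: 198.51.100.1 ()\tPorts: 80/open/tcp//http///
Host: 198.51.100.2 ()\tPorts: 80/closed/tcp//http///
Host: 198.51.100.3 ()\tPorts: 80/filtered/tcp//http///
Host: 198.51.100.4 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 198.51.100.5 ()\tStatus: Up
# Nmap run completed -- 8 IP addresses (5 hosts up) scanned
"""

class PortEntry(NamedTuple):
    host: str
    port: int
    state: str
    proto: str
    service: str

def parse_grepable(text: str) -> List[PortEntry]:
    """Parse nmap -oG output into one PortEntry per (host, port) pair."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # '#' header and footer comment lines carry no host data
        # Tab-separated fields: "Host: <ip> (<name>)" followed by
        # "Ports: ...", "Status: ...", "Ignored State: ..." and so on.
        fields = line.split("\t")
        host = fields[0].split()[1]  # with -n the (<name>) part is empty
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue  # a bare "Status: Up" line has no port results
        for spec in ports_field[len("Ports: "):].split(", "):
            # Each spec is port/state/protocol/owner/service/rpcinfo/version/
            parts = spec.split("/")
            entries.append(PortEntry(host, int(parts[0]), parts[1], parts[2], parts[4]))
    return entries

def hosts_with_open_port(text: str, port: int = 80) -> List[str]:
    """Hosts whose TCP <port> is reported 'open', excluding closed/filtered."""
    return sorted({e.host for e in parse_grepable(text)
                   if e.port == port and e.proto == "tcp" and e.state == "open"})

if __name__ == "__main__":
    for host in hosts_with_open_port(SAMPLE_LOG):
        print(host)
```

The service column is only nmap's port-number lookup (here always "http"), so, as the reply points out, an open port 80 still has to be inspected before you know whether it is a web site, a router, or a printer.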
Current thread:
- RE: Finding web servers with nmap Burton Strauss (Dec 01)
- Re[2]: Finding web servers with nmap Denis Shestakov (Dec 02)
- RE: Re[2]: Finding web servers with nmap Burton Strauss (Dec 02)
- Re: Finding web servers with nmap Robin Keir (Dec 01)
- Re: Finding web servers with nmap Jeffrey F. Bloss (Dec 05)
- RE: Re[2]: Finding web servers with nmap Burton Strauss (Dec 02)
- RE: Finding web servers with nmap Jonathan Loh (Dec 02)
- Re: Finding web servers with nmap Gaddis, Jeremy L. (Dec 05)
- Re: Finding web servers with nmap Balaji Prasad (Dec 06)
- <Possible follow-ups>
- RE: Finding web servers with nmap tom . farrar (Dec 02)
- RE: Finding web servers with nmap Jonathan Loh (Dec 05)
- Re: Finding web servers with nmap y0 (Dec 02)
- RE: Finding web servers with nmap Steve McLaughlin (Dec 07)
- RE[4]: Finding web servers with nmap Denis (Dec 12)
- Re[2]: Finding web servers with nmap Denis Shestakov (Dec 02)