Re: scanning for a specific service with nmap

[Tim <tim-pentest () sentinelchicken org>]

On Wed, Jul 30, 2008 at 01:39:41AM -0400, Jorge L. Vazquez wrote:
> guys I how could I use nmap to scan the network for a specific  
> server/service without having every single host alive coming back in the  
> scan but only that machine in which the service is running... for  
> example, let's say I want to scan the network to find only MSSQL server  
> which by default uses port 1433, in that case I would use nmap with  
> something like this...
>
> nmap -sSV -P0 -p T:1433 192.168.10.0/24
>
>
> this scan eventually will detect the machine that is running the SQL  
> server, the only problem is that it returns every single host alive,  
> only that port status is close as it should be expected, but I wonder if  
> it is possible to only have returned the host running SQL service.

Try switching '-P0' with '-PS 1433' or somethign similar.  Instead of
turning off ping and assuming all hosts are alive (-P0 behavior), this
will use port 1433 to test whether or not a host is alive.   Of course
it will probably then proceed to re-scan the same port redundantly, but
at least it should get the output you desire.

tim