Nmap Announce mailing list archives

Re: An Operating Systems Survey, of sorts...


From: White Cap <whitecap () dreams res cmu edu>
Date: Thu, 11 Feb 1999 23:12:41 -0500 (EST)

On Thu, 11 Feb 1999, Fyodor wrote:

nmap -i <iplist> -m output_file -n -O -sS -p21,22,23,25,80,139

Especially for unix systems, to maximize the chance you'll get three open
ports, I'd add:

7, 53, 79, 88, 110, 111, 137, 143, 513, 515

For things like kerberos v5 (88), usually the realm servers aren't running
much else, so it's to your advantage to scrape together all ports you can
find for the 3 port os ID to be effective.

I would agree however that adding all of the above might not be wise if
your hosts or you are on a slow link, and perhaps just adding a few
or none at all might be best.  They are just ports I've found that are
commonly open or are open on hosts that have very few others open (k-v5).

Obviously if you're scanning more sensitive hosts, you should drop ports
with known vulnerable daemons like pop3, imap, maybe lpd, etc.  That way
if someone does pick up the syn or fin scan, they'll have less of a reason
to get paranoid, which is generally a bad thing.

whitecap
