Nmap Development mailing list archives
Re: Identifying BeOS DR9?
From: Edhel <edhel () bigfoot com>
Date: Sat, 13 Sep 2003 16:41:51 -0400
Bo Cato wrote:
> Those are very odd results. It appears the open ports are being discovered as expected. I would suspect a problem with nmap getting the needed response from a closed port (i.e. a RST packet or a rare SYN|ACK). I'm guessing either nmap is not processing the reset packet correctly for a closed port (possibly a compile problem),
I compiled very plainly, just ./configure, make, and make install. This message came out of stderr a few times, though:

configure: WARNING: netinet/if_ether.h: present but cannot be compiled
configure: WARNING: netinet/if_ether.h: check for missing prerequisite headers?
configure: WARNING: netinet/if_ether.h: proceeding with the preprocessor's result
configure: WARNING: ## ------------------------------------ ##
configure: WARNING: ## Report this to bug-autoconf () gnu org. ##
configure: WARNING: ## ------------------------------------ ##

Perhaps this is related to my problem? My FreeBSD is version 4.7. The same thing happens when I compile it in NetBSD 1.6.
> the machine being scanned has a problem with its TCP/IP stack for closed ports,
I find this to be a distinct possibility: BeOS always had a notoriously inefficient TCP/IP stack, so I think it stands to reason that this "Preview Release" may have a TCP/IP stack that's actually so broken that it's out-of-spec. As an experiment, I tried to telnet from my FreeBSD box to some random closed port on my BeOS DR9 box. The connection timed out. When I tried to telnet from my FreeBSD box to a random closed port on itself, I got "connection refused". I then rebooted the Mac into BeOS 5.0.3 and telnetted to a closed port on it again; I got "connection refused". Nmap also seems confused when scanning BeOS 5.0.3. I suppose I should install BeOS 5.0.3 on my Athlon PC to make sure the PPC versions aren't wacky.
> or the machine you are running nmap on (freebsd?) is having a TCP/IP stack problem. Or.. I could be completely off on all accounts. You may want to post this back to the list again (instead of just to me)
Whoops! I thought that's where I sent it to :)
> and possibly run tcpdump while scanning: "tcpdump -nn -vvv -s 0 -w nmap_dump". Also nmap has options for packet tracing. The confusing thing to me is that nmap is displaying open ports but yet states the test condition is not ideal. If nmap is able to determine at least 1 open port the condition is supposed to be "good".
I think it's an utter lack of properly closed ports that's confusing nmap :-/

[spatchtower:root] ~ > strings /usr/local/bin/nmap | grep "1 closed"
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> Do you have this problem when scanning any other OS besides BeOS with nmap 3.30 from the same freebsd box?
I scanned my NetBSD box, and re-scanned my Mac after I rebooted it into MacOS 9. Both of these scans went fine. The only thing that seemed odd to me is that the scans (when done with -vv -O) always say "OS Fingerprint: (None)" just after saying "OS Details: Apple Mac OS 9.04 or HP-UX B.11.00" or "OS details: NetBSD 1.3I through 1.6"
> Hello Edhel,
>
> Friday, September 12, 2003, 11:56:01 PM, you wrote:
>
> E> Bo Cato wrote:
> E> > You want to -vv and change -sW to -sS or -sT then submit the
> E> > fingerprint to http://www.insecure.org/cgi-bin/nmap-submit.cgi
> E> I did so, but it still looks like BeOS DR9 is the OS to use if
> E> you want to evade nmap -O ;) I even recompiled my FreeBSD kernel
> E> just in case IPFW or Dummynet was interfering. :-/ Any other
> E> ideas?
> E> "New" results follow:
> E> [spatchtower:root] ~ > nmap -O -vv -sS 10.0.2.2
> E> Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-12 23:54 EDT
> E> Host powermacintosh8500 (10.0.2.2) appears to be up ... good.
> E> Initiating SYN Stealth Scan against powermacintosh8500 (10.0.2.2) at 23:54
> E> Adding open port 21/tcp
> E> Adding open port 80/tcp
> E> Adding open port 23/tcp
> E> The SYN Stealth Scan took 26 seconds to scan 1644 ports.
> E> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
> E> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
> E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
> E> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
> E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
> E> Interesting ports on powermacintosh8500 (10.0.2.2):
> E> (The 1641 ports scanned but not shown below are in state: closed)
> E> Port State Service
> E> 21/tcp open ftp
> E> 23/tcp open telnet
> E> 80/tcp open http
> E> Device type: general purpose
> E> Running (JUST GUESSING) : Be BeOS 4.X (88%)
> E> Aggressive OS guesses: BeOS 4 - 4.5 (88%)
> E> No exact OS matches for host (test conditions non-ideal).
> E> TCP/IP fingerprint:
> E> (None)
> E> Nmap run completed -- 1 IP address (1 host up) scanned in 52.900 seconds
> E> ----------------------------------------------------------------------
> E> [spatchtower:root] ~ > nmap -O -vv -sT 10.0.2.2
> E> Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-12 23:34 EDT
> E> Host powermacintosh8500 (10.0.2.2) appears to be up ... good.
> E> Initiating Connect() Scan against powermacintosh8500 (10.0.2.2) at 23:34
> E> Adding open port 23/tcp
> E> Adding open port 21/tcp
> E> Adding open port 80/tcp
> E> The Connect() Scan took 101 seconds to scan 1644 ports.
> E> Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1
> E> closed TCP port
> E> For OSScan assuming that port 21 is open and port 41137 is closed and neither are firewalled
> E> For OSScan assuming that port 21 is open and port 35740 is closed and neither are firewalled
> E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
> E> For OSScan assuming that port 21 is open and port 37521 is closed and neither are firewalled
> E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
> E> Interesting ports on powermacintosh8500 (10.0.2.2):
> E> (The 1641 ports scanned but not shown below are in state: filtered)
> E> Port State Service
> E> 21/tcp open ftp
> E> 23/tcp open telnet
> E> 80/tcp open http
> E> Device type: general purpose
> E> Running (JUST GUESSING) : Be BeOS 4.X (88%)
> E> Aggressive OS guesses: BeOS 4 - 4.5 (88%)
> E> No exact OS matches for host (test conditions non-ideal).
> E> TCP/IP fingerprint:
> E> (None)
> E> Nmap run completed -- 1 IP address (1 host up) scanned in 129.179 seconds
----------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
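The closed-port experiment described in this message (telnet to a closed port: "connection refused" means the peer answered the SYN with a RST, a timeout means nothing came back at all), written out as an added example that is not part of the thread and not nmap's code. This hypothetical Python script generalises the single telnet probe: it classifies connect() outcomes for a list of ports and then applies the precondition nmap's own warning names, at least one open and one closed TCP port. It assumes a host reachable over plain TCP; the demo at the bottom uses 127.0.0.1 with a throwaway listener and a constructed unused port so it runs offline, and the "no-response" reason text is this example's wording, not nmap's.

```python
"""Classify TCP connect() outcomes the way a manual telnet test does, then
check nmap's stated precondition for OS detection (1 open + 1 closed port).

Illustrative code written for this page, not part of nmap. It assumes a host
reachable over plain TCP; the demo uses 127.0.0.1 so it runs offline.
"""
import errno
import socket
from collections import Counter

OPEN = "open"                # handshake completed: the peer sent SYN/ACK
CLOSED = "closed"            # peer answered the SYN with RST (seen as ECONNREFUSED)
NO_RESPONSE = "no-response"  # neither SYN/ACK nor RST arrived before the timeout
UNREACHABLE = "unreachable"  # ICMP host/net unreachable: a routing problem, not a stack one


def probe_port(host, port, timeout=2.0):
    """Connect once to host:port and return OPEN, CLOSED, NO_RESPONSE or UNREACHABLE."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except socket.timeout:
            return NO_RESPONSE          # the DR9 behaviour from the thread: the SYN is simply dropped
        except ConnectionRefusedError:
            return CLOSED               # a well-behaved stack: RST came back
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return UNREACHABLE
            raise
        return OPEN


def probe_ports(host, ports, timeout=2.0):
    """Probe each port in turn; returns {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def os_detection_readiness(states):
    """Apply the condition nmap's warning names: at least one open and one
    closed (RST-answering) TCP port. Returns (ok, reason)."""
    counts = Counter(states.values())
    if counts[OPEN] == 0:
        return False, "no open port found"
    if counts[CLOSED] == 0:
        if counts[NO_RESPONSE]:
            return False, ("no port answered with RST; %d probes timed out, so either the "
                           "target stack drops SYNs to closed ports or something in the "
                           "path filters them" % counts[NO_RESPONSE])
        return False, "no closed port found"
    return True, "found %d open and %d closed ports" % (counts[OPEN], counts[CLOSED])


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listening socket so the demo has a known-open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Pick a port nothing listens on; connecting to it should draw a RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        targets = [open_port, unused_port()]    # constructed: one open, one closed
        states = probe_ports("127.0.0.1", targets)
        for port, state in sorted(states.items()):
            print("%5d/tcp %s" % (port, state))
        ok, reason = os_detection_readiness(states)
        print("OS detection precondition met:", ok, "-", reason)
    finally:
        srv.close()
```

Against a normal stack the demo reports one open and one closed port and the precondition holds; against a host like the DR9 box in this thread every non-open probe would come back as "no-response", which is exactly the situation in which nmap falls back to guessing a closed port and prints the "MUCH less reliable" warning. Running the probe with tcpdump alongside, as suggested above, shows whether the missing RSTs are the target's doing or something in between.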