Nmap Development mailing list archives

Re: Identifying BeOS DR9?


From: Edhel <edhel () bigfoot com>
Date: Sat, 13 Sep 2003 16:41:51 -0400

Bo Cato wrote:
> Those are very odd results. It's appears the open ports are being
> discovered as expected. I would suspect a problem with nmap getting
> the needed response from a closed port (ie a rst packet or a rare
> syn|ack). I'm guessing either nmap is not processing the reset packet
> correctly for a closed port (possibly a compile problem),

I compiled very plainly, just ./configure, make, and make install. This
message came out of stderr a few times, though:

configure: WARNING: netinet/if_ether.h: present but cannot be compiled
configure: WARNING: netinet/if_ether.h: check for missing prerequisite headers?
configure: WARNING: netinet/if_ether.h: proceeding with the preprocessor's result
configure: WARNING:     ## ------------------------------------ ##
configure: WARNING:     ## Report this to bug-autoconf () gnu org. ##
configure: WARNING:     ## ------------------------------------ ##

Perhaps this is related to my problem? My FreeBSD is version 4.7. The
same thing happens when I compile it in NetBSD 1.6.

> the machine
> being scanned has a problem with its tcp/ip stack for closed ports,

I find this to be a distinct possibility: BeOS always had a notoriously
inefficient TCP/IP stack, so I think it stands to reason that this
"Preview Release" may have a TCP/IP stack that's actually so broken that
it's out-of-spec.

As an experiment, I tried to telnet from my FreeBSD box to some random
closed port on my BeOS DR9 box. The connection timed out. When I tried
to telnet from my FreeBSD box to a random closed port on itself, I got
"connection refused". I then rebooted the Mac into BeOS 5.0.3 and
telnetted to a closed port on it again; I got "connection refused". Nmap
also seems confused when scanning BeOS 5.0.3. I suppose I should install
BeOS 5.0.3 on my Athlon PC to make sure the PPC versions aren't wacky.

> or the machine you are running nmap on (freebsd?) is having a tcp/ip
> stack problem. Or.. I could be completely off on all accounts.
>
> You may want to post this back to the list again (instead of just to
> me)

Whoops! I thought that's where I sent it to :)

> and possibly run tcpdump while scanning "tcpdump -nn -vvv -s 0 -w
> nmap_dump".
>
> Also nmap has options for packet tracing.

> The confusing thing to me is that nmap is displaying open ports but
> yet states the test condition is not ideal. If nmap is able to
> determine at least 1 open port the condition is supposed to be "good".

I think it's an utter lack of properly closed ports that's confusing
nmap :-/

[spatchtower:root] ~ > strings /usr/local/bin/nmap | grep "1 closed"
Warning:  OS detection will be MUCH less reliable because we did not find
at least 1 open and 1 closed TCP port

> Do you have this problem when scanning any other OS beside BeOS with
> nmap 3.30 from the same freebsd box?

I scanned my NetBSD box, and re-scanned my Mac after I rebooted it into
MacOS 9. Both of these scans went fine. The only thing that seemed odd to
me is the scans (when done with -vv -O) always say "OS Fingerprint: (None)"
just after saying "OS Details: Apple Mac OS 9.04 or HP-UX B.11.00" or
"OS details: NetBSD 1.3I through 1.6"


Hello Edhel,

Friday, September 12, 2003, 11:56:01 PM, you wrote:

E> Bo Cato wrote:
E>  > You want to -vv and change -sW to -sS or -sT then submit the
E>  > fingerprint to http://www.insecure.org/cgi-bin/nmap-submit.cgi

E> I did so, but it still looks like BeOS DR9 is the OS to use if
E> you want to evade nmap -O ;) I even recompiled my FreeBSD kernel
E> just in case IPFW or Dummynet was interfering. :-/ Any other
E> ideas?

E> "New" results follow:


E> [spatchtower:root] ~ > nmap -O -vv -sS 10.0.2.2

E> Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-12 23:54 EDT
E> Host powermacintosh8500 (10.0.2.2) appears to be up ... good.
E> Initiating SYN Stealth Scan against powermacintosh8500 (10.0.2.2) at 23:54
E> Adding open port 21/tcp
E> Adding open port 80/tcp
E> Adding open port 23/tcp
E> The SYN Stealth Scan took 26 seconds to scan 1644 ports.
E> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
E> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
E> For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
E> Interesting ports on powermacintosh8500 (10.0.2.2):
E> (The 1641 ports scanned but not shown below are in state: closed)
E> Port       State       Service
E> 21/tcp     open        ftp
E> 23/tcp     open        telnet
E> 80/tcp     open        http
E> Device type: general purpose
E> Running (JUST GUESSING) : Be BeOS 4.X (88%)
E> Aggressive OS guesses: BeOS 4 - 4.5 (88%)
E> No exact OS matches for host (test conditions non-ideal).
E> TCP/IP fingerprint:
E> (None)

E> Nmap run completed -- 1 IP address (1 host up) scanned in 52.900 seconds

E> ----------------------------------------------------------------------

E> [spatchtower:root] ~ > nmap -O -vv -sT 10.0.2.2

E> Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-09-12 23:34 EDT
E> Host powermacintosh8500 (10.0.2.2) appears to be up ... good.
E> Initiating Connect() Scan against powermacintosh8500 (10.0.2.2) at 23:34
E> Adding open port 23/tcp
E> Adding open port 21/tcp
E> Adding open port 80/tcp
E> The Connect() Scan took 101 seconds to scan 1644 ports.
E> Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1
E> closed TCP port
E> For OSScan assuming that port 21 is open and port 41137 is closed and neither are firewalled
E> For OSScan assuming that port 21 is open and port 35740 is closed and neither are firewalled
E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
E> For OSScan assuming that port 21 is open and port 37521 is closed and neither are firewalled
E> Insufficient responses for TCP sequencing (0), OS detection may be less accurate
E> Interesting ports on powermacintosh8500 (10.0.2.2):
E> (The 1641 ports scanned but not shown below are in state: filtered)
E> Port       State       Service
E> 21/tcp     open        ftp
E> 23/tcp     open        telnet
E> 80/tcp     open        http
E> Device type: general purpose
E> Running (JUST GUESSING) : Be BeOS 4.X (88%)
E> Aggressive OS guesses: BeOS 4 - 4.5 (88%)
E> No exact OS matches for host (test conditions non-ideal).
E> TCP/IP fingerprint:
E> (None)

E> Nmap run completed -- 1 IP address (1 host up) scanned in 129.179 seconds

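The telnet experiment described above (a closed port that answers with RST gives "connection refused", one that never answers times out) is exactly the closed-port reference that nmap -O needs. The following added example, not part of this thread, automates that check so a scan result of "(None)" fingerprint plus "test conditions non-ideal" can be triaged: if no probed port is "refused", the target's stack (or a firewall in front of it) simply offers nmap no closed port to work with. Host, port list and the loopback test helpers are assumptions.

```python
import errno
import socket

# Outcome labels for a single TCP connect() probe.
REFUSED = "refused"   # RST came back: a properly closed port (what nmap -O needs)
TIMEOUT = "timeout"   # nothing came back: filtered, or a stack that never sends RST
OPEN = "open"         # three-way handshake completed


def probe_port(host, port, timeout=3.0):
    """Classify how `host` answers a TCP connect() to `port`.

    Mirrors the manual telnet test in the thread: a host whose closed ports
    reply with RST yields "refused"; a host that stays silent (firewalled, or
    a stack that does not RST closed ports) yields "timeout" after `timeout`
    seconds. Any other socket error is reported by its errno name.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return REFUSED
        except socket.timeout:
            return TIMEOUT
        except OSError as e:
            return "error (%s)" % errno.errorcode.get(e.errno, e.errno)
        return OPEN


def has_closed_port(host, ports, timeout=3.0):
    """True if at least one probed port answered with RST, i.e. the host gives
    nmap's OS detection the closed-port reference it relies on."""
    return any(probe_port(host, p, timeout) == REFUSED for p in ports)


def _free_local_port():
    # Constructed helper: reserve then release a loopback port so that a
    # following connect() hits a port that is genuinely closed.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _listening_local_socket():
    # Constructed helper: an open loopback listener to compare against.
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    port = _free_local_port()
    print(port, probe_port("127.0.0.1", port))  # closed loopback port: refused
```

Run it against the scanned host with a handful of high, unused ports; a result list with no "refused" entry explains a "(None)" fingerprint without suspecting the nmap build.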

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
