Nmap Development mailing list archives

Here's something to ponder...


From: "Craig Humphrey" <Craig.Humphrey () chapmantripp com>
Date: Wed, 6 Jul 2005 10:28:11 +1200

Hi People,

Just came across an interesting result in nmap 3.81 (on WinXPsp2 no
less).

nmap.exe -sSV -O some.computer.net
Interesting ports on some.computer.net (xxx.xxx.xxx.xxx):
(The 1657 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE       VERSION
25/tcp   open   smtp?
80/tcp   closed http
143/tcp  open   imap          Microsoft Exchange 2000 IMAP4rev1 server 6.0.6249.0
1723/tcp open   pptp?
3389/tcp open   microsoft-rdp Microsoft Terminal Service
4444/tcp open   http          Microsoft IIS webserver 5.0
[snip snip]
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows Server 2003 Standard Edition

Nmap finished: 1 IP address (1 host up) scanned in 124.183 seconds

Spot the point of interest?  The host reports as Win2k3, yet it's
running IIS5 (which is Win2k) and Exchange2000 (which must be run on a
Win2k server, not 2k3).

The service signature for the SMTP services wasn't recognised (I'll post
the sig below), which is odd, since you'd expect it to be
Exchange2000...

All of which seems to suggest that this box is actually doing some form
of port-forwarding (ISA?) to multiple boxes behind the scenes... Or nmap
got the OS sig wrong.... Which seems a little unlikely.

What would people generally do next to determine if this is actually a
firewall/proxy box?  Firewalk? Packet sniff the packets to/from services
to see if they have the same RTT as a ping to the box's IP address?

I guess this would normally be a Friday type question... But the list
has been relatively quiet... [everyone must be "working"]

How does nmap handle unicode/utf-8 responses?  It might explain the odd
SMTP sig.

Later'ish
Craig

SMTP sig:
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=3.81%D=7/6%Time=42CAFFC2%P=i686-pc-windows-windows%r(NULL,
SF:76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*\*\*\*
SF:\*\*\*\*200\x20\r\n")%r(Help,96,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*200\*\*0\*\*\*\*\*\*\*\*\*\*200\x20\r\n500\x205\.3\.3\x20Unrec
SF:ognized\x20command\r\n")%r(GenericLines,76,"220\x20\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*0\*\*\*\*200\x20\r\n")%r(GetRequest
SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*\
SF:*0\x20\*\*200\x20\r\n")%r(HTTPOptions,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*\*\*\*\*\*200\x20\r\n")%r(RTSPRequest
SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*2
SF:0\x20\*\*200\x20\r\n")%r(RPCCheck,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*200\*\*0\*\*\*2\*2\*\*\*\*200\x20\r\n")%r(DNSVersionBindR
SF:eq,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*
SF:\*0\x20\*\*200\x20\r\n");
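The RTT comparison Craig floats above, carried one step further, as an added example that is not part of the original post and not nmap's own code. If the box is forwarding individual ports to different machines at the IP/TCP layer (NAT rather than an application proxy), the SYN/ACK for each port comes from whichever stack really answered, so besides the handshake RTT you can also compare the TTL, advertised window and TCP option layout per port and see how many distinct stacks are hiding behind the one address. The observations below are constructed (the TTL, window and RTT values are invented and say nothing about the host in the post); in practice you would record them from a packet capture while connecting to each open port, and the ping baseline from an ICMP echo to the box itself. The function names, the 1.5x / 1 ms thresholds and the sample values are all assumptions of this example.

```python
"""Group a host's open ports by the TCP/IP stack that answered them and flag
ports whose handshake is slower than the box itself. Added example; the
thresholds and sample data are constructed, not taken from the post."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class SynAck:
    """One SYN/ACK captured for a probe to `port`, plus the SYN->SYN/ACK RTT."""
    port: int
    ttl: int          # IP TTL exactly as received (not normalised, see stack_key)
    window: int       # TCP window advertised in the SYN/ACK
    options: tuple    # TCP option kinds in the order they appeared
    rtt_ms: float


def stack_key(obs: SynAck) -> tuple:
    """Characteristics fixed by the responding TCP/IP stack.

    The raw TTL is kept on purpose: a backend one hop behind a NAT box answers
    with a TTL one lower than the box's own stack does.
    """
    return (obs.ttl, obs.window, obs.options)


def group_by_stack(observations) -> dict:
    """Map each distinct stack signature to the sorted ports that showed it."""
    groups = defaultdict(set)
    for o in observations:
        groups[stack_key(o)].add(o.port)
    return {k: sorted(v) for k, v in groups.items()}


def slow_ports(observations, baseline_rtt_ms, factor=1.5, min_delta_ms=1.0) -> list:
    """Ports whose median handshake RTT is clearly above the host's own RTT.

    Both a ratio and an absolute margin are required so that jitter on a fast
    LAN does not produce false positives (assumed thresholds).
    """
    per_port = defaultdict(list)
    for o in observations:
        per_port[o.port].append(o.rtt_ms)
    threshold = max(baseline_rtt_ms * factor, baseline_rtt_ms + min_delta_ms)
    return sorted(p for p, rtts in per_port.items() if median(rtts) > threshold)


def verdict(observations, baseline_rtt_ms) -> dict:
    """Combine both checks; more than one stack, or any slow port, is suspicious."""
    groups = group_by_stack(observations)
    slow = slow_ports(observations, baseline_rtt_ms)
    return {
        "stacks_seen": len(groups),
        "ports_by_stack": groups,
        "slow_ports": slow,
        "forwarding_suspected": len(groups) > 1 or bool(slow),
    }


# Constructed sample: two SYN/ACKs per open port. Invented values chosen to
# show three distinct stacks; they do not describe the host in the post.
WIN_NO_WS = ("MSS", "NOP", "NOP", "SAckOK")
WIN_WS = ("MSS", "NOP", "WScale", "NOP", "NOP", "SAckOK")
LINUX_TS = ("MSS", "SAckOK", "TS", "NOP", "WScale")
SAMPLE = [
    SynAck(25, 63, 5840, LINUX_TS, 9.4), SynAck(25, 63, 5840, LINUX_TS, 9.6),
    SynAck(143, 127, 16384, WIN_NO_WS, 8.0), SynAck(143, 127, 16384, WIN_NO_WS, 8.2),
    SynAck(1723, 128, 16384, WIN_WS, 3.9), SynAck(1723, 128, 16384, WIN_WS, 4.1),
    SynAck(3389, 128, 16384, WIN_WS, 4.0), SynAck(3389, 128, 16384, WIN_WS, 4.2),
    SynAck(4444, 127, 16384, WIN_NO_WS, 8.3), SynAck(4444, 127, 16384, WIN_NO_WS, 8.3),
]
BASELINE_PING_MS = 4.0   # constructed: ICMP echo RTT to the box itself

if __name__ == "__main__":
    for key, value in sorted(verdict(SAMPLE, BASELINE_PING_MS).items()):
        print(f"{key}: {value}")
```

Two caveats. If the front box is an application-layer proxy (ISA in proxy mode rather than NAT), it completes the TCP handshake itself, so every port shows the same stack and the same handshake RTT; in that case compare the delay until the first banner byte instead, which still includes the hop to the real server. And a cheaper first pass with nmap itself is to repeat -O with -p restricted to one open port plus the closed port 80 (nmap needs an open and a closed port for a good fingerprint) and see whether the OS guess changes from port to port.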


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

