Nmap Development mailing list archives
Re: Here's something to ponder...
From: Ron <iago () valhallalegends com>
Date: Tue, 05 Jul 2005 18:41:18 -0500
Well, I could be wrong, but here's what I think.

Most ports are filtered, except for port 80. Now, that can mean two things:
a) The host is firewalled, but something (maybe an ISP) is blocking port 80.
b) There is a hardware firewall/router that forwards ports including 80, but port 80 is closed on the host.

If (b) is what's going on, then I don't know what the problem is. If (a) is what's going on, then it's possible it's partly fingerprinting whatever is blocking the port (the ISP), not the actual server. This has happened to me before, when my friend's ISP blocked ports by closing them, not filtering. This can be confirmed with a traceroute on port 80 compared to a traceroute on, say, port 25, and comparing the results.

Another possibility is that there's a rewriting proxy or router that is reforming the packets. I'm not sure how to detect if that's happening, I'm afraid.

Hope that helps a bit.

-Ron

Craig Humphrey wrote:
Hi People,

Just came across an interesting result in nmap 3.81 (on WinXPsp2 no less).

nmap.exe -sSV -O some.computer.net

Interesting ports on some.computer.net (xxx.xxx.xxx.xxx):
(The 1657 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE       VERSION
25/tcp   open   smtp?
80/tcp   closed http
143/tcp  open   imap          Microsoft Exchange 2000 IMAP4rev1 server 6.0.6249.0
1723/tcp open   pptp?
3389/tcp open   microsoft-rdp Microsoft Terminal Service
4444/tcp open   http          Microsoft IIS webserver 5.0
[snip snip]
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows Server 2003 Standard Edition

Nmap finished: 1 IP address (1 host up) scanned in 124.183 seconds

Spot the point of interest? The host reports as Win2k3, yet it's running IIS5 (which is Win2k) and Exchange2000 (which must be run on a Win2k server, not 2k3). The service signature for the SMTP service wasn't recognised (I'll post the sig below), which is odd, since you'd expect it to be Exchange2000...

All of which seems to suggest that this box is actually doing some form of port-forwarding (ISA?) to multiple boxes behind the scenes... Or nmap got the OS sig wrong.... Which seems a little unlikely.

What would people generally do next to determine if this is actually a firewall/proxy box? Firewalk? Packet sniff the packets to/from services to see if they have the same RTT as a ping to the box's IP address?

I guess this would normally be a Friday type question... But the list has been relatively quiet... [everyone must be "working"]

How does nmap handle unicode/utf-8 responses? It might explain the odd SMTP sig.

Later'ish
Craig

SMTP sig:

1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

SF-Port25-TCP:V=3.81%D=7/6%Time=42CAFFC2%P=i686-pc-windows-windows%r(NULL,
SF:76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*\*\*\*
SF:\*\*\*\*200\x20\r\n")%r(Help,96,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*200\*\*0\*\*\*\*\*\*\*\*\*\*200\x20\r\n500\x205\.3\.3\x20Unrec
SF:ognized\x20command\r\n")%r(GenericLines,76,"220\x20\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*0\*\*\*\*200\x20\r\n")%r(GetReques
SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*\
SF:*0\x20\*\*200\x20\r\n")%r(HTTPOptions,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*\*\*\*\*\*200\x20\r\n")%r(RTSPReques
SF:t,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*2
SF:0\x20\*\*200\x20\r\n")%r(RPCCheck,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*200\*\*0\*\*\*2\*2\*\*\*\*200\x20\r\n")%r(DNSVersionBindR
SF:eq,76,"220\x20\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*0\*2\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*200\*\*0\*\*\*2\*
SF:\*0\x20\*\*200\x20\r\n");

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
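Two of Craig's questions can be settled by decoding the fingerprint itself rather than eyeballing it: nmap's SF format escapes every byte that is not alphanumeric, so a UTF-8 (or any non-ASCII) banner would show up as \xHH sequences, and the posted signature contains none, only a 220 line made almost entirely of \* (a masked banner, which fits the port-forwarding theory better than a character-set problem). The following decoder is an added example written for this archive page; it is not nmap's own code and not part of the thread. It glues the SF: continuation lines back together (nmap wraps them at a fixed width, even inside an escape sequence), parses the header fields and the %r(probe,hexlen,"data") entries, unescapes the data, and checks that the decoded byte count matches the hex length nmap recorded, which catches fingerprints mangled by mail wrapping like the one above. The sample fingerprint in the block is constructed with the same shape but a much shorter banner so the output stays readable.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the same SF format nmap 3.x prints (not the fingerprint
# from the thread, which is far longer): two probes against an SMTP banner that
# has been reduced to asterisks, plus the "500 5.3.3" reply to the Help probe.
SAMPLE_FINGERPRINT = r"""SF-Port25-TCP:V=3.81%D=7/6%Time=42CAFFC2%P=i686-pc-windows-windows%r(NULL,
SF:1b,"220\x20\*\*\*\*0\*2\*\*200\*\*0\*\*200\x20\r\n")%r(Help,3b,"220\x20\*\*
SF:\*\*0\*2\*\*200\*\*0\*\*200\x20\r\n500\x205\.3\.3\x20Unrecognized\x20comma
SF:nd\r\n");"""


class ProbeResponse(NamedTuple):
    probe: str         # nmap probe name (NULL, Help, GetRequest, ...)
    declared_len: int  # byte count nmap recorded; written in hex in the fingerprint
    data: bytes        # the raw bytes the service returned, decoded


HEADER_RE = re.compile(r"^SF-Port(\d+)-(TCP|UDP):(.*?)(?=%r\()", re.S)
RESP_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')


def unescape_sf(text: str) -> bytes:
    r"""Reverse nmap's escaping: \xHH for non-printable bytes (space included),
    \r \n \t for the usual control characters, and a backslash in front of any
    other non-alphanumeric printable character (\* \. \" \\)."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("dangling backslash in fingerprint")
        nxt = text[i + 1]
        if nxt == "x":
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif nxt in "rnt":
            out.append({"r": 0x0D, "n": 0x0A, "t": 0x09}[nxt])
            i += 2
        else:
            out.append(ord(nxt))
            i += 2
    return bytes(out)


def join_sf_lines(fingerprint: str) -> str:
    """nmap wraps the fingerprint and prefixes every continuation line with
    'SF:'; the wrap can fall inside an escape sequence, so the lines must be
    glued back together before anything is decoded."""
    lines = [ln.strip() for ln in fingerprint.splitlines() if ln.strip()]
    joined = lines[0]
    for ln in lines[1:]:
        if not ln.startswith("SF:"):
            raise ValueError(f"unexpected continuation line: {ln!r}")
        joined += ln[3:]
    return joined


def parse_fingerprint(fingerprint: str) -> Tuple[int, str, Dict[str, str], List[ProbeResponse]]:
    joined = join_sf_lines(fingerprint)
    m = HEADER_RE.match(joined)
    if not m:
        raise ValueError("not an SF fingerprint")
    port, proto = int(m.group(1)), m.group(2)
    # Header fields: V=nmap version, D=date, Time=hex epoch, P=platform.
    meta = dict(field.split("=", 1) for field in m.group(3).split("%") if "=" in field)
    responses = [ProbeResponse(probe, int(hexlen, 16), unescape_sf(body))
                 for probe, hexlen, body in RESP_RE.findall(joined)]
    return port, proto, meta, responses


def check_lengths(responses: List[ProbeResponse]) -> List[str]:
    """Probe names whose decoded byte count differs from the declared one,
    i.e. the fingerprint was mangled (e.g. by mail wrapping) on its way here."""
    return [r.probe for r in responses if len(r.data) != r.declared_len]


def banner_summary(data: bytes) -> Dict[str, int]:
    """How much of a response is real text: non-ASCII bytes would show that a
    UTF-8 banner came back; asterisks show that something masked the banner."""
    return {
        "length": len(data),
        "asterisks": data.count(b"*"),
        "non_ascii": sum(1 for b in data if b >= 0x80),
    }


if __name__ == "__main__":
    port, proto, meta, responses = parse_fingerprint(SAMPLE_FINGERPRINT)
    print(f"port {port}/{proto.lower()}, nmap {meta['V']}, bad lengths: {check_lengths(responses)}")
    for r in responses:
        print(r.probe, banner_summary(r.data), r.data)
```

Run against the real fingerprint from the thread (after undoing the mail wrapping), `check_lengths` confirms whether the copy you have is intact, and `banner_summary` makes the character-set question moot: every byte is ASCII, and the only thing varying between probes is the asterisk-masked 220 line. Banner masking of this shape, where the digits are left and the rest replaced by `*`, is characteristic of an SMTP-inspecting firewall in front of the real mail server, so the decoded data supports the "something in front of the box" reading of the scan rather than a decoding quirk in nmap.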
Current thread:
- Here's something to ponder... Craig Humphrey (Jul 05)
- Re: Here's something to ponder... Ron (Jul 05)
- Re: Here's something to ponder... Martin Mačok (Jul 06)