Nmap Development mailing list archives

Re: Here's something to ponder...


From: Ron <iago () valhallalegends com>
Date: Tue, 05 Jul 2005 18:41:18 -0500

Well, I could be wrong, but here's what I think.

Most ports are filtered, except for port 80.  Now, that can mean two things:
a) The host is firewalled, but something (maybe an ISP) is blocking port 80
b) There is a hardware firewall/router that forwards ports including 80,
but port 80 is closed on the host.

If (b) is what's going on, then I don't know what the problem is.

If (a) is what's going on, then it's possible it's partly fingerprinting
whatever is blocking the port (the ISP), not the actual server.  This
has happened to me before, when my friend's ISP blocked ports by closing
them, not filtering.

This can be confirmed with a traceroute on port 80 compared to a
traceroute on, say, port 25, and comparing the results.

Another possibility is that there's a rewriting proxy or router that is
reforming the packets.  I'm not sure how to detect if that's happening,
I'm afraid.

Hope that helps a bit.

-Ron

Craig Humphrey wrote:
Hi People,

Just came across an interesting result in nmap 3.81 (on WinXPsp2 no
less).

nmap.exe -sSV -O some.computer.net
Interesting ports on some.computer.net (xxx.xxx.xxx.xxx):
(The 1657 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE       VERSION
25/tcp   open   smtp?
80/tcp   closed http
143/tcp  open   imap          Microsoft Exchange 2000 IMAP4rev1 server 6.0.6249.0
1723/tcp open   pptp?
3389/tcp open   microsoft-rdp Microsoft Terminal Service
4444/tcp open   http          Microsoft IIS webserver 5.0
[snip snip]
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows Server 2003 Standard Edition

Nmap finished: 1 IP address (1 host up) scanned in 124.183 seconds

Spot the point of interest?  The host reports as Win2k3, yet it's
running IIS5 (which is Win2k) and Exchange2000 (which must be run on a
Win2k server, not 2k3).

The service signature for the SMTP services wasn't recognised (I'll post
the sig below), which is odd, since you'd expect it to be
Exchange2000...

All of which seems to suggest that this box is actually doing some form
of port-forwarding (ISA?) to multiple boxes behind the scenes... Or nmap
got the OS sig wrong.... Which seems a little unlikely.

What would people generally do next to determine if this is actually a
firewall/proxy box?  Firewalk? Packet sniff the packets to/from services
to see if they have the same RTT as a ping to the box's IP address?

I guess this would normally be a Friday type question... But the list
has been relatively quiet... [everyone must be "working"]

How does nmap handle unicode/utf-8 responses?  It might explain the odd
SMTP sig.

Later'ish
Craig

SMTP sig:
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
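Ron's suggestion of comparing a TCP traceroute on port 80 against one on port 25, and Craig's question of how to tell a forwarding/proxy box from the real host, as an added example that is not part of this thread: it parses the output format of Linux `traceroute -T -p <port>` (constructed sample traces using RFC 5737 documentation addresses) and flags a port whose path ends upstream of the host, which is Ron's case (a).

```python
import re
import statistics

# Constructed sample output of `traceroute -T -p <port>` against one host
# (RFC 5737 addresses, not real traces). Port 25 reaches the host itself;
# port 80 stops answering at the ISP edge router one hop earlier.
TRACE_PORT_25 = """\
traceroute to some.computer.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.389 ms  0.371 ms
 2  198.51.100.1 (198.51.100.1)  8.120 ms  8.001 ms  7.980 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  24.310 ms  24.100 ms  24.050 ms
"""
TRACE_PORT_80 = """\
traceroute to some.computer.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.401 ms  0.377 ms  0.360 ms
 2  198.51.100.1 (198.51.100.1)  8.090 ms  7.950 ms  7.910 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\(([\d.]+)\)|\*)")
RTT_RE = re.compile(r"([\d.]+) ms")

def parse_traceroute(text):
    """Return [(hop, ip or None, [rtt_ms, ...])] for every hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, not a hop
        rtts = [float(x) for x in RTT_RE.findall(line)]
        hops.append((int(m.group(1)), m.group(2), rtts))
    return hops

def last_responder(hops):
    """Last hop that answered: (hop_number, ip, median_rtt_ms) or None."""
    answered = [h for h in hops if h[1] is not None]
    if not answered:
        return None
    hop, ip, rtts = answered[-1]
    return hop, ip, statistics.median(rtts)

def compare_ports(traces):
    """traces: {port: traceroute text}. A port whose path ends short of the
    deepest trace, or at a different address, is answered upstream of the host
    (case a). Identical endpoints leave a forwarding router (case b) possible;
    only the per-port RTT spread hints at it, so the median RTT is returned."""
    ends = {p: last_responder(parse_traceroute(t)) for p, t in traces.items()}
    ends = {p: e for p, e in ends.items() if e is not None}
    deepest_hop, deepest_ip, _ = max(ends.values(), key=lambda e: e[0])
    return {port: {"last_hop": hop, "ip": ip, "rtt_ms": rtt,
                   "answered_upstream": hop < deepest_hop or ip != deepest_ip}
            for port, (hop, ip, rtt) in ends.items()}
```

Run with real traces by capturing `traceroute -T -p 25 host` and `traceroute -T -p 80 host` into the two strings; a port flagged `answered_upstream` is being answered by something other than the host nmap fingerprinted.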



