Nmap Development mailing list archives
Re: IPhone and nmap scan on wireless network
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 10 Apr 2008 21:55:31 +0000
On Thu, 10 Apr 2008 13:08:10 -0700 "Jaime Reza" <turinreza () gmail com> wrote:
> Hiya, anyone tried to fingerprint/scan an iPhone that is hooked up to a wireless network? I can see my iPhone on the wireless network and it has an IP address, but it's not being picked up by nmap (no packets received) -PN
>
> turin
Sure; do it all the time. We have so many of these on campus that we have to really stay on top of unlocked iPhones with OpenSSH installed that still have the default root password. I don't have any example scans for you right now but here is the logic in one of my scripts that finds iPhones and alerts me when they are running SSH:

use strict;
use warnings;

# %misc and %port are filled in from the parsed Nmap output elsewhere in the
# script; @warning collects the alerts raised for the host being examined.
my (%misc, %port, @warning);

# iPhone (based on port open and weak TCP Sequence Prediction)
if ((exists $misc{'TCPSeqPred'}) && ($misc{'TCPSeqPred'} == 0) &&
    (exists $port{62078}) && ($port{62078}{'Service'} eq 'tcpwrapped')) {
    push @warning, {('name'=>'IPHONE', 'severity'=>2,
                     'text'=>'iPhone (weak TCP sequence' .
                             ' is easily hackable)')};

    # Detect possible SSH on iPhone
    if ((exists $port{22}) && ($port{22}{'Service'} eq 'ssh')) {
        push @warning, {('name'=>'IPHONE_SSH', 'severity'=>3,
                         'text'=>'iPhone may have known ' .
                                 'default root password (\'alpine\')')};
    }
}

Note that the check for TCPSeqPred == 0 requires -O or -A and the port 62078 eq 'tcpwrapped' requires -sV or -A. This code was written before the OS DB had an iPhone fingerprint so you'd probably do better now to check the OS Nmap says it is running.

It would be very easy to turn the above code into a hostrule NSE script. I haven't because while the check works, it's a hack.

How often does someone run OpenSSH on their phone without changing the root password, you ask? All the ****ing time. We've found the check to be _very_ valuable.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
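The same heuristic applied to Nmap XML output, as an added example in Python rather than Brandon's Perl (not code from the post): it reads the tcpsequence index produced by -O and the service names produced by -sV from a constructed sample run and raises the IPHONE and IPHONE_SSH warnings for a host that matches the check. It assumes the XML was written with -oX and that the <tcpsequence index="..."/> attribute is the value the script calls TCPSeqPred.

```python
# Added example (not the script from the post): apply the iPhone heuristic
# to Nmap XML (nmap -O -sV -oX scan.xml ...). Assumes <tcpsequence index=...>
# carries the sequence-prediction index the Perl code reads as TCPSeqPred.
import xml.etree.ElementTree as ET

# Constructed sample run: one host matching the heuristic and running SSH,
# one ordinary SSH host with a strong sequence index that must not match.
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="62078"><state state="open"/><service name="tcpwrapped"/></port>
  </ports>
  <tcpsequence index="0" difficulty="Trivial joke" values="0,0,0,0,0,0"/>
 </host>
 <host><address addr="192.0.2.20" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  </ports>
  <tcpsequence index="262" difficulty="Good luck!" values="1A2B3C4D,5E6F7A8B"/>
 </host>
</nmaprun>"""

def open_services(host):
    """Map each open TCP port of a <host> element to its -sV service name."""
    services = {}
    for port in host.iter("port"):
        state, service = port.find("state"), port.find("service")
        if state is not None and state.get("state") == "open" and service is not None:
            services[int(port.get("portid"))] = service.get("name")
    return services

def iphone_warnings(host):
    """Return (name, severity) pairs using the post's logic for one host."""
    warnings = []
    seq = host.find("tcpsequence")
    services = open_services(host)
    # TCPSeqPred == 0 needs -O; port 62078 reported as 'tcpwrapped' needs -sV
    if (seq is not None and int(seq.get("index")) == 0
            and services.get(62078) == "tcpwrapped"):
        warnings.append(("IPHONE", 2))
        if services.get(22) == "ssh":  # SSH on a suspected iPhone
            warnings.append(("IPHONE_SSH", 3))
    return warnings

def scan_report(xml_text):
    """Map host address -> warnings for every host in an Nmap XML run."""
    return {h.find("address").get("addr"): iphone_warnings(h)
            for h in ET.fromstring(xml_text).iter("host")}
```

Feed a real -oX file to scan_report and alert on any address whose list contains IPHONE_SSH.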