Nmap Development mailing list archives

Re: IPhone and nmap scan on wireless network


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 10 Apr 2008 21:55:31 +0000


On Thu, 10 Apr 2008 13:08:10 -0700
"Jaime Reza" <turinreza () gmail com> wrote:

> hiya
> anyone tried to fingerprint /scan an iPhone that is hooked up to a
> wireless network?
> I can see my iPhone on the wireless network and it has an ip address
> but it's not being picked up by nmap (no packets received)
>
> -PN
>
> turin


Sure; do it all the time.  We have so many of these on campus that we
have to really stay on top of unlocked iPhones with OpenSSH installed
that still have the default root password.

I don't have any example scans for you right now but here is the logic
in one of my scripts that finds iPhones and alerts me when they are
running SSH:

    use strict;
    use warnings;

    # %misc and %port hold the parsed Nmap results for one host;
    # @warning collects the alerts raised for that host.
    my (%misc, %port, @warning);

    # iPhone (based on port open and weak TCP Sequence Prediction)
    if ((exists $misc{'TCPSeqPred'}) &&
        ($misc{'TCPSeqPred'} == 0) &&                # needs -O or -A
        (exists $port{62078}) &&
        ($port{62078}{'Service'} eq 'tcpwrapped')) { # needs -sV or -A
        push @warning, {('name'=>'IPHONE',
                         'severity'=>2,
                         'text'=>'iPhone (weak TCP sequence'
                         . ' is easily hackable)')};

        # Detect possible SSH on iPhone
        if ((exists $port{22}) &&
            ($port{22}{'Service'} eq 'ssh')) {
            push @warning, {('name'=>'IPHONE_SSH',
                             'severity'=>3,
                             'text'=>'iPhone may have known '
                             . 'default root password (\'alpine\')')};
        }
    }


Note that the check for TCPSeqPred == 0 requires -O or -A and the port
62078 eq 'tcpwrapped' requires -sV or -A.  This code was written before
the OS DB had an iPhone fingerprint, so you'd probably do better now to
check the OS Nmap says it is running.

It would be very easy to turn the above code into a hostrule NSE
script.  I haven't because while the check works, it's a hack.

How often does someone run OpenSSH on their phone without changing the
root password, you ask?  All the ****ing time.  We've found the check
to be _very_ valuable.

Brandon
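The same heuristic as an added example (not Brandon's script), written in Python over Nmap's -oX XML output, where the sequence-predictability index appears as the `index` attribute of `<tcpsequence>`; the XML below is constructed, not a real scan, and the OS-match branch follows the suggestion above to trust Nmap's own iPhone fingerprint when one is present.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML in the shape "nmap -O -sV -oX" produces; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="62078"><state state="open"/><service name="tcpwrapped"/></port>
  </ports>
  <tcpsequence index="0" difficulty="Trivial joke" values="0,0,0,0,0,0"/>
 </host>
 <host><address addr="192.0.2.20" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
  <tcpsequence index="2630" difficulty="Good luck!" values="1A2B,3C4D,5E6F,7081,92A3,B4C5"/>
 </host>
</nmaprun>"""

def open_tcp_services(host):
    """Map open TCP port number -> service name as reported by -sV."""
    svc = {}
    for p in host.findall("./ports/port[@protocol='tcp']"):
        state, service = p.find("state"), p.find("service")
        if state is not None and state.get("state") == "open" and service is not None:
            svc[int(p.get("portid"))] = service.get("name")
    return svc

def iphone_warnings(host):
    """Return [(name, severity, text)] for one <host>, mirroring the posted check."""
    svc = open_tcp_services(host)
    seq = host.find("tcpsequence")            # only present with -O or -A
    weak_seq = seq is not None and seq.get("index") == "0"
    # Newer Nmap OS DBs name the iPhone outright; accept that signal as well.
    os_says_iphone = any("iphone" in (m.get("name") or "").lower()
                         for m in host.findall("./os/osmatch"))
    warnings = []
    if (weak_seq and svc.get(62078) == "tcpwrapped") or os_says_iphone:
        warnings.append(("IPHONE", 2, "iPhone (weak TCP sequence is easily hackable)"
                         if weak_seq else "iPhone (matched by OS fingerprint)"))
        if svc.get(22) == "ssh":
            warnings.append(("IPHONE_SSH", 3,
                             "iPhone may have known default root password ('alpine')"))
    return warnings

def scan_report(xml_text):
    """Apply the check to every host in an Nmap XML report: {addr: warnings}."""
    root = ET.fromstring(xml_text)
    return {h.find("address").get("addr"): iphone_warnings(h) for h in root.findall("host")}
```

The second constructed host has SSH open but a hard-to-predict sequence and no port 62078, so it raises nothing; only the first host produces both IPHONE and IPHONE_SSH.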


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
