Penetration Testing mailing list archives

RE: Nmap output


From: "Veal, Richard" <rveal () westernpower co uk>
Date: Thu, 20 Nov 2008 09:23:46 -0000


Or, for the same command (with less typing!), -vvv, if you really wanted
that level of verbosity.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Condon
Sent: 20 November 2008 08:06
To: maash.rajani () gmail com; pen-test () securityfocus com
Subject: Re: Nmap output

The -f option generates this message:
Warning: Packet fragmentation selected on a host other than Linux,
OpenBSD, FreeBSD, or NetBSD.  This may or may not work.
From my experience it does seem to hose up the OS detection a bit.
Try this:
nmap -sV -v -v -v -sS -T3 --osscan-limit -O -PN <target>
or
nmap -sV -v -v -v -sS -sU -T3 --osscan-limit -O -PN <target>

--------------------------------------------------
From: <maash.rajani () gmail com>
Sent: Wednesday, November 19, 2008 3:50 PM
To: <pen-test () securityfocus com>
Subject: Nmap output

I scanned a host with nmap using two sets of parameters.

1) nmap -P0 -f -O 192.168.100.44

Warning:  OS detection for 192.168.100.44 will be MUCH less reliable
because we did not find at least 1 open and 1 closed TCP port
All 1690 scanned ports on host233-226.xxxx.xxx.xx (192.168.100.44) are filtered
Device type: specialized|switch|WAP|printer|general purpose
Running: Cisco IOS 12.X, D-Link embedded, Ember embedded, IBM embedded, Lexmark embedded, Minix
OS details: Cisco DOCSIS cable modem termination server running IOS 12.1, Cisco Catalyst 6509 running IOS 12.1, D-Link DI-824VUP Wireless VPN Router, Ember InSight Adapter for programming EM2XX-family embedded devices, IBM 6400 Printer (software version 7.0.9.6), Lexmark T632 Network Laser Printer, Minix 3.1.2a

In the second set of parameters I did not fragment the packets.

2) nmap -P0 -O 192.168.100.44

Warning:  OS detection for 192.168.100.44 will be MUCH less reliable
because we did not find at least 1 open and 1 closed TCP port
Warning:  OS detection will be MUCH less reliable because we did not
find at least 1 open and 1 closed TCP port
Interesting ports on host233-226.xxx.xxx.xx (192.168.100.44):
Not shown: 1689 filtered ports
PORT    STATE SERVICE
443/tcp open  https
Device type: general purpose
Running: IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows 2003 Server or XP SP2
Uptime: 3.360 days (since Sun Nov 16 13:22:23 2008)

My question is: without fragmenting the packets, how was nmap able to
determine an open port?
And what difference did fragmentation make in OS detection?

----------------------------------------------------------------------
--
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
----------------------------------------------------------------------
--



Western Power Distribution (South West) plc / Western Power Distribution (South Wales) plc 
Registered in England and Wales 
Registered number: 2366894 (South West) / 2366985 (South Wales) 
Registered Office: Avonbank, Feeder Road, Bristol, BS2 0TB 

This email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email in error please notify postmaster () westernpower co uk
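The question above turns on what -f actually puts on the wire. As an added example (my code, not from the thread and not nmap's own; the scanner and target addresses, ports, IP ID and sequence number are made-up values), this stdlib-only Python script builds a TCP SYN probe, splits it into 8-byte IPv4 fragments the way -f does (-ff uses 16 bytes, --mtu any multiple of 8), reassembles it the way the target's stack would, and reports which fragment carries the SYN flag. With 8-byte fragments the TCP flags byte lands in the second fragment, so a filter that only inspects the first fragment sees two ports and a sequence number but no SYN bit, and a device that drops or cannot reassemble fragments answers nothing at all. That is one way a port that is open to a plain SYN can come back as filtered, which leaves OS detection without the open port it needs and produces the scattered guesses shown in the first scan.

```python
"""
Added example, not from the thread: a stdlib-only model of what nmap's -f does
to a SYN probe. It builds a TCP SYN, wraps it in IPv4, splits it into 8-byte
fragments the way -f does (-ff uses 16 bytes, --mtu any multiple of 8), then
reassembles it the way the target's stack would. Addresses, ports, IP ID and
sequence number are made-up values, not from the original scan. Nothing is sent.
"""
import struct
from socket import inet_aton

PROTO_TCP = 6
TCP_FLAGS_BYTE = 13   # offset of the flags byte inside a TCP header


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_syn_header(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP SYN (no options) with a valid checksum over the pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, PROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr)) + hdr[18:]


def ipv4_header(src, dst, ident, more_fragments, frag_offset, payload_len, ttl=64):
    """IPv4 header without options; frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, PROTO_TCP, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def fragment_datagram(src, dst, ident, transport: bytes, frag_size: int = 8) -> list:
    """Split the transport header into IPv4 fragments of frag_size bytes (nmap -f: 8)."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    packets = []
    for off in range(0, len(transport), frag_size):
        chunk = transport[off:off + frag_size]
        more = off + frag_size < len(transport)      # MF set on all but the last piece
        packets.append(ipv4_header(src, dst, ident, more, off // 8, len(chunk)) + chunk)
    return packets


def parse_fragment(packet: bytes) -> dict:
    """Decode one fragment; rejects a corrupted IPv4 header like a real stack would."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    ident, flags_frag = struct.unpack("!HH", packet[4:8])
    return {"id": ident, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": packet[ihl:]}


def reassemble(packets) -> bytes:
    """Put fragments (any order) back together; refuses holes or a missing tail."""
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f["offset"])
    if len({f["id"] for f in frags}) != 1:
        raise ValueError("fragments from different datagrams")
    expected = 0
    for f in frags:
        if f["offset"] != expected:
            raise ValueError("hole in fragment chain at offset %d" % expected)
        expected += len(f["payload"])
    if frags[-1]["mf"]:
        raise ValueError("last fragment (MF=0) never arrived")
    return b"".join(f["payload"] for f in frags)


def fragment_carrying_tcp_flags(packets) -> int:
    """Index of the fragment holding the TCP flags byte. With -f it is the second
    one: a filter that inspects only the first fragment sees ports and a sequence
    number but no SYN bit, and many devices simply drop non-initial fragments."""
    for i, p in enumerate(packets):
        f = parse_fragment(p)
        if f["offset"] <= TCP_FLAGS_BYTE < f["offset"] + len(f["payload"]):
            return i
    raise ValueError("flags byte not present in any fragment")


if __name__ == "__main__":
    # Made-up scanner address; the target mirrors the thread's 192.168.100.44.
    syn = tcp_syn_header("192.168.100.1", "192.168.100.44", 40000, 443, 0x12345678)
    for size in (8, 16):
        frags = fragment_datagram("192.168.100.1", "192.168.100.44", 0xBEEF, syn, size)
        print("frag size %2d: %d fragments, SYN flag in fragment %d, reassembled ok: %s"
              % (size, len(frags), fragment_carrying_tcp_flags(frags),
                 reassemble(frags) == syn))
```

Run it as a script to see the three-fragment split -f produces (8, 8 and 4 bytes of TCP header) next to the two-fragment split of -ff, where the SYN bit is back in the first fragment. The reassembler is deliberately strict: a real stack times out when the MF=0 tail never arrives, and that silence is what nmap reports as "filtered".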
