Penetration Testing mailing list archives

Re: Nmap output

From: "Nikhil Wagholikar" <visitnikhil () gmail com>
Date: Thu, 20 Nov 2008 16:03:52 +0530

Hello Maash,

I agree with Taufiq's point. Fragmentation is just one technique to
evade firewall, IDS/IPS etc.

NMap was originally developed keeping in mind UNIX/Linux operating
system. Later, it was ported to Microsoft Windows. So there are lots
of switches/options in NMap, which executes perfectly in UNIX/Linux
environment than on Microsoft Windows. One of the options is of
'fragmentation'.

I would suggest you to run the same scan from a UNIX/Linux based
system i.e. install NMap on a UNIX/Linux system and then run the same
scan. I am sure, you'll get near to perfect results from it.

Best of Luck !!

---
NIKHIL WAGHOLIKAR
Practice Lead | Security Assessment and Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html


2008/11/20 <maash.rajani () gmail com>


I scanned a host with nmap using two set of parameters.

1) nmap -P0 -f -O 192.168.100.44

Warning:  OS detection for 192.168.100.44 will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP port
All 1690 scanned ports on host233-226.xxxx.xxx.xx (192.168.100.44) are filt
ered
Device type: specialized|switch|WAP|printer|general purpose
Running: Cisco IOS 12.X, D-Link embedded, Ember embedded, IBM embedded, Lexmark
embedded, Minix
OS details: Cisco DOCSIS cable modem termination server running IOS 12.1, Cisco
Catalyst 6509 running IOS 12.1, D-Link DI-824VUP Wireless VPN Router, Ember InSi
ght Adapter for programming EM2XX-family embedded devices, IBM 6400 Printer (sof
tware version 7.0.9.6), Lexmark T632 Network Laser Printer, Minix 3.1.2a





While in the second set of parameter i did not fragment the packets.

2) nmap -P0 -O 192.168.100.44

Warning:  OS detection for 192.168.100.44 will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP port
Warning:  OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
Interesting ports on host233-226.xxx.xxx.xx (192.168.100.44):
Not shown: 1689 filtered ports
PORT    STATE SERVICE
443/tcp open  https
Device type: general purpose
Running: IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows 2003 Serve
r or XP SP2
Uptime: 3.360 days (since Sun Nov 16 13:22:23 2008)




My question is without fragmenting the packets how was nmap able to determine an open port.
And what different did fragmentation make in OS detection.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Current thread:

Nmap output maash . rajani (Nov 19)
- Re: Nmap output τ∂υƒιφ * (Nov 19)
- Re: Nmap output Michael Condon (Nov 20)
  - RE: Nmap output Veal, Richard (Nov 20)
- Re: Nmap output Nikhil Wagholikar (Nov 20)
  - Re: Nmap output ChromeSilver (Nov 20)
  - Message not available
    - Re: Nmap output Nikhil Wagholikar (Nov 21)