SFOBUG 2003 Examples
nmap.org/presentations/SFOBUG03/
fyodor@insecure.org

$Id: index.html 20578 2010-10-11 20:03:27Z fyodor $

Example 1: Simple unprivileged user scan

> nmap www.openbsd.org

Starting nmap 3.48 ( http://nmap.org ) at 2003-12-02 10:39 PST
Interesting ports on openbsd.sunsite.ualberta.ca (129.128.5.191):
(The 1636 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
80/tcp    open   http
110/tcp   open   pop3
113/tcp   open   auth
143/tcp   open   imap
514/tcp   open   shell
871/tcp   open   supfilesrv
2022/tcp  open   down
2401/tcp  open   cvspserver
7000/tcp  closed afs3-fileserver
7001/tcp  closed afs3-callback
7002/tcp  closed afs3-prserver
7003/tcp  closed afs3-vlserver
7004/tcp  closed afs3-kaserver
7005/tcp  closed afs3-volser
7006/tcp  closed afs3-errors
7007/tcp  closed afs3-bos
7008/tcp  closed afs3-update
7009/tcp  closed afs3-rmtsys
43188/tcp closed reachout

Nmap run completed -- 1 IP address (1 host up) scanned in 83.815 seconds

Example 2: More sophisticated scan

# nmap -sSV -T4 -O www.openbsd.org

Starting nmap 3.48 ( http://nmap.org ) at 2003-12-01 18:38 PST
Interesting ports on openbsd.sunsite.ualberta.ca (129.128.5.191):
(The 1636 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE         VERSION
21/tcp    open   ftp?
22/tcp    open   ssh             OpenSSH 3.7.1p2 (protocol 1.99)
25/tcp    open   smtp
80/tcp    open   http            Apache httpd 1.3.27 ((Unix) PHP/4.3.1 mod_perl/1.27)
110/tcp   open   pop3?
113/tcp   open   ident           pidentd
143/tcp   open   imap?
514/tcp   open   shell?
871/tcp   open   supfilesrv?
2022/tcp  open   ssh             OpenSSH 3.7.1p2 (protocol 1.99)
2401/tcp  open   cvspserver      cvs pserver
7000/tcp  closed afs3-fileserver
7001/tcp  closed afs3-callback
7002/tcp  closed afs3-prserver
7003/tcp  closed afs3-vlserver
7004/tcp  closed afs3-kaserver
7005/tcp  closed afs3-volser
7006/tcp  closed afs3-errors
7007/tcp  closed afs3-bos
7008/tcp  closed afs3-update
7009/tcp  closed afs3-rmtsys
43188/tcp closed reachout
[ cut ]
Device type: general purpose
Running: Sun Solaris 2.X|7
OS details: Sun Solaris 2.6 - 7 (SPARC)
Uptime 11.180 days (since Thu Nov 20 14:21:49 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 128.322 seconds

Example 3: HTTP Version sweep

# nmap -sSV -p80 -PS80 -iR 5000 | egrep -i -B2 "nmap| open  http "
[ Results trimmed for brevity ]
Starting nmap 3.48 ( http://nmap.org ) at 2003-12-02 10:13 PST
Interesting ports on whlr-185.res.umass.edu (128.119.128.185):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.0.43 ((Win32))
--
Interesting ports on port-182.blakelapthorn.cams.newnet.co.uk (212.87.68.182):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.0
--
Interesting ports on weborganiz01.ikoula.com (213.246.36.172):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.26 (Ben-SSL/1.48 (Unix) Debian GNU/Linux PHP/4.3.3)
--
Interesting ports on 207.61.100.179:
PORT   STATE SERVICE VERSION
80/tcp open  http    Netscape Enterprise httpd 3.5.1G
--
Interesting ports on 207-101-121-247-rev.solutionnetworks.com (207.101.121.247):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.27 ((Unix) PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a)
--
Interesting ports on 146.20.67.23:
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.28 ((Unix) mod_layout/3.2)
--
Interesting ports on thesuperhosting.com (64.65.39.94):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.28
--
Interesting ports on rrcs-sw-24-173-104-211.biz.rr.com (24.173.104.211):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.27 ((Unix)  (Red-Hat/Linux) mod_gzip/1.3.26.1a PHP/4.1.2)
--
Interesting ports on a147-226-5-130.deploy.akamaitechnologies.com (147.226.5.130):
PORT   STATE SERVICE VERSION
80/tcp open  http    AkamiGHost (Akamai's HTTP Acceleration/Mirror service)
--
Interesting ports on c-24-130-67-102.we.client2.attbi.com (24.130.67.102):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.0
--
Interesting ports on airband-216-138-125-67.airband.net (216.138.125.67):
PORT   STATE SERVICE VERSION
80/tcp open  http    Cisco IOS administrative webserver
--
Interesting ports on ADijon-107-1-5-115.w81-51.abo.wanadoo.fr (81.51.105.115):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.1
--
Interesting ports on sexland.gr (66.33.43.126):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.27 ((Unix)  (Red Hat/Linux) PHP/4.1.2)

Nmap run completed -- 5000 IP addresses (110 hosts up) scanned in 1086.324 seconds

Example 4: Packet Tracing

[ output formatted slightly for readability ]
# nmap -sV -p 25 --packet_trace mail.insecure.org

Starting nmap 3.48 ( http://nmap.org ) at 2003-12-02 12:37 PST
SENT (0.0260s) ICMP 63.202.174.201 > 205.217.153.50 Echo request (type=8/code=0) ttl=56 iplen=28
SENT (0.0280s) TCP 63.202.174.201:48502 > 205.217.153.50:80 A ttl=38 
               id=63582 iplen=40 seq=3775756894 ack=3775756894
RCVD (0.0400s) ICMP 205.217.153.50 > 63.202.174.201 Echo reply (type=0/code=0) ttl=56 iplen=28

SENT (0.3320s) TCP 63.202.174.201:48481 > 205.217.153.50:25 S ttl=37
               iplen=40 seq=1793593945 win=2048
RCVD (0.3430s) TCP 205.217.153.50:25 > 63.202.174.201:48481 SA ttl=56
               id=0 iplen=44 seq=3383329626 win=5840 ack=3383329626

NSOCK (0.3520s) TCP connection requested to 205.217.153.50:25 (IOD #1) EID 8
NSOCK (0.3660s) Callback: CONNECT SUCCESS for EID 8 [205.217.153.50:25]
NSOCK (0.3660s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 18
NSOCK (0.3990s) Callback: READ SUCCESS for EID 18 [205.217.153.50:25] (27 bytes): 
                220 core.lnxnet.net ESMTP..
NSOCK (0.3990s) Read request from IOD #1 [205.217.153.50:25] (timeout: 4965ms) EID 26
NSOCK (5.3690s) Callback: READ TIMEOUT for EID 26 [205.217.153.50:25]
NSOCK (5.3690s) Write request for 6 bytes to IOD #1 EID 35 [205.217.153.50:25]: HELP..
NSOCK (5.3690s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 42
NSOCK (5.3750s) Callback: WRITE SUCCESS for EID 35 [205.217.153.50:25]
NSOCK (5.3890s) Callback: READ SUCCESS for EID 42 [205.217.153.50:25] (55 bytes): 
                214 qmail home page: http://pobox.com/~djb/qmail.html..

Interesting ports on core.lnxnet.net (205.217.153.50):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    qmail smtpd

Nmap run completed -- 1 IP address (1 host up) scanned in 5.425 seconds
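
Added example, not part of the original presentation or of Nmap: a short Python parser that folds the NSOCK lines of Example 4 into the probe dialogue, showing what the version scan looks like from the mail server's side (banner, about five seconds of silence, then HELP). The function names dialogue and silent_gap are hypothetical, and the sample is copied from the trace above.

```python
import re

# Constructed sample: the NSOCK lines of Example 4, copied from the page.
TRACE = """\
NSOCK (0.3520s) TCP connection requested to 205.217.153.50:25 (IOD #1) EID 8
NSOCK (0.3660s) Callback: CONNECT SUCCESS for EID 8 [205.217.153.50:25]
NSOCK (0.3660s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 18
NSOCK (0.3990s) Callback: READ SUCCESS for EID 18 [205.217.153.50:25] (27 bytes):
                220 core.lnxnet.net ESMTP..
NSOCK (0.3990s) Read request from IOD #1 [205.217.153.50:25] (timeout: 4965ms) EID 26
NSOCK (5.3690s) Callback: READ TIMEOUT for EID 26 [205.217.153.50:25]
NSOCK (5.3690s) Write request for 6 bytes to IOD #1 EID 35 [205.217.153.50:25]: HELP..
NSOCK (5.3690s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 42
NSOCK (5.3750s) Callback: WRITE SUCCESS for EID 35 [205.217.153.50:25]
NSOCK (5.3890s) Callback: READ SUCCESS for EID 42 [205.217.153.50:25] (55 bytes):
                214 qmail home page: http://pobox.com/~djb/qmail.html..
"""

STAMP = re.compile(r"^NSOCK \(([\d.]+)s\) (.*)$")
READ = re.compile(r"Callback: READ SUCCESS for EID \d+ \[[^\]]+\] \((\d+) bytes\):\s*(.*)$")
WRITE = re.compile(r"Write request for (\d+) bytes to IOD #\d+ EID \d+ \[[^\]]+\]:\s*(.*)$")

def dialogue(trace):
    """Return (seconds, direction, byte_count, text) for each payload or timeout event."""
    events = []
    # Fold the indented payload lines back onto the NSOCK line they wrap from.
    for line in re.sub(r"[ \t]*\n[ \t]+", " ", trace).splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        t, rest = float(m.group(1)), m.group(2)
        if (r := READ.match(rest)):
            events.append((t, "recv", int(r.group(1)), r.group(2).strip()))
        elif (w := WRITE.match(rest)):
            events.append((t, "send", int(w.group(1)), w.group(2).strip()))
        elif rest.startswith("Callback: READ TIMEOUT"):
            events.append((t, "timeout", 0, ""))
    return events

def silent_gap(events):
    """Seconds between the server's banner and the scanner's first write."""
    banner = next(e for e in events if e[1] == "recv")
    probe = next(e for e in events if e[1] == "send")
    return round(probe[0] - banner[0], 4)

if __name__ == "__main__":
    for t, direction, n, text in dialogue(TRACE):
        print(f"{t:7.4f}s {direction:7} {n:3d} {text}")
    print("silent gap:", silent_gap(dialogue(TRACE)), "s")
```

The reported byte counts equal the lengths of the printed payloads, so each trailing dot stands for one unprintable byte (here the CR LF that ends every SMTP line).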