SFOBUG 2003 Examples
nmap.org/presentations/SFOBUG03/
fyodor@insecure.org
$Id: index.html 20578 2010-10-11 20:03:27Z fyodor $
Example 1: Simple unprivileged user scan
> nmap www.openbsd.org

Starting nmap 3.48 ( http://nmap.org ) at 2003-12-02 10:39 PST
Interesting ports on openbsd.sunsite.ualberta.ca (129.128.5.191):
(The 1636 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
80/tcp    open   http
110/tcp   open   pop3
113/tcp   open   auth
143/tcp   open   imap
514/tcp   open   shell
871/tcp   open   supfilesrv
2022/tcp  open   down
2401/tcp  open   cvspserver
7000/tcp  closed afs3-fileserver
7001/tcp  closed afs3-callback
7002/tcp  closed afs3-prserver
7003/tcp  closed afs3-vlserver
7004/tcp  closed afs3-kaserver
7005/tcp  closed afs3-volser
7006/tcp  closed afs3-errors
7007/tcp  closed afs3-bos
7008/tcp  closed afs3-update
7009/tcp  closed afs3-rmtsys
43188/tcp closed reachout

Nmap run completed -- 1 IP address (1 host up) scanned in 83.815 seconds
Example 2: More sophisticated scan
# nmap -sSV -T4 -O www.openbsd.org

Starting nmap 3.48 ( http://nmap.org ) at 2003-12-01 18:38 PST
Interesting ports on openbsd.sunsite.ualberta.ca (129.128.5.191):
(The 1636 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE         VERSION
21/tcp    open   ftp?
22/tcp    open   ssh             OpenSSH 3.7.1p2 (protocol 1.99)
25/tcp    open   smtp
80/tcp    open   http            Apache httpd 1.3.27 ((Unix) PHP/4.3.1 mod_perl/1.27)
110/tcp   open   pop3?
113/tcp   open   ident           pidentd
143/tcp   open   imap?
514/tcp   open   shell?
871/tcp   open   supfilesrv?
2022/tcp  open   ssh             OpenSSH 3.7.1p2 (protocol 1.99)
2401/tcp  open   cvspserver      cvs pserver
7000/tcp  closed afs3-fileserver
7001/tcp  closed afs3-callback
7002/tcp  closed afs3-prserver
7003/tcp  closed afs3-vlserver
7004/tcp  closed afs3-kaserver
7005/tcp  closed afs3-volser
7006/tcp  closed afs3-errors
7007/tcp  closed afs3-bos
7008/tcp  closed afs3-update
7009/tcp  closed afs3-rmtsys
43188/tcp closed reachout
[ cut ]
Device type: general purpose
Running: Sun Solaris 2.X|7
OS details: Sun Solaris 2.6 - 7 (SPARC)
Uptime 11.180 days (since Thu Nov 20 14:21:49 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 128.322 seconds
Example 3: HTTP Version sweep
# nmap -sSV -p80 -PS80 -iR 5000 | egrep -i -B2 "nmap| open http "

[ Results trimmed for brevity ]

Starting nmap 3.48 ( http://nmap.org ) at 2003-12-02 10:13 PST
Interesting ports on whlr-185.res.umass.edu (128.119.128.185):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.0.43 ((Win32))
--
Interesting ports on port-182.blakelapthorn.cams.newnet.co.uk (212.87.68.182):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.0
--
Interesting ports on weborganiz01.ikoula.com (213.246.36.172):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.26 (Ben-SSL/1.48 (Unix) Debian GNU/Linux PHP/4.3.3)
--
Interesting ports on 207.61.100.179:
PORT   STATE SERVICE VERSION
80/tcp open  http    Netscape Enterprise httpd 3.5.1G
--
Interesting ports on 207-101-121-247-rev.solutionnetworks.com (207.101.121.247):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.27 ((Unix) PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a)
--
Interesting ports on 146.20.67.23:
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.28 ((Unix) mod_layout/3.2)
--
Interesting ports on thesuperhosting.com (64.65.39.94):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.28
--
Interesting ports on rrcs-sw-24-173-104-211.biz.rr.com (24.173.104.211):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.27 ((Unix) (Red-Hat/Linux) mod_gzip/1.3.26.1a PHP/4.1.2)
--
Interesting ports on a147-226-5-130.deploy.akamaitechnologies.com (147.226.5.130):
PORT   STATE SERVICE VERSION
80/tcp open  http    AkamiGHost (Akamai's HTTP Acceleration/Mirror service)
--
Interesting ports on c-24-130-67-102.we.client2.attbi.com (24.130.67.102):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.0
--
Interesting ports on airband-216-138-125-67.airband.net (216.138.125.67):
PORT   STATE SERVICE VERSION
80/tcp open  http    Cisco IOS administrative webserver
--
Interesting ports on ADijon-107-1-5-115.w81-51.abo.wanadoo.fr (81.51.105.115):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS webserver 5.1
--
Interesting ports on sexland.gr (66.33.43.126):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 1.3.27 ((Unix) (Red Hat/Linux) PHP/4.1.2)

Nmap run completed -- 5000 IP addresses (110 hosts up) scanned in 1086.324 seconds
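The Example 2 and Example 3 listings above share nmap's normal-output format, including the "?" that marks a service name guessed from the port number rather than confirmed by a version probe, and the "--" separators that egrep -B2 leaves in Example 3. The following parser is an added example, not code from the presentation or from Nmap; it turns that text into records and tallies open ports by product, the inventory question a sweep like Example 3 is run to answer. The sample input is constructed from lines on this page.

```python
import itertools
import re
from collections import Counter, namedtuple
# Constructed sample: lines copied from this page's Example 2 and Example 3 output, covering a
# bare-IP host, a named host, an unconfirmed service ("ftp?"), a closed port and an egrep "--" separator.
SAMPLE = """\
Interesting ports on 207.61.100.179:
PORT   STATE SERVICE VERSION
80/tcp open  http    Netscape Enterprise httpd 3.5.1G
--
Interesting ports on openbsd.sunsite.ualberta.ca (129.128.5.191):
PORT     STATE  SERVICE         VERSION
21/tcp   open   ftp?
22/tcp   open   ssh             OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp   open   http            Apache httpd 1.3.27 ((Unix) PHP/4.3.1 mod_perl/1.27)
7000/tcp closed afs3-fileserver
"""

# "Interesting ports on NAME (IP):", or "Interesting ports on IP:" when reverse DNS gave no name
HOST_RE = re.compile(r"^Interesting ports on (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<bare>[\d.]+)):$")
# "80/tcp open  http    Apache httpd 2.0.43 ((Win32))"; the VERSION column is empty when no probe matched
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$")

# confirmed is False when nmap printed "ftp?": the name came from nmap-services, not from a version match
PortRecord = namedtuple("PortRecord", "host ip port proto state service confirmed version")

def parse_nmap_output(text):
    """Parse nmap normal output (plain, or egrep -B2 filtered as in Example 3) into PortRecords."""
    records, host, ip = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line.rstrip())
        if m:
            ip = m.group("ip") or m.group("bare")
            host = m.group("name") or ip
            continue
        m = PORT_RE.match(line.rstrip())
        if m and ip is not None:  # header, "--" and banner lines simply fail to match
            svc = m.group("service")
            records.append(PortRecord(host, ip, int(m.group("port")), m.group("proto"), m.group("state"),
                                      svc.rstrip("?"), not svc.endswith("?"), (m.group("version") or "").strip()))
    return records

def product_name(version):
    """Tokens of a VERSION column before the first version number or '(...)' group, e.g. 'Apache httpd'."""
    return " ".join(itertools.takewhile(lambda t: not (t[0].isdigit() or t.startswith("(")), version.split()))

def count_products(records):
    """Open ports tallied by product; unconfirmed services with no version string land in '(unknown)'."""
    return Counter(product_name(r.version) or "(unknown)" for r in records if r.state == "open")
```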
Example 4: Packet Tracing
[ output formatted slightly for readability ]

# nmap -sV -p 25 --packet_trace mail.insecure.org

Starting nmap 3.48 ( http://nmap.org ) at 2003-12-02 12:37 PST
SENT (0.0260s) ICMP 63.202.174.201 > 205.217.153.50 Echo request (type=8/code=0) ttl=56 iplen=28
SENT (0.0280s) TCP 63.202.174.201:48502 > 205.217.153.50:80 A ttl=38 id=63582 iplen=40 seq=3775756894 ack=3775756894
RCVD (0.0400s) ICMP 205.217.153.50 > 63.202.174.201 Echo reply (type=0/code=0) ttl=56 iplen=28
SENT (0.3320s) TCP 63.202.174.201:48481 > 205.217.153.50:25 S ttl=37 iplen=40 seq=1793593945 win=2048
RCVD (0.3430s) TCP 205.217.153.50:25 > 63.202.174.201:48481 SA ttl=56 id=0 iplen=44 seq=3383329626 win=5840 ack=3383329626
NSOCK (0.3520s) TCP connection requested to 205.217.153.50:25 (IOD #1) EID 8
NSOCK (0.3660s) Callback: CONNECT SUCCESS for EID 8 [205.217.153.50:25]
NSOCK (0.3660s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 18
NSOCK (0.3990s) Callback: READ SUCCESS for EID 18 [205.217.153.50:25] (27 bytes): 220 core.lnxnet.net ESMTP..
NSOCK (0.3990s) Read request from IOD #1 [205.217.153.50:25] (timeout: 4965ms) EID 26
NSOCK (5.3690s) Callback: READ TIMEOUT for EID 26 [205.217.153.50:25]
NSOCK (5.3690s) Write request for 6 bytes to IOD #1 EID 35 [205.217.153.50:25]: HELP..
NSOCK (5.3690s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 42
NSOCK (5.3750s) Callback: WRITE SUCCESS for EID 35 [205.217.153.50:25]
NSOCK (5.3890s) Callback: READ SUCCESS for EID 42 [205.217.153.50:25] (55 bytes): 214 qmail home page: http://pobox.com/~djb/qmail.html..
Interesting ports on core.lnxnet.net (205.217.153.50):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    qmail smtpd

Nmap run completed -- 1 IP address (1 host up) scanned in 5.425 seconds