
Network Security Lab-2 : Port Scanning

1. Output of discovery scan:


Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-13 23:06 EST
Nmap scan report for 10.0.0.113
Host is up (0.029s latency).
Nmap scan report for 10.0.0.124
Host is up (0.48s latency).
Nmap done: 64 IP addresses (2 hosts up) scanned in 10.93 seconds

2. Output of full TCP Connect scan


Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-13 23:19 EST
Nmap scan report for 10.0.0.113
Host is up (0.026s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
MAC Address: 08:00:27:7B:11:4C (Cadmus Computer Systems)

Nmap scan report for 10.0.0.124


Host is up (0.016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
MAC Address: 00:50:56:9F:5A:33 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 5.79 seconds

3. Output of full TCP SYN scan


Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-13 23:37 EST
Nmap scan report for 10.0.0.113
Host is up (0.020s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
MAC Address: 08:00:27:7B:11:4C (Cadmus Computer Systems)

Nmap scan report for 10.0.0.124


Host is up (0.013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
MAC Address: 00:50:56:9F:5A:33 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 211.98 seconds

4. Output of UDP Scan


Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-14 00:11 EST
Nmap scan report for 10.0.0.113
Host is up (0.022s latency).
Not shown: 1019 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
MAC Address: 08:00:27:7B:11:4C (Cadmus Computer Systems)

Nmap scan report for 10.0.0.124


Host is up (0.024s latency).
Not shown: 1022 closed ports
PORT STATE SERVICE
111/udp open rpcbind
958/udp open|filtered unknown
MAC Address: 00:50:56:9F:5A:33 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 1096.80 seconds

5. The output of your operating system identification scan

Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-14 12:27 EST


Nmap scan report for 10.0.0.113
Host is up (0.011s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1027/tcp open IIS
MAC Address: 08:00:27:7B:11:4C (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.50%D=2/14%OT=80%CT=1%CU=41861%PV=Y%DS=1%DC=D%G=Y%M=080027%TM=58
OS:A33EAB%P=i686-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=I%CI=I%TS=0)SEQ(S
OS:P=107%GCD=1%ISR=10D%TI=I%CI=RD%II=I%SS=S%TS=0)SEQ(SP=107%GCD=2%ISR=10D%T
OS:I=I%CI=I%TS=0)OPS(O1=M538NW0NNT00NNS%O2=M538NW0NNT00NNS%O3=M538NW0NNT00%
OS:O4=M538NW0NNT00NNS%O5=M538NW0NNT00NNS%O6=M538NNT00NNS)WIN(W1=4000%W2=400
OS:0%W3=4000%W4=4000%W5=4000%W6=4000)ECN(R=Y%DF=N%T=80%W=4000%O=M538NW0NNS%
OS:CC=N%Q=)T1(R=Y%DF=N%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%
OS:A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=N%T=80%W=4000%S=O%A=S+%F=AS%O=M538NW0NNT00
OS:NNS%RD=0%Q=)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T4(R=Y%DF=N%T=80
OS:%W=0%S=O%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%
OS:A=O%F=R%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=O%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T7(R=Y%DF=N%T=80%W=0%S=Z%A=O%F=AR%O
OS:=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 151.78 seconds

----

Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-14 12:33 EST


Nmap scan report for 10.0.0.124
Host is up (0.011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
MAC Address: 00:50:56:9F:5A:33 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.50%D=2/14%OT=22%CT=1%CU=41776%PV=Y%DS=1%DC=D%G=Y%M=005056%TM=58
OS:A33FCF%P=i686-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=Z%TS=8)SEQ(S
OS:P=107%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M538ST11NW4%O2=M538ST11NW
OS:4%O3=M538NNT11NW4%O4=M538ST11NW4%O5=M538ST11NW4%O6=M538ST11)WIN(W1=16A0%
OS:W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M538N
OS:NSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%
OS:T=40%W=16A0%S=O%A=S+%F=AS%O=M538ST11NW4%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=16A0%
OS:S=O%A=O%F=AS%O=M538ST11NW4%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(
OS:R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 120.13 seconds

6. Output of service header grab


HTTP/1.1 200 OK
Content-Length: 1433
Content-Type: text/html
Content-Location: http://10.0.0.113/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 22:48:30 GMT
Accept-Ranges: bytes
ETag: "0339c5afbd9c21:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 06 Dec 2016 02:58:41 GMT
Connection: close

HTTP/1.1 200 OK
Date: Mon, 12 Dec 2016 13:33:41 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Last-Modified: Fri, 11 Sep 2009 22:52:47 GMT
ETag: "18bb4-2d-473552cbf6dc0"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

7. The output of your service probes.


Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-14 14:28 EST
Nmap scan report for 10.0.0.113
Host is up (0.011s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:7B:11:4C (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 136.09 seconds

---
Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-14 14:42 EST
Nmap scan report for 10.0.0.124
Host is up (0.017s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.16 ((Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1)
111/tcp open rpcbind 2 (rpc #100000)
2049/tcp open nfs 2-4 (rpc #100003)
MAC Address: 00:50:56:9F:5A:33 (VMware)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 191.97 seconds

8 & 9. Idle scan output


02:42:50.527641 IP (tos 0x0, ttl 128, id 22954, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5340, seq 1, length 64
02:42:51.540503 IP (tos 0x0, ttl 128, id 22955, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5340, seq 2, length 64
02:42:52.660117 IP (tos 0x0, ttl 128, id 22956, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5340, seq 3, length 64

02:47:33.458132 IP (tos 0x0, ttl 128, id 22970, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5383, seq 1, length 64
02:47:34.557817 IP (tos 0x0, ttl 128, id 22971, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5383, seq 2, length 64
02:47:35.539428 IP (tos 0x0, ttl 128, id 22972, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5383, seq 3, length 64

02:47:46.364125 IP (tos 0x0, ttl 128, id 22973, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5386, seq 1, length 64
02:47:47.218018 IP (tos 0x0, ttl 128, id 22974, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5386, seq 2, length 64
02:47:48.217856 IP (tos 0x0, ttl 128, id 22975, offset 0, flags [DF], proto ICMP (1), length 84)
knoxville.nslab > 10.0.0.5: ICMP echo reply, id 5386, seq 3, length 64

9. Nmap Idle Scan


Starting Nmap 5.50 ( http://nmap.org ) at 2017-02-15 03:16 EST
Initiating ARP Ping Scan at 03:16
Scanning 10.0.0.124 [1 port]
SENT (0.0320s) ARP who-has 10.0.0.124 tell 10.0.0.5
RCVD (0.0520s) ARP reply 10.0.0.124 is-at 00:50:56:9F:5A:33
Completed ARP Ping Scan at 03:16, 0.20s elapsed (1 total hosts)
NSOCK (0.2330s) UDP connection requested to 8.8.4.4:53 (IOD #1) EID 8
NSOCK (0.2330s) Read request from IOD #1 [8.8.4.4:53] (timeout: -1ms) EID 18
NSOCK (0.2330s) UDP connection requested to 8.8.8.8:53 (IOD #2) EID 24
NSOCK (0.2330s) Read request from IOD #2 [8.8.8.8:53] (timeout: -1ms) EID 34
NSOCK (0.2330s) UDP connection requested to 10.0.0.254:53 (IOD #3) EID 40
NSOCK (0.2330s) Read request from IOD #3 [10.0.0.254:53] (timeout: -1ms) EID 50
Initiating Parallel DNS resolution of 1 host. at 03:16
NSOCK (0.2330s) Write request for 41 bytes to IOD #1 EID 59 [8.8.4.4:53]:
3............124.0.0.10.in-addr.arpa.....
NSOCK (0.2340s) Callback: CONNECT SUCCESS for EID 8 [8.8.4.4:53]
NSOCK (0.2340s) Callback: CONNECT SUCCESS for EID 24 [8.8.8.8:53]
NSOCK (0.2340s) Callback: CONNECT SUCCESS for EID 40 [10.0.0.254:53]
NSOCK (0.2340s) Callback: WRITE SUCCESS for EID 59 [8.8.4.4:53]
NSOCK (0.2550s) Callback: READ SUCCESS for EID 18 [8.8.4.4:53] (41 bytes):
3............124.0.0.10.in-addr.arpa.....
NSOCK (0.2550s) Read request from IOD #1 [8.8.4.4:53] (timeout: -1ms) EID 66
Completed Parallel DNS resolution of 1 host. at 03:16, 0.02s elapsed
Initiating idle scan against 10.0.0.124 at 03:16
SENT (0.2570s) TCP 10.0.0.5:53461 > 10.0.0.113:80 SA ttl=39 id=58346 iplen=44 seq=94368335 win=4096 <mss 1460>
SENT (0.2880s) TCP 10.0.0.5:53462 > 10.0.0.113:80 SA ttl=49 id=40055 iplen=44 seq=94368336 win=2048 <mss 1460>
SENT (0.3210s) TCP 10.0.0.5:53463 > 10.0.0.113:80 SA ttl=50 id=61173 iplen=44 seq=94368337 win=3072 <mss 1460>
RCVD (0.2880s) TCP 10.0.0.113:80 > 10.0.0.5:53461 R ttl=128 id=23087 iplen=40 seq=2389026628 win=0
RCVD (0.2990s) TCP 10.0.0.113:80 > 10.0.0.5:53462 R ttl=128 id=23088 iplen=40 seq=2389026628 win=0
SENT (0.3550s) TCP 10.0.0.5:53464 > 10.0.0.113:80 SA ttl=57 id=10148 iplen=44 seq=94368338 win=2048 <mss 1460>
RCVD (0.3330s) TCP 10.0.0.113:80 > 10.0.0.5:53463 R ttl=128 id=23089 iplen=40 seq=2389026628 win=0
SENT (0.3910s) TCP 10.0.0.5:53465 > 10.0.0.113:80 SA ttl=59 id=23879 iplen=44 seq=94368339 win=4096 <mss 1460>
SENT (0.4230s) TCP 10.0.0.5:53466 > 10.0.0.113:80 SA ttl=39 id=8869 iplen=44 seq=94368340 win=4096 <mss 1460>
RCVD (0.3650s) TCP 10.0.0.113:80 > 10.0.0.5:53464 R ttl=128 id=23090 iplen=40 seq=2389026628 win=0
RCVD (0.4010s) TCP 10.0.0.113:80 > 10.0.0.5:53465 R ttl=128 id=23091 iplen=40 seq=2389026628 win=0
RCVD (0.4330s) TCP 10.0.0.113:80 > 10.0.0.5:53466 R ttl=128 id=23092 iplen=40 seq=2389026628 win=0
Idle scan using zombie 10.0.0.113 (10.0.0.113:80); Class: Incremental
SENT (9.4330s) TCP 10.0.0.124:53460 > 10.0.0.113:80 SA ttl=40 id=36791 iplen=44 seq=94368335 win=1024 <mss 1460>
SENT (9.4830s) TCP 10.0.0.124:53460 > 10.0.0.113:80 SA ttl=51 id=32939 iplen=44 seq=94368336 win=4096 <mss 1460>
SENT (9.5340s) TCP 10.0.0.124:53460 > 10.0.0.113:80 SA ttl=42 id=48317 iplen=44 seq=94368337 win=3072 <mss 1460>
SENT (9.5840s) TCP 10.0.0.124:53460 > 10.0.0.113:80 SA ttl=44 id=21591 iplen=44 seq=94368338 win=1024 <mss 1460>
SENT (9.8860s) TCP 10.0.0.5:53508 > 10.0.0.113:80 SA ttl=40 id=14286 iplen=44 seq=1993065072 win=1024 <mss 1460>
RCVD (9.9140s) TCP 10.0.0.113:80 > 10.0.0.5:53508 R ttl=128 id=23097 iplen=40 seq=2703669130 win=0
SENT (9.9860s) TCP 10.0.0.113:80 > 10.0.0.124:22 S ttl=50 id=24803 iplen=44 seq=4085327574 win=3072 <mss 1460>
SENT (10.0350s) TCP 10.0.0.5:53675 > 10.0.0.113:80 SA ttl=40 id=49666 iplen=44 seq=1993065572 win=1024 <mss 1460>
RCVD (10.0470s) TCP 10.0.0.113:80 > 10.0.0.5:53675 R ttl=128 id=23099 iplen=40 seq=2703669130 win=0
SENT (10.1860s) TCP 10.0.0.5:53600 > 10.0.0.113:80 SA ttl=45 id=5002 iplen=44 seq=1993066072 win=2048 <mss 1460>
RCVD (10.1980s) TCP 10.0.0.113:80 > 10.0.0.5:53600 R ttl=128 id=23100 iplen=40 seq=2703669130 win=0
SENT (10.2860s) TCP 10.0.0.113:80 > 10.0.0.124:22 S ttl=46 id=53621 iplen=44 seq=4085327574 win=3072 <mss 1460>
SENT (10.3370s) TCP 10.0.0.5:53671 > 10.0.0.113:80 SA ttl=52 id=65231 iplen=44 seq=1993066572 win=1024 <mss 1460>
RCVD (10.3470s) TCP 10.0.0.113:80 > 10.0.0.5:53671 R ttl=128 id=23102 iplen=40 seq=2703669130 win=0
SENT (10.4880s) TCP 10.0.0.5:53677 > 10.0.0.113:80 SA ttl=40 id=41243 iplen=44 seq=1993067072 win=1024 <mss 1460>
RCVD (10.5000s) TCP 10.0.0.113:80 > 10.0.0.5:53677 R ttl=128 id=23103 iplen=40 seq=2703669130 win=0
Discovered open port 22/tcp on 10.0.0.124
Completed idle scan against 10.0.0.124 at 03:16, 10.33s elapsed (1 ports)
Nmap scan report for 10.0.0.124
Host is up (0.037s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:50:56:9F:5A:33 (VMware)

Read data files from: /usr/local/share/nmap


Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
Raw packets sent: 18 (776B) | Rcvd: 12 (468B)

10. Default method Nmap ping.


The default ping method of Nmap is an ICMP ping together with a TCP ACK probe, used with a TCP SYN scan.

11. icmp_ratelimit is the maximum rate at which the kernel generates ICMP messages. Typically
the value is given in jiffies, where one jiffy is 1/100 of a second. To slow down the UDP scan we
need the target to send its ICMP messages more slowly, so we could increase the icmp_ratelimit value
so that the time between messages increases and the messages go out more slowly.

12. A SYN scan (-sS) runs much faster than a connect scan (-sT) because it never needs to
complete the connection: it just sends a SYN packet and, depending on the response, declares
whether the port is open or closed. A connect scan, on the other hand, uses a full-fledged TCP
connect call from the higher-level networking layer, and so it has no control over the raw packets.
(Source: man page of nmap)

13. In general, if Nmap does not receive any response after its retransmissions, it concludes that the
port is open or filtered. I

14. When running an idle scan against a victim, if the victim's firewall drops the SYN packets,
those ports are called filtered ports. If a SYN segment is sent to a filtered port of the host,
the host gives no response to the segment, because the segment never reaches the host: the
firewall simply drops the packet. If the scan target uses a tar-pit on every unused port, it ends
up hogging its own resources and thereby affects other users that try to reach that system. The
idle scan would not be affected either, since all the incoming requests go to the zombie and the
IP ID is incremented whenever it gets a response (provided the zombie is known to be idle).

15. The general purpose of the IP ID field is to find out the quantity of packets coming from the
source. So an obvious technique is to change the way the IP ID is used. Some Linux kernels
randomize the IP ID sequence so that the same numbers are not reused within a short period. Also,
some kernels combine the value with the Defragmentation bit, since the IP ID field would otherwise
give the same information anyway. Some ways Linux implements this are:
1. IP Personality: it changes the parameters regarding the window size and packet
fragmentation, so that spoofed packets get the wrong information.
2. Stealth patch: the Stealth patch generally ignores packets of a specific kind configured into it.

If the IP ID numbers are changed or modified, the side channel is tricked about the
information on the real packets and thus cannot get accurate information about the desired
port.
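As an added example (not part of this lab report), the Python below reads echo-reply lines in the tcpdump format of section 8 and classifies the IP ID sequence the way the "Class: Incremental" line in section 9 does, so an administrator can check whether one of their own hosts exposes the IP ID side channel that question 15 describes removing. The sample capture, the host name host-a.lab and the MAX_STEP threshold are constructed assumptions, not values from the lab.

```python
import re

# Constructed sample capture in the section-8 tcpdump format (values made up).
SAMPLE_CAPTURE = """\
02:42:50.527641 IP (tos 0x0, ttl 128, id 41210, offset 0, flags [DF], proto ICMP (1), length 84)
    host-a.lab > 10.0.0.5: ICMP echo reply, id 5340, seq 1, length 64
02:42:51.540503 IP (tos 0x0, ttl 128, id 41211, offset 0, flags [DF], proto ICMP (1), length 84)
    host-a.lab > 10.0.0.5: ICMP echo reply, id 5340, seq 2, length 64
02:42:52.660117 IP (tos 0x0, ttl 128, id 41212, offset 0, flags [DF], proto ICMP (1), length 84)
    host-a.lab > 10.0.0.5: ICMP echo reply, id 5340, seq 3, length 64
"""

# Only the IP-header line carries the IP ID; the ICMP line's "id" is the echo
# identifier, so the match is anchored on the " IP (" header.
_IPID_RE = re.compile(r"^\S+ IP \([^)]*?\bid (\d+),")
MAX_STEP = 5  # assumption: larger per-packet steps are treated as non-sequential


def extract_ip_ids(capture):
    """Return the IP ID of every IP-header line in the capture, in order."""
    return [int(m.group(1)) for m in map(_IPID_RE.match, capture.splitlines()) if m]


def classify_ip_ids(ids):
    """'zero', 'incremental', 'broken-incremental', 'random' or 'unknown'."""
    if len(ids) < 2:
        return "unknown"
    if all(i == 0 for i in ids):
        return "zero"
    # IP ID is a 16-bit counter; take each step modulo 2**16 to survive wrap-around.
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(1 <= s <= MAX_STEP for s in steps):
        return "incremental"
    # A byte-swapped counter (ID stored little-endian) steps by multiples of 256.
    if all(s % 256 == 0 and 1 <= s // 256 <= MAX_STEP for s in steps):
        return "broken-incremental"
    return "random"


def leaks_ip_id_side_channel(capture):
    """True when replies carry a global sequential IP ID that an idle scan can read."""
    return classify_ip_ids(extract_ip_ids(capture)) in ("incremental", "broken-incremental")


if __name__ == "__main__":
    ids = extract_ip_ids(SAMPLE_CAPTURE)
    print(ids, classify_ip_ids(ids), leaks_ip_id_side_channel(SAMPLE_CAPTURE))
```

A host that classifies as "incremental" here is exactly one that Nmap would accept as a zombie, which is the condition IP ID randomization is meant to remove.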
