Dec 2009 28

Using NMAP To Detect Server Type

Posted In Networking By John Hass

When you talk power utilities on any *nix it’s hard to skip nmap. Ever since its introduction nmap has been used for good and evil. If you’ve ever had a server hacked, chances are they used nmap or some nmap-based code to get the job done. Just how easy is it to detect the server type with nmap? Try my Windows 2003 server (I know, kick me in the nuts and call me Sally).

nmap -A -T4 192.168.10.1

It took over a minute to get the results, but here is what I got.

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:42 CST
Interesting ports on server1.local.example.com (192.168.10.1):
Not shown: 963 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
25/tcp    open  smtp          Microsoft ESMTP 6.0.3790.3959
|  smtp-commands: EHLO example.com Hello [192.168.10.34], TURN, SIZE, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, X-EXPS GSSAPI NTLM LOGIN, X-EXPS=LOGIN, AUTH GSSAPI NTLM LOGIN, AUTH=LOGIN, X-LINK2STATE, XEXCH50
|_ HELP This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
80/tcp    open  http          Microsoft IIS webserver 6.0
|_ html-title: Under Construction
110/tcp   open  pop3          MS Exchange 2003 pop3d 6.5.7638.1
|_ pop3-capabilities: USER EXPIRE(NEVER) UIDL PIPELINING TOP SASL(NTLM)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
143/tcp   open  imap          Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ imap-capabilities: LOGIN-REFERRALS IMAP4 AUTH=NTLM IMAP4rev1 MAILBOX-REFERRALS UIDPLUS LITERAL+ IDLE NAMESPACE CHILDREN
445/tcp   open  microsoft-ds  Microsoft Windows 2003 microsoft-ds
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
691/tcp   open  resvc         Microsoft Exchange routing server 6.5.7638.138.1
993/tcp   open  tcpwrapped
995/tcp   open  tcpwrapped
1037/tcp  open  msrpc         Microsoft Windows RPC
1073/tcp  open  msrpc         Microsoft Windows RPC
1074/tcp  open  msrpc         Microsoft Windows RPC
1076/tcp  open  msrpc         Microsoft Windows RPC
1088/tcp  open  msrpc         Microsoft Windows RPC
1089/tcp  open  msrpc         Microsoft Windows RPC
1137/tcp  open  msrpc         Microsoft Windows RPC
1801/tcp  open  unknown
2103/tcp  open  msrpc         Microsoft Windows RPC
2105/tcp  open  msrpc         Microsoft Windows RPC
2107/tcp  open  msrpc         Microsoft Windows RPC
3389/tcp  open  microsoft-rdp Microsoft Terminal Service
4343/tcp  open  ssl/http      Microsoft IIS webserver 6.0
|_ sslv2: server still supports SSLv2
|  http-auth: HTTP Service requires authentication
|    Auth type: Negotiate
|_   Auth type: NTLM
|_ html-title: You are not authorized to view this page
5900/tcp  open  vnc           VNC (protocol 3.8)
6001/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6002/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6004/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
8080/tcp  open  http          Microsoft IIS webserver 6.0
|  http-auth: HTTP Service requires authentication
|    Auth type: Negotiate
|_   Auth type: NTLM
|_ html-title: You are not authorized to view this page
8181/tcp  open  http          Apache Tomcat/Coyote JSP engine 1.1
|_ html-title: Site doesn't have a title (text/html).
8443/tcp  open  ssl/http      Apache Tomcat/Coyote JSP engine 1.1
|_ html-title: Site doesn't have a title (text/html).
9000/tcp  open  http          Veritas backup exec continuous protection httpd
|_ html-title: Site doesn't have a title (text/xml).
9001/tcp  open  http          Veritas backup exec continuous protection httpd
|_ html-title: Site doesn't have a title (text/plain).
9002/tcp  open  http          Veritas backup exec continuous protection httpd (unauthorized)
|_ html-title: Site doesn't have a title (text/html).
9003/tcp  open  http          Veritas backup exec continuous protection httpd (unauthorized)
|_ html-title: Site doesn't have a title (text/plain).
10000/tcp open  backupexec    Veritas Backup Exec 9.0
Service Info: OS: Windows
Host script results:
|  smb-os-discovery: Windows Server 2003 3790 Service Pack 2
|  LAN Manager: Windows Server 2003 5.2
|  Name: example\SERVER1
|_ System time: 2009-12-15 15:38:06 UTC-6
|_ nbstat: NetBIOS name: SERVER1, NetBIOS user: , NetBIOS MAC: 00:11:43:e3:d5:f2
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.23 seconds

Surely this can’t work in Windows Server 2008?

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:47 CST
Interesting ports on server.local.example.com (192.168.10.5):
Not shown: 970 closed ports
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          Microsoft ESMTP
|  smtp-commands: EHLO exchange.example.com Hello [192.168.10.34], SIZE 41943040, PIPELINING, DSN, ENHANCEDSTATUSCODES, AUTH, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50
|_ HELP This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
80/tcp   open  http          Microsoft IIS webserver 7.0
|_ html-title: 403 - Forbidden: Access is denied.
88/tcp   open  kerberos-sec  Microsoft Windows kerberos-sec
110/tcp  open  pop3          MS Exchange 2007 pop3d
|_ pop3-capabilities: USER SASL(NTLM GSSAPI PLAIN) TOP UIDL
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
143/tcp  open  imap          Microsoft Exchange 2007 imapd
|_ imap-capabilities: IMAP4rev1 AUTH=GSSAPI LITERAL+ IMAP4 AUTH=NTLM AUTH=PLAIN NAMESPACE IDLE
389/tcp  open  ldap
443/tcp  open  ssl/http      Microsoft IIS webserver 7.0
|_ sslv2: server still supports SSLv2
|_ html-title: IIS7
445/tcp  open  microsoft-ds  Microsoft Windows 2003 microsoft-ds
464/tcp  open  kpasswd5?
587/tcp  open  smtp          Microsoft ESMTP
|  smtp-commands: EHLO exchange.example.com Hello [192.168.10.34], SIZE 41943040, PIPELINING, DSN, ENHANCEDSTATUSCODES, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING
|_ HELP This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
993/tcp  open  imaps?
995/tcp  open  pop3s?
1025/tcp open  msrpc         Microsoft Windows RPC
1026/tcp open  msrpc         Microsoft Windows RPC
1027/tcp open  msrpc         Microsoft Windows RPC
1029/tcp open  msrpc         Microsoft Windows RPC
1030/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
1031/tcp open  msrpc         Microsoft Windows RPC
1048/tcp open  msrpc         Microsoft Windows RPC
3268/tcp open  ldap
3269/tcp open  tcpwrapped
3389/tcp open  microsoft-rdp Microsoft Terminal Service
6001/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6002/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6004/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port993-TCP:V=5.00%I=7%D=12/15%Time=4B2803DB%P=x86_64-unknown-linux-gnu
SF:%r(NULL,20,"\*\x20BYE\x20Connection\x20is\x20closed\.\x2014\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port995-TCP:V=5.00%I=7%D=12/15%Time=4B2803DB%P=x86_64-unknown-linux-gnu
SF:%r(NULL,1F,"-ERR\x20Connection\x20is\x20closed\.\x2013\r\n");
Service Info: Host: exchange.example.com; OS: Windows
Host script results:
|_ nbstat: NetBIOS name: SERVER, NetBIOS user: , NetBIOS MAC: 00:22:19:54:ea:4d
|  smb-os-discovery: Windows Server (R) 2008 Standard 6001 Service Pack 1
|  LAN Manager: Windows Server (R) 2008 Standard 6.0
|  Name: example\SERVER
|_ System time: 2009-12-15 15:42:39 UTC-6

And Next time, don’t call me Shirley!

Now I am sure Linux is immune to this though!

Now I don’t want to brag, but all the Linux servers first responded with

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:53 CST
All 1000 scanned ports on 192.168.10.20 are filtered
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.04 seconds

This was from default Ubuntu installs. Eventually I did a scan on our webserver:

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:54 CST
Interesting ports on mail.sipmeeting.com (example.com):
Not shown: 988 closed ports
PORT     STATE SERVICE   VERSION
21/tcp   open  ftp       ProFTPD 1.3.0a
22/tcp   open  ssh       OpenSSH 4.6 (protocol 1.99)
|_ sshv1: Server supports SSHv1
|  ssh-hostkey: 2048 da:5e:f2:1e:63:47:14:29:bd:f9:e3:ca:aa:4e:2b:20 (RSA1)
|  1024 4a:6d:a3:75:d9:8d:c8:dc:32:82:6d:81:d8:39:81:d4 (DSA)
|_ 2048 92:90:42:06:61:70:f8:a0:38:f6:2c:54:27:b2:2b:a8 (RSA)
25/tcp   open  smtp      Sendmail 8.14.1/8.14.1
|  smtp-commands: EHLO mail.example.com Hello [1.1.1.1], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP
|_ HELP 2.0.0 This is sendmail version 8.14.1 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
37/tcp   open  time      (32 bits)
80/tcp   open  http      Apache httpd 2.2.4 ((Unix) DAV/2 PHP/5.2.4)
|  html-title: Online Global Resource
|_ Requested resource was http://example.com/src/login.php
110/tcp  open  pop3      Openwall popa3d
|_ pop3-capabilities: capa
111/tcp  open  rpcbind
|  rpcinfo:
|  100000  2        111/udp  rpcbind
|  100011  1,2      929/udp  rquotad
|  100003  2,3,4   2049/udp  nfs
|  100024  1      55627/udp  status
|  100021  1,3,4  55629/udp  nlockmgr
|  100005  1,2,3  55630/udp  mountd
|  100000  2        111/tcp  rpcbind
|  100011  1,2      932/tcp  rquotad
|  100003  2,3,4   2049/tcp  nfs
|  100024  1      50902/tcp  status
|  100021  1,3,4  51522/tcp  nlockmgr
|_ 100005  1,2,3  60993/tcp  mountd
143/tcp  open  imap      UW imapd 2004.357
|_ imap-capabilities: BINARY THREAD=ORDEREDSUBJECT IMAP4REV1 STARTTLS LOGIN-REFERRALS UNSELECT SCAN SASL-IR THREAD=REFERENCES MAILBOX-REFERRALS SORT AUTH=LOGIN LITERAL+ IDLE NAMESPACE MULTIAPPEND
587/tcp  open  smtp      Sendmail 8.14.1/8.14.1
|  smtp-commands: EHLO mail.example.com Hello [1.1.1.1], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP
|_ HELP 2.0.0 This is sendmail version 8.14.1 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
2000/tcp open  callbook?
2049/tcp open  rpcbind
3306/tcp open  mysql     MySQL 5.0.37
|  mysql-info: Protocol: 10
|  Version: 5.0.37
|  Thread ID: 2757516
|  Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
|  Status: Autocommit
|_ Salt: qD@R\V{,c2kG_+SA/b#%
Service Info: Host: mail.example.com; OS: Unix
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.31 seconds

It was only able to detect Unix, not Slackware Linux. Have fun and don’t do anything I wouldn’t do!
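As an added defender-side example (not code from the original post), here is a small Python parser that reads nmap's normal output in the shape of the scans above and pulls out the findings an administrator would want to fix first: SSLv2 and SSHv1 still enabled, VNC and RDP listening, and tcpwrapped ports whose version nmap could not identify. The sample input is constructed from lines of the scans above, not a live scan.

```python
import re

# Constructed sample in the shape of nmap 5.00 "normal" output, trimmed from
# the scans in the post above (not a live scan).
SAMPLE = """\
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH 4.6 (protocol 1.99)
|_ sshv1: Server supports SSHv1
443/tcp   open  ssl/http      Microsoft IIS webserver 7.0
|_ sslv2: server still supports SSLv2
|_ html-title: IIS7
993/tcp   open  tcpwrapped
3389/tcp  open  microsoft-rdp Microsoft Terminal Service
5900/tcp  open  vnc           VNC (protocol 3.8)
Service Info: OS: Windows
"""

# A port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# An NSE script result line: "|  <script-id>: <text>" or "|_ <script-id>: <text>"
SCRIPT_RE = re.compile(r"^\|[_ ]\s*(\S+?):\s*(.*)$")

def parse_nmap(text):
    """Return one dict per port line; script results attach to the preceding port."""
    entries, cur = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                   "service": m.group(4), "version": m.group(5) or "", "scripts": {}}
            entries.append(cur)
            continue
        m = SCRIPT_RE.match(line)
        if m and cur is not None:
            cur["scripts"][m.group(1)] = m.group(2)
    return entries

# Script ids and service names from the scans above that a defender should act on.
WEAK_SCRIPTS = {"sslv2": "SSLv2 still enabled", "sshv1": "SSHv1 still enabled"}
REMOTE_ACCESS = {"vnc": "VNC exposed", "microsoft-rdp": "RDP exposed"}

def findings(entries):
    """Return (port, message) pairs for open ports worth a hardening ticket."""
    out = []
    for e in entries:
        if e["state"] != "open":
            continue
        for sid, msg in WEAK_SCRIPTS.items():
            if "supports" in e["scripts"].get(sid, ""):   # script reports the legacy protocol
                out.append((e["port"], msg))
        if e["service"] in REMOTE_ACCESS:
            out.append((e["port"], REMOTE_ACCESS[e["service"]]))
        if e["service"] == "tcpwrapped":
            out.append((e["port"], "tcpwrapped: version unknown, verify by hand"))
    return sorted(out)

if __name__ == "__main__":
    for port, msg in findings(parse_nmap(SAMPLE)):
        print(f"{port:>5}  {msg}")
```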
