Network Security Security-Basics

Re: help interpreting the nmap output

Subject: Re: help interpreting the nmap output
Date: Fri, 17 Dec 2004 09:37:57 +0100
Hi Ivan,

Good! Yes, you guessed correctly: it seems that Apache was set up to show 
only its name.
For other ports, like services that don't have a text banner, you have 2 
very nice options:

a) use the -sV option in nmap. Read The Fine Manual, and also the article 
at http://www.insecure.org/nmap/versionscan.html
Take into account that this is not stealthy (like -sS); it establishes the 
full TCP connection.
Be sure to use the latest nmap; this option is quite new (>=3.45).
There's also a good article by Brian Hatch at InfoSec News: 
http://lists.virus.org/isn-0310/msg00030.html

b) use amap (http://www.thc.org/releases.php)
Amap is a next-generation scanning tool, which identifies applications and 
services even if they are not listening on the default port by creating a 
bogus communication and analyzing the responses. Changes: more 
identifications, SSL bugfix. Voted into the top-50 security tool list!

There are other tools out there to do the identification; Nessus, for 
example, can do some detection, but the 2 tools above are the preferred 
ones by most people (in my case: plain nmap, but I recognize the merits of 
amap as well).

Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG


"Ivan Fratric" <hacky_2001@hotmail.com>
16/12/2004 19:57

        To:     Miguel Dilaj/PH/Novartis@PH, security-basics@securityfocus.com
        cc:
        Subject:        Re: help interpreting the nmap output

Thanks for the reply. I tried using netcat, and I get the following

nc -vv xxx.xxx.xxx.xxx 80
xxxxxxxxxxxx.com [xxx.xxx.xxx.xxx] 80 (http) open
HEAD / HTTP/1.1
Host: www.xxxxxxxxxxx.com

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2004 19:41:45 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

So I guess Apache is configured not to show its version? When I try 
using netcat on the other mentioned ports I get something like

nc -vv xxx.xxx.xxx.xxx 23
xxxxxxxxxxxx.com [xxx.xxx.xxx.xxx] 23 (telnet) open
sent 0, rcvd 0: NOTSOCK

Is there anything else that can be done regarding the ports giving output 
like this?
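To make concrete what both messages above are circling around (a text banner such as "Server: Apache" versus a port that says nothing until the client speaks, which is why -sV and amap send probes), here is an added example that is not part of the thread or of nmap/amap. It does the match step of a version scanner over a small signature table, written from the defender's side as a self-audit for version leakage in banners: the sample responses are constructed from the netcat session in the thread (hostnames and addresses are placeholders), the signature regexes and the `grab_banner` helper are this example's own and not nmap's or amap's rule format.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses, modelled on the netcat session in the thread.
SAMPLE_HTTP_NO_VERSION = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 16 Dec 2004 19:41:45 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
# Hypothetical banner from a server that does disclose its version.
SAMPLE_HTTP_WITH_VERSION = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.52 (Unix) PHP/4.3.9\r\n\r\n"
)
SAMPLE_SSH = b"SSH-2.0-OpenSSH_3.9p1\r\n"   # SSH servers speak first
SAMPLE_SILENT = b""                          # what the telnet port returned: nothing


@dataclass
class Fingerprint:
    service: str
    product: Optional[str]
    version: Optional[str]
    note: str


# Signature table in the spirit of a version scanner's match rules: a regex over
# the raw response that names the service and captures product and version.
# (Example patterns, not nmap's or amap's own.)
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-[\d.]+-([A-Za-z]+)[_/ -]?([\w.]+)?")),
    ("smtp", re.compile(rb"^220[ -].*?\b(Postfix|Sendmail|Exim)[ /]?([\w.]+)?", re.I)),
    ("ftp",  re.compile(rb"^220[ -].*?\b(vsFTPd|ProFTPD|Pure-FTPd)[ /]?([\w.]+)?", re.I)),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}.*?\r?\nServer:[ \t]*([^\s/]+)/?(\S+)?",
                        re.I | re.S)),
]


def fingerprint(response: bytes) -> Fingerprint:
    """Classify a raw response the way a version scanner's match step would."""
    if not response.strip():
        # Nothing arrived: the service waits for the client to speak first, so a
        # passive banner grab cannot identify it; an active probe is needed.
        return Fingerprint("unknown", None, None,
                           "no banner: service waits for the client; "
                           "an active probe (nmap -sV or amap) is needed")
    for service, pattern in SIGNATURES:
        m = pattern.search(response)
        if m:
            product = m.group(1).decode(errors="replace")
            version = m.group(2).decode(errors="replace") if m.group(2) else None
            note = "version disclosed" if version else "version hidden (product name only)"
            return Fingerprint(service, product, version, note)
    return Fingerprint("unknown", None, None, "banner present but unmatched")


def version_leaks(response: bytes) -> bool:
    """True when a banner reveals an exact version string, the thing a
    self-audit of one's own hosts is usually looking for."""
    return fingerprint(response).version is not None


HTTP_HEAD_PROBE = b"HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 5.0) -> bytes:
    """Full TCP connect (not a -sS style SYN scan), optional probe, then read
    whatever comes back.  Mirrors the netcat session in the thread; network
    access is needed, so the samples above are used for offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
        return b"".join(chunks)


if __name__ == "__main__":
    for label, sample in [("http (name only)", SAMPLE_HTTP_NO_VERSION),
                          ("http (with version)", SAMPLE_HTTP_WITH_VERSION),
                          ("ssh", SAMPLE_SSH), ("telnet port", SAMPLE_SILENT)]:
        print(f"{label:20s} -> {fingerprint(sample)}")
```

The "Server: Apache" case comes out as http/Apache with no version, which is exactly what Apache's ServerTokens Prod setting produces; the empty telnet response comes out as "no banner", the situation where only an active probe (the -sV or amap approach) can say more. To audit a host you administer, pass `grab_banner(host, 80, HTTP_HEAD_PROBE % host.encode())` into `fingerprint` and treat `version_leaks` returning True as a finding.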

