A unique and cool tutorial on the port scanner Nmap, which is available for most operating systems.
I've grouped together most of the scanning techniques, with examples, in a simple, light form.
Get familiar with the following sections:

1. PORTS AND NMAP
2. FILES AND NMAP
3. TIME FOR SCANNING
   * BASIC TCP SCAN
   * SCAN "STEALTH"
   * SCAN PING
   * SCAN UDP
   * SCAN "HIDDEN"
   * SCAN OF PROTOCOLS
   * SCAN IDLE
   * SCAN OF OS DETECTION
   * SCAN OF VERSION DETECTION
   * SCAN ACK TO TEST FIREWALLS
   * SCAN WINDOW TCP
   * SCAN REMOTE PROCEDURE CALL (RPC)
   * SCAN LIST OF IP
   * SCAN MAIMON
   * SCAN DECOYS
   * OTHER "SPOOFING" OPTIONS
4. NMAP AND TIMING
   * Time-To-Live --ttl
   * FAST SCAN -F
5. TURNING OFF PING
6. TECHNIQUE OF FRAGMENTING PACKETS
7. NSE - NMAP SCRIPTING ENGINE
8. OTHER USEFUL OPTIONS
9. EXAMPLES
PORTS AND NMAP

Private network ranges (RFC 1918):
1) Class A - 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
2) Class B - 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
3) Class C - 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Reserved addresses:
1) 0.0.0.0 - unknown/default ("this host")
2) 127.0.0.0 to 127.255.255.255 - loopback/localhost
3) 255.255.255.255 - limited broadcast address

HOW NMAP SEES PORTS

Nmap distinguishes 6 port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered. That is much finer than most other scanners.
■(open) - an application is actively accepting TCP connections or UDP datagrams on the port.
■(closed) - the port is reachable (it receives and answers Nmap's probe packets) but no application is listening on it. Reachable closed ports show that the host is up and that other ports may turn out to be open.
■(filtered) - a router, firewall or host-based filter drops the probes (or answers with an ICMP error), so Nmap cannot tell whether the port is open. Filtered ports give little information and make scanning slower, because Nmap retransmits before giving up.
■(unfiltered) - the port is reachable but Nmap cannot tell whether it is open or closed. Only the ACK scan (-sA) reports this state; rescan such ports with SYN, FIN or Window scans to resolve them.
■(open|filtered) - Nmap cannot tell whether the port is open or filtered. Reported by scans where an open port gives no response: UDP, FIN, Null, Xmas and IP protocol scans.
■(closed|filtered) - Nmap cannot tell whether the port is closed or filtered. Only the idle scan (-sI) reports this state.

PORT RANGES

Nmap does not scan ports in numeric order. By default it scans the 1000 most common ports (by the frequency data in the nmap-services file), in random order. To scan all 65535 ports use -p 1-65535 or the shorthand -p-. The nmap-services file maps port numbers to the services most commonly found on them, which does not mean another program cannot be listening there. To scan ports in sequential order use -r. To pick particular ports use -p.

Example: nmap -sU -sS X.X.X.X -p 21,22,80,443,U:53,111,137,T:49152-49154

Option -sU requests a UDP scan and -sS a TCP SYN scan. A "U:" qualifier applies to every following port until the next qualifier, so 53,111,137 are UDP-only; "T:" makes 49152-49154 TCP-only. Ports listed before any qualifier (21,22,80,443) are scanned with every protocol requested, here both TCP and UDP (in the example output in the EXAMPLES section they appear as both /tcp and /udp).

A range can also be given: nmap -sX Y.Y.Y.Y -p 1-1023

Scan example is here.

FILES AND NMAP

nmap -oN fileName: normal format
nmap -oX fileName: XML format
nmap -oG fileName: grepable format (one line per host, easy to process with grep/awk)
nmap -oS fileName: "script kiddie" format (just for fun)
nmap -oA baseName: all three useful formats at once (.nmap, .xml, .gnmap)
Example: nmap -sF -PN -vv X.X.X.X -p 80 -oS myScan1.txt

PAUSE AND RESUME SCANNING

The scan must be logged with -oN or -oG. Pause with Ctrl-C and resume with --resume fileName.

READ HOSTS LIST FROM FILE

nmap -iL fileName reads the list of IPs to scan from a file. Entries are separated by spaces, tabs or newlines. Example: nmap -iL file1.txt -sF -p 80
Hosts can be excluded from a scan with --exclude host1,host2,...
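As an added example (not part of the original tutorial), here is a small Python parser that applies the -p qualifier rules described above to a port specification, so you can check what a given -p string will actually scan before running Nmap. It assumes the scan requests both TCP and UDP (-sS -sU), mirrors the rules from the Nmap manual (a qualifier sticks until the next one, unqualified ports apply to every requested protocol, "-" alone means 1-65535), and the function names are mine, not Nmap's.

```python
"""Expand an Nmap-style -p port specification (added example, not Nmap code)."""
from typing import Dict, Iterable, Set, Tuple

# Qualifiers Nmap accepts before a list of ports (uppercase only, as in Nmap).
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp"}


def _parse_range(item: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '1-1023' -> (1, 1023); '-' -> (1, 65535); '-100' -> (1, 100)."""
    if item == "-":
        return 1, 65535
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {item!r}")
    return lo, hi


def parse_port_spec(spec: str, protocols: Iterable[str] = ("tcp", "udp")) -> Dict[str, Set[int]]:
    """Return {protocol: set(ports)} for an -p string.

    `protocols` are the protocols the scan actually requests (e.g. -sS -sU ->
    tcp, udp): ports listed before any T:/U:/S: qualifier apply to all of them.
    """
    result: Dict[str, Set[int]] = {p: set() for p in ("tcp", "udp", "sctp")}
    current = None  # None: no qualifier seen yet -> apply to all requested protocols
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        if len(item) >= 2 and item[1] == ":" and item[0] in QUALIFIERS:
            current = QUALIFIERS[item[0]]   # qualifier sticks until the next one
            item = item[2:]
            if not item:                    # a bare "T:" only switches protocol
                continue
        lo, hi = _parse_range(item)
        for proto in ([current] if current else list(protocols)):
            result[proto].update(range(lo, hi + 1))
    return {p: s for p, s in result.items() if s}


def summarize(spec: str, protocols: Iterable[str] = ("tcp", "udp")) -> Dict[str, int]:
    """Number of ports per protocol that the specification expands to."""
    return {p: len(s) for p, s in parse_port_spec(spec, protocols).items()}


if __name__ == "__main__":
    # The tutorial's own example: 7 TCP and 7 UDP ports, not 4 + 3 + 3.
    for proto, ports in sorted(parse_port_spec("21,22,80,443,U:53,111,137,T:49152-49154").items()):
        print(proto, sorted(ports))
```

The unqualified 21,22,80,443 end up in both the TCP and the UDP set, which is exactly what the -sU -sX example output further down shows (fourteen port lines, seven per protocol).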
--excludefile fileWithHosts (a file with IP addresses, one per line or separated by spaces)

TIME FOR SCANNING

Scanning can be fun. You can see whether someone is online, what programs/services a host runs, and learn about your own network, its security gaps and its open ports. Often you have to scan a host several times with different techniques and compare the results.

SIMPLE TCP SCAN

nmap -sT scans TCP ports by completing a full three-way handshake (connect()) with each one and reporting whether the connection succeeded. Ports you could connect to are shown as "open". Because every connection is completed, this technique is easy to detect and is logged by firewalls, IDS and the services themselves (your IP ends up in their logs). Use it only when the SYN scan is not available, e.g. without root/raw-socket privileges; Nmap does not allow -sT and -sS in the same scan anyway.

Scan example is here.

SCAN "STEALTH"

The SYN scan (nmap -sS) is the default technique when run with root privileges. It sends TCP packets whose headers carry control flags; the flags in the reply tell Nmap how the target treated the probe and how Nmap should respond:
■SYN (Synchronise)
■ACK (Acknowledge)
■FIN (Finished)
■RST (Reset: the connection is refused or torn down immediately)

How it works: Nmap sends a SYN to each port. If a SYN/ACK comes back the port is "open"; a connection could now be completed, but Nmap instead answers with RST so the handshake never finishes (which usually leaves no trace in application logs, although firewalls and IDS still see the packets). If an RST comes back the port is "closed". If nothing comes back after retransmission, or an ICMP unreachable error arrives, the target (or something in front of it) dropped the SYN and the port is "filtered". Those are the only three outcomes. Most modern firewalls and IDS can detect a SYN scan; you can make it less obvious with other options such as timing (described in a later section).

Scan example is here.

SCAN PING

nmap -sP (ping scan, host discovery only) finds hosts that are online. By default, with root privileges, it sends an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP Timestamp Request (that is the "[4 ports]" in the verbose output). A host that answers with an ICMP Echo Reply, a SYN/ACK or an RST is online. If nothing comes back the host may be offline or everything may be filtered. Host discovery can be skipped altogether with -P0 (zero), now spelled -PN/-Pn. The individual ping types:
■-PS (TCP SYN Ping) Sends an empty SYN to port 80 by default; other ports are given without a space, e.g. -PS21 or -PS80,443,22,23,25,113,1050,35000. Whether the port is open (SYN/ACK) or closed (RST), either reply proves the host is online.
■-PA (TCP ACK Ping) Sends ACK packets for a connection the target knows nothing about; it should reply with RST, revealing that it is up. Firewalls and IDS may block incoming SYN but have no rule for stray ACKs (stateless filters). Best combined with -PS, e.g. nmap -v -PS -PA X.X.X.X
■-PU (UDP Ping) Sends an empty UDP packet (default port 40125). Aim it at a port that is probably closed: an open UDP service will not answer an empty packet, while a closed port returns ICMP Port Unreachable.
■-PE (Standard ICMP Echo Request)
■-PP (ICMP Timestamp Request) Can get through when an admin blocks only ICMP Echo Requests.
■-PM (ICMP Address Mask Request) Same idea as -PP.
■-PB (obsolete: the old default of ICMP Echo Request plus TCP ACK ping)
■-PR (ARP Ping) Discovers hosts on the local Ethernet segment with ARP requests for their hardware (MAC) addresses. Nmap uses it automatically on a local network; it is faster and more reliable than IP-level pings, which a host may be configured to ignore.

Scan example is here.

SCAN UDP

nmap -sU scans UDP ports. The scanner sends an empty UDP packet (or, for a few well-known ports, a protocol-specific payload from the nmap-payloads file) to each chosen port. ICMP Port Unreachable in reply means "closed"; a UDP reply means "open"; other ICMP unreachable errors mean "filtered"; no reply at all is reported as "open|filtered", because an open service that ignores the packet looks the same as a firewall that drops it. That is why this scan can "lie" and show ports as open|filtered when a firewall blocks the ICMP errors. The other problem is that most operating systems rate-limit ICMP Port Unreachable messages (Linux to about one per second), so a full 65535-port UDP scan can take many hours. Windows machines historically did not rate-limit them, so all ports scan quickly there (newer versions may). The technique can find trojans and services that use UDP. Very slow against Unix-based systems.

Scan example is here.

SCAN "HIDDEN"

Most firewalls and IDS look for the -sS technique. The alternatives are described below.
Each technique is named after the TCP flags set in the probe. How it works: per RFC 793, a "closed" port must answer a packet that carries neither SYN, RST nor ACK with an RST, while an "open" port silently drops it. So a port that returns RST is closed and a port that stays silent is reported "open|filtered" (a firewall dropping the probe looks the same). No connection is set up, so these scans may slip past simple stateless filters.

nmap -sF -v - FIN scan, sends a packet with only the FIN flag
nmap -sX -v - Xmas Tree scan, sends a packet with the FIN, URG and PUSH flags
nmap -sN -v - Null scan, sends a packet with no flags at all

These methods work against TCP stacks that follow RFC 793 (most Unix-like systems). Microsoft Windows, many Cisco devices and a few others do not: they answer RST on every port regardless of state, so all ports appear "closed". Conclusion: when a SYN scan shows open ports but FIN/Xmas/Null show every port as closed, you are probably dealing with a Windows machine.

Scan example is here.

SCAN OF PROTOCOLS

nmap -sO (IP protocol scan) finds which IP protocols (ICMP, IGMP, TCP, UDP, ...) the target supports. There are only 256 possible protocol numbers, so it does not take long. The scanner sends raw IP packets with each protocol number and waits. An ICMP Protocol Unreachable reply means the protocol is not supported ("closed"); any other response means "open"; no response is "open|filtered". Some systems (AIX, HP-UX, Digital UNIX) and many firewalls never send ICMP Protocol Unreachable, and others rate-limit it, so expect many open|filtered results.

Scan example is here.

SCAN IDLE

nmap -sI (idle scan) is one of the hardest scans to trace back, because no packet reaches the target from our own IP address. All we need is a "zombie" host to bounce off. The target logs only the zombie's IP; our IP appears only in the zombie's logs, as probes to a single port. The best zombie is a host on the same network segment as we are (see below why). The scan exploits a predictable IP identification field (IP ID) in the zombie's IP headers: we send SYN packets to the target with the zombie's IP spoofed as the source, and watch how the zombie's IP ID counter moves.
When the port is "open", the target sends SYN/ACK to the zombie, which answers with RST because it knows nothing about that connection; sending that RST consumes one IP ID. When the port is "closed", the target sends RST to the zombie, which ignores it and sends nothing. Before and after each spoofed SYN, Nmap probes the zombie itself (a SYN/ACK that elicits an RST) and reads the IP ID. If it advanced by 2 since the previous probe (one step for the RST the target provoked, one for the reply to our probe), the port is "open"; if by 1, the port is "closed". A filtered port also produces no traffic from the zombie, so this technique cannot tell filtered from closed and reports "closed|filtered". Some IDS, firewalls and ISPs drop packets whose source address does not belong to the network they came from (anti-spoofing filtering), which is why, as mentioned earlier, the zombie should be on the same segment as we are. The zombie must also carry little traffic of its own (any packet it sends moves the counter) and have a predictable IP ID sequence, ideally a single-step increment. Such zombies are not easy to find :) so first run OS detection with -O -v and read the "IP ID Sequence Generation" line for the candidate. Cheap routers, printers and older Windows machines make good zombies. -sI can also reveal firewall policy, e.g. the zombie may be allowed to reach a port on the target that we are not. The default zombie port is 80; to use another, give zombie:port, e.g. -sI 192.168.1.1:21. The zombie port must be open or closed (not filtered), otherwise it will not answer our probes. More info: http://www.insecure.org/nmap/idlescan.html

Scan example is here.

SCAN OF OS DETECTION

nmap -O (OS fingerprinting) turns on the operating system detection engine. With -v it prints more, e.g. the IP ID sequence class, useful when looking for a zombie host (-sI). Option -A turns on OS detection, version detection, script scanning and traceroute together. Additional options: --osscan-limit (skip OS detection for hosts without at least one open and one closed port, which saves time) and --osscan-guess or --fuzzy (guess more aggressively when there is no exact match).

Scan example is here.

SCAN OF VERSION DETECTION

nmap -sV detects the service and its version on each open port.
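The IP ID bookkeeping of the idle scan is easier to follow in code than in prose. The Python below is an added example, not from the tutorial or from Nmap: it classifies a sampled IP ID sequence the way the "IP ID Sequence Generation" line does (approximately; the class names are Nmap's, the thresholds are mine), interprets the before/after IP ID pair of a single probe, and runs a simulated idle scan against a toy zombie and target. The Zombie class and the port set are constructed for the demonstration.

```python
"""Idle scan IP ID logic (added example; simulation, not Nmap code)."""
from typing import Dict, Iterable, Sequence, Set


def ipid_class(samples: Sequence[int]) -> str:
    """Classify a sequence of IP IDs read from a candidate zombie.

    Approximates the classes Nmap prints with -O -v. Only "Incremental" and
    "Broken little-endian incremental" (the counter is written in the wrong
    byte order, so it moves by 256) make a usable zombie.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    if all(s == 0 for s in samples):
        return "All zeros"
    diffs = [(b - a) % 65536 for a, b in zip(samples, samples[1:])]
    if all(d == 1 for d in diffs):
        return "Incremental"
    if all(d == 256 for d in diffs):
        return "Broken little-endian incremental"
    if all(d == 0 for d in diffs):
        return "Constant (unusable)"
    return "Randomized"


def idle_probe_result(ipid_before: int, ipid_after: int, step: int = 1) -> str:
    """Interpret the zombie's IP ID change around one spoofed SYN to the target.

    Our own probe to the zombie always costs one step (its RST back to us).
    open            -> target sent SYN/ACK to the zombie, zombie replied RST: 2 steps
    closed|filtered -> target sent RST or nothing; zombie stayed silent:     1 step
    """
    delta = (ipid_after - ipid_before) % 65536
    if delta == 2 * step:
        return "open"
    if delta == step:
        return "closed|filtered"
    return "unknown (zombie busy or not usable)"


class Zombie:
    """Toy host with an incremental IP ID counter (constructed for the example)."""

    def __init__(self, start: int, step: int = 1) -> None:
        self.ipid = start
        self.step = step

    def send(self) -> int:
        """Any packet the zombie emits consumes one IP ID; returns the ID used."""
        self.ipid = (self.ipid + self.step) % 65536
        return self.ipid


def idle_scan(zombie: Zombie, target_open_ports: Set[int], ports: Iterable[int]) -> Dict[str, str]:
    """Simulate nmap -sI: one spoofed SYN per port, bracketed by two zombie probes."""
    results: Dict[str, str] = {}
    for port in ports:
        before = zombie.send()             # our SYN/ACK probe -> zombie answers RST
        if port in target_open_ports:      # spoofed SYN: target SYN/ACKs the zombie,
            zombie.send()                  # zombie answers that with RST (+1 step)
        # closed or filtered: target sends RST or nothing; the zombie is silent
        after = zombie.send()              # second probe -> zombie answers RST
        results[f"{port}/tcp"] = idle_probe_result(before, after, zombie.step)
    return results


if __name__ == "__main__":
    print(ipid_class([1000, 1001, 1002, 1003]))
    print(idle_scan(Zombie(1000), {80, 443}, [22, 80, 443]))
```

Note what the simulation cannot show: any unrelated packet the zombie sends between the two probes also moves the counter, which is why a busy host gives "unknown" results and why Nmap probes each port several times before trusting the answer.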
It can be combined with -A, which includes -O (fingerprinting) and -sV (version detection). Additional options:

■--allports Probe every open port, including those listed in the Exclude directive of the nmap-service-probes file (such as TCP 9100, a printer port that would otherwise print every probe as garbage). Valuable, unless you remove "Exclude" from the file yourself.
■--version-intensity [level] Levels range from 0 to 9; 7 is the default, and --version-all means level 9 (most thorough/paranoid).
■--version-light Intensity 2: fast but less precise.
■--version-trace Prints detailed debugging output while probing.

Scan example is here.

SCAN ACK TO TEST FIREWALLS

A good technique for testing firewalls and telling stateful from stateless ones. Nmap sends an ACK packet to each port; an RST in reply classifies the port as "unfiltered" (it may be open or closed); no reply, or an ICMP error, means the port is "filtered". A stateless firewall typically blocks incoming SYN but lets unsolicited ACKs through, so most ports come back unfiltered; a stateful firewall tracks connections and drops the stray ACKs, so they come back filtered. nmap -sA sets only the ACK flag unless --scanflags is used to choose the flags yourself. This method never shows which ports are open, so combine it with other scans.

Scan example is here.

SCAN WINDOW TCP

nmap -sW works like the ACK scan, with one difference: when an RST comes back it examines the TCP Window field. On some operating systems an RST from an open port carries a positive window size and an RST from a closed port a zero window, so the scan reports "open" or "closed" instead of "unfiltered". Most systems return a zero window either way, so every port then appears closed; as with the ACK scan, no reply means "filtered".

Scan example is here.

SCAN REMOTE PROCEDURE CALL (RPC)

nmap -sR talks to the RPC services found on the given ports/hosts and identifies the RPC program and version behind each one (in Nmap 4.x and later -sR is an alias for -sV, which does the RPC grinding itself). Use it together with other scan methods. It will not work with "decoys" (described below), as can be seen in my sample scan.

Scan example is here.

SCAN LIST OF IP

nmap -sL (list scan) is a cool and useful way to list an IP range together with the host names in a network area, e.g. nmap -sL 192.168.0.1/16. It only does reverse DNS lookups and sends no packets to the targets, so it is a good way to look around a network without alarming IDS or firewalls. Turn the DNS lookups off with -n.
More info in this tutorial: http://www.sangoma.com/support/tutorials/tcp_ip.html

Scan example is here.

SCAN MAIMON

nmap -sM is named after its discoverer, Uriel Maimon (Phrack 49, November 1996). It is a relative of the Null, FIN and Xmas scans: the probe carries FIN/ACK. Per RFC 793 an RST should come back whether the port is open or closed, but Maimon found that many BSD-derived systems drop the packet when the port is open, and that is the whole idea: RST means "closed", silence means "open|filtered". Use it against BSD systems.

Scan example is here.

SCAN DECOYS

This technique does not hide your real IP address, but buries it among many others: the same probes are also sent with the spoofed source addresses you list, so someone reading the firewall log sees several apparent attackers and has to work out which one is real. Every probe is sent once per decoy plus once from you, so traffic multiplies and the scan takes longer. Do not use it with version detection (-sV) or the TCP connect scan (-sT), which need real connections from your own address.

nmap -sS -n -D X.X.X.X,X.X.X.X,X.X.X.X,ME,X.X.X.X -p 80 www.example.com

ME marks the position of your real address in the list; if you leave it out, Nmap puts you in a random position. The decoy hosts should be up, otherwise the target can tell the real scanner from the silent decoys.

Scan example is here.

OTHER "SPOOFING" METHODS

To make a scan less visible, use the options below:
■-e [interface] (use when Nmap cannot work out which interface to use, e.g. -e eth0)
■--source-port [PortNumber] or -g [PortNumber] (firewalls and IDS often allow traffic from a particular source port, such as 53 (DNS) or 20 (FTP-data), leaving it unfiltered; that is a gap you can use to gather information. It works with the raw-packet TCP and UDP scans. Look for such ports blindly, by trial, even when other scans show nothing (trust your luck). It does not apply to packets that go through the OS's own stack: DNS requests (-R), OS detection (-O), version detection and connect scans.)
■--data-length [size] (appends random data to each probe; the default packet sizes are 40 bytes for TCP and 28 bytes for ICMP. Larger packets mean a slower scan, but one that looks less like Nmap.)
■--ttl [value] (sets the IP time-to-live of outgoing packets)
■--randomize-hosts (scans the target hosts in random order, making a sweep less obvious)
■--spoof-mac [MAC address, prefix or vendor name] (sends frames with a source MAC other than your own; "0" picks a random MAC, a vendor name such as "linksys" picks a random MAC from that vendor's range, or give a neighbour's full MAC)
■--badsum (sends packets with a wrong TCP/UDP checksum; a real host drops them silently, so any reply comes from a firewall or IDS that did not verify the checksum)

NMAP AND TIMING

Nmap offers timing templates and options to speed up or slow down the whole process and make it less visible. There are 6 templates, -T0 to -T5 (Paranoid, Sneaky, Polite, Normal, Aggressive, Insane). -T0 (Paranoid) is the slowest: it waits 5 minutes between probes, which hides the scan well from a human or a machine correlating logs by time. -T5 (Insane) is the fastest, for very fast networks; it often loses information! -T3 (Normal) is the default.
■--min-hostgroup [number of hosts]
■--max-hostgroup [number of hosts]
Nmap scans targets in parallel groups and prints the results for a group only when the whole group is done. Large groups are more efficient when scanning many hosts; a smaller maximum lets you see results for the first hosts before the whole scan ends.
■--min-parallelism [number of probes]
■--max-parallelism [number of probes]
Minimum/maximum number of probes outstanding at once. By default Nmap adjusts this itself from the network's behaviour: down to 1 when the network drops packets, up to several hundred in perfect conditions. Forcing a higher minimum speeds a scan up but can make it miss ports. Setting --max-parallelism 1 together with --scan-delay (described below) can slip past some IDS and give interesting results.
■--min-rtt-timeout [time]
■--max-rtt-timeout [time]
■--initial-rtt-timeout [time]
The round trip time (RTT) timeout decides how long Nmap waits for a probe response before giving up or retransmitting. It adapts from the responses of previous probes; on a congested network it grows and the scan slows down. Always give times with an explicit unit (100ms, 2s, 5m, 1h): in recent Nmap versions a bare number means seconds, while older ones took milliseconds. Lowering --max-rtt-timeout and --initial-rtt-timeout below the defaults shortens a scan against well filtered networks (combine with -P0), but setting them too low is a mistake: Nmap then retransmits probes whose responses were simply slow. For a LAN a value around 100ms works, e.g. --max-rtt-timeout 100ms. For a distant host, first measure its response with ping or a tool like hping2/hping3, take the maximum RTT over about 10 packets, use twice that for --initial-rtt-timeout and three times that for --max-rtt-timeout, and never go below 100ms or above 1000ms.
--min-rtt-timeout is rarely useful (only when responses are being dropped on a congested link).
■--max-retries [value] Maximum number of retransmissions per probe. Use it when the target rate-limits its responses or the network drops packets. The default is 10; on a fast, clean network Nmap only needs one retransmission, so --max-retries 3 shortens the scan, or just leave this option alone :)
■--host-timeout [time] A very useful option for shortening scans: when one of many hosts is slow (or heavily filtered), it holds everything up. This sets the maximum time spent on a single host, e.g. --host-timeout 5m (hosts not finished after 5 minutes are skipped and their partial results discarded).
■--scan-delay [time]
■--max-scan-delay [time]
Wait time between consecutive probes to a host. Some OS (Solaris, for example) rate-limit responses to about one ICMP error per second; knowing that, --scan-delay 1s avoids wasting probes. Times use the same units: 1s, 1m, 1h. Nmap raises the delay on its own when it detects dropped probes, which can slow a scan down a lot; --max-scan-delay caps that, but set it too low and you get retransmissions instead. A long delay is also a classic way to stay under IDS thresholds. More in Nmap's manual.

TIME-TO-LIVE --ttl

nmap --ttl [value] sets the IP time-to-live of outgoing packets, 0 to 255, e.g. nmap --ttl 160 -v X.X.X.X -p 80. A low TTL makes probes expire before they reach a distant target, which is the mechanism traceroute/tracert use to map a path; Nmap itself maps the path to a target with --traceroute. I can't use it yet, so no example ;/

FAST SCAN -F

nmap -F scans only the 100 most common ports from nmap-services instead of the default 1000, so it is much faster than scanning all 65535.

Scan example is here.

TURNING OFF PING

Host discovery ("ping") is turned off with nmap -P0 (zero) or its newer spelling -PN; Nmap then assumes every target is up and port-scans it even when no ping reply comes back. -PT is the obsolete name for the TCP ACK ping (now -PA); in old versions a port was given as -PT80, today write -PA80, and combine it with -PS (SYN ping) for better coverage. More "ping" options are in the subsection "SCAN PING".

Scan example is here.

TECHNIQUE OF FRAGMENTING PACKETS

nmap -f splits the probe packets into tiny IP fragments (8 bytes of payload each) when used with the raw TCP techniques: -sS, -sF, -sX, -sN. Simple packet filters pass the fragments straight through to the host, whose OS reassembles them and answers. Better firewalls (even iptables) reassemble the fragments before inspecting them. -ff uses 16-byte fragments; --mtu lets you choose the fragment size yourself, as a multiple of 8.

Sample scan is here.

NSE - NMAP SCRIPTING ENGINE

A powerful feature: run your own Lua scripts, or ones available on the web, against the targets. NSE scripts are grouped into categories. Options: -sC (run the default category), --script nameOfScript (run a given script, category or expression), --script-trace (show every script's network traffic: addresses, data sent and received; combine with --packet-trace). Scripts live in /usr/share/nmap/scripts on Linux. More info: http://nmap.org/book/nse.html

Sample scan is here.

OTHER USEFUL OPTIONS
While a scan runs, single keys change its behaviour interactively:
■v / V - increase / decrease verbosity level
■d / D - increase / decrease debugging level
■p / P - turn packet tracing on / off
Option -6: IPv6 scanning.
Option -d [level]: debugging level 1 to 9, more output at higher levels.
Option -n: never do reverse DNS, which speeds the scan up.
Option -R: always do reverse DNS; by default Nmap resolves only hosts found online.
Option --dns-servers server1,server2: use your own DNS servers :)
Option --system-dns: use the system resolver instead of Nmap's own parallel resolver.
Option --packet-trace: show every packet sent and received.
Option --iflist: show interfaces and routes.
Option --datadir [folderName]: directory with Nmap's data files (nmap-services etc.).
Option --send-eth: send at the data-link layer (raw Ethernet frames) instead of through raw IP sockets; this is how Nmap normally works on MS Windows.
Option --send-ip: the opposite, send through raw IP sockets, the usual mode on UNIX.
Option --interactive: interactive mode, rarely used; lets you launch several scans from a prompt.
Option -V or --version: show Nmap's version.
Option -h: show help.
More info: http://nmap.org/book/nmap-overview-and-demos.html
EXAMPLES
PORTS

[root@DomDzieci lucky2014]# nmap -sU -sX X.X.X.X -p 21,22,80,443,U:53,111,137,T:49152-49154

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-09 18:14 CET
Nmap scan report for static-89-113.is.net.pl (X.X.X.X)
Host is up (0.013s latency).
PORT      STATE         SERVICE
21/tcp    open|filtered ftp
22/tcp    open|filtered ssh
80/tcp    open|filtered http
443/tcp   open|filtered https
49152/tcp open|filtered unknown
49153/tcp open|filtered unknown
49154/tcp open|filtered unknown
21/udp    open|filtered ftp
22/udp    open|filtered ssh
53/udp    open|filtered domain
80/udp    open|filtered http
111/udp   open|filtered rpcbind
137/udp   open|filtered netbios-ns
443/udp   open|filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds
SIMPLE TCP SCAN

nmap -sT -O 127.0.0.1

[root@DomDzieci lucky2014]# nmap -sT -Pn -O X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 15:05 CET
Nmap scan report for static-89-113.is.net.pl (X.X.X.X)
Host is up.
All 1000 scanned ports on static-89-113.is.net.pl (X.X.X.X) are filtered
Too many fingerprints match this host to give specific OS details

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 211.50 seconds

[root@DomDzieci lucky2014]# nmap -sT -Pn -O 192.168.1.1

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 15:15 CET
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:11:50:1A:A7:BE (Belkin)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.49 seconds

[root@DomDzieci lucky2014]# nmap -sT -Pn -O 192.168.1.1 -p 21

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 15:42 CET
Nmap scan report for 192.168.1.1
Host is up (0.0015s latency).
PORT   STATE  SERVICE
21/tcp closed ftp
MAC Address: 00:11:50:1A:A7:BE (Belkin)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds
SCAN "STEALTH"
[root@DomDzieci lucky2014]# nmap -sS -A X.X.X.X Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-09 17:59 CET Nmap scan report for static-89-113.is.net.pl (X.X.X.X) Host is up (0.039s latency). Not shown: 992 filtered ports PORT STATE SERVICE VERSION 80/tcp open http? 443/tcp open skype2 Skype 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open unknown 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49158/tcp open msrpc Microsoft Windows RPC 49159/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : SF-Port80-TCP:V=5.51%I=7%D=11/9%Time=4EBAB1A8%P=i686-pc-linux-gnu%r(GetReq SF:uest,1A,"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(HTTPOptions,6E,"\ SF:x9e\xe0s%\x90D\x82>K\xb6\x89\x87\xd0w\xe7>1{\xb7'\?\xc2\xbbMu\[xH\xf0\x SF:d9\xb9\x0f\x16\.NHt\x83S\xbeYb\xa72h\0\x8b\xae\xbb0\xe1\x9e\xf7<}\x8a\x SF:f3\x08\xd96\xaf\x94\xf5\xa2\+\xe0\xd1\xceg\xecm\xbac\xb8\xc9f\x1fD\xe5\ SF:xd2\x9b\x90\xc1\xfe\xd7\x9c\]\xea\xd3h\xb9\x96\x8f\xf4\xd5\x02\x0b@\xb1 SF:\.GLM\x1aC\x18\xa9\xc6\xff\xa4")%r(RTSPRequest,5D,"\x83\xf4e\x84\x9c\xc SF:6\x84u\x9c\x81\xf0\x0b\xca\xab6Q\xed>\x14fg\[\xd5w1_\xa3\x8d\xb8\x1d\x1 SF:5\x90\xf7\xf3p\x18L\0\x81\xc3\xad\x9e\x0c>d\xe4\x18\xbb\xe38I\xe6\x9f\x SF:c4eR\x1b\x10A~W\x1c\xddjS\xe89\x16\x0ftU\x82\x8b\xc01\xae\xc7\xcc\xcd\x SF:9a\xc3\x98\)F\x7f\$E\xb2\xfbp!\xde7")%r(FourOhFourRequest,1A,"HTTP/1\.0 SF:\x20404\x20Not\x20Found\r\n\r\n")%r(RPCCheck,69,"\xdbg\xfc\xcb\x88N7\xe SF:f\x010\xb5\xab\$\x9bJ\xc1}Dh\xbf\x9d<\xd7\xcc\xdau\(\x1a\xd8lx\x08\xac\ SF:x91\xb9\x89\xce\xcd\xea\xe8\xcbOB\x15M\xda9l\xe5\xd2\x9b\x90\xc1\xfe\xd SF:7\x9c\]\xea\xd3h\xb9\x96\x8f\xf4\xd5\x02\x0b@\xb1\.GLM\x1aC\x18\xa9\xc6 SF:\xff\xa4\xc52{\xf0\xa1\^\xb7\xfc=J\xb3\xc8\x99\xf6oT\xb5b\xeb\xa0\x91\x SF:8e'\xac-")%r(DNSVersionBindReq,4D,"\x16_\x7f\xd7\x89b\"\x85v\xd4\n\x9bA 
SF:\x07\x0fTz\xa7z\xb5Vu\x8c\x8a\x8e\xfa\x8a\xe0\x0c\xb1\x87o\xbe\x94\xcd\ SF:xc5\xd2\xdc\x1b\xca\xa2<\x8e:md\$\x17\xa7,\xad\xfa\xa3\xf8\t\xa6_\x84%\ SF:x12\xdb\xd0\x01>\x17\xdc\x9d\*\x13\xa8\xf9\xd6\xcf4\x15BK")%r(DNSStatus SF:Request,59,"\x1e\xf6\xbcS\0\xcf`#\xc8\xb2\xf9\xaah\xb9D\xd6\xa9Zlp\xd6\ SF:$<\xf9\$\x86\xd7\x18!\x95\xa6\xa0\xb6\xa9\x1e\xeb\x99\xa4:I\x8fXOD\"v6W SF:\x19v\xef\xd45\xe2k\x20\x11\x0e\xa7,\xad\xfa\xa3\xf8\t\xa6_\x84%\x12\xd SF:b\xd0\x01>\x17\xdc\x9d\*\x13\xa8\xf9\xd6\xcf4\x15BK\x80\xf1")%r(SSLSess SF:ionReq,60,"D\x04\xb6n\xddR\xd3\xfa\x9a\xfc\xea\x01U\xa6\xf2\xb6\x9e\xf5 SF:\x98\xea\x9e4\x8b\xa0p1\xc92\x93P\xe4n\x98\x8f\xcd\x04QM\xb6w-s\xa3\x98 SF:\x03&\xf2\xfd\xb4\x95\xc2\xcb\0q\xee\x07\x0c\r\xda\x03\xd8i\x86\xbfd\x8 SF:5\xf2;\xb0a\x1ew\xbc\xfd\ns\x88Y\xb6/\x14u\"\xab`QN\xe7\xed\x8cc\+OE\xa SF:7\xb1")%r(LDAPBindReq,50,"/\x9e&F\x1dh\xa8\x1a\x10\xdd\xe8\xe5}\xa0r\.x SF:\x9f\x0c\x0e\x061\xa4\xee\xa6\x20\x17c[root@DomDzieci lucky2014]# nmap -sS -v X.X.X.X Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-16 23:31 CET Initiating Ping Scan at 23:31 Scanning X.X.X.X [4 ports] Completed Ping Scan at 23:31, 0.03s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 23:31 Completed Parallel DNS resolution of 1 host. at 23:31, 0.00s elapsed Initiating SYN Stealth Scan at 23:31 Scanning a67.net138.okay.pl (X.X.X.X) [1000 ports] Discovered open port 80/tcp on X.X.X.X Completed SYN Stealth Scan at 23:31, 4.62s elapsed (1000 total ports) Nmap scan report for a67.net138.okay.pl (X.X.X.X) Host is up (0.053s latency). 
Not shown: 983 closed ports PORT STATE SERVICE 53/tcp filtered domain 80/tcp open http 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 515/tcp filtered printer 631/tcp filtered ipp 1025/tcp filtered NFS-or-IIS 1720/tcp filtered H.323/Q.931 2869/tcp filtered icslap 6129/tcp filtered unknown 9100/tcp filtered jetdirect 9101/tcp filtered jetdirect 9102/tcp filtered jetdirect 9110/tcp filtered unknown 9111/tcp filtered DragonIDSConsole 9900/tcp filtered iua Read data files from: /usr/share/nmap Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds Raw packets sent: 1057 (46.484KB) | Rcvd: 1001 (40.044KB)
SCAN PING

[root@DomDzieci lucky2014]# nmap -sP 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 16:20 CET
Nmap scan report for DomDzieci.localdomain (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds

[root@DomDzieci lucky2014]# nmap -sP 192.168.1.1

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 16:20 CET
Nmap scan report for 192.168.1.1
Host is up (0.0017s latency).
MAC Address: 00:11:50:1A:A7:BE (Belkin)
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

[root@DomDzieci lucky2014]# nmap -PS -PA X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-22 18:31 CET
Nmap scan report for a23.net138.okay.pl (X.X.X.X)
Host is up (0.051s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
SCAN UDP || Back[root@DomDzieci lucky2014]# nmap -sU -d -v -g 53 --send-eth X.X.X.X Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-22 18:44 CET PORTS: Using top 1000 ports found open (TCP:0, UDP:1000, SCTP:0) --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 10, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- Initiating Ping Scan at 18:44 Scanning X.X.X.X [4 ports] Packet capture filter (device wlan0): dst host 192.168.1.3 and (icmp or ((tcp or udp or sctp) and (src host X.X.X.X))) We got a TCP ping packet back from X.X.X.X port 443 (trynum = 0) Completed Ping Scan at 18:44, 0.03s elapsed (1 total hosts) Overall sending rates: 146.78 packets / s, 5577.78 bytes / s. mass_rdns: Using DNS server 217.144.192.2 mass_rdns: Using DNS server 217.144.192.33 Initiating Parallel DNS resolution of 1 host. at 18:44 mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1] Completed Parallel DNS resolution of 1 host. at 18:44, 0.00s elapsed DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0] Initiating UDP Scan at 18:44 Scanning a23.net138.okay.pl (X.X.X.X) [1000 ports] Packet capture filter (device wlan0): dst host 192.168.1.3 and (icmp or ((tcp or udp or sctp) and (src host X.X.X.X))) Bad Sequence number from host X.X.X.X. Increased max_successful_tryno for X.X.X.X to 1 (packet drop) Increasing send delay for X.X.X.X from 0 to 50 due to 11 out of 22 dropped probes since last increase. Destroying timed-out global ping from X.X.X.X. Completed UDP Scan at 18:44, 46.39s elapsed (1000 total ports) Overall sending rates: 65.40 packets / s, 1884.19 bytes / s. Nmap scan report for a23.net138.okay.pl (X.X.X.X) Host is up, received syn-ack (0.0047s latency). 
Scanned at 2011-11-22 18:44:02 CET for 46s Not shown: 999 open|filtered ports Reason: 999 no-responses PORT STATE SERVICE REASON 137/udp filtered netbios-ns admin-prohibited from 80.85.224.249 Final times for host: srtt: 4697 rttvar: 1621 to: 100000 Read from /usr/share/nmap: nmap-payloads nmap-services. Nmap done: 1 IP address (1 host up) scanned in 46.60 seconds Raw packets sent: 3038 (87.561KB) | Rcvd: 37 (1.568KB)[root@DomDzieci lucky2014]# nmap -sU 192.168.1.1 -p 80 Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 16:29 CET Nmap scan report for 192.168.1.1 Host is up (0.0013s latency). PORT STATE SERVICE 80/udp closed http MAC Address: 00:11:50:1A:A7:BE (Belkin) Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds [root@DomDzieci lucky2014]# nmap -sU -PN X.X.X.X -p 80 Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 16:30 CET Nmap scan report for static-89-113.is.net.pl (X.X.X.X) Host is up. PORT STATE SERVICE 80/udp open|filtered http Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds
SCAN "HIDDEN"

[root@DomDzieci lucky2014]# nmap -sF -v -A X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-13 10:31 CET
NSE: Loaded 57 scripts for scanning.
Initiating Ping Scan at 10:31
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 10:31, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:31
Completed Parallel DNS resolution of 1 host. at 10:31, 0.01s elapsed
Initiating FIN Scan at 10:31
Scanning a23.net138.okay.pl (X.X.X.X) [1000 ports]
Completed FIN Scan at 10:31, 7.42s elapsed (1000 total ports)
Initiating Service scan at 10:31
Scanning 996 services on a23.net138.okay.pl (X.X.X.X)
Discovered open port 80/tcp on X.X.X.X
Discovered open|filtered port 80/tcp on a23.net138.okay.pl (X.X.X.X) is actually open
Discovered open port 443/tcp on X.X.X.X
Discovered open|filtered port 443/tcp on a23.net138.okay.pl (X.X.X.X) is actually open
Service scan Timing: About 9.90% done; ETC: 10:36 (0:04:42 remaining)
Service scan Timing: About 20.70% done; ETC: 10:36 (0:03:54 remaining)
Service scan Timing: About 31.50% done; ETC: 10:36 (0:03:18 remaining)
Service scan Timing: About 43.10% done; ETC: 10:36 (0:02:40 remaining)
Service scan Timing: About 55.10% done; ETC: 10:35 (0:02:03 remaining)
Service scan Timing: About 67.10% done; ETC: 10:35 (0:01:29 remaining)
Service scan Timing: About 79.10% done; ETC: 10:35 (0:00:56 remaining)
Completed Service scan at 10:35, 260.11s elapsed (1000 services on 1 host)
Initiating OS detection (try #1) against a23.net138.okay.pl (X.X.X.X)
Initiating Traceroute at 10:35
Completed Traceroute at 10:35, 0.05s elapsed
Initiating Parallel DNS resolution of 5 hosts. at 10:35
Completed Parallel DNS resolution of 5 hosts. at 10:35, 0.02s elapsed
NSE: Script scanning X.X.X.X.
Initiating NSE at 10:35
NSE Timing: About 40.24% done; ETC: 10:37 (0:00:46 remaining)
Completed NSE at 10:37, 112.25s elapsed
NSE: Script scanning X.X.X.X.
Initiating NSE at 10:37
Completed NSE at 10:38, 63.17s elapsed
Nmap scan report for a23.net138.okay.pl (X.X.X.X)
Host is up (0.022s latency).
Not shown: 998 open|filtered ports
PORT    STATE SERVICE VERSION
80/tcp  open  http?
443/tcp open  skype2  Skype
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.51%I=7%D=11/13%Time=4EBF8E73%P=i686-pc-linux-gnu%r(GetRe
SF:quest,1A,"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(HTTPOptions,33,"
SF:\xc1\x10G\xcd\xa3\xbc9Z\x1e\xc1P\x8c\x06i4o\xe3\xca3\x9c\xcb\xc7u\n\xdc
SF:z\x17l\x89\xe8\xa0l\.\x82\xcb\xe1\x04\xed\|\xbb\xec\+\t\xe9\x8d6\]\xb7\
SF:xe9\x06\?")%r(RTSPRequest,58,"1#\xdf\x81\x10Az\xf2QI\xe1\x13\x90/\x16\x
SF:99\xd1\xef\xcb\xad\x13\x90>}11\xf3\x95\x8c\xbfP\xf9\x186\x1e~\x0bUW\xe6
SF:l\x14:\x97\xb56{\xcc\xb0a\x1ew\xbc\xfd\ns\x88Y\xb6/\x14u\"\xab`QN\xe7l\
SF:xed:\xe38I\xe6\x9f\xc4eR\x1b\x10A~W\x1c\xddjS")%r(FourOhFourRequest,1A,
SF:"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(RPCCheck,58,"\xaef\xc5\xe
SF:0X\x07\xb2rws\xcb\x12\xc9\xe0yO\?\xce\?wok\xe0\xad\x9f\xd2a\x01\x20\x06
SF:\x98\x16\xa4\xc9\tcQ\xac\xf3\xa8R\xac\x0b2\x90y\xc7\x8d\x8c\x8dZ\x83X\x
SF:e9\x06\?\xe4\x05r\xbb0\xe1\x9e\xf7<}\x8a\xf3\x08\xd96\xaf\x94\xf5\xa2\+
SF:\xe0\xd1\xceg\xecm\xbac\xb8\xc9f\x1f")%r(DNSVersionBindReq,57,"\xd7G\x8
SF:e,\x01\xf6\x1fU\x9e\xaa\x02\x81\xd3\xea\xff\\\xa8\x1b6D\xfd6\x15\xa5&\x
SF:82\x8b\x17\xce\x08\x9b\xfc\x83\x14\xc3\xc6\xe4\x0e\x87\x85\x89\xd28u\x9
SF:2\0\x9e\x02O\xb4\x95\xc2\xcb\0q\xee\x07\x0c\r\xda\x03\xd8i\x86\xbfd\x85
SF:\xf2;\xb0a\x1ew\xbc\xfd\ns\x88Y\xb6/\x14u\"\xab`Q")%r(DNSStatusRequest,
SF:31,"\x15\x0c\$\xf0\xba\xfew\x8f\x0b\x88i\xf6\xdf3W\xe9\x16\xd5d\x83=\xd
SF:6\xc6{=\xf4dJ\x8e\x05\x9f\x9bI\x11\0,k\[\xb6\^\x05\x9b\xe8\xbd\r\xe3\xb
SF:5\xc2!")%r(SSLSessionReq,74,"\xf64\x13\xa67\xad\?\x0b\x1a\x8bb\0\x94\xc
SF:a\x98\xd0\x90\xa2\+3\xb6\x83\xf7\x9d,\xe50<\xee\x01IA\xb7\x9b\r\xf9\xc1
SF:\xad/\x0b\x0e8\x87\xcb\xc8\xa4-\x02\xb6/\x14u\"\xab`QN\xe7l\xed:\xe38I\
SF:xe6\x9f\xc4eR\x1b\x10A~W\x1c\xddjS\xe89\x16\x0ftU\x82\x8b\xc01\xae\xc7\
SF:xcc\xcd\x9a\xc3\x98\)F\x7f\$E\xb2\xfbp!\xde7\|\xbd\xec\x04\x8f\*\x05\xa
SF:4;\x87")%r(SMBProgNeg,47,"\xcai5\xd6\xc9\xe3\x8c\x89\x11T\xee\xfe2t\x88
SF:R\xb4\\\xbb}\xd3Ns\xd6:\x85CQ=\xb1\?d3\xd6\x20\xd9x\x87\x81\xa1\xaf\xd4
SF:\xca\xdd\xdb\xb6\xed\x18a\x1ew\xbc\xfd\ns\x88Y\xb6/\x14u\"\xabcJyv\xe4L
SF:\xe8\x98")%r(LDAPBindReq,6A,"\xac\xf6\x13\xe0\xf8\xd6\x8c\xef>\xfe{\xe4
SF:\xb5{S\xd7\xc0\xef\x02\x98\x06\*\x1f\^,\x89\[\x91\xe1\xaf\|\xa3j\xb0\xf
SF:6P\xb4\xfd\xae\xfd\xab\x0bD\xf4\xb0\xb8\?w\xd45\xe2k\x20\x11\x0e\xa7,\x
SF:ad\xfa\xa3\xf8\t\xa6_\x84%\x12\xdb\xd0\x01>\x17\xdc\x9d\*\x13\xa8\xf9\x
SF:d6\xcf4\x15BK\x80\xf1n\x87\x8c\x8dZ\x83X\xe9\x06\?\xe4\x05r\xbb0\xe1\x9
SF:e\xf7<}");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS details: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 or SP3, Microsoft Windows XP SP3
Network Distance: 5 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   25.06 ms 192.168.1.1
2   42.95 ms static-79-1.is.net.pl (X.X.X.X)
3   41.21 ms 80.85.224.249
4   40.63 ms 192.168.9.113
5   39.46 ms a23.net138.okay.pl (X.X.X.X)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 453.50 seconds
           Raw packets sent: 2059 (85.092KB) | Rcvd: 28 (1.460KB)
SCAN OF PROTOCOLS

[root@DomDzieci lucky2014]# nmap -sO -PN -v X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-13 10:53 CET
Initiating Parallel DNS resolution of 1 host. at 10:53
Completed Parallel DNS resolution of 1 host. at 10:53, 0.00s elapsed
Initiating IPProto Scan at 10:53
Scanning a26.net138.okay.pl (X.X.X.X) [256 ports]
Discovered open port 17/ip on X.X.X.X
Completed IPProto Scan at 10:54, 4.10s elapsed (256 total ports)
Nmap scan report for a26.net138.okay.pl (X.X.X.X)
Host is up (0.020s latency).
Not shown: 254 open|filtered protocols
PROTOCOL STATE  SERVICE
17       open   udp
132      closed sctp

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.14 seconds
           Raw packets sent: 510 (10.312KB) | Rcvd: 4 (284B)

[root@DomDzieci lucky2014]# nmap -sO 192.168.1.1

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 17:25 CET
Nmap scan report for 192.168.1.1
Host is up (0.011s latency).
Not shown: 251 open|filtered protocols
PROTOCOL STATE  SERVICE
1        open   icmp
2        closed igmp
6        open   tcp
17       open   udp
132      closed sctp
MAC Address: 00:11:50:1A:A7:BE (Belkin)

Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds
SCAN IDLE

[root@DomDzieci lucky2014]# nmap -sI Y.Y.Y.Y:443 X.X.X.X

WARNING: Many people use -Pn w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-13 11:15 CET
Idle scan using zombie Y.Y.Y.Y (Y.Y.Y.Y:443); Class: Incremental
Nmap scan report for static-89-113.is.net.pl (X.X.X.X)
Host is up (0.024s latency).
Not shown: 996 closed|filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
2103/tcp  open  zephyr-clt
8080/tcp  open  http-proxy
15002/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 213.41 seconds
SCAN OF OS DETECTION
[root@DomDzieci lucky2014]# nmap -O -PN -v X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-06 17:58 CET
Initiating Parallel DNS resolution of 1 host. at 17:58
Completed Parallel DNS resolution of 1 host. at 17:58, 0.00s elapsed
Initiating SYN Stealth Scan at 17:58
Scanning static-89-113.is.net.pl (X.X.X.X) [1000 ports]
Discovered open port 443/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Discovered open port 49153/tcp on X.X.X.X
Discovered open port 49152/tcp on X.X.X.X
Completed SYN Stealth Scan at 17:59, 14.43s elapsed (1000 total ports)
Initiating OS detection (try #1) against static-89-113.is.net.pl (X.X.X.X)
Nmap scan report for static-89-113.is.net.pl (X.X.X.X)
Host is up (0.022s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
49152/tcp open  unknown
49153/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008|7|Vista
OS details: Microsoft Windows Server 2008, Microsoft Windows Server 2008 Beta 3, Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7
Uptime guess: 0.029 days (since Sun Nov 6 17:17:05 2011)
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.24 seconds
           Raw packets sent: 2046 (92.592KB) | Rcvd: 15 (760B)
SCAN OF VERSION DETECTION
[root@DomDzieci lucky2014]# nmap -A -PN -v X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-13 10:55 CET
NSE: Loaded 57 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 10:55
Completed Parallel DNS resolution of 1 host. at 10:55, 0.00s elapsed
Initiating SYN Stealth Scan at 10:55
Scanning a26.net138.okay.pl (X.X.X.X) [1000 ports]
Discovered open port 443/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Increasing send delay for X.X.X.X from 0 to 5 due to 45 out of 149 dropped probes since last increase.
Completed SYN Stealth Scan at 10:55, 10.03s elapsed (1000 total ports)
Initiating Service scan at 10:55
Scanning 2 services on a26.net138.okay.pl (X.X.X.X)
Service scan Timing: About 50.00% done; ETC: 10:58 (0:01:34 remaining)
Completed Service scan at 10:57, 93.95s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against a26.net138.okay.pl (X.X.X.X)
Initiating Traceroute at 10:57
Completed Traceroute at 10:57, 0.03s elapsed
Initiating Parallel DNS resolution of 5 hosts. at 10:57
Completed Parallel DNS resolution of 5 hosts. at 10:57, 2.51s elapsed
NSE: Script scanning X.X.X.X.
Initiating NSE at 10:57
Completed NSE at 10:57, 22.43s elapsed
Nmap scan report for a26.net138.okay.pl (X.X.X.X)
Host is up (0.0072s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
80/tcp   open     http?
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     skype2       Skype
445/tcp  filtered microsoft-ds
1025/tcp filtered NFS-or-IIS
1720/tcp filtered H.323/Q.931
2869/tcp filtered icslap
6129/tcp filtered unknown
9900/tcp filtered iua
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.51%I=7%D=11/13%Time=4EBF9424%P=i686-pc-linux-gnu%r(GetRe
SF:quest,1A,"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(HTTPOptions,61,"
SF:\)\t\xeb#\x17\xda\x89\x16X\xe37<\xc1~f\x8d\xfa\xf0\xd4\xd8\xefr\x01\x99
SF:\xba\xe6\xb1\xe4\xc9'eL\xdad>,@\xc1\x9c:\x86;\xa9\x14\xfd\xcb\xc4\xb1\x
SF:9d\*\x13\xa8\xf9\xd6\xcf4\x15BK\x80\xf1n\x87\x8c\x8dZ\x83X\xe9\x06\?\xe
SF:4\x05r\xbb0\xe1\x9e\xf7<}\x8a\xf3\x08\xd96\xaf\x94\xf5\xa2\+\xe0\xd1\xc
SF:eg\xecm")%r(RTSPRequest,51,"\xea\x08\xd8D\xc6k\xcc0\xc6n\xa9}\x15\x90\x
SF:cd\x81\n>\xc8\x82\xdf\x01\xdft\xeb\xb4O\x99\xe1\xac\xce\x1cm\xcf\]\x0cM
SF:k\xd4S\xd6\x05\x8c\x1e\xe4\xed\xc5\xa5\xee\x07\x0c\r\xda\x03\xd8i\x86\x
SF:bfd\x85\xf2;\xb0a\x1ew\xbc\xfd\ns\x88Y\xb6/\x14u\"\xab`QN")%r(FourOhFou
SF:rRequest,1A,"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(RPCCheck,36,"
SF:\xca\xb3\x86\xc76m\xc3\xb2&\xbdGt/E\x8c\x9dt\xd0\x1b\xae\xe8\xa6d\xf4\)
SF:\xa6\xd8\xdd\x142\xb6\xeb\xe2\xab\x8f\xef\xe9o\xfd\xe3\xf8\x04\xe967gp\
SF:x8cI\xe6\x9f\xc4eR")%r(DNSVersionBindReq,66,"\0\xc5m\xaf\xa1y\xc7\x81\x
SF:af\xebl2\x12%%\xe7\x8c\(s\xe3\xab\xdc\xa3B\"@\xfb\xa98\x19\]k\x06\x85\x
SF:b8N\xe2\x84\xa61\xa93\x87\xd4\x84\x85\x06\.\x17\xdc\x9d\*\x13\xa8\xf9\x
SF:d6\xcf4\x15BK\x80\xf1n\x87\x8c\x8dZ\x83X\xe9\x06\?\xe4\x05r\xbb0\xe1\x9
SF:e\xf7<}\x8a\xf3\x08\xd96\xaf\x94\xf5\xa2\+\xe0\xd1\xceg\xecm\xbac\xb8")
SF:%r(DNSStatusRequest,4A,"\xb1\xcb>\x9b>\x0cl\xca\xc0\xea&1\xc9\xec\xcd\x
SF:df\xdeK{\xa3\xc8\[L\xff!\x8a\x7f\x84zZ\r\x91\x99\x1b\x9cb\x99m\x02v\xd4
SF:\x08\x90U\xc3\xd3\xc8yjS\xe89\x16\x0ftU\x82\x8b\xc01\xae\xc7\xcc\xcd\x9
SF:a\xc3\x98\)F\x7f\$E\xb2\xfb")%r(SSLSessionReq,72,"\x94\x03G\x0f\xf4\xd3
SF:\xdb\xa0zz\xe7\xb2\x8e4\xbb\xdaX\]\xc4\x15\xd6\x8c{\xb4L\xf3-\x82\x05\x
SF:fa\xeeU\xd0'-\xc9aNzG\x02\xcfI\xf7o\xbf\x1df&\xdf\x04\xa5\x92\[P\x81\xb
SF:e\x97\\\x1d\xaa\x93\(yVO\xb4\x95\xc2\xcb\0q\xee\x07\x0c\r\xda\x03\xd8i\
SF:x86\xbfd\x85\xf2;\xb0a\x1ew\xbc\xfd\ns\x88Y\xb6/\x14u\"\xab`QN\xe7\xb6H
SF:\xdc\r\xb5u\x97\x13")%r(SMBProgNeg,59,"JE\xa0\xf3\x99\x88}\xaa\xcf\x88S
SF:Z\x8b\xf8\xac\xa3\xaf\xcf\x15\xee\xed\x18e\n\xb71\xc1t6\x97\x05'\xfb\x1
SF:9\x17\xdc\x9d\*\x13\xa8\xf9\xd6\xcf4\x15BK\x80\xf1gd
SF:OBD\x87\?\xaa");
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP Professional SP2
Network Distance: 5 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   8.01 ms  192.168.1.1
2   19.66 ms static-79-1.is.net.pl (X.X.X.X)
3   21.71 ms 80.85.224.249
4   19.30 ms 192.168.9.113
5   21.98 ms a26.net138.okay.pl (X.X.X.X)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.00 seconds
           Raw packets sent: 1119 (50.712KB) | Rcvd: 1098 (44.332KB)
[root@DomDzieci lucky2014]# nmap -sV -vv X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-16 22:32 CET
NSE: Loaded 8 scripts for scanning.
Initiating Ping Scan at 22:32
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 22:32, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:32
Completed Parallel DNS resolution of 1 host. at 22:32, 0.00s elapsed
Initiating SYN Stealth Scan at 22:32
Scanning a23.net138.okay.pl (X.X.X.X) [1000 ports]
Discovered open port 443/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Completed SYN Stealth Scan at 22:33, 14.65s elapsed (1000 total ports)
Initiating Service scan at 22:33
Scanning 2 services on a23.net138.okay.pl (X.X.X.X)
Service scan Timing: About 50.00% done; ETC: 22:34 (0:00:32 remaining)
Completed Service scan at 22:34, 102.77s elapsed (2 services on 1 host)
NSE: Starting runlevel 1 (of 1) scan.
NSE: Script scanning X.X.X.X.
Initiating NSE at 22:34
Completed NSE at 22:34, 0.03s elapsed
Nmap scan report for a23.net138.okay.pl (X.X.X.X)
Host is up (0.035s latency).
Scanned at 2011-11-16 22:32:56 CET for 118s
Not shown: 998 filtered ports
PORT    STATE SERVICE VERSION
80/tcp  open  http?
443/tcp open  skype2  Skype
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.51%I=7%D=11/16%Time=4EC42C20%P=i686-pc-linux-gnu%r(GetRe
SF:quest,1A,"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(HTTPOptions,55,"
SF:J\x13yi\xd3i,\xcdu\)\xd1I\xbc\x99Q\xe1\"L\.\xd2\xdb\xe2\x9c\xf4e\xae\x1
SF:9\xfb
SCAN ACK

[root@DomDzieci lucky2014]# nmap -sA -PN -v X.X.X.X -p 80

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-08 17:18 CET
Initiating Parallel DNS resolution of 1 host. at 17:18
Completed Parallel DNS resolution of 1 host. at 17:18, 0.01s elapsed
Initiating ACK Scan at 17:18
Scanning a23.net138.okay.pl (X.X.X.X) [1 port]
Completed ACK Scan at 17:18, 2.02s elapsed (1 total ports)
Nmap scan report for a23.net138.okay.pl (X.X.X.X)
Host is up.
PORT   STATE    SERVICE
80/tcp filtered http

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds
           Raw packets sent: 2 (80B) | Rcvd: 0 (0B)

[root@DomDzieci lucky2014]# nmap -sA -T4 X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-16 22:42 CET
Nmap scan report for host.pl (X.X.X.X)
Host is up (0.024s latency).
Not shown: 999 filtered ports
PORT    STATE      SERVICE
443/tcp unfiltered https

Nmap done: 1 IP address (1 host up) scanned in 150.94 seconds

[root@DomDzieci lucky2014]# nmap -sA -d -v -g 53 --send-eth X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-22 18:55 CET
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 18:55
Scanning X.X.X.X [4 ports]
Packet capture filter (device wlan0): dst host 192.168.1.3 and (icmp or ((tcp or udp or sctp) and (src host X.X.X.X)))
We got a TCP ping packet back from X.X.X.X port 443 (trynum = 0)
Completed Ping Scan at 18:55, 0.03s elapsed (1 total hosts)
Overall sending rates: 149.67 packets / s, 5687.35 bytes / s.
mass_rdns: Using DNS server 217.144.192.2
mass_rdns: Using DNS server 217.144.192.33
Initiating Parallel DNS resolution of 1 host. at 18:55
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 18:55, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating ACK Scan at 18:55
Scanning a23.net138.okay.pl (X.X.X.X) [1000 ports]
Packet capture filter (device wlan0): dst host 192.168.1.3 and (icmp or ((tcp or udp or sctp) and (src host X.X.X.X)))
Bad Sequence number from host X.X.X.X.
Received scan response with unexpected TCP flags: 16
Increased max_successful_tryno for X.X.X.X to 1 (packet drop)
Completed ACK Scan at 18:55, 19.95s elapsed (1000 total ports)
Overall sending rates: 150.97 packets / s, 6038.76 bytes / s.
Nmap scan report for a23.net138.okay.pl (X.X.X.X)
Host is up, received syn-ack (0.027s latency).
Scanned at 2011-11-22 18:55:02 CET for 20s
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT    STATE      SERVICE REASON
80/tcp  unfiltered http    reset
443/tcp unfiltered https   reset
Final times for host: srtt: 27262 rttvar: 29207 to: 144090
Read from /usr/share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 20.17 seconds
           Raw packets sent: 3015 (120.592KB) | Rcvd: 16 (644B)
SCAN WINDOW TCP
[root@DomDzieci lucky2014]# nmap -sW -sV -vv host.pl

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-16 22:50 CET
NSE: Loaded 8 scripts for scanning.
Initiating Ping Scan at 22:50
Scanning host.pl (X.X.X.X) [4 ports]
Completed Ping Scan at 22:50, 2.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:50
Completed Parallel DNS resolution of 1 host. at 22:50, 0.00s elapsed
Initiating Window Scan at 22:50
Scanning host.pl (X.X.X.X) [1000 ports]
Increasing send delay for X.X.X.X from 0 to 5 due to 11 out of 12 dropped probes since last increase.
Increasing send delay for X.X.X.X from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Window Scan Timing: About 43.15% done; ETC: 22:51 (0:00:41 remaining)
Increasing send delay for X.X.X.X from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for X.X.X.X from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Window Scan Timing: About 59.30% done; ETC: 22:52 (0:00:50 remaining)
Increasing send delay for X.X.X.X from 40 to 80 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for X.X.X.X from 80 to 160 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for X.X.X.X from 160 to 320 due to 11 out of 11 dropped probes since last increase.
Window Scan Timing: About 73.00% done; ETC: 22:52 (0:00:46 remaining)
Increasing send delay for X.X.X.X from 320 to 640 due to 11 out of 11 dropped probes since last increase.
Window Scan Timing: About 78.00% done; ETC: 22:53 (0:00:49 remaining)
Window Scan Timing: About 81.60% done; ETC: 22:54 (0:00:50 remaining)
Increasing send delay for X.X.X.X from 640 to 1000 due to 11 out of 11 dropped probes since last increase.
Window Scan Timing: About 83.95% done; ETC: 22:55 (0:00:52 remaining)
Window Scan Timing: About 86.40% done; ETC: 22:56 (0:00:52 remaining)
Window Scan Timing: About 88.85% done; ETC: 22:57 (0:00:48 remaining)
Window Scan Timing: About 91.05% done; ETC: 22:57 (0:00:42 remaining)
Window Scan Timing: About 93.05% done; ETC: 22:58 (0:00:35 remaining)
Completed Window Scan at 23:00, 628.49s elapsed (1000 total ports)
Initiating Service scan at 23:00
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for host.pl (X.X.X.X)
Host is up (0.029s latency).
rDNS record for X.X.X.X: host.pl
Scanned at 2011-11-16 22:50:02 CET for 631s
Not shown: 999 filtered ports
PORT    STATE  SERVICE VERSION
443/tcp closed https

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 630.94 seconds
           Raw packets sent: 2142 (85.664KB) | Rcvd: 2122 (84.956KB)
REMOTE PROCEDURE CALL (RPC)
[root@DomDzieci lucky2014]# nmap -sS -sR -v -D X.X.X.X,My IP,X.X.X.X Y.Y.Y.Y

WARNING: RPC scan currently does not make use of decoys so don't count on that protection

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-17 17:15 CET
Initiating Ping Scan at 17:15
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 17:15, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:15
Completed Parallel DNS resolution of 1 host. at 17:15, 0.00s elapsed
Initiating SYN Stealth Scan at 17:15
Scanning static-89-53.is.net.pl (X.X.X.X) [1000 ports]
Increasing send delay for X.X.X.X from 0 to 5 due to 42 out of 138 dropped probes since last increase.
Completed SYN Stealth Scan at 17:15, 13.05s elapsed (1000 total ports)
Nmap scan report for static-89-53.is.net.pl (X.X.X.X)
Host is up (0.076s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE      VERSION
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1720/tcp filtered H.323/Q.931

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.27 seconds
           Raw packets sent: 5028 (221.120KB) | Rcvd: 1042 (41.680KB)
SCAN LIST OF IP
[root@DomDzieci lucky2014]# nmap -sL 85.28.138.1-13

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-08 17:44 CET
Nmap scan report for a1.net138.okay.pl (85.28.138.1)
Nmap scan report for a2.net138.okay.pl (85.28.138.2)
Nmap scan report for a3.net138.okay.pl (85.28.138.3)
Nmap scan report for www.arek.okay.pl (85.28.138.4)
Nmap scan report for a5.net138.okay.pl (85.28.138.5)
Nmap scan report for a6.net138.okay.pl (85.28.138.6)
Nmap scan report for a7.net138.okay.pl (85.28.138.7)
Nmap scan report for a8.net138.okay.pl (85.28.138.8)
Nmap scan report for a9.net138.okay.pl (85.28.138.9)
Nmap scan report for a10.net138.okay.pl (85.28.138.10)
Nmap scan report for a11.net138.okay.pl (85.28.138.11)
Nmap scan report for a12.net138.okay.pl (85.28.138.12)
Nmap scan report for a13.net138.okay.pl (85.28.138.13)
Nmap done: 13 IP addresses (0 hosts up) scanned in 0.13 seconds
SCAN MAIMON
[root@DomDzieci lucky2014]# nmap -sM -v X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-16 23:19 CET
Initiating Ping Scan at 23:19
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 23:19, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:19
Completed Parallel DNS resolution of 1 host. at 23:19, 0.05s elapsed
Initiating Maimon Scan at 23:19
Scanning shellmix.com (X.X.X.X) [1000 ports]
Completed Maimon Scan at 23:19, 19.37s elapsed (1000 total ports)
Nmap scan report for shellmix.com (X.X.X.X)
Host is up (0.072s latency).
Not shown: 998 open|filtered ports
PORT     STATE  SERVICE
111/tcp  closed rpcbind
2049/tcp closed nfs

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.62 seconds
           Raw packets sent: 3013 (120.516KB) | Rcvd: 2335 (93.408KB)
SCAN DECOYS
[root@DomDzieci lucky2014]# nmap -sF -v -D X.X.X.X,Y.Y.Y.Y,X.X.X.X,MY IP -p 80 X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-17 17:01 CET
Initiating Ping Scan at 17:01
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 17:01, 2.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:01
Completed Parallel DNS resolution of 1 host. at 17:01, 0.00s elapsed
Initiating FIN Scan at 17:01
Scanning static-89-113.is.net.pl (X.X.X.X) [1 port]
Completed FIN Scan at 17:01, 0.24s elapsed (1 total ports)
Nmap scan report for static-89-113.is.net.pl (X.X.X.X)
Host is up (0.022s latency).
PORT   STATE         SERVICE
80/tcp open|filtered http

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds
           Raw packets sent: 50 (1.920KB) | Rcvd: 1 (44B)
TIMING
[root@DomDzieci lucky2014]# nmap -sS -T4 -v -D X.X.X.X,My IP,Y.Y.Y.Y X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-17 17:12 CET
Initiating Ping Scan at 17:12
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 17:12, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 0.00s elapsed
Initiating SYN Stealth Scan at 17:12
Scanning static-89-53.is.net.pl (X.X.X.X) [1000 ports]
Completed SYN Stealth Scan at 17:13, 8.81s elapsed (1000 total ports)
Nmap scan report for static-89-53.is.net.pl (X.X.X.X)
Host is up (0.053s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1720/tcp filtered H.323/Q.931

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 9.02 seconds
           Raw packets sent: 4144 (182.240KB) | Rcvd: 1010 (40.388KB)
FAST SCAN
[root@DomDzieci lucky2014]# nmap -F -PN 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-09 17:52 CET
Nmap scan report for DomDzieci.localdomain (127.0.0.1)
Host is up (0.000015s latency).
Not shown: 99 closed ports
PORT     STATE SERVICE
6000/tcp open  X11

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
TURNING OFF PING
[root@DomDzieci nmap]# nmap -g 53 -w -PN X.X.X.X

Warning: File ./nmap.xsl exists, but Nmap is using /usr/share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-23 12:50 CET
Nmap scan report for a26.net138.okay.pl (X.X.X.X)
Host is up (0.0040s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
1025/tcp filtered NFS-or-IIS
1720/tcp filtered H.323/Q.931
2869/tcp filtered icslap
6129/tcp filtered unknown
9900/tcp filtered iua

Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds
[root@DomDzieci lucky2014]# nmap -PT -PS -vv X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-08 18:53 CET
Initiating Ping Scan at 18:53
Scanning X.X.X.X [2 ports]
Completed Ping Scan at 18:53, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:53
Completed Parallel DNS resolution of 1 host. at 18:53, 0.00s elapsed
Initiating SYN Stealth Scan at 18:53
Scanning static-89-76.is.net.pl (X.X.X.X) [1000 ports]
Discovered open port 443/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Completed SYN Stealth Scan at 18:53, 15.17s elapsed (1000 total ports)
Nmap scan report for static-89-76.is.net.pl (X.X.X.X)
Host is up (0.040s latency).
Scanned at 2011-11-08 18:53:03 CET for 16s
Not shown: 996 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
1056/tcp closed vfo
2869/tcp closed icslap

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.41 seconds
           Raw packets sent: 3004 (132.172KB) | Rcvd: 14 (572B)
FRAGMENTING PACKETS
[root@DomDzieci lucky2014]# nmap -f -sS -PN -vv X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-09 17:27 CET
Initiating Parallel DNS resolution of 1 host. at 17:27
Completed Parallel DNS resolution of 1 host. at 17:27, 0.00s elapsed
Initiating SYN Stealth Scan at 17:27
Scanning static-89-113.is.net.pl (X.X.X.X) [1000 ports]
Discovered open port 443/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Discovered open port 49152/tcp on X.X.X.X
Discovered open port 49153/tcp on X.X.X.X
Discovered open port 49155/tcp on X.X.X.X
Discovered open port 49154/tcp on X.X.X.X
Discovered open port 49159/tcp on X.X.X.X
Completed SYN Stealth Scan at 17:27, 19.01s elapsed (1000 total ports)
Nmap scan report for static-89-113.is.net.pl (X.X.X.X)
Host is up (0.074s latency).
Scanned at 2011-11-09 17:27:38 CET for 19s
Not shown: 993 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.14 seconds
           Raw packets sent: 2004 (88.176KB) | Rcvd: 16 (704B)
[root@DomDzieci lucky2014]# nmap -sS -v -n -T4 -ff X.X.X.X -p 1-1023

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-20 21:18 CET
Initiating Ping Scan at 21:18
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 21:18, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:18
Scanning X.X.X.X [1023 ports]
Discovered open port 443/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Completed SYN Stealth Scan at 21:18, 6.01s elapsed (1023 total ports)
Nmap scan report for X.X.X.X
Host is up (0.012s latency).
Not shown: 1021 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.20 seconds
           Raw packets sent: 2051 (90.220KB) | Rcvd: 5 (220B)
NSE
[root@DomDzieci nmap]# nmap --script default,safe -v X.X.X.X -p 80

Warning: File ./nmap.xsl exists, but Nmap is using /usr/share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-23 12:43 CET
NSE: Loaded 103 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:43
Completed NSE at 12:43, 40.00s elapsed
Initiating Ping Scan at 12:43
Scanning X.X.X.X [4 ports]
Completed Ping Scan at 12:43, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:43
Completed Parallel DNS resolution of 1 host. at 12:43, 0.00s elapsed
Initiating SYN Stealth Scan at 12:43
Scanning a26.net138.okay.pl (X.X.X.X) [1 port]
Discovered open port 80/tcp on X.X.X.X
Completed SYN Stealth Scan at 12:43, 0.02s elapsed (1 total ports)
NSE: Script scanning X.X.X.X.
Initiating NSE at 12:43
Completed NSE at 12:44, 5.63s elapsed
Nmap scan report for a26.net138.okay.pl (X.X.X.X)
Host is up (0.0060s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-malware-host: Host appears to be clean
| http-headers:
|
|_  (Request type: GET)

Host script results:
| asn-query:
| BGP: 85.28.128.0/18 | Country: PL
|   Origin AS: 21404 - FIRMA FIRMA S.A. Tarnow
|_    Peer AS: 8246 20804
|_ipidseq: Unknown

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 46.38 seconds
           Raw packets sent: 96 (108.244KB) | Rcvd: 2 (88B)
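Every session above ends in the same PORT / STATE / SERVICE table (sometimes with a VERSION or REASON column, and a PROTOCOL table for -sO), and the defender's routine use of these scans is to re-run them against your own hosts and watch for changes. As an added example, not part of this tutorial and not Nmap's own code, here is a small Python parser for that normal-output format together with a diff that flags ports newly reachable between two scans of the same host. It treats open|filtered as reachable, because the UDP, FIN, NULL, Xmas and Maimon scans shown above cannot distinguish it from open. The two sample reports, the host name web.example.test and the address 192.0.2.10 are constructed for the demo.

```python
"""Parse Nmap "normal" output (the format shown in every session above) and
diff two reports of the same host to spot newly exposed ports.
Added example for this tutorial; it is not Nmap code and the sample reports
below are constructed, not real scan results."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Nmap's six port states; the two-word states must come first in the alternation.
STATES = r"open\|filtered|closed\|filtered|open|closed|filtered|unfiltered"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) (?:ports|protocols)$")
# "80/tcp open http", "137/udp filtered netbios-ns admin-prohibited from ..."
PORT_RE = re.compile(rf"^(\d+)/(tcp|udp|sctp)\s+({STATES})\s+(\S+)(?:\s+(.*))?$")
# -sO tables list bare IP protocol numbers: "17 open udp"
PROTO_RE = re.compile(rf"^(\d+)\s+({STATES})\s+(\S+)$")


@dataclass
class PortEntry:
    number: int
    proto: str          # tcp, udp, sctp, or "ip" for an IP protocol scan entry
    state: str
    service: str
    extra: str = ""     # VERSION or REASON text when the line carried one


@dataclass
class HostReport:
    name: str
    addr: Optional[str]
    ports: List[PortEntry] = field(default_factory=list)
    not_shown: Optional[Tuple[int, str]] = None   # (count, state) summarised away


def parse_nmap_normal(text: str) -> List[HostReport]:
    """Return one HostReport per 'Nmap scan report for ...' block in text."""
    reports: List[HostReport] = []
    cur: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            cur = HostReport(name=m.group(1), addr=m.group(2))
            reports.append(cur)
            continue
        if cur is None:          # banner lines before the first report
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            cur.not_shown = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            cur.ports.append(PortEntry(int(m.group(1)), m.group(2), m.group(3),
                                       m.group(4), m.group(5) or ""))
            continue
        m = PROTO_RE.match(line)
        if m:
            cur.ports.append(PortEntry(int(m.group(1)), "ip", m.group(2), m.group(3)))
    return reports


def exposed(report: HostReport) -> Set[Tuple[int, str]]:
    """Ports a defender must treat as reachable: 'open' plus 'open|filtered',
    because UDP/FIN/NULL/Xmas/Maimon scans cannot tell those two apart."""
    return {(p.number, p.proto) for p in report.ports
            if p.state in ("open", "open|filtered")}


def newly_exposed(old: HostReport, new: HostReport) -> Set[Tuple[int, str]]:
    """Ports reachable in the new scan that were not reachable in the old one."""
    return exposed(new) - exposed(old)


# Constructed sample reports (placeholder host name, RFC 5737 documentation address).
BASELINE = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-01 10:00 CET
Nmap scan report for web.example.test (192.0.2.10)
Host is up (0.020s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp open   https
445/tcp closed microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 12.00 seconds
"""

LATER = """\
Nmap scan report for web.example.test (192.0.2.10)
Host is up (0.021s latency).
Not shown: 995 filtered ports
PORT     STATE         SERVICE      REASON
53/udp   open|filtered domain       no-response
80/tcp   open          http         syn-ack
443/tcp  open          https        syn-ack
445/tcp  closed        microsoft-ds reset
8080/tcp open          http-proxy   syn-ack
"""


def main() -> None:
    old = parse_nmap_normal(BASELINE)[0]
    new = parse_nmap_normal(LATER)[0]
    for number, proto in sorted(newly_exposed(old, new)):
        print(f"NEW exposure on {new.name}: {number}/{proto}")


if __name__ == "__main__":
    main()
```

Run against two saved -oN files of the same host and the new 8080/tcp listener and the unanswered 53/udp probe come out as new exposures while the unchanged 80 and 443 stay quiet. For anything beyond a quick check, scan with -oX and parse the XML instead: the normal-output layout is meant for humans and can change between Nmap versions, whereas the XML schema is stable.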