NMap Noisy Example Output

This post is a complement to an article I wrote for eForensics Magazine, which is coming out in 2014.

# Nmap 6.40 scan initiated Tue Dec 3 22:55:48 2013 as: nmap -T5 -v -A -oN Kali-method-2.txt 192.168.1.0/24

Nmap scan report for 192.168.1.0 \24

Nmap scan report for unknownBCC8108BEB97 (192.168.1.64)

Host is up (0.0059s latency).

Not shown: 998 closed ports

PORT STATE SERVICE VERSION

8080/tcp open http-proxy?

8086/tcp open http T-Home Entertain set-top box httpd

| http-auth:

| HTTP/1.1 401 Bad Request

|_ Server returned status 401 but no WWW-Authenticate header.

|_http-methods: No Allow or Public header in OPTIONS response (status code 401)

|_http-title: Site doesn't have a title.

MAC Address: BC:C8:10:8B:EB:97 (Cisco Spvtg)

Device type: media device

Running: Motorola embedded, Telekom embedded

OS CPE: cpe:/h:motorola:vip1232 cpe:/h:telekom:mr_303

OS details: Motorola VIP1232 digital set top box or Telekom Media Receiver MR 303

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=125 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: Device: media device

TRACEROUTE

HOP RTT ADDRESS

1 5.86 ms unknownBCC8108BEB97 (192.168.1.64)

Nmap scan report for BRN001BA9BDA46D (192.168.1.66)

Host is up (0.00089s latency).

Not shown: 994 closed ports

PORT STATE SERVICE VERSION

21/tcp open ftp Brother/HP printer ftpd 1.13

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

23/tcp open telnet Brother/HP printer telnetd

80/tcp open http Debut embedded httpd 1.20 (Brother/HP printer http admin)

515/tcp open printer

631/tcp open ipp?

9100/tcp open jetdirect?

MAC Address: 00:1B:A9:BD:A4:6D (Brother Industries)

Device type: printer|webcam

Running: HP embedded, Brother embedded, Sony embedded

OS CPE: cpe:/h:sony:snc-rz30n

OS details: HP LaserJet (1020-, 2010-, 2600-, 2800-, 3050-, or 3390-series), or Brother (DCP-375CW, HL-5250DN, HL-22700W, MFC-7840N, MFC-8860DN, or MFC-9970CDW) printer; or Sony SNC-RZ30N network camera

Uptime guess: 32.985 days (since Fri Nov 1 00:21:05 2013)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=17 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: Device: printer

TRACEROUTE

HOP RTT ADDRESS

1 0.89 ms BRN001BA9BDA46D (192.168.1.66)

Nmap scan report for ATL-WHalton (192.168.1.68)

Host is up (0.0052s latency).

Not shown: 991 filtered ports

PORT STATE SERVICE VERSION

135/tcp open msrpc Microsoft Windows RPC

445/tcp open netbios-ssn

912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)

1026/tcp open msrpc Microsoft Windows RPC

1027/tcp open msrpc Microsoft Windows RPC

1031/tcp open msrpc Microsoft Windows RPC

1032/tcp open msrpc Microsoft Windows RPC

5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-methods: No Allow or Public header in OPTIONS response (status code 503)

|_http-title: Service Unavailable

8181/tcp open unknown

MAC Address: 84:3A:4B:57:43:2A (Intel Corporate)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: phone|general purpose

Running: Microsoft Windows Phone|Vista|2008|7

OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_7

OS details: Microsoft Windows Phone 7.5, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7

Uptime guess: 2.277 days (since Sun Dec 1 16:19:35 2013)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=258 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

| smb-os-discovery:

| OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)

| OS CPE: cpe:/o:microsoft:windows_7::sp1

| Computer name: ATL-WHalton

| NetBIOS computer name: ATL-WHALTON

| Domain name: test.30309.info

| Forest name: test.30309.info

| FQDN: ATL-WHalton.test.30309.info

| NetBIOS domain name: 30309

|_ System time: 2013-12-03T22:57:53-05:00

| smb-security-mode:

| Account that was used for smb scripts: guest

| User-level authentication

| SMB Security: Challenge/response passwords supported

|_ Message signing supported

|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE

HOP RTT ADDRESS

1 5.20 ms ATL-WHalton (192.168.1.68)

Nmap scan report for LNAR-PBYLYZY (192.168.1.70)

Host is up (0.013s latency).

All 1000 scanned ports on LNAR-PBYLYZY (192.168.1.70) are filtered

MAC Address: 60:67:20:95:F2:64 (Intel Corporate)

Too many fingerprints match this host to give specific OS details

Network Distance: 1 hop

TRACEROUTE

HOP RTT ADDRESS

1 12.61 ms LNAR-PBYLYZY (192.168.1.70)

Nmap scan report for homeportal (192.168.1.254)

Host is up (0.0049s latency).

Not shown: 996 closed ports

PORT STATE SERVICE VERSION

80/tcp open http 2Wire HomePortal touer http config

|_http-methods: No Allow or Public header in OPTIONS response (status code 404)

|_http-title: Site doesn't have a title (text/html).

256/tcp filtered fw1-secureremote

443/tcp open ssl/http 2Wire HomePortal touer http config

|_http-methods: No Allow or Public header in OPTIONS response (status code 404)

|_http-title: Site doesn't have a title (text/html).

| ssl-cert: Subject: commonName=gateway.pace.com/organizationName=2Wire/countryName=US

| Issuer: commonName=Gateway Authentication/organizationName=2Wire/countryName=US

| Public Key type: rsa

| Public Key bits: 1024

| Not valid before: 2013-01-28T01:16:17+00:00

| Not valid after: 2028-02-24T01:16:17+00:00

| MD5: 6048 d569 009c 04c8 da63 51ff 5504 ff79

|_SHA-1: 5839 1502 1a1a fcf1 9278 b137 839a c7b1 507e d72d

|_ssl-date: 2013-12-04T03:57:53+00:00; 0s from local time.

49152/tcp open unknown

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

MAC Address: 60:C3:97:9D:2C:21 (2 Wire)

Device type: WAP

Running: 2Wire embedded

OS CPE: cpe:/h:2wire:1701hg cpe:/h:2wire:2700hg cpe:/h:2wire:2700hg-b cpe:/h:2wire:2701hg-b cpe:/h:2wire:rg2701hg cpe:/h:2wire:3800hgv-b

OS details: 2Wire 1701HG, 2700HG, 2700HG-B, 2701HG-B, RG2701HG, or 3800HGV-B wireless ADSL modem

Uptime guess: 16.649 days (since Sun Nov 17 07:24:02 2013)

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=123 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: Device: broadband router

TRACEROUTE

HOP RTT ADDRESS

1 4.87 ms homeportal (192.168.1.254)

Nmap scan report for telcontar-2 (192.168.1.72)

Host is up (0.000081s latency).

Not shown: 998 closed ports

PORT STATE SERVICE VERSION

80/tcp open http Tntnet 2.2

|_http-methods: No Allow or Public header in OPTIONS response (status code 200)

|_http-title: Site doesn't have a title (text/html).

9418/tcp open git?

Aggressive OS guesses: Linux 3.7 - 3.9 (98%), Netgear DG834G WAP or Western Digital WD TV media player (96%), Linux 3.8 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6) (92%), Linux 3.7 (92%), Crestron XPanel control system (91%), Linux 2.4.26 (Slackware 10.0.0) (91%), Linux 3.4 (91%)

No exact OS matches for host (test conditions non-ideal).

Uptime guess: 2.287 days (since Sun Dec 1 16:05:33 2013)

Network Distance: 0 hops

TCP Sequence Prediction: Difficulty=265 (Good luck!)

IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

# Nmap done at Tue Dec 3 22:59:09 2013 -- 256 IP addresses (6 hosts up) scanned in 201.68 seconds