The agenda for today's talk is:
Just as a thief must case a business before attempting to rob it, a cracker must case the net and prospective machines. This process can be very discreet, or it can make a "bull in a china shop" look skillful. It all depends on the quality of the investigator and his tools. We will use the term cracker to refer to the cyber stalker.
For the purposes of this talk, the term cracker will refer to an individual attempting to break-in to a machine (just like a safe cracker). We will use the original definition of hacker, on the other hand, to refer to an individual who is excellent at coding or using the system.
Crackers come in a range of expertise:
Often there is not a clear line between these categories. Successful Script Kiddies with enough initiative learn to be Amateurs. Amateurs who don't get scared of being caught (and prosecuted) have the ability to become Experts. It's the fear of getting caught that stops most potential crackers.
In the same way that streets and alleys are the pathways of burglars, TCP/IP (Transmission Control Protocol / Internet Protocol) has become the avenue of the cracker. TCP/IP is a suite of protocols used by computers to communicate with each other over a network. While many other protocols exist, the TCP/IP suite has become the dominant one and is the method of machine-to-machine communication on the Internet.
TCP/IP is a set of rules that govern how to send information between computers (hosts). Every computer on the Internet must have an address. TCP/IP addresses are 32 bits (4 bytes) in size and are usually written in the form nnn.nnn.nnn.nnn, where nnn is a number between 0 and 255. The four sets of digits (octets) form all the possible Internet addresses. DNS (Domain Name Service) was created so that Internet names can be translated into these numeric Internet addresses (and vice versa). The nslookup command is a tool for querying the DNS servers. For example:
Regardless of the form (numeric or name), each address refers to a specific computer (such as the street address of a house or someone's phone number).
To make communications easier to handle, TCP/IP introduced the concept of a port. A TCP/IP port can be thought of as a sub-address (in the way that a room number specifies part of a building, or an extension specifies a particular phone in a large company). TCP/IP ports are split into "well-known" ports and "high-number" ports. The ports with numbers below 1024 are considered the "well-known" ports and are reserved for use by "well-known" applications (like e-mail and the web). The "high-number" ports are free to be used by any application (and are often used for Denial of Service attacks or BackOrifice). A socket is the combination of an Internet address and a specific port. This socket uniquely identifies a communications channel between two computers.
Here is a list of some of the common "well-known" ports:
| Port | Name | Description |
|---|---|---|
| 7 | echo | Echoes back any characters sent to it. |
| 9 | discard | Absorbs all characters sent and ignores them. |
| 13 | daytime | Returns the host's date/time stamp |
| 19 | chargen | Generates the character set. |
| 21 | ftp | File Transfer Protocol - FTP Server |
| 22 | ssh | Secure form of telnet |
| 23 | telnet | Console-style connection to a host |
| 25 | smtp | Simple Mail Transfer Protocol - send and deliver e-mail |
| 37 | time | Older time syncing format |
| 42 | nameserver | DNS requests |
| 43 | whois | Internet domain requests |
| 53 | domain | DNS requests |
| 67 | bootps | Boot Protocol - server assigns IP address to client |
| 68 | bootpc | Boot Protocol - client receives IP address from server |
| 69 | tftp | Trivial File Transfer Protocol - no authentication |
| 70 | gopher | Text based precursor to the web |
| 79 | finger | User information on a host |
| 80 | www | HyperText Transfer Protocol - Web Server |
| 110 | pop-3 | Post Office Protocol - read e-mail remotely |
| 111 | sunrpc | Part of NFS |
| 113 | auth | Passes host and user information to querying servers |
| 119 | nntp | Network News Transfer Protocol - Usenet news messages |
| 123 | ntp | Network Time Protocol - new time syncing format |
| 137 | netbios-ns | NETBIOS Name Service for Windows machines |
| 138 | netbios-dgm | NETBIOS Datagram for Windows machines |
| 139 | netbios-ssn | NETBIOS Session Service for Windows machines |
| 143 | imap2 | Internet Mail Access Protocol - read e-mail remotely |
| 161 | snmp | Simple Network Monitoring Protocol - capture statistics about machines |
| 162 | snmp-trap | Simple Network Monitoring Protocol - (see above) |
| 194 | irc | Internet Relay Chat - chatting |
| 201 | at-rtmp | AppleTalk Routing for Macintoshes |
| 202 | at-nbp | AppleTalk Name binding for Macintoshes |
| 204 | at-echo | AppleTalk echo for Macintoshes |
| 206 | at-zis | AppleTalk Zone Transfer for Macintoshes |
| 220 | imap3 | Internet Mail Access Protocol - new version |
| 443 | https | HyperText Transfer Protocol Secure - secure web |
| 525 | timed | Older time format |
| 540 | uucp | Unix-Unix Copy Protocol - older file transfer |
Here is a list of some of the common "high-number" ports:
| Port | Name | Description |
|---|---|---|
| 1812 | radius | Terminal server communications |
| 3306 | mysql | The MySQL Database |
| 5432 | postgres | The Postgres Database |
| 6667 | ircd | Internet Relay Chat |
| 8080 | webcache | Non-privileged Web Server |
| 12345 | NetBus | Windows remote control |
| 12346 | NetBus | Windows remote control |
| 20034 | NetBus | Windows remote control |
| 27374 | asp | Ramen Toolkit remote control |
| 31337 | Back Orifice | Windows remote control |
Even without arming yourself with all the tools crackers write, there's a lot of information you can gather about a host or network by yourself, with default utilities. We'll explore some of these utilities here.
```text
[root@ropers updates]# ping www.nmap.org
PING www.nmap.org (208.184.74.98) from 130.39.198.58 : 56(84) bytes of data.
64 bytes from amy.lnxnet.net (208.184.74.98): icmp_seq=0 ttl=239 time=301.168 msec
64 bytes from amy.lnxnet.net (208.184.74.98): icmp_seq=1 ttl=239 time=299.563 msec
64 bytes from amy.lnxnet.net (208.184.74.98): icmp_seq=2 ttl=239 time=362.702 msec
64 bytes from amy.lnxnet.net (208.184.74.98): icmp_seq=3 ttl=239 time=286.167 msec
64 bytes from amy.lnxnet.net (208.184.74.98): icmp_seq=4 ttl=239 time=229.394 msec
64 bytes from amy.lnxnet.net (208.184.74.98): icmp_seq=5 ttl=239 time=342.040 msec
64 bytes from amy.lnxnet.net (208.184.74.98): icmp_seq=6 ttl=239 time=396.239 msec

--- www.nmap.org ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max/mdev = 229.394/316.753/396.239/50.955 ms
```

```text
[root@ropers updates]# traceroute www.nmap.org
traceroute to www.nmap.org (208.184.74.98), 30 hops max, 38 byte packets
 1  frey-eth-gw.net.lsu.edu (130.39.198.1)  2.281 ms  1.197 ms  1.453 ms
 2  bb3-net1-atm.net.lsu.edu (130.39.244.13)  2.309 ms  2.098 ms  3.062 ms
 3  172.19.251.21 (172.19.251.21)  62.187 ms  71.076 ms  45.990 ms
 4  host-209-149-134-184.btr.bellsouth.net (209.149.134.184)  73.782 ms  43.282 ms  70.435 ms
 5  500.Serial3-6.GW2.NOL1LTER.NET (157.130.88.249)  47.828 ms  38.219 ms  28.662 ms
 6  133.ATM2-0.XR2.HOU4.ALTER.NET (152.63.96.126)  59.153 ms  45.062 ms  50.258 ms
 7  292.at-2-0-0.XR2.DFW7.ALTER.NET (146.188.242.25)  52.892 ms  56.365 ms  74.576 ms
 8  190.ATM11-0-0.GW4.DFW7.ALTER.NET (146.188.242.109)  50.720 ms  *  90.595 ms
 9  abovenet-dfw7.alter.net (157.130.138.46)  84.825 ms  77.638 ms  66.276 ms
10  ord2-dfw1-oc3.ord2.above.net (208.185.156.177)  109.638 ms  104.229 ms  77.967 ms
11  sjc2-ord2-oc48.sjc2.above.net (208.184.233.45)  172.665 ms  187.536 ms  177.542 ms
12  core1-core4-oc48.sjc2.above.net (208.184.102.201)  173.894 ms  184.122 ms  185.735 ms
13  core5-sjc2-oc48.sjc1.above.net (216.200.0.177)  152.580 ms  *  185.445 ms
14  main1-core5-oc12.sjc1.above.net (208.185.175.250)  186.356 ms  238.848 ms  205.807 ms
15  main.sjc.megapath.net (209.249.140.28)  180.923 ms  161.062 ms  169.721 ms
16  sdsl-216-200-177-10.dsl.sjc.megapath.net (216.200.177.10)  347.495 ms  365.266 ms  337.581 ms
17  amy.lnxnet.net (208.184.74.98)  385.012 ms  369.496 ms  429.081 ms
```
[root@ropers updates]# whois nmap.org@whois.networksolutions.com
[whois.networksolutions.com]
The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Network Solutions does not guarantee its accuracy. By submitting a
WHOIS query, you agree that you will use this Data only for lawful
purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail
(spam); or (2) enable high volume, automated, electronic processes
that apply to Network Solutions (or its systems). Network Solutions
reserves the right to modify these terms at any time. By submitting
this query, you agree to abide by this policy.
Connection refused: invalid ip address
The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than Network Solutions.
Network Solutions, therefore, does not guarantee its accuracy or
completeness.
Domain not found in remote registrar whois.
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: NMAP.ORG
Registrar: TUCOWS.COM, INC.
Whois Server: whois.opensrs.net
Referral URL: www.opensrs.org
Name Server: NS2.INSECURE.ORG
Name Server: NS1.INSECURE.ORG
Updated Date: 17-aug-2000
>>> Last update of whois database: Tue, 20 Mar 2001 09:28:56 EST <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than Network Solutions.
Network Solutions, therefore, does not guarantee its accuracy or
completeness.
[root@ropers updates]# whois nmap.org@whois.opensrs.net
[rr-n1-tor.opensrs.net]
Registrant:
Insecure.Com LLC
370 Altair Way #113
Sunnyvale, CA 94086-6100
US
Domain Name: NMAP.ORG
Administrative Contact:
Vaskovich, Fyodor fyodor@insecure.org
370 Altair Way #113
Sunnyvale, CA 94086-6100
US
408-793-5160
Technical Contact:
Vaskovich, Fyodor fyodor@insecure.org
370 Altair Way #113
Sunnyvale, CA 94086-6100
US
408-793-5160
Billing Contact:
Vaskovich, Fyodor fyodor@insecure.org
370 Altair Way #113
Sunnyvale, CA 94086-6100
US
408-793-5160
Record last updated on 21-Mar-2001.
Record expires on 18-Jan-2002.
Record Created on 18-Jan-1999.
Domain servers in listed order:
NS2.INSECURE.ORG 24.1.206.202
NS1.INSECURE.ORG 208.184.74.98
[root@ropers updates]# nslookup www.nmap.org
Server: otc-dns1.lsu.edu
Address: 130.39.3.5
Non-authoritative answer:
Name: www.nmap.org
Address: 208.184.74.98
[root@ropers updates]# nslookup
Default Server: otc-dns1.lsu.edu
Address: 130.39.3.5
> server 208.184.74.98
Default Server: amy.lnxnet.net
Address: 208.184.74.98
Aliases: 98.74.184.208.in-addr.arpa
> www.nmap.org
Server: amy.lnxnet.net
Address: 208.184.74.98
Aliases: 98.74.184.208.in-addr.arpa
Name: www.nmap.org
Address: 208.184.74.98
> 208.184.74.98
Server: amy.lnxnet.net
Address: 208.184.74.98
Aliases: 98.74.184.208.in-addr.arpa
Name: amy.lnxnet.net
Address: 208.184.74.98
Aliases: 98.74.184.208.in-addr.arpa
> ls nmap.org
[amy.lnxnet.net]
*** Can't list domain nmap.org: Unspecified error
> exit
[root@ropers updates]# nslookup
Default Server: otc-dns1.lsu.edu
Address: 130.39.3.5
> ls lsu.edu
[otc-dns1.lsu.edu]
$ORIGIN lsu.edu.
@ 1H IN A 130.39.75.99
www.ace 1H IN A 130.39.88.137
www.acm 1H IN A 130.39.8.222
aaweb.admin 1H IN A 130.39.70.69
aaweb2.admin 1H IN A 130.39.69.253
acad135.admin 1H IN A 130.39.68.72
acad180.admin 1H IN A 130.39.68.73
acad180-dubl.admin 1H IN A 130.39.68.239
acad211.admin 1H IN A 130.39.70.71
acad272.admin 1H IN A 130.39.66.229
. .
. .
. .
> exit
```text
[root@ropers updates]# dig www.nmap.org

; <<>> DiG 8.3 <<>> www.nmap.org
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.nmap.org, type = A, class = IN

;; ANSWER SECTION:
www.nmap.org.           23h28m14s IN A  208.184.74.98

;; AUTHORITY SECTION:
nmap.org.               23h28m14s IN NS ns1.insecure.org.
nmap.org.               23h28m14s IN NS ns2.insecure.org.

;; ADDITIONAL SECTION:
ns2.insecure.org.       23h36m41s IN A  24.1.206.202

;; Total query time: 101 msec
;; FROM: ropers to SERVER: default -- 130.39.3.5
;; WHEN: Wed Mar 21 16:19:05 2001
;; MSG SIZE  sent: 30  rcvd: 107

[root@ropers updates]# dig @208.184.74.98 nmap.org T_AXFR

; <<>> DiG 8.3 <<>> @208.184.74.98 nmap.org T_AXFR
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      T_AXFR, type = A, class = IN

;; AUTHORITY SECTION:
.                       2h59m19s IN SOA A.ROOT-SERVERS.NET. hostmaster.nsiregistry.NET. (
                                        2001032100      ; serial
                                        30M             ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

;; Total query time: 234 msec
;; FROM: ropers to SERVER: 208.184.74.98
;; WHEN: Wed Mar 21 16:35:20 2001
;; MSG SIZE  sent: 24  rcvd: 100
```

```text
[root@ropers updates]# finger @www.nmap.org
[www.nmap.org]
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3a

mQCNAzVUFb0AAAEEAM6KpEvT9YMZhQkR5gbKJR5n246Ys7+zUaQCr1/pSW4eUz6f
MZbn9oWAQwAN7jbaBsPiu6NSLeBFjDyByOwBhnkzDK+/Ok6E/uhQxarXFFn3gqt8
7pjnfzanDtXA4JfiTgnF+xJB4S0gMIHuq15c8AhwHThguh2tOs4dPqJTWH2VAAUR
tBdGeW9kb3IgPGZ5b2RvckBkaHAuY29tPokAlQMFEDVUFb3OHT6iU1h9lQEBr0YD
/jX7PjE/2Wt0COZW8E5BVAYjW3a+5YBOVC5/aEqZOSphGxoXqNmL/mU+veQmX1Yx
N8SYNTlfz70aFWNg3diSKWlRDMa00XXUNDDtPffAluD9QX+sfqKXNjSLBWUFPBvT
dlWSqH4HqTwopy4QhAXat6xEmARmVlgLl54dknoBO67H
=Wt2o
-----END PGP PUBLIC KEY BLOCK-----
```
[root@ropers updates]# telnet www.nmap.org 25
Trying 208.184.74.98...
Connected to www.nmap.org.
Escape character is '^]'.
220 amy.insecure.org ESMTP
quit
221 amy.insecure.org
Connection closed by foreign host.
[root@ropers updates]# telnet www.nmap.org 80
Trying 208.184.74.98...
Connected to www.nmap.org.
Escape character is '^]'.
GET / HTTP/1.0
User-Agent: HTCIAdemo/1.0
Host: www.nmap.org:80
Accept: */*
(press <ENTER>)
HTTP/1.0 200 OK
Date: Wed, 21 Mar 2001 22:36:06 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.24
Last-Modified: Fri, 09 Mar 2001 08:20:42 GMT
Content-Type: text/html
Age: 1486
X-Cache: HIT from cache-19.lnxnet.net
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Insecure.org -- Computer Security, Nmap, Port Scanner, Exploit World, Exploits, Hacking, Hacker, Linux, Solaris, Windows, FreeBSD</TITLE>
. .
. .
. .
<!-- END ATWEB HITOMETER TAG -->
</BODY>
</HTML>
[root@ropers BUILD]# telnet notes.lsu.edu 25
Trying 130.39.80.45...
Connected to notes.lsu.edu.
Escape character is '^]'.
220 mail081.lsu.edu ESMTP Service (Lotus Domino Release 5.0.5) ready at Thu, 22 Mar 2001 08:34:17 -0600
HELO www.whitehouse.gov
250 mail081.lsu.edu Hello www.whitehouse.gov ([130.39.198.58]), pleased to meet you
MAIL from:george.w.bush@whitehouse.gov
250 george.w.bush@whitehouse.gov... Sender OK
RCPT to:bropers@lsu.edu
250 bropers@lsu.edu... Recipient OK
DATA
354 Enter message, end with "." on a line by itself
Date: Wed, 21 Mar 2003, 15:15:01 -0600
To: All My Supporters <bush.supporters@politics.sucks>
From: George W. ("Wild") Bush Republican Election Committee <george.w.bush@whitehouse.com>
Subject: Thanks for your support
This is the faked e-mail from the President.
Pretty easy, huh?
Thanks,
George W.
.
250 Message accepted for delivery
QUIT
221 mail081.lsu.edu SMTP Service closing transmission channel
Connection closed by foreign host.
PINE 4.32 MESSAGE INDEX <Incoming-Folders> Notes Msg 1 of 290 NEW
N 1 Mar 22 (953) Thanks for your support
. .
. .
. .
Received: from www.whitehouse.gov ([130.39.198.58]) by mail081.lsu.edu (Lotus Domino
Release 5.0.5) with SMTP id 2001032208350324:191 ; Thu, 22 Mar 2001 08:35:03
-0600
To: All My Supporters <bush.supporters@politics.sucks>
From: George W. ("Wild") Bush Republican Election Committee
<george.w.bush@whitehouse.com>
Subject: Thanks for your support
Date: Thu, 22 Mar 2001 08:38:44 -0600
Message-ID: <OF1437AF37.5611FB66-ON86256A17.00507377@LocalDomain>
Bcc: Brian_Ropers-Huilman/bropers/LSU
X-MIMETrack: Serialize by Router on mail081.lsu.edu/LSU(Release 5.0.5 |September 22, 2000) at
03/22/2001 08:38:45 AM,Serialize complete at 03/22/2001 08:38:45 AM,
Itemize by Router on MAIL011/LSU(Release 5.0.5 |September 22, 2000) at 03/22/2001
08:38:45 AM,Serialize by Router on MAIL011/LSU(Release 5.0.5 |September 22, 2000) at 03/22/2001
08:38:45 AM
This is the faked e-mail from the President.
Pretty easy, huh?
Thanks,
George W.
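The forged message above looks convincing in the mail reader, but the session also shows what the server wrote into the Received: header: the HELO name the client claimed (www.whitehouse.gov) next to the address it actually connected from (130.39.198.58). The following is an added example, not part of the talk, showing how a defender or investigator can pull those fields apart and flag the mismatches automatically. The Received: line is a constructed copy of the one shown above, and the assumption that 130.39.0.0/16 is the receiving site's own address space is the example's own, chosen because the talk's LSU hosts all live there.

```python
import ipaddress
import re

# Constructed sample, modelled on the Received: header the talk shows the
# mail server adding to the forged message.  The name after "from" is what
# the client claimed in HELO; the bracketed address is the peer address the
# server actually observed on the TCP connection.
SAMPLE_RECEIVED = (
    "Received: from www.whitehouse.gov ([130.39.198.58]) by mail081.lsu.edu "
    "(Lotus Domino Release 5.0.5) with SMTP id 2001032208350324:191 ; "
    "Thu, 22 Mar 2001 08:35:03 -0600"
)

# Assumption for this example: the receiving site's own address space.
# 130.39.0.0/16 is used because every LSU host in the talk sits there.
INTERNAL_NETS = [ipaddress.ip_network("130.39.0.0/16")]

RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header: str) -> dict:
    """Pull the HELO name, connecting IP and receiving host out of a
    Received: header written in the style shown above."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("Received: header not in the expected form")
    return {"helo": m.group("helo"), "ip": m.group("ip"), "by": m.group("by")}


def registered_domain(name: str) -> str:
    """Crude two-label domain (good enough for the .gov/.com/.edu names here)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess(header: str, envelope_from: str, header_from: str) -> dict:
    """Compare what the client claimed with what the server recorded.

    envelope_from is the MAIL FROM address; header_from is the address in
    the From: line.  Returns the parsed fields plus a list of findings."""
    info = parse_received(header)
    ip = ipaddress.ip_address(info["ip"])
    internal = any(ip in net for net in INTERNAL_NETS)
    helo_dom = registered_domain(info["helo"])
    by_dom = registered_domain(info["by"])
    env_dom = registered_domain(envelope_from.rsplit("@", 1)[-1])
    hdr_dom = registered_domain(header_from.rsplit("@", 1)[-1])

    findings = []
    # An outside organisation's mail server does not connect from inside ours.
    if internal and helo_dom != by_dom:
        findings.append(
            f"HELO claims {info['helo']} but the connection came from "
            f"{ip}, an address inside the receiving site's own network"
        )
    # The envelope sender and the visible From: should normally agree.
    if env_dom != hdr_dom:
        findings.append(
            f"envelope sender domain {env_dom} differs from From: domain {hdr_dom}"
        )
    return {**info, "internal_source": internal, "findings": findings}


if __name__ == "__main__":
    result = assess(
        SAMPLE_RECEIVED,
        "george.w.bush@whitehouse.gov",   # MAIL FROM in the talk's session
        "george.w.bush@whitehouse.com",   # From: header in the message body
    )
    for finding in result["findings"]:
        print("-", finding)
```

The point for the reader of a forged message is that the HELO name, the From: line and the envelope sender are all typed by the client and can say anything; the bracketed address in the Received: header is the one thing the receiving server observed for itself, which is why investigators start there.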
We've demonstrated a small, manual port scan with the tools mentioned above. Most people won't have the patience (or the skill) to scan all ports of all machines on a network. The by-hand tools can be used to determine some pieces of information about a machine, but there is obviously some guess-work, previous knowledge, and time involved. Full automation would also be a plus.
Luckily, there is another tool available called nmap, perhaps the best network scanner, which allows you to gather detailed information about not only a single machine but possibly an entire network with just one command.
nmap, available from http://www.nmap.org, provides "network-wide ping sweep, portscan and OS detection" and encourages you to "audit your network security before the bad guys do." The tool can be used to determine which machines are really on your network (and possibly detect unauthorized machines), which services are being made available from machines on your network (and possibly detect unauthorized services), as well as identify what OS is running on the machines (the new beta version may even be able to tell you how long each machine has been on!).
We will look at nmap here in its various forms.
[root@ropers /root]# nmap -sP -v -v 130.39.198.*
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (130.39.198.0) appears to be down.
Host frey-eth-gw.net.lsu.edu (130.39.198.1) appears to be up.
Host (130.39.198.2) appears to be up.
Host (130.39.198.3) appears to be down.
Host (130.39.198.4) appears to be down.
Host (130.39.198.5) appears to be down.
Host (130.39.198.6) appears to be down.
Host (130.39.198.7) appears to be down.
Host bigdog.lsu.edu (130.39.198.8) appears to be up.
. .
. .
. .
Host athar.ocs.lsu.edu (130.39.198.244) appears to be up.
Host (130.39.198.245) appears to be down.
Host (130.39.198.246) appears to be down.
Host otc-student16.ocs.lsu.edu (130.39.198.247) appears to be up.
Host (130.39.198.248) appears to be down.
Host alea.ocs.lsu.edu (130.39.198.249) appears to be up.
Host lijun.ocs.lsu.edu (130.39.198.250) appears to be up.
Host (130.39.198.251) appears to be down.
Host (130.39.198.252) appears to be down.
Host otc-fileserver.ocs.lsu.edu (130.39.198.253) appears to be up.
Host webserver.otc.lsu.edu (130.39.198.254) appears to be up.
Host (130.39.198.255) appears to be down.
Nmap run completed -- 256 IP addresses (111 hosts up) scanned in 11 seconds
```text
[root@ropers updates]# nmap -sT -v -v www.nmap.org

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host amy.lnxnet.net (208.184.74.98) appears to be up ... good.
Initiating Connect() Scan against amy.lnxnet.net (208.184.74.98)
Adding TCP port 53 (state open).
Adding TCP port 79 (state open).
Adding TCP port 22 (state open).
Adding TCP port 80 (state open).
Adding TCP port 25 (state open).
The Connect() Scan took 480 seconds to scan 1542 ports.
Interesting ports on amy.lnxnet.net (208.184.74.98):
(The 1535 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
79/tcp     open        finger
80/tcp     open        http
113/tcp    closed      auth
6699/tcp   closed      napster

Nmap run completed -- 1 IP address (1 host up) scanned in 483 seconds
```

```text
[root@ropers updates]# nmap -sU -v -v 130.39.198.*

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (130.39.198.0) appears to be down, skipping it.
Host frey-eth-gw.net.lsu.edu (130.39.198.1) appears to be up ... good.
Initiating UDP Scan against frey-eth-gw.net.lsu.edu (130.39.198.1)
The UDP Scan took 15 seconds to scan 1453 ports.
Interesting ports on frey-eth-gw.net.lsu.edu (130.39.198.1):
(The 1449 ports scanned but not shown below are in state: closed)
Port       State       Service
7/udp      open        echo
9/udp      open        discard
69/udp     open        tftp
161/udp    open        snmp

Host (130.39.198.2) appears to be up ... good.
Initiating UDP Scan against (130.39.198.2)
The UDP Scan took 7 seconds to scan 1453 ports.
Interesting ports on (130.39.198.2):
(The 1449 ports scanned but not shown below are in state: closed)
Port       State       Service
161/udp    open        snmp
162/udp    open        snmptrap
520/udp    open        route
1024/udp   open        unknown

Host (130.39.198.3) appears to be down, skipping it.
Host (130.39.198.4) appears to be down, skipping it.
Host (130.39.198.5) appears to be down, skipping it.
Host (130.39.198.6) appears to be down, skipping it.
Host (130.39.198.7) appears to be down, skipping it.
Host bigdog.lsu.edu (130.39.198.8) appears to be up ... good.
Initiating UDP Scan against bigdog.lsu.edu (130.39.198.8)
The UDP Scan took 7 seconds to scan 1453 ports.
Interesting ports on bigdog.lsu.edu (130.39.198.8):
(The 1438 ports scanned but not shown below are in state: closed)
Port       State       Service
7/udp      open        echo
9/udp      open        discard
13/udp     open        daytime
19/udp     open        chargen
37/udp     open        time
53/udp     open        domain
111/udp    open        sunrpc
123/udp    open        ntp
161/udp    open        snmp
177/udp    open        xdmcp
514/udp    open        syslog
978/udp    open        unknown
979/udp    open        unknown
1515/udp   open        ifor-protocol
2049/udp   open        nfs

Host (130.39.198.9) appears to be down, skipping it.
Host (130.39.198.10) appears to be down, skipping it.
Host (130.39.198.11) appears to be down, skipping it.
<CTRL-C>
caught SIGINT signal, cleaning up
```
[root@ropers updates]# nmap -sN -v -v -O 130.39.198.*
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (130.39.198.0) appears to be down, skipping it.
Host frey-eth-gw.net.lsu.edu (130.39.198.1) appears to be up ... good.
Initiating NULL Scan against frey-eth-gw.net.lsu.edu (130.39.198.1)
The NULL Scan took 13 seconds to scan 1542 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 21 is open and port 39228 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on frey-eth-gw.net.lsu.edu (130.39.198.1):
(The 1540 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
23/tcp open telnet
Remote operating system guess: Bay Networks BLN-2 Network Router or ASN Processor revision 9
OS Fingerprint:
T1(Resp=Y%DF=N%W=200%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Host (130.39.198.2) appears to be up ... good.
Initiating NULL Scan against (130.39.198.2)
The NULL Scan took 5 seconds to scan 1542 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on (130.39.198.2):
(The 1540 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
Remote operating system guess: Router/Switch/Printer (LanPlex 2500/Cisco Catalyst 5505/CISCO 6509/Trancell Webramp/Xylan Omni Switch)/Epson Stylus (100BTX-NIC HP Secure Web Console)
OS Fingerprint:
TSeq(Class=64K%IPID=I%TS=U)
T1(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=N%W=1000%ACK=O%Flags=A%Ops=)
T4(Resp=Y%DF=N%W=1000%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=0%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=64K rule
Difficulty=1 (Trivial joke)
TCP ISN Seq. Numbers: 715D6A01 715F5E01 71605801 71615201 71634601 71644001
IPID Sequence Generation: Incremental
Host (130.39.198.3) appears to be down, skipping it.
Host (130.39.198.4) appears to be down, skipping it.
Host (130.39.198.5) appears to be down, skipping it.
Host (130.39.198.6) appears to be down, skipping it.
Host (130.39.198.7) appears to be down, skipping it.
Host bigdog.lsu.edu (130.39.198.8) appears to be up ... good.
Initiating NULL Scan against bigdog.lsu.edu (130.39.198.8)
The NULL Scan took 96 seconds to scan 1542 ports.
(no tcp responses received -- assuming all ports filtered)
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1542 scanned ports on bigdog.lsu.edu (130.39.198.8) are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
SInfo(V=2.54BETA22%P=i686-pc-linux-gnu%D=3/22%Time=3ABA0466%O=-1%C=-1)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=15C%RID=E%RIPCK=F%UCK=0%ULEN=134%DAT=E)
Host (130.39.198.9) appears to be down, skipping it.
Host (130.39.198.10) appears to be down, skipping it.
Host (130.39.198.11) appears to be down, skipping it.
Host frey-1100-108-1.net.lsu.edu (130.39.198.12) appears to be up ... good.
Initiating NULL Scan against frey-1100-108-1.net.lsu.edu (130.39.198.12)
The NULL Scan took 3 seconds to scan 1542 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1542 scanned ports on frey-1100-108-1.net.lsu.edu (130.39.198.12) are: closed
Remote OS guesses: 3Com SuperStack II (OS v 2.0), Allied Telesyn AT-S10 version 3.0 on an AT-TS24TR hub, Asanta IntraStack Ethernet Switch (6014 DSB Versions: BP(2.06 ), FW(1.03 )), Asanta IntraSwitch 5324, AsanteHub 2072 Ethernet Hub, Gold Card Ethernet Interface Firmware Ver. 3.19 (95.01.16). Apparently a MIO Network interface for HP LaserJets, etc.
OS Fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=APR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=APR%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=APR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
<CTRL-C>
caught SIGINT signal, cleaning up
[root@ropers updates]# nmap -sT -p 12345,12346,20034,27374,31337 -v -v 130.39.198.*
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (130.39.198.0) appears to be down, skipping it.
Host frey-eth-gw.net.lsu.edu (130.39.198.1) appears to be up ... good.
Initiating Connect() Scan against frey-eth-gw.net.lsu.edu (130.39.198.1)
The Connect() Scan took 0 seconds to scan 5 ports.
All 5 scanned ports on frey-eth-gw.net.lsu.edu (130.39.198.1) are: closed
Host (130.39.198.2) appears to be up ... good.
Initiating Connect() Scan against (130.39.198.2)
The Connect() Scan took 0 seconds to scan 5 ports.
All 5 scanned ports on (130.39.198.2) are: closed
Host (130.39.198.3) appears to be down, skipping it.
Host (130.39.198.4) appears to be down, skipping it.
Host (130.39.198.5) appears to be down, skipping it.
Host (130.39.198.6) appears to be down, skipping it.
Host (130.39.198.7) appears to be down, skipping it.
Host bigdog.lsu.edu (130.39.198.8) appears to be up ... good.
Initiating Connect() Scan against bigdog.lsu.edu (130.39.198.8)
The Connect() Scan took 0 seconds to scan 5 ports.
All 5 scanned ports on bigdog.lsu.edu (130.39.198.8) are: closed
. .
. .
. .
Host otc-fileserver.ocs.lsu.edu (130.39.198.253) appears to be up ... good.
Initiating Connect() Scan against otc-fileserver.ocs.lsu.edu (130.39.198.253)
The Connect() Scan took 0 seconds to scan 5 ports.
All 5 scanned ports on otc-fileserver.ocs.lsu.edu (130.39.198.253) are: closed
Host webserver.otc.lsu.edu (130.39.198.254) appears to be up ... good.
Initiating Connect() Scan against webserver.otc.lsu.edu (130.39.198.254)
The Connect() Scan took 0 seconds to scan 5 ports.
All 5 scanned ports on webserver.otc.lsu.edu (130.39.198.254) are: closed
Host (130.39.198.255) appears to be down, skipping it.
Nmap run completed -- 256 IP addresses (112 hosts up) scanned in 26 seconds
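The last scan above checks the whole network for the NetBus, Ramen and Back Orifice ports listed in the "high-number" table earlier in the talk. Reading that by eye across 256 hosts does not scale, so the following is an added example (not part of the talk or of nmap itself) that parses the nmap 2.54 text output into per-host port lists, splits ports into the "well-known" and "high-number" ranges from the ports section, and raises an alert for any host answering on one of the remote-control ports. The scan text it runs on is a constructed sample in the same format as the output shown above, not a real scan result.

```python
import re

# Constructed sample in the format of the nmap 2.54BETA22 output shown in
# the talk (three hosts, abbreviated).  Not output from a real scan.
SAMPLE_NMAP = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host amy.lnxnet.net (208.184.74.98) appears to be up ... good.
Initiating Connect() Scan against amy.lnxnet.net (208.184.74.98)
Interesting ports on amy.lnxnet.net (208.184.74.98):
(The 1535 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
113/tcp    closed      auth
6699/tcp   closed      napster
Host (130.39.198.2) appears to be up ... good.
Interesting ports on (130.39.198.2):
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
161/udp    open        snmp
12345/tcp  open        NetBus
Host bigdog.lsu.edu (130.39.198.8) appears to be up ... good.
All 5 scanned ports on bigdog.lsu.edu (130.39.198.8) are: closed
Nmap run completed -- 3 IP addresses (3 hosts up) scanned in 30 seconds
"""

# TCP ports from the talk's "high-number" table that belong to remote-control
# tools rather than to legitimate services.
REMOTE_CONTROL_PORTS = {
    12345: "NetBus", 12346: "NetBus", 20034: "NetBus",
    27374: "Ramen Toolkit (asp)", 31337: "Back Orifice",
}

WELL_KNOWN_LIMIT = 1024  # ports below this are the "well-known" range

# "Interesting ports on name (ip):" or "All N scanned ports on name (ip) are: state";
# the hostname is absent when reverse DNS failed, as in the talk's output.
HOST_RE = re.compile(
    r"^(?:Interesting ports on|All \d+ scanned ports on)\s+"
    r"(?:(?P<name>[^\s(]+)\s+)?\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)
# "22/tcp     open        ssh"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)"
)


def parse_nmap(text: str) -> dict:
    """Return {ip: {"name": hostname or None, "ports": [...]}} from nmap text output."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip")
            hosts[current] = {"name": m.group("name"), "ports": []}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port = int(m.group("port"))
            hosts[current]["ports"].append({
                "port": port,
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "well_known": port < WELL_KNOWN_LIMIT,
            })
    return hosts


def flag_remote_control(hosts: dict) -> list:
    """(ip, port, tool) for every open TCP port that matches the remote-control table."""
    alerts = []
    for ip, host in hosts.items():
        for p in host["ports"]:
            if p["proto"] == "tcp" and p["state"] == "open" and p["port"] in REMOTE_CONTROL_PORTS:
                alerts.append((ip, p["port"], REMOTE_CONTROL_PORTS[p["port"]]))
    return alerts


def open_high_ports(hosts: dict) -> dict:
    """Open ports above the well-known range, per host: each one is something
    the machine's owner should be able to name."""
    return {
        ip: [p["port"] for p in host["ports"] if p["state"] == "open" and not p["well_known"]]
        for ip, host in hosts.items()
    }


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP)
    for ip, port, tool in flag_remote_control(parsed):
        print(f"ALERT {ip} tcp/{port} looks like {tool}")
    for ip, ports in open_high_ports(parsed).items():
        if ports:
            print(f"{ip}: unexplained high-number ports {ports}")
```

Run against a saved scan of your own address space, the alert list is the "unauthorized services" check the nmap description above talks about; feeding it the output of a regularly scheduled scan and diffing the result against the previous run turns the talk's manual reconnaissance into a routine inventory control.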
This page last updated 2001/05/17 10:40:54.