Saturday, January 5, 2008

Multipart PortScanning Part 2

We will now continue with our "scanning journey". In this installment we are going to look at another TCP scan, using
BT2 as our target machine. I am also using the latest version of Nmap on a Windows box.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!

On our third installment we are going to look at our BT2 box. This is a fresh install of BT2 on a hard drive, so this shows exactly what others may see if you are running BT2 on your network. Keep in mind that things may differ with each individual setup.

I used the latest version of Nmap; it comes complete with a nice GUI if you are so inclined. I was, since it's on a Windows box anyway! And yes, you can get this for your BT2 or BT3 box.
The only reason I did it that way is because I only have one BT box set up right now and it was the easiest option for me. However, if you have the option then go for it and post your results here as well!

So we used the same basic command as before, and it looks like:
 # nmap -A -v
Again, this is still a TCP SYN scan: -A adds detection options but does not change the scan type, and when Nmap runs with raw-packet privileges (root on *nix, an Administrator account with WinPcap on Windows) its default scan type is -sS.
The output shows us the following:

 Starting Nmap 4.52 ( ) at 2008-01-05 22:42
Initiating ARP Ping Scan at 22:42
Scanning [1 port]
Completed ARP Ping Scan at 22:42, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:42
Completed Parallel DNS resolution of 1 host. at 22:42, 0.05s elapsed
Initiating SYN Stealth Scan at 22:42
Scanning [1714 ports]
Discovered open port 6000/tcp on
Discovered open port 631/tcp on
Completed SYN Stealth Scan at 22:42, 0.19s elapsed (1714 total ports)
Initiating Service scan at 22:42
Scanning 2 services on
Completed Service scan at 22:43, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against
SCRIPT ENGINE: Initiating script scanning.
Host appears to be up ... good.
Interesting ports on
Not shown: 1712 closed ports
631/tcp open ipp CUPS 1.1
6000/tcp open X11 (access denied)
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.23, Linux 2.6.20-15-server (Ubuntu 7.04 server, x86)
Uptime: 0.050 days (since Sat Jan 05 21:30:36 2008)
Network Distance: 12 hops
TCP Sequence Prediction: Difficulty=188 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix

Read data files from: G:\Nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 8.822 seconds
Raw packets sent: 1737 (78.040KB) | Rcvd: 1729 (79.864KB)

Notice that the output looks a little different from the last scan, but all of the same information is there, plus more. Because we used "-A", Nmap also ran version detection (-sV), OS detection (-O) and the script engine, which is why we now get a version column next to each service (CUPS 1.1), an OS guess, an uptime estimate and the MAC address. This is exactly the critical information a malicious user needs in order to pick the right attack against a system.

Notice that we have TCP port 631 (ipp) open, with CUPS 1.1 running.
For those who don't know, CUPS is the printing service on most *nixes, and port 631 carries IPP, the Internet Printing Protocol.
With cupsd listening on the network, remote users can submit jobs to any printer this box shares (subject to the access controls in cupsd.conf), and the same port also serves the CUPS web interface, so anyone who can reach it can browse the print queues. Printing over the network (with explicit permission) can be fun, and it can be malicious: an attacker could send anything they wanted to a shared printer, and an old CUPS release is one more network-facing daemon that has to be kept patched. A fresh desktop install usually has no reason to accept print jobs from the network at all, so the check to make on your own box is whether cupsd is bound to every interface or only to the loopback address (the Listen directive in cupsd.conf).

We also see that we have TCP port 6000 open with X11 running, but notice that it says (access denied). This is the X Window System, the display server that gives our BT box a desktop.
It is a network service because X was designed so that many users in many locations can run programs on one box and have the windows appear on their own screens, each with a desktop customized to their liking; that is why the server listens on TCP port 6000 (6000 plus the display number). "(access denied)" means the X server answered Nmap's probe but its host-based access control (xhost/xauth) refused the connection. The port being open at all still tells an attacker that X was not started with -nolisten tcp, and if the access list is ever loosened (a careless "xhost +") anyone on the network can read the screen and inject keystrokes. Also notice that the scan tells us which kernel we are running, in this case 2.6.X.

The OS details line is Nmap's best guess at the distribution we are running, and this can and will differ from box to box. Here the guess is wrong: BT2 is not Ubuntu 7.04 server. The reason is that Nmap fingerprints the behaviour of the kernel's TCP/IP stack, not the distribution on top of it, so a 2.6 kernel on BT2 matches a signature that somebody submitted from an Ubuntu 2.6.20 kernel. The kernel range (2.6.17 - 2.6.23) is the part to trust. At the end of the report Nmap gives us a link to submit incorrect results so that its signature database can be improved.
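To make the fields discussed above easier to act on (the open ports with their versions, the OS guess, the MAC address and distance), here is an added example that parses Nmap's normal-format output into a structured report and flags the two network-exposed services from this scan. It is not code from the original post or from the Nmap project. The scan text inside it is constructed to mirror the post's output; the host address 192.0.2.10 is a placeholder (TEST-NET-2), not the author's machine, and the LOCAL_ONLY table of services with their hardening settings is an assumption for the example.

```python
"""Turn Nmap normal-format output into a structured report and flag what the
scan tells an attacker.  Added example, not code from the post or from Nmap.
The scan text below is constructed to mirror the post's output; 192.0.2.10 is
a placeholder address, not the author's host.
"""
import re

SAMPLE_SCAN = """\
Interesting ports on 192.0.2.10:
Not shown: 1712 closed ports
PORT     STATE SERVICE VERSION
631/tcp  open  ipp     CUPS 1.1
6000/tcp open  X11     (access denied)
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.23, Linux 2.6.20-15-server (Ubuntu 7.04 server, x86)
Uptime: 0.050 days (since Sat Jan 05 21:30:36 2008)
Network Distance: 12 hops
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
KV_RE = re.compile(r"^(MAC Address|Running|OS details|Network Distance|Uptime): (.*)$")

# Services a stand-alone desktop has no reason to expose to the network, with
# the setting that keeps them local.  Assumed list for this example.
LOCAL_ONLY = {
    "ipp": "bind cupsd to the loopback address (Listen 127.0.0.1:631 in cupsd.conf)",
    "X11": "start the X server with -nolisten tcp",
}


def parse_nmap_normal(text):
    """Return a dict with the host, the port table and the -A extras."""
    report = {"host": None, "ports": [], "mac": None, "running": None,
              "os_details": None, "uptime_days": None, "boot_time": None,
              "distance_hops": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Interesting ports on (.+?):?$", line)
        if m:
            report["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": (version or "").strip()})
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "MAC Address":
            report["mac"] = value.split()[0]
        elif key == "Running":
            report["running"] = value
        elif key == "OS details":
            report["os_details"] = value
        elif key == "Network Distance":
            report["distance_hops"] = int(value.split()[0])
        elif key == "Uptime":
            u = re.match(r"([\d.]+) days \(since (.+)\)", value)
            if u:
                report["uptime_days"] = float(u.group(1))
                report["boot_time"] = u.group(2)
    return report


def findings(report):
    """List what to act on: exposed local-only services, plus anything in the
    OS section that does not add up."""
    out = []
    for p in report["ports"]:
        if p["state"] == "open" and p["service"] in LOCAL_ONLY:
            out.append("%d/%s %s %s: %s" % (p["port"], p["proto"], p["service"],
                                            p["version"], LOCAL_ONLY[p["service"]]))
    # Nmap prints a MAC address only when it saw the target's own ARP reply,
    # i.e. the target is on the local segment, so a distance far above 1 hop
    # next to a MAC address means one of the two figures deserves a second look.
    if report["mac"] and report["distance_hops"] and report["distance_hops"] > 1:
        out.append("MAC address seen on the wire but distance is %d hops: "
                   "check which figure is right" % report["distance_hops"])
    return out


if __name__ == "__main__":
    r = parse_nmap_normal(SAMPLE_SCAN)
    print("host:", r["host"], "kernel:", r["running"], "booted:", r["boot_time"])
    for f in findings(r):
        print("-", f)
```

Feed it the saved output of a real scan (nmap -A -v -oN scan.txt target) and the findings list is the to-do list for the box: each entry names the open port, the version Nmap saw, and the setting that takes the service off the network.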

We also see an Uptime of 0.050 days, with the date and time the box apparently booted. Nmap works this out from the TCP timestamp option in the target's replies, so it is an estimate and only appears when the target sends timestamps, but it is very useful information. If we scan a box over several days or weeks and watch the boot time move, we may learn that A. the computer is not very stable, B. it gets turned off at night, or C. it is malfunctioning and has to reboot.

This can be very useful when doing our pen testing.
A computer that is constantly rebooting may have problems we can take advantage of, and one that has been up for months has not had a kernel update applied in all that time!
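Here is an added example (not code from the original post) of the repeated-scan idea above: it keeps the Uptime line from each scan, turns the "since" time into a boot time, and reports every scan in which the boot time jumped, which is a reboot. The scan log inside it is constructed; only the first Uptime line is the value from the post, the other three are invented to show the pattern, and the five-minute tolerance for estimate drift is an assumption.

```python
"""Follow a host's boot time across repeated scans so that reboots stand out.
Added example, not code from the original post.  The scan log is constructed:
the first Uptime line is the post's real value, the other three are invented.
"""
import re
from datetime import datetime, timedelta

UPTIME_RE = re.compile(r"Uptime: ([\d.]+) days \(since (.+?)\)")
# Nmap prints the boot time in ctime() layout, e.g. "Sat Jan 05 21:30:36 2008".
SINCE_FMT = "%a %b %d %H:%M:%S %Y"
SEEN_FMT = "%Y-%m-%d %H:%M"

# (when we ran the scan, the Uptime line Nmap printed): constructed sample
SCAN_LOG = [
    ("2008-01-05 22:42", "Uptime: 0.050 days (since Sat Jan 05 21:30:36 2008)"),
    ("2008-01-06 09:15", "Uptime: 0.488 days (since Sat Jan 05 21:31:02 2008)"),
    ("2008-01-07 08:00", "Uptime: 0.041 days (since Mon Jan 07 07:01:12 2008)"),
    ("2008-01-08 20:30", "Uptime: 0.012 days (since Tue Jan 08 20:12:45 2008)"),
]


def boot_times(scan_log):
    """Return [(scan_time, boot_time)] for every scan that carried an Uptime line."""
    out = []
    for seen_at, line in scan_log:
        m = UPTIME_RE.search(line)
        if not m:   # target sent no TCP timestamps, so Nmap printed no Uptime
            continue
        out.append((datetime.strptime(seen_at, SEEN_FMT),
                    datetime.strptime(m.group(2), SINCE_FMT)))
    return out


def detect_reboots(scan_log, tolerance=timedelta(minutes=5)):
    """Return (scan_time, previous_boot, new_boot) for each scan in which the
    boot time moved later by more than `tolerance`.  Nmap derives uptime from
    the target's TCP timestamp counter, so two estimates of the same boot can
    differ by seconds; the tolerance (assumed) stops that drift from counting
    as a reboot."""
    events = []
    prev_boot = None
    for seen_at, boot in boot_times(scan_log):
        if prev_boot is not None and boot - prev_boot > tolerance:
            events.append((seen_at, prev_boot, boot))
        prev_boot = boot
    return events


def reboot_pattern(scan_log):
    """One-line verdict in the spirit of the A/B/C list: how many reboots were
    seen and at which hours of the day the box came back up."""
    events = detect_reboots(scan_log)
    if not events:
        return "no reboot observed"
    hours = sorted(new_boot.hour for _, _, new_boot in events)
    return "%d reboot(s) observed, booting at hours %s" % (len(events), hours)


if __name__ == "__main__":
    for seen_at, old, new in detect_reboots(SCAN_LOG):
        print("%s: reboot, boot time moved %s -> %s" % (seen_at, old, new))
    print(reboot_pattern(SCAN_LOG))
```

Run it against your own scan history: a box that keeps coming back up in the early morning is being switched off at night (case B), while boot times scattered through the working day point at crashes (cases A and C).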

This scan gives you a chance to see what your BT box looks like on the net. This is how others may "see" you.
