
Nmap help


ghost:

Hello, I am trying to use nmap to see what ports are open etc on a PC on my network.

I do the simple "nmap ipaddress". It says that all of the 1670 ports scanned are filtered - what does this mean please? And I get a MAC address - I have heard this is quite useful and that you can do stuff with it, but after research I could not find anything.

Cheers anyone


ghost:

It means those 1670 ports are checked to make sure what's connecting to them, I THINK. But there are 65535 ports I think, so it means little really; what you are looking for is open ports running services.


ghost:

An easier port scanner is SuperScan 3 (don't like 4). But in my opinion nmap is much better than SuperScan.


ghost:

Blues Port Scanner I reckon is the best; I'm not sure of the name though.


ghost:

I have actually been trying quite a few of these scanners, and yes, it is Blues Port Scanner.

SuperScan 3 gives two open ports: 80 and 110, which are HTTP and POP3.

I guess now I've got to try and find some exploits for these, or could I telnet to one of these? Cheers


ghost:

Well, telnetting to an open port won't help unless it has a service with a vulnerability.


ghost:

Fair enough, how would I find a service with a vulnerability? So you mean if I telnetted to these ports and IP then it would only be of use if I found a vulnerability there; is this the right idea? Thanks


ghost:

Thanks for the good links, I had a look around on the first one; did not see many exploits for 110, but lots for 80.

I'm a newbie to this really. When I telnet or raw using PuTTY to the IP address of a different PC on my network at port 80 it does not give me any banners; should it?

I'm trying to understand how this works by using my own network. Is there a way I can free up more ports than shown above on the PC I'm targeting?


ghost:

I'm not an expert on these, but I'm pretty sure that those are mostly for servers running websites, but then I'm not an expert.


ghost:

Can you give me an example of a very simple exploit for port 80 if you know one.

And what would be the reason for only two ports showing up on nmap for a computer on my network? Feel like I'm getting nowhere.

thanks


n3w7yp3 (Member):

Okay, when you run nmap, it scans the IANA known ports, and the ports found in the nmap-services file (about 1670 by default).

So, yes, it checked 1670 ports. If you want it to check all ports, give the argument -p0- ; that will check from 0 to 65535. However, it will also take longer.

Now, regarding the state: closed means that it returned an RST/ACK. Open indicates the return of a SYN/ACK, and filtered means that it is filtered. This usually indicates a firewall, although it can be a sign that there is a device that simply filters packets with a certain flag set (eg: a router 1 or 2 hops before the target that drops all packets with the SYN flag set).

If a port is reported as filtered, it probably either:

  1. returned an ICMP Code 13 message (Prohibited), or
  2. didn't return anything.

There is also a 4th state, unfiltered. You only get this if you do an ACK scan (or something else designed to elicit RST replies from the target) and if most of the ports scanned were filtered (as best as nmap can tell).

I'd say if you're new, stick with TCP connect() (-sT) or SYN stealth (-sS). The others can be somewhat confusing, especially when a FIN scan says a port is open, and yet you can't telnet (or otherwise connect) to the port.

BTW, if you really want to map out rulesets, take a look at firewalk, hping2, and the --scanflags option of nmap.


n3w7yp3 (Member):

Okay, sorry about the double post, but my first one was getting long.

Okay, with a MAC address, you can implement a man in the middle attack. This is only useful on a LAN or a WAN, and probably won't help you much in this situation. (If you want more info on a MiTM attack, PM me. Or if enough people want to know about it, I'll post how to do a simple one on here.)

As for banners, if you telnet to port 80 and type:

HEAD / HTTP/1.0

The server will reply with its version. That is needed to run an exploit against it. If the banner says Apache 2.0.54, an IIS unicode exploit will not work. So, use your head.

POP3 (Post Office Protocol 3) runs on 110. This is what most non-technical users use to retrieve email. Telnetting to port 110 will not turn up anything that appears to be useful, but say you know the person's account (john@example.com); you can then either read their email or bruteforce the password (which I will not cover).

To use the username and password to login, you'd connect and type:

USER john
PASS password

And then you can use the RETR command to read the emails and LIST to view a list of emails in the inbox.

BTW, if you want to make nmap grab banners use the -sV option.

And as for a sample exploit, it's not gonna do you any good if we show you one, 'cause like I said, say I showed you how to do an IIS uudecode exploit against a Windows 2000 box, and you're attacking a Linux box with Apache 1.3.32. Not gonna work.

wolfmankurd: personally, I telnet to all the open ports I find. you'd be amazed at what you can get simply by connecting. For instance, you can connect a Cisco router to a remote X server if you know what you're doing ;)
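Added example, not from the thread: a small Python connect scanner that maps what the socket does onto the open/closed/filtered states n3w7yp3 describes, plus the "HEAD / HTTP/1.0" banner grab and a parser that pulls the Server: header out of the reply. It assumes a host on your own network, like the original poster's, and the sample response is constructed.

```python
import socket


def classify_tcp_port(host, port, timeout=2.0):
    """Connect-scan one port (nmap -sT style) and name the state nmap would.

    open     -> the handshake completed, i.e. a SYN/ACK came back
    closed   -> the host answered with RST (connection refused)
    filtered -> nothing came back before the timeout, or an ICMP error
                such as "administratively prohibited" (dropped or blocked)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "filtered"  # ICMP unreachable/prohibited surfaces as a generic OSError
    finally:
        s.close()


def http_head_banner(host, port=80, timeout=3.0):
    """Send the HEAD request from the thread and return the raw response text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def server_header(raw_response):
    """Return the value of the Server: header from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


# Constructed sample reply, the kind an Apache 2.0.54 host would send to the HEAD request.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
                   "Server: Apache/2.0.54 (Unix)\r\nContent-Type: text/html\r\n\r\n")
```

To check a live box on your LAN, call http_head_banner(host) and feed the result to server_header.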