Results 1 to 7 of 7

Thread: Nmap results

  1. #1
    Junior Member
    Join Date
    Sep 2003

    Unhappy Nmap results

    Hi, I have just found a GUI version of nmap on my system so decided to use it against my self to see what happened.

    Im not really into port scanning as ive never needed to do it and it doesnt really intrest me.
    Im more of a PC repair + maintainance person.

    The results I got are as follows:


    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-30 23:08 BST
    Host localhost ( appears to be up ... good.
    Initiating Connect() Scan against localhost ( at 23:08
    Adding open port 111/tcp
    Adding open port 631/tcp
    Adding open port 25/tcp
    Adding open port 6000/tcp
    The Connect() Scan took 2 seconds to scan 65535 ports.
    Initiating service scan against 4 services on 1 host at 23:08
    The service scan took 5 seconds to scan 4 services on 1 host.
    Initiating RPCGrind Scan against localhost ( at 23:08
    The RPCGrind Scan took 0 seconds to scan 1 ports.
    For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
    Interesting ports on localhost (
    (The 65531 ports scanned but not shown below are in state: closed)
    25/tcp open smtp Postfix smtpd
    111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
    631/tcp open ipp CUPS 1.1
    6000/tcp open X11 (access denied)
    Device type: general purpose
    Running: Linux 2.4.X
    OS details: Linux Kernel 2.4.19 - 2.4.20
    OS Fingerprint:

    Uptime 0.132 days (since Wed Jun 30 19:58:56 2004)
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=3490917 (Good luck!)
    TCP ISN Seq. Numbers: 1B774AAC 1C310F39 1BD8958B 1BB18517 1C0D704A 1C36438F
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 12.283 seconds

    I understand the open ports and the services running on them an stuff but I am totally confused by the T1 -T7 lines aswell as the TCP ISN Seq. Numbers: 1B774......etc.???????

    Could someone be kind enough to maybe interperate what all this means and if there is a sercurity implication to this?!?

    Thank you very much in advance to anyone who can help me!!

    edit// I forgot to say; this is the string I used: nmap -sT -sR -sV -I -O -PI -PP -PM -vv

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Did you sanitize those results? I didn't think NMap ran against localhost, (
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Junior Member
    Join Date
    Sep 2003
    No, it is cut and pasted straight from the window.

    I am behind a router, so im not sure if would be me or the router.
    But saying that it has recongnised the Linux OS so I guess it would be me.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    but I am totally confused by the T1 -T7 lines aswell as the TCP ISN Seq. Numbers: 1B774......etc.???????

    The T1 through T7 lines are tests (test/response) that NMAP runs in attempt to fingerprint the remote host. For example, a Windows NT4 box will produce a certain pattern of responses during these tests and thus, NMAP will return WinNT4 as the guessed OS. Though these tests are accurate, they are not perfect.

    (ISN = Initial Sequence Number)
    Sequence number guessing is another method NMAP uses to fingerprint the remote host. IPID stands for IP identification number. Fire up a sniffer and you can see this info in the data collected. Note that different OSes place different info (if any) in this field.

    Windows used to use sequential TCP/IP sequence numbers and thus, the information was used by NMAP to fingerprint the OS. Sequential sequence numbers used to/can be used for far more awful things. Just look at the zombie scan feature in NMAP for an example.

    Other uses include exposing the number of packets sent by a host over a given period. This can be used to estimate web site traffic, determine when people log on, OS detection, firewall rules, load balancer detection, interface guessing, etc.

    Here is Fyodor, the NMAP developer has to say about ISN and IPID techniques: FINGERPRINTING METHODOLOGY

    TCP ISN Sampling -- The idea here is to find patterns in the initial
    sequence numbers chosen by TCP implementations when responding to
    a connection request. These can be categorized in to many groups
    such as the traditional 64K (many old UNIX boxes), Random
    increments (newer versions of Solaris, IRIX, FreeBSD, Digital
    UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
    newer AIX, etc). Windows boxes (and a few others) use a "time
    dependent" model where the ISN is incremented by a small fixed
    amount each time period. Needless to say, this is almost as
    easily defeated as the old 64K behavior. Of course my favorite
    technique is "constant". The machines ALWAYS use the exact same
    ISN . I've seen this on some 3Com hubs (uses 0x803) and Apple
    LaserWriter printers (uses 0xC7001).

    You can also subclass groups such as random incremental by
    computing variances, greatest common divisors, and other functions
    on the set of sequence numbers and the differences between the
    numbers. It should be noted that ISN generation has important
    security implications. Nmap is the first program I have seen to
    use this for OS identification.

    IPID sampling -- Most operating systems increment a system-wide IPID
    value for each packet they send. Others, such as OpenBSD, use a
    random IPID and some systems (like Linux) use an IPID of 0 in
    many cases where the "Donn't Fragment" bit is not set. Windows
    does not put the IPID in network byte order, so it increments by
    256 for each packet. Nmap also has categories for constant,
    random positive integral, and unknown sequence classes.
    Predictable IPID sequences have important security consequences
    beyond OS detection. The Nmap "Idlescan" (-sI) feature is one
    such example.

    Anyway, just back from vacation and I'm trying to shake the sand outta my ears. Hope this helps you out.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Mar 2002
    The tcpip sequence numbers are used in syn, syn/ack, ack transmissions.

    The main purpose of 'guessing' these would be for a session hijack or spoof attempt.
    I wrote a tutorial a while ago about session hijacking and spoofing, talked quite a bit about these sequence numbers.

  6. #6
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Originally posted here by djplaya216921
    YEs its stuff about the routing with your cpu to ur computer but more detailed how ever u should not post that around places cuz belive it or not people can traces these or just take wut u said and crack ur computer open or give u a virus

    How can you trace (localhost) ?

    /me goes off to trace cdstomper's localhost and cracks it open, then gives him a virus for his linux OS
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  7. #7
    Junior Member
    Join Date
    Apr 2004
    hmmmm... when I try to run nmap aginst my loopback I get this:

    C:\nmap>nmap -O

    Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 10:44 Mountain
    Daylight Time
    rawrecv_open: SIO_RCVALL failed (10022) on device loopback0



    did I need any of those other flags to force it to scan its own home?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts