
Thread: Nmap results

  1. #1
    Junior Member
    Join Date: Sep 2003
    Posts: 29

    Nmap results

    Hi, I have just found a GUI version of nmap on my system so decided to use it against myself to see what happened.

    I'm not really into port scanning as I've never needed to do it and it doesn't really interest me.
    I'm more of a PC repair and maintenance person.

    The results I got are as follows:

    ---------------------------------------------------------------------------------------------------------------------------------------------------

    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-30 23:08 BST
    Host localhost (127.0.0.1) appears to be up ... good.
    Initiating Connect() Scan against localhost (127.0.0.1) at 23:08
    Adding open port 111/tcp
    Adding open port 631/tcp
    Adding open port 25/tcp
    Adding open port 6000/tcp
    The Connect() Scan took 2 seconds to scan 65535 ports.
    Initiating service scan against 4 services on 1 host at 23:08
    The service scan took 5 seconds to scan 4 services on 1 host.
    Initiating RPCGrind Scan against localhost (127.0.0.1) at 23:08
    The RPCGrind Scan took 0 seconds to scan 1 ports.
    For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
    Interesting ports on localhost (127.0.0.1):
    (The 65531 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE OWNER VERSION
    25/tcp open smtp Postfix smtpd
    111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
    631/tcp open ipp CUPS 1.1
    6000/tcp open X11 (access denied)
    Device type: general purpose
    Running: Linux 2.4.X
    OS details: Linux Kernel 2.4.19 - 2.4.20
    OS Fingerprint:
    TSeq(Class=RI%gcd=1%SI=354465%IPID=I%TS=100HZ)
    T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
    PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

    Uptime 0.132 days (since Wed Jun 30 19:58:56 2004)
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=3490917 (Good luck!)
    TCP ISN Seq. Numbers: 1B774AAC 1C310F39 1BD8958B 1BB18517 1C0D704A 1C36438F
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 12.283 seconds
    -------------------------------------------------------------------------------------------------------------------------------------------------

    I understand the open ports and the services running on them and stuff, but I am totally confused by the T1-T7 lines as well as the TCP ISN Seq. Numbers: 1B774... etc.

    Could someone be kind enough to interpret what all this means and whether there is a security implication to this?

    Thank you very much in advance to anyone who can help me!

    edit// I forgot to say: this is the command string I used: nmap -sT -sR -sV -I -O -PI -PP -PM -vv 127.0.0.1

  2. #2
    AO Ancient: Team Leader
    Join Date: Oct 2002
    Posts: 5,197

    Did you sanitize those results? I didn't think NMap ran against localhost, (127.0.0.1).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Junior Member
    Join Date: Sep 2003
    Posts: 29

    No, it is cut and pasted straight from the window.

    I am behind a router, so I'm not sure if 127.0.0.1 would be me or the router.
    But saying that, it has recognised the Linux OS, so I guess it would be me.

  4. #4
    thehorse13, Master-Jedi-Pimps0r & Moderator
    Join Date: Dec 2002
    Location: Washington D.C. area
    Posts: 2,885

    Originally posted by the thread starter:
    but I am totally confused by the T1-T7 lines as well as the TCP ISN Seq. Numbers: 1B774... etc.

    The T1 through T7 lines are tests (test/response) that NMAP runs in an attempt to fingerprint the remote host. For example, a Windows NT4 box will produce a certain pattern of responses during these tests and thus NMAP will return WinNT4 as the guessed OS. Though these tests are accurate, they are not perfect.

    (ISN = Initial Sequence Number)
    Sequence number guessing is another method NMAP uses to fingerprint the remote host. IPID stands for IP identification number. Fire up a sniffer and you can see this info in the data collected. Note that different OSes place different info (if any) in this field.

    Windows used to use sequential TCP/IP sequence numbers and thus, the information was used by NMAP to fingerprint the OS. Sequential sequence numbers used to/can be used for far more awful things. Just look at the zombie scan feature in NMAP for an example.

    Other uses include exposing the number of packets sent by a host over a given period. This can be used to estimate web site traffic, determine when people log on, OS detection, firewall rules, load balancer detection, interface guessing, etc.

    Here is what Fyodor, the NMAP developer, has to say about ISN and IPID techniques, under FINGERPRINTING METHODOLOGY:

    TCP ISN Sampling -- The idea here is to find patterns in the initial
    sequence numbers chosen by TCP implementations when responding to
    a connection request. These can be categorized in to many groups
    such as the traditional 64K (many old UNIX boxes), Random
    increments (newer versions of Solaris, IRIX, FreeBSD, Digital
    UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
    newer AIX, etc). Windows boxes (and a few others) use a "time
    dependent" model where the ISN is incremented by a small fixed
    amount each time period. Needless to say, this is almost as
    easily defeated as the old 64K behavior. Of course my favorite
    technique is "constant". The machines ALWAYS use the exact same
    ISN . I've seen this on some 3Com hubs (uses 0x803) and Apple
    LaserWriter printers (uses 0xC7001).

    You can also subclass groups such as random incremental by
    computing variances, greatest common divisors, and other functions
    on the set of sequence numbers and the differences between the
    numbers. It should be noted that ISN generation has important
    security implications. Nmap is the first program I have seen to
    use this for OS identification.

    IPID sampling -- Most operating systems increment a system-wide IPID
    value for each packet they send. Others, such as OpenBSD, use a
    random IPID and some systems (like Linux) use an IPID of 0 in
    many cases where the "Don't Fragment" bit is not set. Windows
    does not put the IPID in network byte order, so it increments by
    256 for each packet. Nmap also has categories for constant,
    random positive integral, and unknown sequence classes.
    Predictable IPID sequences have important security consequences
    beyond OS detection. The Nmap "Idlescan" (-sI) feature is one
    such example.

    Anyway, just back from vacation and I'm trying to shake the sand outta my ears. Hope this helps you out.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
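To make the ISN and IPID classes in the quoted text concrete, here is an added example (mine, not code from Nmap or from anyone in this thread) that runs the same kind of statistics over the six ISNs from the scan output in the first post: wrap-aware increments, their greatest common divisor and standard deviation, a class heuristic, the matching IPID classes (including the Windows "+256 per packet" quirk), and the idle-scan inference that predictable IPIDs make possible. The class labels and thresholds are my own approximations of the categories Fyodor describes, not Nmap's exact code; one data point worth knowing is that the population standard deviation of the absolute increments comes out at 3490917, which is the Difficulty figure nmap 3.50 printed above, and the gcd comes out at 1 as printed in the TSeq line.

```python
from functools import reduce
from math import gcd, sqrt

# The six ISNs reported in the scan output quoted in the first post.
ISNS = [0x1B774AAC, 0x1C310F39, 0x1BD8958B, 0x1BB18517, 0x1C0D704A, 0x1C36438F]

def wrapped_diffs(values, bits=32):
    """Signed difference between consecutive values, measured the short way
    round the 2**bits ring so that a counter wrapping past 0 still looks like
    a small positive step."""
    mod, half = 1 << bits, 1 << (bits - 1)
    out = []
    for a, b in zip(values, values[1:]):
        d = (b - a) % mod
        out.append(d - mod if d >= half else d)
    return out

def isn_stats(isns):
    """(gcd, mean, population stddev) of the absolute ISN increments."""
    steps = [abs(d) for d in wrapped_diffs(isns)]
    g = reduce(gcd, steps)
    mean = sum(steps) / len(steps)
    stddev = sqrt(sum((s - mean) ** 2 for s in steps) / len(steps))
    return g, mean, stddev

def classify_isn(isns):
    """ISN classes from the quoted text; the thresholds are mine, not Nmap's."""
    if len(set(isns)) == 1:
        return "C"     # constant: the same ISN every time (the 3Com / LaserWriter case)
    g, mean, stddev = isn_stats(isns)
    if g % 64000 == 0:
        return "64K"   # old BSD style: every step a multiple of 64000
    if stddev < 0.02 * mean:
        return "TD"    # time dependent: nearly fixed step per interval
    if mean < (1 << 28):
        return "RI"    # random positive increments: random steps, small next to 2**32
    return "TR"        # true random: steps look like fresh 32-bit values

def classify_ipid(ipids):
    """IPID classes from the quoted text (labels are mine): Z all zero, C constant,
    I incremental by one, BI incremental by 256 (the Windows byte-order quirk), RD random."""
    if all(v == 0 for v in ipids):
        return "Z"
    steps = wrapped_diffs(ipids, bits=16)
    if all(s == 0 for s in steps):
        return "C"
    if all(0 < s <= 10 for s in steps):
        return "I"
    if all(s > 0 and s % 256 == 0 and s <= 2560 for s in steps):
        return "BI"
    return "RD"

def idle_scan_verdict(zombie_before, zombie_after, step=1):
    """Idle scan (-sI) inference: between two probes of the zombie we sent the target
    one SYN spoofed from the zombie. An open target port answers SYN/ACK, the zombie
    RSTs it and burns one extra IPID; a closed port answers RST, which the zombie ignores.
    step is the zombie's per-packet IPID increment (1, or 256 for the Windows quirk)."""
    moved = wrapped_diffs([zombie_before, zombie_after], bits=16)[0]
    if moved == 2 * step:
        return "open"
    if moved == step:
        return "closed|filtered"
    return "unknown"   # zombie was not idle, or it is not an incremental-IPID host

if __name__ == "__main__":
    g, mean, sd = isn_stats(ISNS)
    print("steps:", wrapped_diffs(ISNS))
    print("class %s, gcd %d, stddev %d" % (classify_isn(ISNS), g, sd))
```

The "unknown" branch of `idle_scan_verdict` is the practical caveat: the whole technique assumes the zombie sends nothing else between the two probes, so a busy host, or one with random or zero IPIDs, gives no usable answer.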

  5. #5
    Senior Member
    Join Date: Mar 2002
    Posts: 442

    The TCP/IP sequence numbers are used in the SYN, SYN/ACK, ACK transmissions.

    The main purpose of 'guessing' these would be for a session hijack or spoof attempt.
    I wrote a tutorial a while ago about session hijacking and spoofing, talked quite a bit about these sequence numbers.
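Why guessing the sequence number is what a spoofer needs, as an added toy simulation (mine; it is not from the tutorial mentioned above and not Nmap code): a blind spoofer never sees the SYN/ACK that the server sends to the forged source address, so to finish the handshake it must supply an ACK number equal to the server's ISN + 1 without having seen that ISN. The simulation samples two legitimate handshakes, predicts the next ISN by assuming the step repeats, and sends a spoofed SYN plus a predicted ACK. The ISN schemes mirror the classes named in the previous posts; the step sizes and the one-tick-per-SYN clock are constructed for illustration, not measured from any real stack.

```python
import random

MOD = 1 << 32

def wrapped_diff(a, b, bits=32):
    """Signed distance from a to b the short way round the 2**bits ring."""
    mod, half = 1 << bits, 1 << (bits - 1)
    d = (b - a) % mod
    return d - mod if d >= half else d

class ToyServer:
    """Toy TCP peer: hands out an ISN per SYN and accepts the third handshake
    packet only if its ACK number equals that ISN + 1. The generator schemes
    mirror the classes discussed above; step sizes are illustrative."""
    def __init__(self, scheme, seed=1):
        self.scheme = scheme
        self.rng = random.Random(seed)
        self.isn = self.rng.getrandbits(32)
        self.pending = {}            # connection id -> ISN we put in the SYN/ACK

    def _next_isn(self):
        if self.scheme == "C":       # constant: the same ISN every time
            pass
        elif self.scheme == "64K":   # old BSD style: +64000 per connection
            self.isn = (self.isn + 64000) % MOD
        elif self.scheme == "TD":    # time dependent: fixed step per clock tick (one tick per SYN here)
            self.isn = (self.isn + 125000) % MOD
        elif self.scheme == "RI":    # random positive increments
            self.isn = (self.isn + self.rng.randrange(1, 1 << 24)) % MOD
        elif self.scheme == "TR":    # true random
            self.isn = self.rng.getrandbits(32)
        else:
            raise ValueError(self.scheme)
        return self.isn

    def recv_syn(self, conn_id):
        """A SYN arrives: remember and return the ISN carried in our SYN/ACK."""
        isn = self._next_isn()
        self.pending[conn_id] = isn
        return isn

    def recv_ack(self, conn_id, ack_number):
        """Third packet: the connection is established only if it acknowledges ISN + 1."""
        isn = self.pending.pop(conn_id, None)
        return isn is not None and ack_number == (isn + 1) % MOD

def blind_spoof(server, conn_id):
    """Attacker flow: two legitimate handshakes to sample ISNs, then a spoofed SYN whose
    SYN/ACK the attacker never sees, answered with a predicted ACK number."""
    s1 = server.recv_syn(("attacker", 1))
    server.recv_ack(("attacker", 1), (s1 + 1) % MOD)
    s2 = server.recv_syn(("attacker", 2))
    server.recv_ack(("attacker", 2), (s2 + 1) % MOD)
    predicted = (s2 + wrapped_diff(s1, s2)) % MOD   # assume the last step repeats
    server.recv_syn(conn_id)                        # spoofed SYN; the SYN/ACK goes to the forged source
    return server.recv_ack(conn_id, (predicted + 1) % MOD)

def success_rate(scheme, trials=100):
    """Fraction of trials in which the blind spoof completes the handshake."""
    wins = 0
    for i in range(trials):
        wins += blind_spoof(ToyServer(scheme, seed=i), ("spoofed", i))
    return wins / trials

if __name__ == "__main__":
    for scheme in ("C", "64K", "TD", "RI", "TR"):
        print("%-4s %.2f" % (scheme, success_rate(scheme)))
```

Constant, 64K and time-dependent generators are defeated every time from two samples; random-increment and true-random generators bring the spoofer's odds down to one guess in 2^24 or 2^32 per attempt. A real blind spoof also has to keep the impersonated host from answering the unexpected SYN/ACK with a RST, which is why the classic attack of this kind paired ISN prediction with a SYN flood against the trusted host; the simulation leaves that part out.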

  6. #6
    instronics, Antionline's Security Dude
    Join Date: Dec 2002
    Posts: 901

    Originally posted here by djplaya216921
    Yes, it's stuff about the routing with your CPU to your computer but more detailed; however, you should not post that around places because, believe it or not, people can trace these or just take what you said and crack your computer open or give you a virus.

    How can you trace 127.0.0.1 (localhost) ?


    /me goes off to trace cdstomper's localhost and cracks it open, then gives him a virus for his linux OS
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  7. #7
    Junior Member
    Join Date: Apr 2004
    Posts: 14

    Hmmmm... when I try to run nmap against my loopback I get this:


    C:\nmap>nmap -O 127.0.0.1

    Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 10:44 Mountain
    Daylight Time
    rawrecv_open: SIO_RCVALL failed (10022) on device loopback0

    QUITTING!

    c:\nmap>

    Did I need any of those other flags to force it to scan its own home?
