Scanning and OS Fingerprinting
Here we will look at a lab in which we are connected to an environment where we have to enumerate the devices in the network and use some of the nmap switches to find the OS running on each host.
Description
In this lab you will be connected to an enterprise network with some clients and servers. You have to map the network.
Goals
Run a ping scan with fping
Run a ping scan with nmap, do you find any differences? Can you tell why?
Perform a SYN scan against the targets. Identify clients and servers
Identify the version of every daemon listening on the network
Identify, if it is possible, the operating system running on each host
Tools
The best tools for this lab are:
fping
nmap
Solutions
Let's verify that we are connected to the enterprise environment by checking the IP address.
We now know that we are connected to the network with IP 10.142.111.240/24.
So now I'll do a ping sweep to detect the other devices present in the network:
──(kali㉿kali)-[~]
└─$ fping -a -g 10.142.111.0/24 2>/dev/null
10.142.111.1
10.142.111.6
10.142.111.48
10.142.111.96
10.142.111.99
10.142.111.100
10.142.111.240
┌──(kali㉿kali)-[~]
These are the hosts that were present in the network.
Now we will run a ping scan on the same network with the nmap ping scan (-sn), as shown below:
nmap -sn 10.142.111.0/24
┌──(kali㉿kali)-[~]
└─$ nmap -sn 10.142.111.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 14:25 EDT
Nmap scan report for 10.142.111.1
Host is up (0.42s latency).
Nmap scan report for 10.142.111.6
Host is up (0.42s latency).
Nmap scan report for 10.142.111.48
Host is up (0.32s latency).
Nmap scan report for 10.142.111.96
Host is up (0.31s latency).
Nmap scan report for 10.142.111.99
Host is up (0.31s latency).
Nmap scan report for 10.142.111.100
Host is up (0.32s latency).
Nmap scan report for 10.142.111.213
Host is up (0.31s latency).
Nmap scan report for 10.142.111.240
Host is up (0.0018s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 13.19 seconds
┌──(kali㉿kali)-[~]
└─$
Now that we know the devices present in the network, let's go ahead and perform a SYN scan on them. Note the difference between the two sweeps: nmap reports 8 hosts up where fping listed 7, the extra one being 10.142.111.213. fping relies on ICMP echo replies alone, whereas nmap -sn also sends TCP probes to ports 80 and 443 (and uses ARP requests when run as root on the local segment), so a host that ignores ICMP can still show up in the nmap sweep.
In order to perform a SYN scan we need root permissions, so make sure to use sudo if you are not running as root.
Please note that the SYN scan takes a little longer to run, as it is stealthy 🤫.
-sS -- SYN scan
-vv -- very verbose output
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS 10.142.111.1,6,48,96,99,100 -vv
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 14:32 EDT
Initiating ARP Ping Scan at 14:32
Scanning 6 hosts [1 port/host]
Completed ARP Ping Scan at 14:32, 1.00s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 14:32
Completed Parallel DNS resolution of 6 hosts. at 14:32, 0.06s elapsed
Initiating SYN Stealth Scan at 14:32
Scanning 6 hosts [1000 ports/host]
Discovered open port 22/tcp on 10.142.111.6
Discovered open port 22/tcp on 10.142.111.99
Discovered open port 22/tcp on 10.142.111.1
Discovered open port 3389/tcp on 10.142.111.48
Discovered open port 445/tcp on 10.142.111.48
Discovered open port 135/tcp on 10.142.111.48
Discovered open port 139/tcp on 10.142.111.48
Discovered open port 80/tcp on 10.142.111.96
Discovered open port 80/tcp on 10.142.111.99
Discovered open port 53/tcp on 10.142.111.99
Discovered open port 80/tcp on 10.142.111.1
Discovered open port 53/tcp on 10.142.111.1
SYN Stealth Scan Timing: About 18.14% done; ETC: 14:35 (0:02:20 remaining)
SYN Stealth Scan Timing: About 25.71% done; ETC: 14:36 (0:02:56 remaining)
SYN Stealth Scan Timing: About 39.79% done; ETC: 14:37 (0:02:36 remaining)
SYN Stealth Scan Timing: About 55.83% done; ETC: 14:36 (0:01:45 remaining)
SYN Stealth Scan Timing: About 69.23% done; ETC: 14:36 (0:01:12 remaining)
SYN Stealth Scan Timing: About 78.43% done; ETC: 14:36 (0:00:53 remaining)
Completed SYN Stealth Scan against 10.142.111.6 in 224.26s (5 hosts left)
Completed SYN Stealth Scan against 10.142.111.96 in 227.70s (4 hosts left)
Completed SYN Stealth Scan against 10.142.111.48 in 229.18s (3 hosts left)
Completed SYN Stealth Scan against 10.142.111.100 in 229.78s (2 hosts left)
Completed SYN Stealth Scan against 10.142.111.1 in 247.12s (1 host left)
Completed SYN Stealth Scan at 14:36, 247.93s elapsed (6000 total ports)
Nmap scan report for 10.142.111.1
Host is up, received arp-response (0.56s latency).
Scanned at 2021-08-19 14:32:45 EDT for 248s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 00:50:56:A2:0C:BA (VMware)
Nmap scan report for 10.142.111.6
Host is up, received arp-response (0.67s latency).
Scanned at 2021-08-19 14:32:45 EDT for 225s
Not shown: 999 closed ports
Reason: 999 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
MAC Address: 00:50:56:A2:0C:0D (VMware)
Nmap scan report for 10.142.111.48
Host is up, received arp-response (0.50s latency).
Scanned at 2021-08-19 14:32:45 EDT for 230s
Not shown: 996 closed ports
Reason: 996 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 128
139/tcp open netbios-ssn syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
3389/tcp open ms-wbt-server syn-ack ttl 128
MAC Address: 00:50:56:A2:6F:BF (VMware)
Nmap scan report for 10.142.111.96
Host is up, received arp-response (0.53s latency).
Scanned at 2021-08-19 14:32:45 EDT for 228s
Not shown: 999 closed ports
Reason: 999 resets
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 00:50:56:A2:93:F4 (VMware)
Nmap scan report for 10.142.111.99
Host is up, received arp-response (0.51s latency).
Scanned at 2021-08-19 14:32:45 EDT for 249s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 00:50:56:A2:37:9C (VMware)
Nmap scan report for 10.142.111.100
Host is up, received arp-response (0.55s latency).
All 1000 scanned ports on 10.142.111.100 are closed because of 1000 resets
MAC Address: 00:50:56:A2:93:F4 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 6 IP addresses (6 hosts up) scanned in 249.37 seconds
Raw packets sent: 8318 (365.896KB) | Rcvd: 4337 (174.320KB)
┌──(kali㉿kali)-[~]
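As an added example (not part of the original write-up), the script below works through the first three goals from the sweeps and the SYN scan shown above: it lists which hosts only one sweep found, and reads the per-port reply TTLs and the "Not shown" state of each report to separate servers from clients and give a first OS-family guess. The host sets and the report excerpt are constructed from the output on this page; parse_syn_scan, classify and the other names are my own.

```python
import re

# Constructed host sets, taken from the fping and nmap -sn sweeps above.
FPING_HOSTS = {"10.142.111.1", "10.142.111.6", "10.142.111.48", "10.142.111.96",
               "10.142.111.99", "10.142.111.100", "10.142.111.240"}
NMAP_SN_HOSTS = FPING_HOSTS | {"10.142.111.213"}

# Constructed excerpt in the shape of the -sS -vv report above (three of the hosts).
SYN_SCAN_OUTPUT = """\
Nmap scan report for 10.142.111.1
Not shown: 997 filtered ports
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
Nmap scan report for 10.142.111.48
Not shown: 996 closed ports
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
3389/tcp open ms-wbt-server syn-ack ttl 128
Nmap scan report for 10.142.111.100
All 1000 scanned ports on 10.142.111.100 are closed because of 1000 resets
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: \d+ (filtered|closed) ports")
ALL_CLOSED_RE = re.compile(r"^All \d+ scanned ports on \S+ are closed")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+syn-ack(?:\s+ttl\s+(\d+))?")


def sweep_difference(fping_hosts, nmap_hosts):
    """Hosts one sweep found and the other missed. fping relies on ICMP echo
    replies alone; nmap -sn also sends TCP probes (and ARP requests as root on
    the local segment), so a host that ignores ICMP only appears in nmap's list."""
    return {"nmap_only": sorted(nmap_hosts - fping_hosts),
            "fping_only": sorted(fping_hosts - nmap_hosts)}


def parse_syn_scan(text):
    """Per host: open ports with service name and reply TTL, plus the state
    ('closed' or 'filtered') that the unlisted ports were in."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"ports": [], "rest": None})
        elif cur is None:
            continue
        elif m := NOT_SHOWN_RE.match(line):
            cur["rest"] = m.group(1)
        elif ALL_CLOSED_RE.match(line):
            cur["rest"] = "closed"
        elif m := PORT_RE.match(line):
            cur["ports"].append((int(m.group(1)), m.group(2), int(m.group(3) or 0)))
    return hosts


def os_family_from_ttl(ttl):
    """Initial-TTL heuristic: Linux/BSD stacks start at 64, Windows at 128. Every
    host here answered ARP (one hop away), so the reply TTL is the initial value;
    across routers subtract the hop count first."""
    if ttl == 0:
        return "unknown"
    return "Windows" if ttl > 64 else "Linux/BSD"


def classify(hosts):
    """A listening daemon makes a host a server, nothing listening makes it a client.
    'filtered' means a packet filter dropped our SYNs, so the host is hidden, not idle."""
    result = {}
    for host, info in hosts.items():
        ttls = {ttl for _, _, ttl in info["ports"]}
        family = os_family_from_ttl(ttls.pop()) if len(ttls) == 1 else "unknown"
        result[host] = {"role": "server" if info["ports"] else "client",
                        "os_family": family,
                        "firewalled": info["rest"] == "filtered",
                        "services": [svc for _, svc, _ in info["ports"]]}
    return result


if __name__ == "__main__":
    print(sweep_difference(FPING_HOSTS, NMAP_SN_HOSTS))
    for host, summary in classify(parse_syn_scan(SYN_SCAN_OUTPUT)).items():
        print(host, summary)
```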
Now that we have the results from the SYN scan, we will go ahead and try to determine the OS and the service versions running on the above hosts, using -sV and -O; let's also use the -A option.
-sV -- version detection
-O -- OS detection
-A -- aggressive scan: enables OS detection, version detection, the default NSE script scan and traceroute in one switch
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -O -A 10.142.111.1,6,48,96,99,100 -vv
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 14:42 EDT
NSE: Loaded 154 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:42
Completed NSE at 14:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:42
Completed NSE at 14:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:42
Completed NSE at 14:42, 0.00s elapsed
Initiating ARP Ping Scan at 14:42
Scanning 6 hosts [1 port/host]
Completed ARP Ping Scan at 14:42, 0.86s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 14:42
Completed Parallel DNS resolution of 6 hosts. at 14:42, 0.04s elapsed
Initiating SYN Stealth Scan at 14:42
Scanning 6 hosts [1000 ports/host]
Discovered open port 3389/tcp on 10.142.111.48
Discovered open port 139/tcp on 10.142.111.48
Discovered open port 445/tcp on 10.142.111.48
Discovered open port 22/tcp on 10.142.111.6
Discovered open port 135/tcp on 10.142.111.48
Discovered open port 80/tcp on 10.142.111.96
Discovered open port 53/tcp on 10.142.111.1
Discovered open port 53/tcp on 10.142.111.99
Discovered open port 22/tcp on 10.142.111.99
Discovered open port 22/tcp on 10.142.111.1
Discovered open port 80/tcp on 10.142.111.99
Discovered open port 80/tcp on 10.142.111.1
SYN Stealth Scan Timing: About 27.97% done; ETC: 14:44 (0:01:20 remaining)
SYN Stealth Scan Timing: About 44.04% done; ETC: 14:45 (0:01:37 remaining)
SYN Stealth Scan Timing: About 60.00% done; ETC: 14:45 (0:01:21 remaining)
SYN Stealth Scan Timing: About 72.81% done; ETC: 14:45 (0:00:56 remaining)
Completed SYN Stealth Scan against 10.142.111.100 in 189.20s (5 hosts left)
Completed SYN Stealth Scan against 10.142.111.6 in 191.32s (4 hosts left)
Completed SYN Stealth Scan against 10.142.111.48 in 191.83s (3 hosts left)
Completed SYN Stealth Scan against 10.142.111.96 in 195.28s (2 hosts left)
Completed SYN Stealth Scan against 10.142.111.99 in 209.13s (1 host left)
Completed SYN Stealth Scan at 14:45, 211.78s elapsed (6000 total ports)
Initiating Service scan at 14:45
Scanning 12 services on 6 hosts
Completed Service scan at 14:46, 8.59s elapsed (12 services on 6 hosts)
Initiating OS detection (try #1) against 6 hosts
Retrying OS detection (try #2) against 6 hosts
NSE: Script scanning 6 hosts.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:46
NSE Timing: About 99.76% done; ETC: 14:46 (0:00:00 remaining)
NSE Timing: About 99.82% done; ETC: 14:47 (0:00:00 remaining)
NSE Timing: About 99.82% done; ETC: 14:47 (0:00:00 remaining)
NSE Timing: About 99.82% done; ETC: 14:48 (0:00:00 remaining)
NSE Timing: About 99.82% done; ETC: 14:48 (0:00:00 remaining)
NSE Timing: About 99.82% done; ETC: 14:49 (0:00:00 remaining)
Completed NSE at 14:49, 189.90s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 5.55s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.01s elapsed
Nmap scan report for 10.142.111.1
Host is up, received arp-response (0.46s latency).
Scanned at 2021-08-19 14:42:19 EDT for 434s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
| ssh-hostkey:
| 1024 02:a7:49:05:97:c7:34:7b:c1:09:8a:15:56:9f:b6:90 (DSA)
| 2048 c8:e5:29:d8:71:e3:67:eb:45:57:53:f8:2f:ff:e2:9a (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDETwLE0XXGWbIK97M0oXZYic5uyprf1K9FmvXcFmLFnmd64a0Sff23SYzLRRBqd9/AlfmBD97UWB0AOlY5f4aPKejuyJwwQhMtjCxL4yufFRBLmOgd5QbpLfJBdm5Gt5Z7eGetajWi1XDi0PZo9JQFhMEHIvO/GM2Ylzh0qr/CIUBClGm0vZ0eCpPCke8piDA0gFlSGkkc8jWTsELV+72vUhCn7Fze7Yx+IG8OHgtopP5MpnwDxu2g8/guC3NsgavF7lfH2/Zpi6AJCucymE9yshNdfLHWnC4o7yVMceTwWqP45HIaKRKy+5Mrbh+IVSM5r3ZhbpHIAe8DzVxRnQOP
53/tcp open domain syn-ack ttl 64 dnsmasq 2.55
| dns-nsid:
|_ bind.version: dnsmasq-2.55
80/tcp open http syn-ack ttl 64 lighttpd 1.4.29
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: 082559A7867CF27ACAB7E9867A8B320F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.29
|_http-title: Login
| http-vulners-regex:
| /default.asp:
|_ cpe:/a:lighttpd:lighttpd:1.4.29
MAC Address: 00:50:56:A2:0C:BA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|media device|broadband router
Running (JUST GUESSING): OpenBSD 4.X|3.X|5.X (94%), FreeBSD 9.X|7.X (86%), Comau embedded (86%), Apple Apple TV 5.X (85%), Scientific Atlanta embedded (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3 cpe:/o:freebsd:freebsd:9.1 cpe:/o:freebsd:freebsd:7.0 cpe:/o:openbsd:openbsd:3 cpe:/o:openbsd:openbsd:4 cpe:/a:apple:apple_tv:5.2.1 cpe:/a:apple:apple_tv:5.3 cpe:/h:scientificatlanta:webstar_dpc2100
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: OpenBSD 4.3 (94%), FreeBSD 9.1-PRERELEASE (86%), Comau C4G robot control unit (86%), FreeBSD 7.0-RELEASE (86%), OpenBSD 3.8 - 4.7 (85%), OpenBSD 4.1 (85%), OpenBSD 4.9 - 5.1 (85%), OpenBSD 5.2 (85%), Apple TV 5.2.1 or 5.3 (85%), Scientific Atlanta WebSTAR DPC2100 cable modem (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/19%OT=22%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=005056%TM=611EA7BD%P=x86_64-pc-linux-gnu)
SEQ(SP=100%GCD=1%ISR=107%TI=RD%II=RI%TS=21)
OPS(O1=M4E7NW7ST11%O2=M4E7NW7ST11%O3=M280NW7NNT11%O4=M4E7NW7ST11%O5=M218NW7ST11%O6=M109ST11)
WIN(W1=FECC%W2=FECC%W3=FECC%W4=FECC%W5=FECC%W6=FECC)
ECN(R=Y%DF=Y%TG=40%W=FECC%O=M4E7NW7SLL%CC=N%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=S%TG=40%CD=S)
Uptime guess: 0.002 days (since Thu Aug 19 14:46:10 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
TRACEROUTE
HOP RTT ADDRESS
1 459.41 ms 10.142.111.1
Nmap scan report for 10.142.111.6
Host is up, received arp-response (0.49s latency).
Scanned at 2021-08-19 14:42:19 EDT for 434s
Not shown: 999 closed ports
Reason: 999 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey:
| 1024 6d:4b:da:62:f8:ce:cb:17:e7:d3:5b:20:af:58:a7:61 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAPtmacG40+zihDdUo8DellV3efkA88nkiNqE/GlYjZtUfJy0TVFZm3d9i0mx83RNhNL5gHa0Ue+r9ZfQj/5maz0LHevNoq31yIlTIOYtZZsOvAM+0Ta9ScI1uP04L2MP6Ry6vEy+Fm+4UMV1K0AxToVh7J4oaWE4yRjuXvT0JhrrAAAAFQC3777+0B88W3cHoKeoP04D8kbQzQAAAIB36MmEeb2rvlvxiEc3JNVJCEBX/PZcMWVAk4P2aotCfzKP9pnIFfG6qDMibhOyIQDLuCVn2TF6MGK1cIa6sMwgHbw56VfkAQ7cjXC1YbWv01Al4eATpoLkvj8l66edCRLsptiyu/F/NsLkqV6dO/eqeGvD7a/qKk6F0fovXHfcIAAAAIBDbu8/Wn6b9EaRXkncaUd9fRio9q3PT6jBaaegTjhf34TZgKh6OX78elD5Eo8oiK+94OJRQ05D+svDA/QF5Tfe0Z7sEL6vHrek7GE0dDNZe82foRfk3pS3jf/+QIS1q1mWPz+O9yYlIGeoLEyeW1FF7SHoyIRdNnRNMhiavRGJAQ==
| 2048 4b:d2:c8:f7:82:ab:30:01:ba:fb:c0:95:06:5a:ba:7b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5vd0yqtyt6i9EByYlSNeSOuiBSEs42uTUZOn4gU/NaH8ll9uPONCwqQVK5M8N/Dh4znfe0XS/mF1kZPEwj3w2i6cZwiqYtFB6Lih+RB1MpsDx/vmw6XD171uBKCCY+hr7B6z3XlloyNSHxfBgxkTJkigTuWn/T3kUGu3cXohsf1VJfn761UXVs2MRqKcpPwSAvzRytQqGg8OHWRezhtFtefcQgnllqoGpC+eW9ID5QizYmTcCl7zGwJ9u3YDi0RvdSIqZ+3L99mk+7kjtsGhKgB/Ryx2b+LwLTT/+qTTD+l7VS1GZkhDiygGkbtE64nPnVReOPFFmLk5e5ns3PjEh
| 256 03:4b:f6:bd:2f:e0:69:79:11:77:c1:e5:ef:20:53:a6 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGhQx46ka09qJblC8KKWlXph4kOdx3dsqMs+sW+R9A7uvKbTZdJUD8yxDPyVLlPuOw35EruNtBbUfvbbkw0jZ/s=
MAC Address: 00:50:56:A2:0C:0D (VMware)
OS fingerprint not ideal because: maxTimingRatio (1.546000e+00) is greater than 1.4
Aggressive OS guesses: Linux 3.2 (95%), Linux 3.2 - 3.10 (95%), Linux 3.2 - 3.16 (95%), XBMCbuntu Frodo v12.2 (Linux 3.X) (95%), Olivetti 65C-9 printer (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 2.6.32 - 3.10 (94%), Linux 2.6.32 - 3.9 (94%), Linux 3.5 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/19%OT=22%CT=1%CU=40894%PV=Y%DS=1%DC=D%G=N%M=005056%TM=611EA7BD%P=x86_64-pc-linux-gnu)
SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M4E7ST11NW2%O2=M4E7ST11NW2%O3=M4E7NNT11NW2%O4=M4E7ST11NW2%O5=M4E7ST11NW2%O6=M4E7ST11)
WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)
ECN(R=Y%DF=Y%T=40%W=3908%O=M4E7NNSNW2%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.061 days (since Thu Aug 19 13:21:10 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 488.56 ms 10.142.111.6
Nmap scan report for 10.142.111.48
Host is up, received arp-response (0.46s latency).
Scanned at 2021-08-19 14:42:19 EDT for 434s
Not shown: 996 closed ports
Reason: 996 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Windows XP microsoft-ds
3389/tcp open ms-wbt-server syn-ack ttl 128 Microsoft Terminal Services
MAC Address: 00:50:56:A2:6F:BF (VMware)
OS fingerprint not ideal because: maxTimingRatio (1.546000e+00) is greater than 1.4
Aggressive OS guesses: Microsoft Windows XP SP3 (97%), Microsoft Windows XP SP2 or SP3, or Windows Embedded Standard 2009 (96%), Microsoft Windows XP SP2 or SP3, or Windows Server 2003 (96%), Microsoft Windows XP Professional SP2 (96%), Microsoft Windows XP SP2 (96%), Microsoft Windows XP SP2 or SP3 (96%), Microsoft Windows Mobile 6 (CE OS 5.0 - 5.2) (94%), Microsoft Windows Mobile 6.0 - 6.1 (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows XP SP0 (94%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/19%OT=135%CT=1%CU=43475%PV=Y%DS=1%DC=D%G=N%M=005056%TM=611EA7BD%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=0)
OPS(O1=M4E7NW0NNT00NNS%O2=M4E7NW0NNT00NNS%O3=M4E7NW0NNT00%O4=M4E7NW0NNT00NNS%O5=M4E7NW0NNT00NNS%O6=M4E7NNT00NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M4E7NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=FFFF%S=O%A=S+%F=AS%O=M4E7NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=80%CD=Z)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_clock-skew: mean: 3h30m28s, deviation: 4h57m00s, median: 27s
| nbstat: NetBIOS name: ELS-WINXP, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:a2:6f:bf (VMware)
| Names:
| ELS-WINXP<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| ELS-WINXP<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 00 50 56 a2 6f bf 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 52772/tcp): CLEAN (Couldn't connect)
| Check 2 (port 39155/tcp): CLEAN (Couldn't connect)
| Check 3 (port 62148/udp): CLEAN (Failed to receive data)
| Check 4 (port 36793/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: els-winxp
| NetBIOS computer name: ELS-WINXP\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-08-19T11:46:47-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 455.67 ms 10.142.111.48
Nmap scan report for 10.142.111.96
Host is up, received arp-response (0.48s latency).
Scanned at 2021-08-19 14:42:19 EDT for 434s
Not shown: 999 closed ports
Reason: 999 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: AwdMgmt
| http-vulners-regex:
| /index.php:
|_ cpe:/a:php:php:5.4.4-14
MAC Address: 00:50:56:A2:0C:0D (VMware)
OS fingerprint not ideal because: maxTimingRatio (1.546000e+00) is greater than 1.4
Aggressive OS guesses: Linux 3.2 - 3.10 (95%), Linux 3.2 - 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.2 (95%), Olivetti 65C-9 printer (95%), Linux 3.16 (95%), Linux 3.5 (94%), XBMCbuntu Frodo v12.2 (Linux 3.X) (94%), Linux 2.6.32 - 3.10 (94%), Linux 2.6.32 - 3.9 (94%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/19%OT=80%CT=1%CU=31932%PV=Y%DS=1%DC=D%G=N%M=005056%TM=611EA7BD%P=x86_64-pc-linux-gnu)
SEQ(SP=FB%GCD=1%ISR=104%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M4E7ST11NW2%O2=M4E7ST11NW2%O3=M4E7NNT11NW2%O4=M4E7ST11NW2%O5=M4E7ST11NW2%O6=M4E7ST11)
WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)
ECN(R=Y%DF=Y%T=40%W=3908%O=M4E7NNSNW2%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.061 days (since Thu Aug 19 13:21:10 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 476.19 ms 10.142.111.96
Nmap scan report for 10.142.111.99
Host is up, received arp-response (0.46s latency).
Scanned at 2021-08-19 14:42:19 EDT for 434s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
| ssh-hostkey:
| 1024 02:a7:49:05:97:c7:34:7b:c1:09:8a:15:56:9f:b6:90 (DSA)
| 2048 c8:e5:29:d8:71:e3:67:eb:45:57:53:f8:2f:ff:e2:9a (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDETwLE0XXGWbIK97M0oXZYic5uyprf1K9FmvXcFmLFnmd64a0Sff23SYzLRRBqd9/AlfmBD97UWB0AOlY5f4aPKejuyJwwQhMtjCxL4yufFRBLmOgd5QbpLfJBdm5Gt5Z7eGetajWi1XDi0PZo9JQFhMEHIvO/GM2Ylzh0qr/CIUBClGm0vZ0eCpPCke8piDA0gFlSGkkc8jWTsELV+72vUhCn7Fze7Yx+IG8OHgtopP5MpnwDxu2g8/guC3NsgavF7lfH2/Zpi6AJCucymE9yshNdfLHWnC4o7yVMceTwWqP45HIaKRKy+5Mrbh+IVSM5r3ZhbpHIAe8DzVxRnQOP
53/tcp open domain syn-ack ttl 64 dnsmasq 2.55
| dns-nsid:
|_ bind.version: dnsmasq-2.55
80/tcp open http syn-ack ttl 64 lighttpd 1.4.29
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: 082559A7867CF27ACAB7E9867A8B320F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.29
|_http-title: Login
| http-vulners-regex:
| /default.asp:
|_ cpe:/a:lighttpd:lighttpd:1.4.29
MAC Address: 00:50:56:A2:37:9C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|broadband router
Running (JUST GUESSING): OpenBSD 4.X|5.X (87%), FreeBSD 9.X (86%), Apple Apple TV 5.X (85%), Scientific Atlanta embedded (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3 cpe:/o:freebsd:freebsd:9.1 cpe:/o:openbsd:openbsd:5.2 cpe:/a:apple:apple_tv:5.2.1 cpe:/a:apple:apple_tv:5.3 cpe:/h:scientificatlanta:webstar_dpc2100
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: OpenBSD 4.3 (87%), FreeBSD 9.1-PRERELEASE (86%), OpenBSD 5.2 (85%), Apple TV 5.2.1 or 5.3 (85%), Scientific Atlanta WebSTAR DPC2100 cable modem (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/19%OT=22%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=005056%TM=611EA7BD%P=x86_64-pc-linux-gnu)
SEQ(SP=105%GCD=1%ISR=109%TI=RD%II=RI%TS=20)
OPS(O1=M4E7NW7ST11%O2=M4E7NW7ST11%O3=M280NW7NNT11%O4=M4E7NW7ST11%O5=M218NW7ST11%O6=M109ST11)
WIN(W1=FECC%W2=FECC%W3=FECC%W4=FECC%W5=FECC%W6=FECC)
ECN(R=Y%DF=Y%TG=40%W=FECC%O=M4E7NW7SLL%CC=N%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=S%TG=40%CD=S)
Uptime guess: 0.002 days (since Thu Aug 19 14:46:07 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
TRACEROUTE
HOP RTT ADDRESS
1 458.23 ms 10.142.111.99
Nmap scan report for 10.142.111.100
Host is up, received arp-response (0.49s latency).
All 1000 scanned ports on 10.142.111.100 are closed because of 1000 resets
MAC Address: 00:50:56:A2:0C:0D (VMware)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/19%OT=%CT=1%CU=42698%PV=Y%DS=1%DC=D%G=N%M=005056%TM=611EA7BD%P=x86_64-pc-linux-gnu)
SEQ(CI=I%II=I)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 487.81 ms 10.142.111.100
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Post-scan script results:
| ssh-hostkey: Possible duplicate hosts
| Key 1024 02:a7:49:05:97:c7:34:7b:c1:09:8a:15:56:9f:b6:90 (DSA) used by:
| 10.142.111.1
| 10.142.111.99
| Key 2048 c8:e5:29:d8:71:e3:67:eb:45:57:53:f8:2f:ff:e2:9a (RSA) used by:
| 10.142.111.1
|_ 10.142.111.99
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 6 IP addresses (6 hosts up) scanned in 436.78 seconds
Raw packets sent: 8515 (387.596KB) | Rcvd: 4407 (183.512KB)
┌──(kali㉿kali)-[~]
└─$
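As an added example that is not part of the original post, this script reads the -sV/-O report above and reconciles the two OS signals it contains: for 10.142.111.1 the fingerprint's top guess is OpenBSD, but Nmap itself warned that the fingerprint was unreliable, while the OpenSSH version banner says FreeBSD. The excerpt is constructed from the output on this page; parse_os_report and resolve_os are my own names.

```python
import re

# Constructed excerpt in the shape of the -sS -sV -O -A report above (two hosts).
OS_REPORT = """\
Nmap scan report for 10.142.111.1
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
53/tcp open domain syn-ack ttl 64 dnsmasq 2.55
80/tcp open http syn-ack ttl 64 lighttpd 1.4.29
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenBSD 4.3 (94%), FreeBSD 9.1-PRERELEASE (86%), FreeBSD 7.0-RELEASE (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Nmap scan report for 10.142.111.48
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack ttl 128 Windows XP microsoft-ds
OS fingerprint not ideal because: maxTimingRatio (1.546000e+00) is greater than 1.4
Aggressive OS guesses: Microsoft Windows XP SP3 (97%), Microsoft Windows XP SP2 or SP3, or Windows Server 2003 (96%)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
VERSION_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+syn-ack\s+ttl\s+\d+\s+(.+)$")
GUESSES_RE = re.compile(r"^Aggressive OS guesses: (.+)$")
GUESS_RE = re.compile(r"(.+?) \((\d+)%\)")
BANNER_OS_RE = re.compile(r"^Service Info: OSs?: ([^;]+)")
UNRELIABLE_RE = re.compile(r"^(Warning: OSScan results may be unreliable|OS fingerprint not ideal)")


def parse_os_report(text):
    """Per host: version column per port, ranked fingerprint guesses, the OS the
    service banners name, and whether Nmap flagged the fingerprint as unreliable."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"versions": {}, "guesses": [],
                                                "banner_os": [], "unreliable": False})
        elif cur is None:
            continue
        elif m := VERSION_RE.match(line):
            cur["versions"][int(m.group(1))] = m.group(2).strip()
        elif m := GUESSES_RE.match(line):
            cur["guesses"] = [(name.strip(" ,"), int(pct)) for name, pct in GUESS_RE.findall(m.group(1))]
        elif m := BANNER_OS_RE.match(line):
            cur["banner_os"] = [s.strip() for s in m.group(1).split(",")]
        elif UNRELIABLE_RE.match(line):
            cur["unreliable"] = True
    return hosts


def resolve_os(info):
    """Reconcile the two OS signals. A version banner states which OS the daemon
    was built for (OpenSSH '... FreeBSD ...' above) and outranks a fingerprint
    that Nmap itself flagged as unreliable; otherwise take the top guess."""
    top = max(info["guesses"], key=lambda g: g[1], default=None)
    if info["banner_os"]:
        chosen = info["banner_os"][-1]  # last entry is the most specific one in this output
        return {"os": chosen, "source": "service banner", "fingerprint_top": top,
                "fingerprint_reliable": not info["unreliable"],
                "agrees": top is not None and chosen in top[0]}
    if top is None:
        return {"os": "unknown", "source": None, "fingerprint_top": None,
                "fingerprint_reliable": False, "agrees": False}
    return {"os": top[0], "source": "fingerprint", "fingerprint_top": top,
            "fingerprint_reliable": not info["unreliable"], "agrees": True}


if __name__ == "__main__":
    for host, info in parse_os_report(OS_REPORT).items():
        print(host, sorted(info["versions"].items()), resolve_os(info))
```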
The table below summarizes the results:

Host             OS               Confidence
10.142.111.1     OpenBSD          92%
10.142.111.1     FreeBSD          87%
10.142.111.6     Unknown Linux
10.142.111.48    Windows XP SP3   100%
10.142.111.96    Unknown Linux
10.142.111.99    OpenBSD          92%
10.142.111.99    FreeBSD          87%
10.142.111.100   Unknown
10.142.111.213   Unknown Linux
I think that completes the scanning and OS fingerprinting. I recommend going through the nmap manual once before using the tools.
For more nmap commands and a cheat sheet, click here.
That's it for today, see ya, until next time, bye 🥰