Security Basics
Re: nmap port name question? Sep 18 2013 10:19PM
ToddAndMargo (ToddAndMargo zoho com)
>> 2013/9/17 ToddAndMargo <ToddAndMargo (at) zoho (dot) com>
>>
>> Hi All,
>>
>> When nmap tells you a service associated with a
>> port, for example,
>>
>> 137/tcp closed netbios-ns reset
>>
>> does nmap get the name of the port from my /etc/services,
>> or is the name hard coded into nmap?
>>
>> Many thanks,
>> -T

On 09/18/2013 02:19 PM, Molinero wrote:
> "While Nmap does many things, its most fundamental feature is port
> scanning. Point Nmap at a remote machine, and it might tell you that
> ports |25/tcp|, |80/tcp|, and |53/udp| are open. Using its
> |nmap-services| database of more than 2,200 well-known services, Nmap
> would report that those ports probably correspond to a mail server
> (SMTP), web server (HTTP), and name server (DNS) respectively..."

Hi Molinero,

My main focus was that nmap was using its own updated tables.
My /etc/services comes from RHEL, which, by Red Hat's design, is
purposefully "out-of-date". I wanted to make sure I was
not missing any new services. Thank you for the help!

This is what blew my mind:

# nmap --reason 192.168.255.112

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-16 19:42 PDT
Nmap scan report for KVM-W7.rent-a-nerd.local (192.168.255.112)
Host is up, received arp-response (0.00044s latency).
Not shown: 989 closed ports
Reason: 989 resets
PORT STATE SERVICE REASON
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
1110/tcp filtered nfsd-status no-response
5357/tcp open wsdapi syn-ack
49152/tcp open unknown syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49155/tcp open unknown syn-ack
49156/tcp open unknown syn-ack
49157/tcp open unknown syn-ack

What were all these 4915x ports? Turned out they were
all M$ RPC ports.

Reference:
http://serverfault.com/questions/526607/what-is-msrpc-needed-for-on-a-windows-7-workstation

Port Serv Process name
49152, msrpc [wininit.exe]
49153, msrpc [svchost.exe, Eventlog]
49154, msrpc [svchost.exe, Schedule]
49155, msrpc [lsass.exe]
49157, msrpc [services.exe]
49159, msrpc [svchost.exe, PolicyAgent]

Many thanks,
-T

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
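
The comparison discussed in this thread (nmap's own nmap-services table versus the system's /etc/services), as an added example that is not part of the original messages. Both tables below are constructed samples with made-up frequency values, and the function names are hypothetical.

```python
# Added example: compare nmap's nmap-services table with /etc/services.
# Both samples are constructed for illustration; frequencies are made up.
NMAP_SERVICES = """\
# name  port/proto  open-frequency  optional comment
msrpc\t135/tcp\t0.047798\t# Microsoft RPC services
netbios-ns\t137/tcp\t0.000301\t# NETBIOS Name Service
microsoft-ds\t445/tcp\t0.056944\t# SMB directly over IP
wsdapi\t5357/tcp\t0.007729\t# Web Services for Devices
unknown\t49152/tcp\t0.008124
"""

ETC_SERVICES = """\
# name  port/proto  aliases  # comment
epmap           135/tcp   loc-srv    # DCE endpoint resolution
netbios-ns      137/tcp              # NETBIOS Name Service
microsoft-ds    445/tcp
"""

def parse_services(text):
    """Return {(port, proto): name} for either file format.

    Both formats put the name in field 1 and port/proto in field 2;
    nmap-services adds a frequency column, /etc/services adds aliases.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank, comment-only, or malformed line
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            table.setdefault((int(port), proto.lower()), fields[0])
    return table

def compare(nmap_text, system_text):
    """Return nmap entries the system table lacks, and ones it names differently."""
    nmap_tbl, sys_tbl = parse_services(nmap_text), parse_services(system_text)
    missing = {k: v for k, v in nmap_tbl.items() if k not in sys_tbl}
    renamed = {k: (v, sys_tbl[k]) for k, v in nmap_tbl.items()
               if k in sys_tbl and sys_tbl[k] != v}
    return missing, renamed

if __name__ == "__main__":
    missing, renamed = compare(NMAP_SERVICES, ETC_SERVICES)
    for (port, proto), name in sorted(missing.items()):
        print(f"only in nmap-services: {port}/{proto} {name}")
    for (port, proto), (n, s) in sorted(renamed.items()):
        print(f"name differs: {port}/{proto} nmap={n} system={s}")
```

To run it on real data, pass the contents of the two files to compare(); on Linux, nmap-services is commonly installed under /usr/share/nmap/.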

Copyright 2010, SecurityFocus