

Scanning hosts with nmap is a lot of fun.


I am trying out Nmap to scan hosts on the Internet, which works out quite well.

┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 -P0 194.113.195.41
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 07:32 AEDT
Nmap scan report for 194.113.195.41
Host is up (0.34s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=MzcJfS6lZV
| Not valid before: 2023-01-09T11:46:54
|_Not valid after:  2023-07-11T11:46:54
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): FreeBSD 6.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   0.23 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   1.76 ms   192.168.1.1
3   ... 4
5   22.13 ms  be106-99.bdr02.syd11.nsw.vocus.network (114.31.200.184)
6   169.58 ms be116.cor02.syd04.nsw.vocus.network (114.31.192.62)
7   172.69 ms be202.bdr03.sjc01.ca.us.vocus.network (114.31.199.43)
8   ... 9
10  239.00 ms 69.174.5.90
11  483.80 ms 194.113.195.41
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.73 seconds

The host above has Microsoft Terminal Services (RDP on 3389/tcp) exposed directly to the Internet, with an SSL certificate valid until July 2023. The FreeBSD guess should not be trusted: Nmap warns that OS detection needs at least one open and one closed port, and the service fingerprint itself points to Windows. This is very interesting.

This is another very interesting host: a CDN77 edge node running OpenVPN on 443/tcp plus three listeners Nmap could only guess at (the trailing "?" marks a guessed service).

┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 -P0 84.17.51.27
[sudo] password for john: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 07:24 AEDT
Nmap scan report for unn-84-17-51-27.cdn77.com (84.17.51.27)
Host is up (0.28s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE          VERSION
443/tcp  open  openvpn          OpenVPN
8080/tcp open  http-proxy?
8081/tcp open  blackice-icecap?
8443/tcp open  https-alt?
Aggressive OS guesses: Linux 5.0 (92%), Linux 5.0 - 5.4 (92%), Linux 5.4 (91%), HP P2000 G3 NAS device (90%), Linux 4.15 - 5.6 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%), Linux 5.0 - 5.3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops
 
TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   0.17 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   0.82 ms   192.168.1.1
3   ... 4
5   19.76 ms  be106-99.bdr01.syd14.nsw.vocus.network (175.45.103.109)
6   111.58 ms be117.cor01.syd11.nsw.vocus.network (114.31.192.68)
7   111.54 ms be200.lsr01.dody.nsw.vocus.network (103.1.77.16)
8   112.11 ms be803.lsr01.prth.wa.vocus.network (103.1.76.147)
9   113.79 ms be200.cor01.per04.wa.vocus.network (103.1.77.113)
10  112.19 ms be201.bdr01.sin01.sin.vocus.network (114.31.206.51)
11  ... 12
13  248.66 ms gce-mrs.cdn77.com (84.17.32.154)
14  279.68 ms vl1101.lon-tel-core-1.cdn77.com (185.229.188.17)
15  ...
16  278.00 ms unn-84-17-51-27.cdn77.com (84.17.51.27)
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.09 seconds

Below is an example of how to scan an IP address range; this returns a full scan for every host found, which is very useful for enumerating every valid IP address on a network.

┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 -P0 84.17.51.20-27

Another way would be to apply a ping sweep scan; this covers a full IP address range very quickly and returns all valid IP addresses. Note that -sP and -P0 are the old spellings of -sn and -Pn, and -P0 tells Nmap to skip host discovery and treat every address as up, which is why each address below is reported as "Host is up." with no latency figure.

┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -sP -P0 84.17.51.*
[sudo] password for john: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 08:04 AEDT
Nmap scan report for 84.17.51.0
Host is up.
Nmap scan report for unn-84-17-51-1.cdn77.com (84.17.51.1)
Host is up.
Nmap scan report for unn-84-17-51-2.cdn77.com (84.17.51.2)
Host is up.
Nmap scan report for unn-84-17-51-3.cdn77.com (84.17.51.3)
Host is up.
Nmap scan report for unn-84-17-51-4.cdn77.com (84.17.51.4)
Host is up.
Nmap scan report for unn-84-17-51-5.cdn77.com (84.17.51.5)
Host is up.
Nmap scan report for unn-84-17-51-6.cdn77.com (84.17.51.6)
Host is up.
Nmap scan report for unn-84-17-51-7.cdn77.com (84.17.51.7)
Host is up.
Nmap scan report for unn-84-17-51-8.cdn77.com (84.17.51.8)
Host is up.
Nmap scan report for unn-84-17-51-9.cdn77.com (84.17.51.9)
Host is up.
Nmap scan report for unn-84-17-51-10.cdn77.com (84.17.51.10)
Host is up.
Nmap scan report for unn-84-17-51-11.cdn77.com (84.17.51.11)
Host is up.
Nmap scan report for unn-84-17-51-12.cdn77.com (84.17.51.12)
Host is up.
Nmap scan report for unn-84-17-51-13.cdn77.com (84.17.51.13)
Host is up.
Nmap scan report for unn-84-17-51-14.cdn77.com (84.17.51.14)
Host is up.
Nmap scan report for unn-84-17-51-15.cdn77.com (84.17.51.15)
Host is up.
Nmap scan report for unn-84-17-51-16.cdn77.com (84.17.51.16)
Host is up.
Nmap scan report for unn-84-17-51-17.cdn77.com (84.17.51.17)
Host is up.
Nmap scan report for unn-84-17-51-18.cdn77.com (84.17.51.18)
Host is up.
Nmap scan report for unn-84-17-51-19.cdn77.com (84.17.51.19)
Host is up.

Use the -p parameter to limit Nmap to a range of ports (here 20-3000) and report only their state; without -A there is no version or OS detection, so the scan finishes in seconds rather than minutes.

┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -p 20-3000 84.17.51.27
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 08:16 AEDT
Nmap scan report for unn-84-17-51-27.cdn77.com (84.17.51.27)
Host is up (0.28s latency).
Not shown: 2979 closed tcp ports (reset)
PORT     STATE SERVICE
443/tcp  open  https
1337/tcp open  waste
 
Nmap done: 1 IP address (1 host up) scanned in 11.23 seconds

This is how to scan for open ports easily.

It is also possible to focus more on OS detection with the -O parameter (which -A already enables).

┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 181.177.101.133 -O
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 08:49 AEDT
Nmap scan report for 181.177.101.133
Host is up (0.24s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE    SERVICE     VERSION
80/tcp    open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
646/tcp   filtered ldp
1234/tcp  open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
4444/tcp  open     socks-proxy Socks4A
7777/tcp  open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
12345/tcp open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
55555/tcp open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4444-TCP:V=7.93%I=7%D=3/29%Time=642360FA%P=x86_64-pc-linux-gnu%r(NU
SF:LL,8,"\0\[\0\0\0\0\0\0");
Aggressive OS guesses: HP P2000 G3 NAS device (89%), Linux 3.10 - 4.11 (89%), Linux 3.7 (89%), Linux 5.4 (89%), Linux 2.6.32 - 3.13 (88%), Linux 3.0 - 3.2 (88%), Linux 2.6.32 (88%), Linux 2.6.32 - 3.1 (88%), Infomir MAG-250 set-top box (88%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
 
TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   0.12 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   0.55 ms   192.168.1.1
3   ... 4
5   21.64 ms  be106-99.bdr01.syd14.nsw.vocus.network (175.45.103.109)
6   182.79 ms be116.cor02.syd04.nsw.vocus.network (114.31.192.62)
7   ... 12
13  251.58 ms 181.177.101.133
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.45 seconds

Finally, it is possible to estimate the uptime of a remote web server using hping3, which reads the TCP timestamp option from the SYN-ACK replies. This does work well.

┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo hping3 --tcp-timestamp -S 84.17.51.27 -p 8080
HPING 84.17.51.27 (eth0 84.17.51.27): S set, 40 headers + 0 data bytes
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=0 win=65160 rtt=289.9 ms
  TCP timestamp: tcpts=3787958806
 
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=1 win=65160 rtt=289.8 ms
  TCP timestamp: tcpts=3787959807
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 39 seconds
 
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=2 win=65160 rtt=289.8 ms
  TCP timestamp: tcpts=3787960806
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 40 seconds
 
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=3 win=65160 rtt=289.6 ms
  TCP timestamp: tcpts=3787961807
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 41 seconds
 
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=4 win=65160 rtt=279.6 ms
  TCP timestamp: tcpts=3787962807
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 42 seconds
 
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=5 win=65160 rtt=279.3 ms
  TCP timestamp: tcpts=3787963806
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 43 seconds
 
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=6 win=65160 rtt=279.2 ms
  TCP timestamp: tcpts=3787964808
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 44 seconds
 
^C
--- 84.17.51.27 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 279.2/285.3/289.9 ms
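How hping3 arrives at the uptime figures above, as an added example that is not hping3's own code or part of the original post: the TCP timestamp option is a tick counter that most kernels start at boot, so ticks divided by the tick rate (HZ) gives seconds of uptime, and HZ itself is read off the difference between two probes sent one second apart. The sample is the tcpts lines copied from the session above; the set of HZ values snapped to and the consistency tolerance are this example's own assumptions.

```python
"""Estimate remote uptime from the TCP timestamp option, as hping3 --tcp-timestamp does.
Added example, not hping3's own code."""
import re

# Constructed sample: the timestamp lines copied from the hping3 session above
# (one SYN per second, so consecutive tcpts values are about one second apart).
SESSION = """\
  TCP timestamp: tcpts=3787958806
  TCP timestamp: tcpts=3787959807
  TCP timestamp: tcpts=3787960806
  TCP timestamp: tcpts=3787961807
"""
COMMON_HZ = (100, 250, 300, 1000)   # kernel tick rates this example snaps to (assumption)
TS_RE = re.compile(r"tcpts=(\d+)")


def parse_timestamps(text):
    """Pull the tcpts counters out of hping3 output, in probe order."""
    return [int(m.group(1)) for m in TS_RE.finditer(text)]


def estimate_hz(ticks, interval_s=1.0):
    """Ticks per second from successive probes, snapped to the nearest common HZ."""
    deltas = [(b - a) / interval_s for a, b in zip(ticks, ticks[1:])]
    raw = sum(deltas) / len(deltas)
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw))


def timestamps_consistent(ticks, hz, interval_s=1.0, tolerance=0.2):
    """False when the probes do not advance like one monotonic clock. Kernels that give
    every connection a random timestamp offset (Linux since 4.10) fail this check, since
    each hping3 SYN is a separate connection; no uptime can then be inferred."""
    expected = hz * interval_s
    return all(abs((b - a) - expected) <= tolerance * expected
               for a, b in zip(ticks, ticks[1:]))


def uptime_from_ticks(tcpts, hz):
    """(days, hours, minutes, seconds) since boot, assuming the counter started at zero."""
    secs = tcpts // hz
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return days, hours, minutes, seconds


def estimate_uptime(text):
    """Return (hz, (d, h, m, s)) for a session, or None if the timestamps are unusable."""
    ticks = parse_timestamps(text)
    if len(ticks) < 2:
        return None
    hz = estimate_hz(ticks)
    if not timestamps_consistent(ticks, hz):
        return None
    return hz, uptime_from_ticks(ticks[-1], hz)


if __name__ == "__main__":
    result = estimate_uptime(SESSION)
    if result is None:
        print("timestamps inconsistent, uptime cannot be inferred")
    else:
        hz, (d, h, m, s) = result
        print(f"HZ={hz}, uptime {d} days, {h} hours, {m} minutes, {s} seconds")
```

The steady one-second increments in the session above are what make the estimate meaningful; on a kernel that randomizes the per-connection timestamp offset the deltas jump around, `timestamps_consistent` returns False, and the figure should be discarded. On the defending side, the leak can be closed with `sysctl net.ipv4.tcp_timestamps=0`, at the cost of losing PAWS and TCP round-trip measurement on that host.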

And finally, another Nmap example shows a host with a lot of open ports: several 3Proxy HTTP proxies and SOCKS4A listeners, plus two ports (9100 and 9101) that look like HP JetDirect raw printing.

╭──(john㉿DESKTOP-PF01IEE)-[~]
╰───────────────────────────╾┋ sudo nmap -A -T4 -P0 109.248.129.213
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 11:01 AEDT
Nmap scan report for 109.248.129.213
Host is up (0.34s latency).
Not shown: 560 filtered tcp ports (no-response), 430 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
1050/tcp open  http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
1051/tcp open  socks-proxy Socks4A
2200/tcp open  http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
3000/tcp open  http-proxy  3Proxy http proxy
3001/tcp open  socks-proxy Socks4A
5500/tcp open  http-proxy  3Proxy http proxy
8000/tcp open  http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
8001/tcp open  socks-proxy Socks4A
9100/tcp open  jetdirect?
9101/tcp open  jetdirect?
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1051-TCP:V=7.93%I=7%D=4/1%Time=64277489%P=x86_64-pc-linux-gnu%r(NUL
SF:L,8,"\0\[\0\0\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3001-TCP:V=7.93%I=7%D=4/1%Time=64277489%P=x86_64-pc-linux-gnu%r(NUL
SF:L,8,"\0\[\0\0\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8001-TCP:V=7.93%I=7%D=4/1%Time=64277489%P=x86_64-pc-linux-gnu%r(NUL
SF:L,8,"\0\[\0\0\0\0\0\0");
Aggressive OS guesses: Linux 5.0 - 5.4 (93%), Linux 5.0 (92%), Linux 5.4 (92%), HP P2000 G3 NAS device (90%), Linux 4.15 - 5.6 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Infomir MAG-250 set-top box (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops
 
TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   0.17 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   2.33 ms   192.168.1.1
3   ... 4
5   21.21 ms  be106-99.bdr01.syd14.nsw.vocus.network (175.45.103.109)
6   170.71 ms be117.cor02.syd04.nsw.vocus.network (114.31.192.66)
7   172.29 ms be202.bdr03.sjc01.ca.us.vocus.network (114.31.199.43)
8   ...
9   172.04 ms port-channel10.core3.sjc2.he.net (184.104.196.34)
10  ...
11  232.09 ms 100ge0-31.core1.ewr5.he.net (184.104.196.134)
12  326.68 ms ve951.core2.cph1.he.net (184.104.196.97)
13  ...
14  320.52 ms port-channel4.core2.hel1.he.net (184.104.192.106)
15  ...
16  338.99 ms 109.248.129.213
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.89 seconds
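The scans on this page (the RDP host at the top, the proxy hosts, and the JetDirect-looking ports just above) are the kind of output an exposure review has to turn into findings. The following Python, added here as an example and not code from the original post or from the Nmap project, parses Nmap's normal output as pasted above into port records, attaches NSE script lines such as ssl-cert to the right port, and applies a small set of "should this face the Internet?" rules. The sample tables are copied from the scans above; the severities, rule wording and the reference date are this example's own assumptions.

```python
"""Parse Nmap 'normal' output into port records and review the exposure.
Added example, not code from the original post or from the Nmap project."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed samples: port tables copied from the scans above (trimmed).
SAMPLE_RDP = """\
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=MzcJfS6lZV
| Not valid before: 2023-01-09T11:46:54
|_Not valid after:  2023-07-11T11:46:54
"""
SAMPLE_PROXY = """\
PORT     STATE SERVICE     VERSION
1050/tcp open  http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
1051/tcp open  socks-proxy Socks4A
9100/tcp open  jetdirect?
"""
SCAN_DATE = datetime(2023, 3, 29, 7, 32)  # time stamp of the first scan above

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NSE_RE = re.compile(r"^\|_?\s?(.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    guessed: bool                  # Nmap appends '?' when the service is only a guess
    version: str = ""
    script_lines: list = field(default_factory=list)


def parse_nmap_output(text):
    """Turn the PORT/STATE/SERVICE table plus NSE script lines into PortRecords."""
    records = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service.rstrip("?"),
                                      service.endswith("?"), version or ""))
            continue
        m = NSE_RE.match(line)
        if m and records:                       # script output belongs to the last port
            records[-1].script_lines.append(m.group(1).strip())
    return records


def cert_days_remaining(record, when):
    """Days until the ssl-cert 'Not valid after' date, or None if no cert was reported."""
    for s in record.script_lines:
        if s.startswith("Not valid after:"):
            not_after = datetime.fromisoformat(s.split(":", 1)[1].strip())
            return (not_after - when).days
    return None


def review(records, when):
    """Exposure findings as (port, severity, message); the rules and severities are this
    example's own assumptions about what should not face the Internet."""
    findings = []
    for r in records:
        if r.state != "open":
            continue
        if r.service == "ms-wbt-server" or r.port == 3389:
            findings.append((r.port, "high",
                             "RDP reachable from the Internet; put it behind a VPN or "
                             "allow-list and require NLA plus MFA"))
            days = cert_days_remaining(r, when)
            if days is not None and days < 30:
                findings.append((r.port, "medium", f"RDP certificate expires in {days} days"))
        elif r.service in ("http-proxy", "socks-proxy"):
            auth_seen = any("407" in s for s in r.script_lines)   # 407 = auth is enforced
            findings.append((r.port, "medium" if auth_seen else "high",
                             "proxy listener reachable from the Internet; "
                             + ("authentication enforced (HTTP 407)" if auth_seen
                                else "no authentication evidence, verify it is not an open proxy")))
        elif r.service == "jetdirect" or r.port in (9100, 9101):
            findings.append((r.port, "high",
                             "raw JetDirect print port reachable; printers accept unauthenticated jobs"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_RDP, SAMPLE_PROXY):
        for port, sev, msg in review(parse_nmap_output(sample), SCAN_DATE):
            print(f"{port:>5}  {sev:<6} {msg}")
```

For real inventories Nmap's XML output (`-oX`) is the better input, since the normal-output format is not guaranteed stable; the parser above is deliberately written against the pasted text so it runs on what the page shows. Guessed services (the `?` suffix) are kept and flagged like confirmed ones, because an unidentified listener on a printer port deserves a look rather than a pass.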

HP Jetdirect is the name of a technology sold by Hewlett-Packard that allows computer printers to be directly attached to a Local Area Network. The “Jetdirect” designation covers a range of models from the external 1 and 3-port parallel print servers known as the 300x and 500x, to the internal EIO print servers for use with HP printers. The Jetdirect series also includes wireless print server (Bluetooth, 802.11b and g) models, as well as gigabit Ethernet and IPv6-compliant internal cards.

