I am trying out Nmap to scan hosts on the Internet, which works out quite well.
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 -P0 194.113.195.41
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 07:32 AEDT
Nmap scan report for 194.113.195.41
Host is up (0.34s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=MzcJfS6lZV
| Not valid before: 2023-01-09T11:46:54
|_Not valid after:  2023-07-11T11:46:54
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): FreeBSD 6.X (85%)
OS CPE: cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   0.23 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   1.76 ms   192.168.1.1
3   ... 4
5   22.13 ms  be106-99.bdr02.syd11.nsw.vocus.network (114.31.200.184)
6   169.58 ms be116.cor02.syd04.nsw.vocus.network (114.31.192.62)
7   172.69 ms be202.bdr03.sjc01.ca.us.vocus.network (114.31.199.43)
8   ... 9
10  239.00 ms 69.174.5.90
11  483.80 ms 194.113.195.41

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.73 seconds
The host above has Microsoft Terminal Services (port 3389) exposed to the Internet and presents an SSL certificate. This is very interesting.
This is another very interesting host.
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 -P0 84.17.51.27
[sudo] password for john:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 07:24 AEDT
Nmap scan report for unn-84-17-51-27.cdn77.com (84.17.51.27)
Host is up (0.28s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE          VERSION
443/tcp  open  openvpn          OpenVPN
8080/tcp open  http-proxy?
8081/tcp open  blackice-icecap?
8443/tcp open  https-alt?
Aggressive OS guesses: Linux 5.0 (92%), Linux 5.0 - 5.4 (92%), Linux 5.4 (91%), HP P2000 G3 NAS device (90%), Linux 4.15 - 5.6 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%), Linux 5.0 - 5.3 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   0.17 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   0.82 ms   192.168.1.1
3   ... 4
5   19.76 ms  be106-99.bdr01.syd14.nsw.vocus.network (175.45.103.109)
6   111.58 ms be117.cor01.syd11.nsw.vocus.network (114.31.192.68)
7   111.54 ms be200.lsr01.dody.nsw.vocus.network (103.1.77.16)
8   112.11 ms be803.lsr01.prth.wa.vocus.network (103.1.76.147)
9   113.79 ms be200.cor01.per04.wa.vocus.network (103.1.77.113)
10  112.19 ms be201.bdr01.sin01.sin.vocus.network (114.31.206.51)
11  ... 12
13  248.66 ms gce-mrs.cdn77.com (84.17.32.154)
14  279.68 ms vl1101.lon-tel-core-1.cdn77.com (185.229.188.17)
15  ...
16  278.00 ms unn-84-17-51-27.cdn77.com (84.17.51.27)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.09 seconds
Below is an example of how to scan an IP address range; this returns a scan report for every host found. It is useful for finding every live IP address on a network.
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 -P0 84.17.51.20-27
Another way is a ping sweep (-sP), which covers a full IP address range very quickly and returns the responding IP addresses. Note that -P0 (the old spelling of -Pn) tells Nmap to skip host discovery and treat every address as up, so combined with -sP every address in the range is listed as "Host is up" whether or not it actually answered, as the .0 address in the output below shows.
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -sP -P0 84.17.51.*
[sudo] password for john:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 08:04 AEDT
Nmap scan report for 84.17.51.0
Host is up.
Nmap scan report for unn-84-17-51-1.cdn77.com (84.17.51.1)
Host is up.
Nmap scan report for unn-84-17-51-2.cdn77.com (84.17.51.2)
Host is up.
Nmap scan report for unn-84-17-51-3.cdn77.com (84.17.51.3)
Host is up.
Nmap scan report for unn-84-17-51-4.cdn77.com (84.17.51.4)
Host is up.
Nmap scan report for unn-84-17-51-5.cdn77.com (84.17.51.5)
Host is up.
Nmap scan report for unn-84-17-51-6.cdn77.com (84.17.51.6)
Host is up.
Nmap scan report for unn-84-17-51-7.cdn77.com (84.17.51.7)
Host is up.
Nmap scan report for unn-84-17-51-8.cdn77.com (84.17.51.8)
Host is up.
Nmap scan report for unn-84-17-51-9.cdn77.com (84.17.51.9)
Host is up.
Nmap scan report for unn-84-17-51-10.cdn77.com (84.17.51.10)
Host is up.
Nmap scan report for unn-84-17-51-11.cdn77.com (84.17.51.11)
Host is up.
Nmap scan report for unn-84-17-51-12.cdn77.com (84.17.51.12)
Host is up.
Nmap scan report for unn-84-17-51-13.cdn77.com (84.17.51.13)
Host is up.
Nmap scan report for unn-84-17-51-14.cdn77.com (84.17.51.14)
Host is up.
Nmap scan report for unn-84-17-51-15.cdn77.com (84.17.51.15)
Host is up.
Nmap scan report for unn-84-17-51-16.cdn77.com (84.17.51.16)
Host is up.
Nmap scan report for unn-84-17-51-17.cdn77.com (84.17.51.17)
Host is up.
Nmap scan report for unn-84-17-51-18.cdn77.com (84.17.51.18)
Host is up.
Nmap scan report for unn-84-17-51-19.cdn77.com (84.17.51.19)
Host is up.
Use Nmap's -p parameter to scan a chosen port range (here 20-3000); the report then lists only the ports found open within that range.
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -p 20-3000 84.17.51.27
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 08:16 AEDT
Nmap scan report for unn-84-17-51-27.cdn77.com (84.17.51.27)
Host is up (0.28s latency).
Not shown: 2979 closed tcp ports (reset)
PORT     STATE SERVICE
443/tcp  open  https
1337/tcp open  waste

Nmap done: 1 IP address (1 host up) scanned in 11.23 seconds
This is how to scan for open ports easily.
It is also possible to focus on OS detection by adding the -O parameter.
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo nmap -A -T4 181.177.101.133 -O
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 08:49 AEDT
Nmap scan report for 181.177.101.133
Host is up (0.24s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE    SERVICE     VERSION
80/tcp    open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
646/tcp   filtered ldp
1234/tcp  open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
4444/tcp  open     socks-proxy Socks4A
7777/tcp  open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
12345/tcp open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
55555/tcp open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4444-TCP:V=7.93%I=7%D=3/29%Time=642360FA%P=x86_64-pc-linux-gnu%r(NU
SF:LL,8,"\0\[\0\0\0\0\0\0");
Aggressive OS guesses: HP P2000 G3 NAS device (89%), Linux 3.10 - 4.11 (89%), Linux 3.7 (89%), Linux 5.4 (89%), Linux 2.6.32 - 3.13 (88%), Linux 3.0 - 3.2 (88%), Linux 2.6.32 (88%), Linux 2.6.32 - 3.1 (88%), Infomir MAG-250 set-top box (88%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   0.12 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   0.55 ms   192.168.1.1
3   ... 4
5   21.64 ms  be106-99.bdr01.syd14.nsw.vocus.network (175.45.103.109)
6   182.79 ms be116.cor02.syd04.nsw.vocus.network (114.31.192.62)
7   ... 12
13  251.58 ms 181.177.101.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.45 seconds
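Reading reports like the ones above by eye is fine for a single host but not for a range. The script below is an added example, not code from this post or from Nmap: it parses Nmap's normal text output (the format shown above, which `-oN` writes to a file) into a per-host list of open ports and flags the Internet-facing services this post keeps turning up (RDP, HTTP and SOCKS proxies, Jetdirect) as exposures worth reviewing. The sample report it parses is constructed here in the same layout, using the RFC 5737 documentation range 192.0.2.0/24 rather than real addresses, and the RISKY_SERVICES table is an illustrative review policy, not a classification Nmap itself makes.

```python
"""Turn Nmap normal output into an exposure inventory.

Added example for this post; not part of Nmap and not the author's code.
The input below is constructed, modelled on the scan reports in the post,
and uses documentation addresses (RFC 5737), not real hosts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two hosts in the layout Nmap prints with -A.
SAMPLE_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 07:32 AEDT
Nmap scan report for 192.0.2.10
Host is up (0.34s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EXAMPLE
|_Not valid after:  2023-07-11T11:46:54
Nmap scan report for host.example.net (192.0.2.20)
Host is up (0.28s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE    SERVICE     VERSION
80/tcp    open     http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
646/tcp   filtered ldp
4444/tcp  open     socks-proxy Socks4A
9100/tcp  open     jetdirect?
Nmap done: 2 IP addresses (2 hosts up) scanned in 82.73 seconds
"""

# "Nmap scan report for 192.0.2.10" or "Nmap scan report for name (192.0.2.20)"
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
# "3389/tcp open  ms-wbt-server Microsoft Terminal Services"; VERSION is optional
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Illustrative review policy (hypothetical): services whose exposure to the
# Internet a defender wants surfaced. The reasons are generic, not findings
# about any particular host.
RISKY_SERVICES = {
    "ms-wbt-server": "RDP reachable from the Internet (credential attack surface)",
    "http-proxy": "HTTP proxy reachable from the Internet",
    "socks-proxy": "SOCKS proxy reachable from the Internet",
    "jetdirect": "printer port reachable from the Internet",
}


@dataclass
class HostReport:
    ip: str
    hostname: Optional[str] = None
    open_ports: List[dict] = field(default_factory=list)


def parse_nmap_normal(text: str) -> List[HostReport]:
    """Collect open ports per host; script output ('|' lines) and
    filtered/closed ports are skipped."""
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostReport(ip=m["ip"], hostname=m["name"])
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m and m["state"] == "open":
            current.open_ports.append({
                "port": int(m["port"]),
                "proto": m["proto"],
                # Nmap appends '?' when the service name is an unconfirmed guess.
                "service": m["service"].rstrip("?"),
                "version": (m["version"] or "").strip(),
            })
    return hosts


def flag_exposures(hosts: List[HostReport]):
    """Return (ip, port, service, reason) for every open port in RISKY_SERVICES."""
    findings = []
    for h in hosts:
        for p in h.open_ports:
            reason = RISKY_SERVICES.get(p["service"])
            if reason:
                findings.append((h.ip, p["port"], p["service"], reason))
    return findings


if __name__ == "__main__":
    for ip, port, service, reason in flag_exposures(parse_nmap_normal(SAMPLE_OUTPUT)):
        print(f"{ip}:{port} {service}: {reason}")
```

For anything beyond a quick triage, save the scan with `-oX` and parse the XML instead; the text format above is meant for humans and its column layout is not guaranteed between versions.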
Finally, it is possible to estimate the uptime of a remote web server from its TCP timestamps using hping3. This works well.
┌──(john㉿DESKTOP-PF01IEE)-[/mnt/c/Users/Intel i5/Videos]
└───────────────────────────>$ sudo hping3 --tcp-timestamp -S 84.17.51.27 -p 8080
HPING 84.17.51.27 (eth0 84.17.51.27): S set, 40 headers + 0 data bytes
len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=0 win=65160 rtt=289.9 ms
  TCP timestamp: tcpts=3787958806

len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=1 win=65160 rtt=289.8 ms
  TCP timestamp: tcpts=3787959807
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 39 seconds

len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=2 win=65160 rtt=289.8 ms
  TCP timestamp: tcpts=3787960806
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 40 seconds

len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=3 win=65160 rtt=289.6 ms
  TCP timestamp: tcpts=3787961807
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 41 seconds

len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=4 win=65160 rtt=279.6 ms
  TCP timestamp: tcpts=3787962807
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 42 seconds

len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=5 win=65160 rtt=279.3 ms
  TCP timestamp: tcpts=3787963806
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 43 seconds

len=56 ip=84.17.51.27 ttl=51 DF id=0 sport=8080 flags=SA seq=6 win=65160 rtt=279.2 ms
  TCP timestamp: tcpts=3787964808
  HZ seems hz=1000
  System uptime seems: 43 days, 20 hours, 12 minutes, 44 seconds

^C
--- 84.17.51.27 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 279.2/285.3/289.9 ms
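The calculation behind hping3's "HZ seems" and "System uptime seems" lines is short and worth seeing written out. The script below is an added example, not hping3's code: it takes the tcpts values from the run above (probes are sent one per second, and the example assumes the interval is exactly 1.0 s), derives the remote stack's timestamp clock rate from the per-second difference, snaps it to a common rate, and converts the absolute timestamp into days, hours, minutes and seconds. The COMMON_HZ list and the snapping rule are this example's own choices, not necessarily the ones hping3 uses.

```python
"""Estimate remote uptime from TCP timestamp option values.

Added example for this post, not hping3's implementation. SAMPLE_TCPTS are
the tcpts fields printed by hping3 in the run above; the 1.0 s probe
interval is assumed.
"""
from typing import List, Tuple

SAMPLE_TCPTS = [3787958806, 3787959807, 3787960806]  # from the hping3 run above
PROBE_INTERVAL_S = 1.0

# Timestamp clock rates commonly used by TCP stacks (this example's list).
COMMON_HZ = (100, 250, 300, 1000)
TS_MODULUS = 1 << 32  # the TCP timestamp field is a 32-bit counter


def estimate_hz(ts_prev: int, ts_cur: int, interval_s: float = PROBE_INTERVAL_S) -> int:
    """Ticks per second between two replies, snapped to the nearest common rate.
    The difference is taken modulo 2**32 so a counter wrap does not go negative."""
    delta = (ts_cur - ts_prev) % TS_MODULUS
    measured = delta / interval_s
    return min(COMMON_HZ, key=lambda hz: abs(hz - measured))


def split_uptime(seconds: int) -> Tuple[int, int, int, int]:
    """Whole seconds -> (days, hours, minutes, seconds)."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return days, hours, minutes, secs


def format_uptime(parts: Tuple[int, int, int, int]) -> str:
    d, h, m, s = parts
    return f"{d} days, {h} hours, {m} minutes, {s} seconds"


def uptime_from_timestamps(samples: List[int], interval_s: float = PROBE_INTERVAL_S):
    """For each reply after the first, return (hz, (d, h, m, s)).

    Nothing is reported for the first reply because the clock rate cannot be
    known from a single timestamp; this matches the shape of hping3's output.
    Seconds since the counter started = tcpts // hz, truncated like hping3.
    """
    results = []
    for prev, cur in zip(samples, samples[1:]):
        hz = estimate_hz(prev, cur, interval_s)
        results.append((hz, split_uptime(cur // hz)))
    return results


if __name__ == "__main__":
    for hz, parts in uptime_from_timestamps(SAMPLE_TCPTS):
        print(f"HZ seems hz={hz}")
        print(f"System uptime seems: {format_uptime(parts)}")
```

The figure is really "seconds since the timestamp counter started", which equals uptime only on stacks that start the counter at zero on boot. Linux kernels from 4.10 onward apply a random per-destination offset to TCP timestamps by default (net.ipv4.tcp_timestamps=1), so on such hosts the derived "uptime" is an artefact of the offset rather than the real boot time, which is why hping3 hedges with "seems". On the defensive side, leaving that randomization in place, or disabling timestamps where they are not needed, is what keeps this probe from leaking anything.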
And finally, another Nmap example that shows a lot of open ports.
╭──(john㉿DESKTOP-PF01IEE)-[~]
╰───────────────────────────╾┋ sudo nmap -A -T4 -P0 109.248.129.213
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 11:01 AEDT
Nmap scan report for 109.248.129.213
Host is up (0.34s latency).
Not shown: 560 filtered tcp ports (no-response), 430 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
1050/tcp open  http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
1051/tcp open  socks-proxy Socks4A
2200/tcp open  http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
3000/tcp open  http-proxy  3Proxy http proxy
3001/tcp open  socks-proxy Socks4A
5500/tcp open  http-proxy  3Proxy http proxy
8000/tcp open  http-proxy  3Proxy http proxy
|_http-title: 407 Proxy Authentication Required
8001/tcp open  socks-proxy Socks4A
9100/tcp open  jetdirect?
9101/tcp open  jetdirect?
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1051-TCP:V=7.93%I=7%D=4/1%Time=64277489%P=x86_64-pc-linux-gnu%r(NUL
SF:L,8,"\0\[\0\0\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3001-TCP:V=7.93%I=7%D=4/1%Time=64277489%P=x86_64-pc-linux-gnu%r(NUL
SF:L,8,"\0\[\0\0\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8001-TCP:V=7.93%I=7%D=4/1%Time=64277489%P=x86_64-pc-linux-gnu%r(NUL
SF:L,8,"\0\[\0\0\0\0\0\0");
Aggressive OS guesses: Linux 5.0 - 5.4 (93%), Linux 5.0 (92%), Linux 5.4 (92%), HP P2000 G3 NAS device (90%), Linux 4.15 - 5.6 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Infomir MAG-250 set-top box (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   0.17 ms   DESKTOP-PF01IEE.mshome.net (172.23.208.1)
2   2.33 ms   192.168.1.1
3   ... 4
5   21.21 ms  be106-99.bdr01.syd14.nsw.vocus.network (175.45.103.109)
6   170.71 ms be117.cor02.syd04.nsw.vocus.network (114.31.192.66)
7   172.29 ms be202.bdr03.sjc01.ca.us.vocus.network (114.31.199.43)
8   ...
9   172.04 ms port-channel10.core3.sjc2.he.net (184.104.196.34)
10  ...
11  232.09 ms 100ge0-31.core1.ewr5.he.net (184.104.196.134)
12  326.68 ms ve951.core2.cph1.he.net (184.104.196.97)
13  ...
14  320.52 ms port-channel4.core2.hel1.he.net (184.104.192.106)
15  ...
16  338.99 ms 109.248.129.213

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.89 seconds
HP Jetdirect is the name of a technology sold by Hewlett-Packard that allows computer printers to be attached directly to a Local Area Network. The "Jetdirect" designation covers a range of models, from the external 1- and 3-port parallel print servers known as the 300x and 500x to the internal EIO print servers for use with HP printers. The Jetdirect series also includes wireless print server models (Bluetooth, 802.11b and g), as well as gigabit Ethernet and IPv6-compliant internal cards.