NMAP Results are.....Disappointing.

[crazyralph]

Just got backtrack up and running and was so excited to use Armitage's Nmap scan feature that identifies every last detail of target computer, even suggesting attacks but.....totally lame.

It can't identify OS, device type, or anything of use.

So, I tried Zenmap.

Still....nothing but '1 service recognized.'

I then tried the standard Nmap in Metasploit.

Same deal.

The strange thing is that via a line of code from statcounter.com I was able to receive OS, Browser, and IP on target.

Um....I must be doing something wrong, right?

[sickness]

NMAP is a very effective tool, I suggest you go through the help manual or different tutorials.

[maverik35]

Would you please give more info as nmap parameters used, lan type auditing (If any vlan, broadcast domains, simple and plain LAN, etc), any firewalls in targets (if you know of any in the LAN's systems)...

Some OS fingerprints are not recognized by nmap, if so, you can send fingerprint to nmap and specify the exact OS to be incorporated in nmap..

To detect an OS, there must be at least one TCP and one UDP ports open..That is stated clearly by nmap since it uses TCP and UDP packages to send to remote system and analyze bits received..there are 15000 fingerprints in nmap database.

You might be auditing ports from 1-1024, the default for nmap..If you have any tcp or udp service listening beyond port 1024, you need to specify it with "-p-" or -p1-65535.

Hope it helps.

Luck.

[thorin]

You might be auditing ports from 1-1024, the default for nmap...

It's a minor detail but that's actually NOT correct. By default nmap uses what a lot of research has identified as the 1000 most common ports/services.

[maverik35]

It's a minor detail but that's actually NOT correct. By default nmap uses what a lot of research has identified as the 1000 most common ports/services.

Still stick to 1-1024, you can refer to the "man nmap" if any doubt. It states as "The first 1024"..

But one thing is for sure, the most common ports used (and assigned) are the first 1024...

[jnpa123]

Sorry but if your nmap man says it scans ports 1-1024 by default , it's probably the only one that does that.

"PORT SPECIFICATION AND SCAN ORDER
In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and whether the scan order is
randomized or sequential. By default, Nmap scans the most common 1,000 ports for each protocol."

just like thorin said it scans the most common 1000 ports, that surely includes lots of ports in the 1-1024 ports, but not all of them.Databases default ports and other common services are also included in that default 1000 list.

[thorin]

Still stick to 1-1024, you can refer to the "man nmap" if any doubt. It states as "The first 1024"..

From the "hourse's mouth" so to speak:
http://nmap.org/book/man-port-specification.html

By default, Nmap scans the most common 1,000 ports for each protocol.

From "man nmap" v6.00 on an Ubuntu box:

PORT SPECIFICATION AND SCAN ORDER
In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential. By default, Nmap
scans the most common 1,000 ports for each protocol.

As you can see from the nmap 5 announcement:
http://nmap.org/5/

Host discovery and port scanning performance and features

Nmap has been doing host discovery and port scanning since its release in '97, but we continue to improve this core functionality. We've added many new features and dramatically improved performance! Here are the biggest enhancements since 4.50:

* Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is still optional). These were determined by spending months scanning tens of millions of IPs on the Internet. This makes Nmap faster (used to scan 1,715 TCP ports by default) and yet more comprehensive since the smaller number of ports are better chosen.

<snip>

* The --top-ports option lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports gets you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports.

The man page does use 1-1023 as an example, but that has nothing to do with the default.

-p port ranges (Only scan specified ports) .
This option specifies which ports you want to scan and overrides
the default. Individual port numbers are OK, as are ranges
separated by a hyphen (e.g. 1-1023).
<snip>

But one thing is for sure, the most common ports used (and assigned) are the first 1024...

No, No, 1000 times no.

If you check https://svn.nmap.org/nmap/nmap-services, you can pull it into Excel (or whatever) in order to sort and filter. As an example you can see sorting tcp protocol services/ports descending by open-frequency that 3389 (RDP/Terminal Services) is 7th on the list, if you did 1-1023 you'd miss it (not to mention numerous others in the top 1000).

[ShadowMaster]

Port numbering aside, funny as this was to read , what more can you tell us about the computer you are trying to scan in regards to firewalls and network location relative to your computer?

[thorin]

Ok ya so I kinda got a bit off track Thanks ShadowMaster

Back to the OP. What happens when you run nmap directly? Is there a host firewall on the target system? What about HIPS? Are there any network devices between you and the other system? Assuming the target is a window system, when you're actually on that system what output does:

Code:

netstat -an|find "LISTENING"

give you?

[ShadowMaster]

Thorin, it always amuses me to see someone who really has no idea what he is talking about shown up by those who do. But again, back to OP, besides for all the obvious things, are you scanning a vm hackme, a targeted host on your own LAN, or an actual attack scenario? Cuz people here won't help with the last one, which is kinda what it sounds like...