HellBound Hackers | Computer General | Hacking in general

Nmap help
Guest
Posted on 26-12-05 13:43
Hello, I am trying to use nmap to see what ports are open etc. on a PC on my network.

I do the simple: nmap ipaddress
It says that all of the 1670 ports scanned are filtered. What does this mean, please?
And I get a MAC address. I have heard this is quite useful and that you can do stuff with it, but after research I could not find anything.

Cheers anyone
RE: Nmap help
Guest
Posted on 26-12-05 14:26
It means those 1670 ports are checked to make sure what's connecting to them, I THINK. But there are 65535 ports, I think, so it means little really; what you are looking for is open ports running services.


RE: Nmap help
Guest
Posted on 26-12-05 14:28
An easier port scanner is Superscan 3 (don't like 4). But in my opinion Nmap is much better than Superscan.


RE: Nmap help
Guest
Posted on 26-12-05 14:32
Bluesportscanner, I reckon, is the best. I'm not sure of the name though.


RE: Nmap help
Guest
Posted on 26-12-05 14:40
I have actually been trying quite a few of these scanners and yes, it is Blue's Port Scanner.

Superscan 3 gives two open ports: 80 and 110, which are HTTP and POP3.

I guess now I've got to try and find some exploits for these, or could I telnet to one of these?
Cheers
RE: Nmap help
Guest
Posted on 26-12-05 14:41
Well, telnetting to an open port won't help unless it has a service with a vulnerability.


RE: Nmap help
Guest
Posted on 26-12-05 14:46
Fair enough, how would I find a service with a vulnerability? So you mean if I telnetted to these ports and IP then it would only be of use if I found a vulnerability there, is this the right idea?
Thanks
RE: Nmap help
Guest
Posted on 26-12-05 15:06
Telnet to the IP on the specific port; if a service is running it will 'reply'. Then you just look around for a vulnerability, like on my favourites:
http://packetstormsecurity.nl/
http://www.securityfocus.net/
http://www.frsirt.com/




RE: Nmap help
Guest
Posted on 26-12-05 15:42
Thanks for the good links. I had a look around on the first one, did not see many exploits for 110, but lots for 80.

I'm a newbie to this really. When I telnet or raw using PuTTY to the IP address of a different PC on my network at port 80 it does not give me any banners, should it?

I'm trying to understand how this works by using my own network. Is there a way I can free up more ports than shown above on the PC I'm targeting?
RE: Nmap help
Guest
Posted on 26-12-05 15:45
I'm not an expert on these, but I'm pretty sure that those are mostly for servers running websites, but then I'm not an expert.


RE: Nmap help
Guest
Posted on 26-12-05 17:45
Can you give me an example of a very simple exploit for port 80, if you know one.

And what would be the reason for only two ports showing up on nmap for a computer on my network? Feel like I'm getting nowhere.

Thanks
RE: Nmap help
n3w7yp3
Posts: 358
Location: USA
Joined: 19.03.05
Rank: Moderate
Posted on 26-12-05 17:48
Okay, when you run nmap, it scans the IANA known ports, and the ports found in the nmap-services file (about 1670 by default).

So, yes, it checked 1670 ports. If you want it to check all ports, give the argument -p0-; that will check from 0 to 65535. However, it will also take longer.

Now, regarding the state, closed means that it returned an RST/ACK. Open indicates the return of a SYN/ACK, and filtered means that it is filtered. This *usually* indicates a firewall, although it can be a sign that there is a device that simply filters packets with a certain flag set (eg: a router 1 or 2 hops before the target that drops all packets with the SYN flag set).

If a port is reported as filtered, it probably either:

1) returned an ICMP Code 13 message (Prohibited)

OR

2) didn't return anything

There is also a 4th state, unfiltered. You only get this if you do an ACK scan (or something else designed to elicit RST replies from the target) and if most of the ports scanned were filtered (as best as nmap can tell).

I'd say if you're new, stick with TCP connect() (-sT) or SYN stealth (-sS). The others can be somewhat confusing, especially when a FIN scan says a port is open, and yet you can't telnet (or otherwise connect) to the port.

BTW, if you really want to map out rulesets, take a look at firewalk, hping2, and the --scanflags option of nmap.


"Root is a state of mind" -- K0resh
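Added example (not code from this thread, not nmap's own code): the port-state rules from the post above written out as a small Python classifier, plus a summary that reads an all-filtered result the way the original poster's scan came back. The names (Reply, classify, summarize, diagnose) and the sample scan are constructed for this example; the set of ICMP unreachable codes treated as "filtered" approximates the list in nmap's documentation and includes the code 13 "prohibited" message the post mentions.

```python
"""Port states as described in the post above, as a decision rule.

Added example for this thread, not code from the thread or from nmap.
For a SYN (-sS) or connect (-sT) scan: SYN/ACK means open, RST means
closed, an ICMP unreachable or no reply at all means filtered. For an
ACK scan (-sA): an RST means unfiltered, silence means filtered.
Replies are constructed records, not captured packets.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# TCP flag bits, as laid out in the TCP header.
SYN = 0x02
RST = 0x04
ACK = 0x10

# ICMP type 3 (destination unreachable) codes read as "filtered".
# Assumption: this approximates nmap's list; code 13 is the
# "communication administratively prohibited" message from the post.
ICMP_UNREACHABLE = 3
FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    """One response to a probe: either a TCP segment or an ICMP error."""
    kind: str              # "tcp" or "icmp"
    tcp_flags: int = 0     # TCP flags, used when kind == "tcp"
    icmp_type: int = 0     # ICMP type, used when kind == "icmp"
    icmp_code: int = 0     # ICMP code, used when kind == "icmp"


def classify(scan: str, reply: Optional[Reply]) -> str:
    """Map (scan type, reply or None) to open/closed/filtered/unfiltered."""
    if scan not in ("syn", "connect", "ack"):
        raise ValueError(f"unsupported scan type: {scan}")
    if reply is None:
        # Dropped by a firewall, or the host is silent: nothing to go on.
        return "filtered"
    if reply.kind == "icmp":
        if reply.icmp_type == ICMP_UNREACHABLE and reply.icmp_code in FILTERED_CODES:
            return "filtered"      # an explicit "unreachable/prohibited" answer
        raise ValueError(f"ICMP type {reply.icmp_type} code {reply.icmp_code} is not a probe reply")
    if reply.kind != "tcp":
        raise ValueError(f"unknown reply kind: {reply.kind}")
    if scan == "ack":
        # An ACK probe never opens a connection; an RST only proves the
        # packet reached the host, so the port is reported as unfiltered.
        return "unfiltered" if reply.tcp_flags & RST else "filtered"
    if reply.tcp_flags & SYN and reply.tcp_flags & ACK:
        return "open"              # host completed its half of the handshake
    if reply.tcp_flags & RST:
        return "closed"            # host answered: nothing listening there
    return "filtered"


def summarize(results: Iterable[Tuple[int, str]]) -> Dict[str, int]:
    """Count states across (port, state) pairs produced by classify()."""
    return dict(Counter(state for _, state in results))


def diagnose(summary: Dict[str, int]) -> str:
    """Read the summary the way you would check your own firewall policy."""
    total = sum(summary.values())
    if total == 0:
        return "no results"
    if summary.get("filtered", 0) == total:
        return "every port filtered: probes are being dropped (DROP policy, or host down)"
    if summary.get("filtered", 0) == 0 and summary.get("closed", 0):
        return "no filtering seen: the host answers every probe (no firewall, or REJECT policy)"
    return "mixed: some ports answer, others are filtered"


# Constructed sample scan: what the original poster saw (all 1670 filtered).
SAMPLE_SYN_SCAN = [(port, classify("syn", None)) for port in range(1, 1671)]

if __name__ == "__main__":
    print(summarize(SAMPLE_SYN_SCAN), diagnose(summarize(SAMPLE_SYN_SCAN)))
```

The diagnose() strings are the defender's reading: a host that shows nothing but "filtered" is either dropping probes silently or not up at all, while a host with no "filtered" at all is answering every probe and is therefore not behind a drop-style firewall.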
RE: Nmap help
n3w7yp3
Posts: 358
Location: USA
Joined: 19.03.05
Rank: Moderate
Posted on 26-12-05 18:00
Okay, sorry about the double post, but my first one was getting long.

Okay, with a MAC address, you can implement a man in the middle attack. This is only useful on a LAN or a WAN, and probably won't help you much in this situation. (If you want more info on a MiTM attack, pm me. Or if enough people want to know about it, I'll post how to do a simple one on here).

As for banners, if you telnet to port 80 and type:
Code:
    HEAD / HTTP/1.0

The server will reply with its version. That is needed to run an exploit against it. If the banner says Apache 2.0.54, an IIS unicode exploit will not work. So, use your head.

POP3 (Post Office Protocol 3) runs on 110. This is what most non-technical users use to retrieve email. Telnetting to port 110 will not turn up anything that appears to be useful, but say you know the person's account (john@example.com), you can then either read their email or bruteforce the password (which I will not cover).

To use the username and password to login, you'd connect and type:
Code:
    USER john
    PASS password

And then you can use the RETR command to read the emails and LIST to view a list of email in the inbox.

BTW, if you want to make nmap grab banners use the -sV option.

And as for a sample exploit, it's not gonna do you any good if we show you one, 'cause like I said, say I showed you how to do an IIS uudecode exploit against a Windows 2000 box, and you're attacking a Linux box with Apache 1.3.32. Not gonna work.

wolfmankurd: personally, I telnet to all the open ports I find. you'd be amazed at what you can get simply by connecting. For instance, you can connect a Cisco router to a remote X server if you know what you're doing ;)


"Root is a state of mind" -- K0resh

Edited by n3w7yp3 on 26-12-05 18:09
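Added example (not code from this thread or from any project): the HEAD banner check and the POP3 USER/PASS/LIST exchange from the post above, run offline in Python against constructed replies and a toy in-memory POP3 responder. The request builder includes the empty line that terminates an HTTP/1.0 request, which is why typing only the HEAD line into telnet and pressing Enter once gets no reply; you have to send the blank line too. All names (build_head_request, parse_http_banner, FakePop3Server, pop3_session), the sample Server header, the account and the mailbox are constructed for this example.

```python
"""Banner and protocol checks for the two ports the thread found: 80 and 110.

Added example for this thread, not code from the thread or from any
project. It builds the HEAD request from the post (with the empty line
that ends an HTTP/1.0 request), pulls the Server header out of a reply,
and plays the POP3 greeting / USER / PASS / LIST exchange against a small
in-memory responder so everything runs offline. The HTTP reply, the
account and the mailbox are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"


def build_head_request(host: str, path: str = "/") -> str:
    """HTTP/1.0 HEAD request; the trailing empty line ends the header block."""
    return f"HEAD {path} HTTP/1.0{CRLF}Host: {host}{CRLF}{CRLF}"


def parse_http_banner(raw: str) -> Tuple[int, Optional[str]]:
    """Return (status code, Server header value or None) from a raw reply."""
    header_block = raw.split(CRLF + CRLF, 1)[0]
    lines = header_block.split(CRLF)
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return int(parts[1]), server


# Constructed reply from a server that discloses its full version string.
SAMPLE_HTTP_REPLY = CRLF.join([
    "HTTP/1.1 200 OK",
    "Date: Mon, 26 Dec 2005 18:00:00 GMT",
    "Server: Apache/2.0.54 (Unix)",
    "Connection: close",
    "",
    "",
])


class FakePop3Server:
    """Tiny POP3 responder (a subset of RFC 1939) over a constructed mailbox."""

    def __init__(self, accounts: Dict[str, str], mailbox: List[str]) -> None:
        self.accounts = accounts   # user -> password; POP3 carries both in clear text
        self.mailbox = mailbox
        self.user: Optional[str] = None
        self.authenticated = False

    def greeting(self) -> str:
        # A POP3 server announces itself as soon as the client connects.
        return "+OK POP3 server ready"

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "+OK"
        if cmd == "PASS":
            if self.user is not None and self.accounts.get(self.user) == arg:
                self.authenticated = True
                return "+OK Logged in"
            return "-ERR Authentication failed"
        if cmd == "QUIT":
            return "+OK Bye"
        if not self.authenticated:
            return "-ERR Authenticate first"
        if cmd == "LIST":
            rows = [f"{i} {len(msg)}" for i, msg in enumerate(self.mailbox, 1)]
            return CRLF.join([f"+OK {len(self.mailbox)} messages", *rows, "."])
        if cmd == "RETR":
            n = int(arg) if arg.isdigit() else 0
            if 1 <= n <= len(self.mailbox):
                body = self.mailbox[n - 1]
                return CRLF.join([f"+OK {len(body)} octets", body, "."])
            return "-ERR No such message"
        return "-ERR Unknown command"


def pop3_session(server: FakePop3Server, user: str, password: str) -> List[Tuple[str, str]]:
    """Return the (client line, server reply) transcript of a login plus LIST."""
    transcript = [("<connect>", server.greeting())]
    for line in (f"USER {user}", f"PASS {password}", "LIST", "QUIT"):
        transcript.append((line, server.handle(line)))
    return transcript


def login_succeeded(transcript: List[Tuple[str, str]]) -> bool:
    return any(c.startswith("PASS ") and r.startswith("+OK") for c, r in transcript)


# Constructed mailbox and account for the offline run.
SAMPLE_MAILBOX = ["From: alice@example.com\r\nSubject: hi\r\n\r\nhello john",
                  "From: bob@example.com\r\nSubject: lunch?\r\n\r\nnoon?"]
SAMPLE_ACCOUNTS = {"john": "constructed-password"}

if __name__ == "__main__":
    print(parse_http_banner(SAMPLE_HTTP_REPLY))
    for client, reply in pop3_session(FakePop3Server(SAMPLE_ACCOUNTS, SAMPLE_MAILBOX),
                                      "john", "constructed-password"):
        print(f"C: {client}\nS: {reply}")
```

Two things worth noticing in the transcript from a defender's seat: the PASS line carries the password in clear text, which is why POP3 over TLS (or IMAP over TLS) rather than bare port 110 is the setting to check on your own mail server; and the Server header is exactly the version string the post says an attacker needs, so on Apache the ServerTokens directive is what controls how much of it your own server gives away.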