nmap.txt

`Subject: Re: CERT Summary CS-99-03  
To: [email protected]   
  
  
>From the CERT Summary released yesterday:  
  
  
> 1. RPC Vulnerabilities  
> We have received many reports of exploitations involving three RPC  
> vulnerabilties. Such exploitations can lead to root compromise on  
> systems that implement these RPC services.  
  
  
> 3. Continued Widespread Scans  
> We are still receiving daily reports of intruders using tools to  
> scan networks for multiple vulnerabilities. Intruder scanning  
> tools continue to become more sophisticated,  
  
  
Unfortunately, it is often difficult for admins to scan their networks for  
vulnerable RPC services since you never know for sure what ports they  
will be listening on. Thus I have released a version of Nmap that will  
query open TCP and UDP ports to determine whether they are RPC as well as  
their program name, number and version(s). This allows you to map all the  
RPC services on a given network and then upgrade or eliminate the  
exploitable ones. Of course you can obtain the same info from 'rpcinfo  
-p', but portmapper is often unavailable due to firewalls or IP  
restrictions (libwrap). Further, it can be painful to locate and  
'rpcinfo' every host on a large network. And there are occasional cases  
where a vulnerable service could be running but not registered. In  
addition, rpcinfo won't give you the OS type, which is important in  
determining whether a machine is vulnerable.  
  
  
Nmap is available at http://www.insecure.org/nmap/ and compiles/runs  
on most common UNIX platforms. The latest version also contains many more  
OS fingerprints, speed optimizations, bug fixes, etc.  
  
  
Here is a quick example of how to use the new RPC functionality  
against a stock Solaris 7 box:  
  
  
amy# ./nmap -sRUS -p 7,9,13,19,21,23,25,37,42,79,111,32760-32785 xanadu  
Starting nmap V. 2.3BETA1 by Fyodor ([email protected],www.insecure.org/nmap/)  
Interesting ports on xanadu.yuma.net (192.168.0.10):  
Port State Protocol Service (RPC)  
7 open udp echo (Non-RPC)  
7 open tcp echo (Non-RPC)  
9 open udp discard (Non-RPC)  
9 open tcp discard (Non-RPC)  
13 open udp daytime (Non-RPC)  
13 open tcp daytime (Non-RPC)  
19 open udp chargen (Non-RPC)  
19 open tcp chargen (Non-RPC)  
21 open tcp ftp (Non-RPC)  
23 open tcp telnet (Non-RPC)  
25 open tcp smtp (Non-RPC)  
37 open udp time (Non-RPC)  
37 open tcp time (Non-RPC)  
42 open udp nameserver (Non-RPC)  
79 open tcp finger (Non-RPC)  
111 open udp sunrpc (portmapper V2-4)  
111 open tcp sunrpc (portmapper V2-4)  
32771 open udp (Non-RPC)  
32771 open tcp (status V1)  
32772 open udp (status V1)  
32772 open tcp (Non-RPC)  
32773 open udp (sadmind V10)  
32773 open tcp (ttdbserverd V1)  
32774 open udp (rquotad V1)  
32774 open tcp (Non-RPC)  
32775 open udp (rusersd V2-3)  
32775 open tcp (cachefsd V1)  
32776 open udp (sprayd V1)  
32776 open tcp (Non-RPC)  
32777 open udp (walld V1)  
32777 open tcp (cmsd V2-5)  
32778 open udp (rstatd V2-4)  
32779 open udp (cmsd V2-5)  
  
  
Nmap run completed -- 1 IP address (1 host up) scanned in 30 seconds  
amy#  
  
  
Cheers,  
Fyodor  
  
  
  
--  
Fyodor 'finger [email protected] | pgp -fka'  
"The percentage of users running Windows NT Workstation 4.0 whose PCs  
stopped working more than once a month was less than half that of Windows  
95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp  
`