xeno:~# nmap -A 10.99.1.31 -S 10.99.1.1 -O -vv
WARNING: If -S is being used to fake your source address, you may also have to use -e and -P0 . If you are using it to specify your real source address, you can ignore this warning.

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-06-19 11:43 CEST
Initiating SYN Stealth Scan against www1 (10.99.1.31) [1663 ports] at 11:43
Discovered open port 21/tcp on 10.99.1.31
Discovered open port 25/tcp on 10.99.1.31
Discovered open port 23/tcp on 10.99.1.31
Discovered open port 111/tcp on 10.99.1.31
Discovered open port 512/tcp on 10.99.1.31
Discovered open port 13/tcp on 10.99.1.31
Discovered open port 199/tcp on 10.99.1.31
Discovered open port 657/tcp on 10.99.1.31
Discovered open port 32771/tcp on 10.99.1.31
Discovered open port 514/tcp on 10.99.1.31
Discovered open port 513/tcp on 10.99.1.31
Discovered open port 37/tcp on 10.99.1.31
The SYN Stealth Scan took 2.94s to scan 1663 total ports.
Initiating service scan against 12 services on www1 (10.99.1.31) at 11:43
The service scan took 100.02s to scan 12 services on 1 host.
Initiating RPCGrind Scan against www1 (10.99.1.31) at 11:45
The RPCGrind Scan took 4.43s to scan 2 ports on www1 (10.99.1.31).
For OSScan assuming port 13 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 13 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 13 is open, 1 is closed, and neither are firewalled
Host www1 (10.99.1.31) appears to be up ... good.
Interesting ports on www1 (10.99.1.31):
(The 1651 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE  VERSION
13/tcp    open  daytime
21/tcp    open  ftp      HP-UX 10.x ftpd 4.2
23/tcp    open  telnet   AIX telnetd
25/tcp    open  smtp     Sendmail smtpd Tue, 19 Jun 2007 04:27:59 -0500..214-2.0.0 This is
37/tcp    open  time?
111/tcp   open  rpcbind  2-4 (rpc #100000)
199/tcp   open  smux?
512/tcp   open  exec     AIX rexecd
513/tcp   open  rlogin
514/tcp   open  shell?
657/tcp   open  unknown
32771/tcp open  nlockmgr 1-4 (rpc #100021)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port37-TCP:V=3.81%D=6/19%Time=4677A53F%P=i686-pc-linux-gnu%r(NULL,4,"\x
SF:ca\"\x20\x1f")%r(GenericLines,4,"\xca\"\x20\x1f")%r(GetRequest,4,"\xca\
SF:"\x20\x1f")%r(HTTPOptions,4,"\xca\"\x20\x1f")%r(RTSPRequest,4,"\xca\"\x
SF:20\x1f")%r(RPCCheck,4,"\xca\"\x20\x1f")%r(DNSVersionBindReq,4,"\xca\"\x
SF:20\x1f")%r(DNSStatusRequest,4,"\xca\"\x20\x1f")%r(Help,4,"\xca\"\x20\x1
SF:f")%r(SSLSessionReq,4,"\xca\"\x20\x1f")%r(SMBProgNeg,4,"\xca\"\x20\x1f"
SF:)%r(X11Probe,4,"\xca\"\x20\x1f")%r(LPDString,4,"\xca\"\x20\x1f")%r(LDAP
SF:BindReq,4,"\xca\"\x20\x1f")%r(LANDesk-RC,4,"\xca\"\x20\x1f")%r(Terminal
SF:Server,4,"\xca\"\x20\x1f")%r(NCP,4,"\xca\"\x20\x1f")%r(NotesRPC,4,"\xca
SF:\"\x20\x1f")%r(WMSRequest,4,"\xca\"\x20\x1f")%r(oracle-tns,4,"\xca\"\x2
SF:0\x1f");
MAC Address: 00:04:AC:97:7F:F2 (IBM)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.81%P=i686-pc-linux-gnu%D=6/19%Tm=4677A5B2%O=13%C=1%M=0004AC)
TSeq(Class=TR%IPID=I%TS=U)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=15C%RID=E%RIPCK=F%UCK=0%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: D9FB66D2 B228D1C0 C0366EA7 38B09AD2 71A46F17 84665E5A
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 117.652 seconds
               Raw packets sent: 1783 (72.1KB) | Rcvd: 1703 (78.4KB)

xeno:~# rpcinfo -p 10.99.1.31
   program wer. proto   port
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100021    1   udp  32773  nlockmgr
    100021    2   udp  32773  nlockmgr
    100021    3   udp  32773  nlockmgr
    100021    4   udp  32773  nlockmgr
    100021    1   tcp  32771  nlockmgr
    100021    2   tcp  32771  nlockmgr
    100021    3   tcp  32771  nlockmgr
    100021    4   tcp  32771  nlockmgr