xeno:/home/vnull# nmap -e vmnet3 -S 10.97.1.1 -sS -p 22,111,23,21 -T Insane 10.97.1.3 -O -vv
WARNING: If -S is being used to fake your source address, you may also have to use -e and -P0 . If you are using it to specify your real source address, you can ignore this warning.

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-13 19:39 CEST
Initiating SYN Stealth Scan against 10.97.1.3 [4 ports] at 19:39
Discovered open port 22/tcp on 10.97.1.3
Discovered open port 23/tcp on 10.97.1.3
Discovered open port 111/tcp on 10.97.1.3
The SYN Stealth Scan took 1.11s to scan 4 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming port 22 is open, 30215 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 40153 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 31627 is closed, and neither are firewalled
Host 10.97.1.3 appears to be up ... good.
Interesting ports on 10.97.1.3:
PORT    STATE    SERVICE
21/tcp  filtered ftp
22/tcp  open     ssh
23/tcp  open     telnet
111/tcp open     rpcbind
MAC Address: 00:0C:29:BD:CF:6F (VMware)
Device type: general purpose|webcam
Running (JUST GUESSING) : Microsoft Windows NT/2K/XP (87%), AXIS embedded (86%)
Aggressive OS guesses: Microsoft Windows XP Pro SP1 (87%), Microsoft Windows XP Pro SP1 or Windows 2000 SP3 (87%), Axis 200+ Web Camera running OS v1.42 (86%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.81%P=i686-pc-linux-gnu%D=8/13%Tm=44DF63D4%O=22%C=-1%M=000C29)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=C0B7%ACK=S++%Flags=AS%Ops=NNTMNW)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Uptime 0.050 days (since Sun Aug 13 18:27:03 2006)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 6020EA1C 4ABD6DD4 3A711035 923DF94C A98FE1AF 72021BA5
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 11.068 seconds
               Raw packets sent: 55 (3148B) | Rcvd: 34 (1858B)