Discuss Scratch

_Tectonic_
Scratcher
32 posts

nmap -v -A -Pn scratch.mit.edu

root@kali:~# nmap -v -A -Pn scratch.mit.edu

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 20:43 UTC
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:43
Completed NSE at 20:43, 0.00s elapsed
Initiating NSE at 20:43
Completed NSE at 20:43, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 20:43
Completed Parallel DNS resolution of 1 host. at 20:43, 0.05s elapsed
Initiating SYN Stealth Scan at 20:43
Scanning scratch.mit.edu (23.235.37.162)
Discovered open port 443/tcp on 23.235.37.162
Discovered open port 21/tcp on 23.235.37.162
Discovered open port 554/tcp on 23.235.37.162
Discovered open port 80/tcp on 23.235.37.162
Discovered open port 7070/tcp on 23.235.37.162
Increasing send delay for 23.235.37.162 from 0 to 5 due to 11 out of 16 dropped probes since last increase.
Completed SYN Stealth Scan at 20:43, 42.42s elapsed (1000 total ports)
Initiating Service scan at 20:43
Scanning 5 services on scratch.mit.edu (23.235.37.162)
Service scan Timing: About 60.00% done; ETC: 20:47 (0:01:31 remaining)
Completed Service scan at 20:46, 136.26s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against scratch.mit.edu (23.235.37.162)
Initiating Traceroute at 20:46
Completed Traceroute at 20:46, 3.02s elapsed
Initiating Parallel DNS resolution of 7 hosts. at 20:46
Completed Parallel DNS resolution of 7 hosts. at 20:46, 0.06s elapsed
NSE: Script scanning 23.235.37.162.
Initiating NSE at 20:46
Completed NSE at 20:46, 30.93s elapsed
Initiating NSE at 20:46
Completed NSE at 20:46, 0.00s elapsed
Nmap scan report for scratch.mit.edu (23.235.37.162)
Host is up (0.025s latency).
Other addresses for scratch.mit.edu (not scanned): 23.235.33.162
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
|_ftp-bounce: no banner
80/tcp open http-proxy Varnish
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Varnish
|_http-title: Did not follow redirect to https://scratch.mit.edu/
443/tcp open tcpwrapped
|_http-favicon: Unknown favicon MD5: D87FA1FD90A60EA12AA77F10872FC6A0
| http-methods:
|_ Supported Methods: GET HEAD
| http-robots.txt: 9 disallowed entries
| /explore/ /internalapi/ /projects/embed/
|_/cloudmonitor/ /varserver/ /tags/ /site-api/ /api/ /scratchr2/static/
| http-server-header:
| AmazonS3
|_ Varnish
|_http-title: Scratch - Imagine, Program, Share
| ssl-cert: Subject: commonName=scratch.mit.edu/organizationName=Massachusetts Institute of Technology/stateOrProvinceName=Ma/countryName=US
| Issuer: commonName=InCommon RSA Server CA/organizationName=Internet2/stateOrProvinceName=MI/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-11-19T00:00:00
| Not valid after: 2017-11-18T23:59:59
| MD5: 62f6 737a 6e23 ea91 7c35 252d 85cb ef6a
|_SHA-1: c31e e937 8801 568b 5689 6b70 df98 4e2c 51e7 6f0c
|_ssl-date: TLS randomness does not represent time
554/tcp open rtsp?
7070/tcp open realserver?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: broadband router
Running: Scientific Atlanta embedded
OS CPE: cpe:/h:scientificatlanta:webstar_dpc2100r2
OS details: Scientific Atlanta WebSTAR DPC2100R2 cable modem
Network Distance: 11 hops
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 7.23 ms 10.0.1.1
2 10.11 ms 10.0.0.1
3 …
4 17.52 ms be-10026-sur03.santaclara.ca.sfba.comcast.net (68.85.190.249)
5 21.49 ms hu-0-3-0-6-ar01.santaclara.ca.sfba.comcast.net (68.87.192.185)
6 …
7 24.17 ms be-10925-cr01.9greatoaks.ca.ibone.comcast.net (68.86.87.158)
8 22.94 ms be-11-pe02.11greatoaks.ca.ibone.comcast.net (68.86.82.86)
9 … 10
11 18.09 ms 23.235.37.162

NSE: Script Post-scanning.
Initiating NSE at 20:46
Completed NSE at 20:46, 0.00s elapsed
Initiating NSE at 20:46
Completed NSE at 20:46, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 215.75 seconds
Raw packets sent: 2070 (92.886KB) | Rcvd: 50 (3.236KB)
liam48D
Scratcher
1000+ posts

Why did you post the output of that command here..?

Also, please use [code]/* code */[/code] tags :P
MegaApuTurkUltra
Scratcher
1000+ posts

Good work, you just nmap'd fastly!

Not sure what you expect to get from this
_Tectonic_
Scratcher
32 posts

liam48D wrote:

Why did you post the output of that command here..?

Also, please use [code]/* code */[/code] tags :P
idk, just wanted it to be somewhere…

P.S. didn't know about these [code] tags
_Tectonic_
Scratcher
32 posts

This was done on my USB copy of Kali Linux.
comp09
Scratcher
1000+ posts

The origin server at 18.85.28.66 is much more interesting:
andrew@newton:~$ sudo nmap -v -A -Pn -O --osscan-guess 18.85.28.66

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-29 22:38 EDT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:38
Completed NSE at 22:38, 0.00s elapsed
Initiating NSE at 22:38
Completed NSE at 22:38, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 22:38
Completed Parallel DNS resolution of 1 host. at 22:38, 0.02s elapsed
Initiating SYN Stealth Scan at 22:38
Scanning femto.media.mit.edu (18.85.28.66) [1000 ports]
Discovered open port 80/tcp on 18.85.28.66
Discovered open port 443/tcp on 18.85.28.66
Completed SYN Stealth Scan at 22:38, 22.82s elapsed (1000 total ports)
Initiating Service scan at 22:38
Scanning 2 services on femto.media.mit.edu (18.85.28.66)
Completed Service scan at 22:38, 12.26s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against femto.media.mit.edu (18.85.28.66)
Initiating Traceroute at 22:38
Completed Traceroute at 22:38, 3.06s elapsed
Initiating Parallel DNS resolution of 12 hosts. at 22:38
Completed Parallel DNS resolution of 12 hosts. at 22:38, 0.09s elapsed
NSE: Script scanning 18.85.28.66.
Initiating NSE at 22:38
Completed NSE at 22:38, 1.93s elapsed
Initiating NSE at 22:38
Completed NSE at 22:38, 0.00s elapsed
Nmap scan report for femto.media.mit.edu (18.85.28.66)
Host is up (0.036s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http-proxy Varnish
|_http-server-header: Varnish
|_http-title: 403. Hmm, something doesn't look right about that URL...
443/tcp open ssl/http nginx
|_http-favicon: Unknown favicon MD5: 6E841A8651FD5D5770FF5A5C0A0F65B8
| http-methods:
|_ Supported Methods: GET HEAD
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: nginx
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=scratch.mit.edu/organizationName=Massachusetts Institute of Technology/stateOrProvinceName=Ma/countryName=US
| Issuer: commonName=InCommon RSA Server CA/organizationName=Internet2/stateOrProvinceName=MI/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-11-19T00:00:00
| Not valid after: 2017-11-18T23:59:59
| MD5: 62f6 737a 6e23 ea91 7c35 252d 85cb ef6a
|_SHA-1: c31e e937 8801 568b 5689 6b70 df98 4e2c 51e7 6f0c
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 4.1
Uptime guess: 55.148 days (since Mon Apr 4 19:06:16 2016)
Network Distance: 17 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 2.04 ms 192.168.1.1
2 12.20 ms L101.BSTNMA-VFTTP-66.verizon-gni.net (96.233.107.1)
3 15.09 ms G102-0-0-2.BSTNMA-LCR-21.verizon-gni.net (100.41.212.42)
4 ... 5
6 20.40 ms 0.ae3.BR2.NYC4.ALTER.NET (140.222.231.133)
7 ...
8 82.33 ms ae-3-80.edge3.Washington4.Level3.net (4.69.149.146)
9 22.30 ms ae-2-70.edge3.Washington4.Level3.net (4.69.149.82)
10 26.33 ms level3-pni.iad1.us.voxel.net (4.53.116.2)
11 30.67 ms unknown.prolexic.com (209.200.144.200)
12 35.51 ms unknown.prolexic.com (209.200.144.205)
13 ...
14 32.54 ms dmz-rtr-1-external-rtr-3.mit.edu (18.192.7.1)
15 ...
16 30.20 ms media-lab-dmz-rtr-2.mit.edu (18.4.11.65)
17 30.39 ms femto.media.mit.edu (18.85.28.66)

NSE: Script Post-scanning.
Initiating NSE at 22:38
Completed NSE at 22:38, 0.00s elapsed
Initiating NSE at 22:38
Completed NSE at 22:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.07 seconds
Raw packets sent: 3088 (138.110KB) | Rcvd: 58 (3.772KB)

Takeaways:
  • There is no SSH service
  • The server is running some version of Linux 3 or 4
  • The server itself may have been up for at least 55 days; the ST should probably patch the kernel with those recent security fixes
  • nginx behind Varnish, blah blah blah, nothing exciting
  • MIT Media Lab uses Prolexic for DDoS mitigation, now actually Akamai

Last edited by comp09 (May 30, 2016 02:42:34)
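
An added example, not part of comp09's post or any Scratch code: a small audit an owner could run over their own saved Nmap reports, flagging hosts whose uptime guess exceeds a reboot window and open ports outside an allowlist. The sample report, host names, `max_days` and the allowlist are constructed assumptions; Nmap's uptime guess is derived from TCP timestamps, so a zero or missing value is treated as no estimate.

```python
import re

# Constructed sample in Nmap normal-output format. Hosts and addresses are
# placeholders; the uptime figures mirror the two kinds of result in this thread.
SAMPLE = """\
Nmap scan report for origin.example (192.0.2.10)
PORT STATE SERVICE VERSION
80/tcp open http-proxy Varnish
443/tcp open ssl/http nginx
OS details: Linux 3.11 - 4.1
Uptime guess: 55.148 days (since Mon Apr 4 19:06:16 2016)
Nmap scan report for edge.example (192.0.2.20)
PORT STATE SERVICE VERSION
21/tcp open ftp?
80/tcp open http-proxy Varnish
443/tcp open tcpwrapped
Uptime guess: 0.000 days (since Wed Apr 3 21:59:17 2019)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)")
OS_RE = re.compile(r"^OS details: (.+)$")
UPTIME_RE = re.compile(r"^Uptime guess: ([\d.]+) days")

def parse_hosts(text):
    """Split a report into one record per 'Nmap scan report for' block."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"host": m.group(1), "ports": {}, "os": None, "uptime_days": None}
            hosts.append(cur)
        elif cur is None:
            continue  # preamble before the first host block
        elif m := PORT_RE.match(line):
            cur["ports"][int(m.group(1))] = m.group(2)
        elif m := OS_RE.match(line):
            cur["os"] = m.group(1)
        elif m := UPTIME_RE.match(line):
            cur["uptime_days"] = float(m.group(1))
    return hosts

def reboot_finding(host, max_days=30):
    """Classify the uptime guess against a reboot window (max_days is a policy assumption)."""
    up = host["uptime_days"]
    if not up:  # missing or 0.000: no usable estimate
        return "no-estimate"
    return "reboot-overdue" if up > max_days else "ok"

def unexpected_ports(host, allowed=(80, 443)):
    """Open ports outside the allowlist the owner expects to expose."""
    return sorted(p for p in host["ports"] if p not in allowed)

if __name__ == "__main__":
    for h in parse_hosts(SAMPLE):
        print(h["host"], h["os"], reboot_finding(h), unexpected_ports(h))
```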

_Tectonic_
Scratcher
32 posts

Interesting!
thisrunShubhankar
Scratcher
14 posts

shubhankar-Inspiron-1525 shubhankar # nmap -v -A scratch.mit.edu -Pn

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-03 21:58 BST
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.10s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning scratch.mit.edu (151.101.66.133)
Discovered open port 80/tcp on 151.101.66.133
Discovered open port 443/tcp on 151.101.66.133
Completed SYN Stealth Scan at 21:59, 8.26s elapsed (1000 total ports)
Initiating Service scan at 21:59
Scanning 2 services on scratch.mit.edu (151.101.66.133)
Completed Service scan at 21:59, 12.42s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against scratch.mit.edu (151.101.66.133)
Retrying OS detection (try #2) against scratch.mit.edu (151.101.66.133)
Initiating Traceroute at 21:59
Completed Traceroute at 21:59, 3.02s elapsed
Initiating Parallel DNS resolution of 4 hosts. at 21:59
Completed Parallel DNS resolution of 4 hosts. at 21:59, 0.05s elapsed
NSE: Script scanning 151.101.66.133.
Initiating NSE at 21:59
Completed NSE at 21:59, 3.82s elapsed
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Nmap scan report for scratch.mit.edu (151.101.66.133)
Host is up (0.025s latency).
Other addresses for scratch.mit.edu (not scanned): 151.101.194.133 151.101.130.133 151.101.2.133
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http-proxy Varnish
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Varnish
|_http-title: Did not follow redirect to https://scratch.mit.edu/
443/tcp open ssl/http-proxy Varnish
|_http-favicon: Unknown favicon MD5: D87FA1FD90A60EA12AA77F10872FC6A0
| http-methods:
|_ Supported Methods: GET HEAD
| http-robots.txt: 9 disallowed entries
| /internalapi/ /projects/embed/ /cloudmonitor/
| /varserver/ /tags/ /site-api/ /api/ /scratchr2/static/
|_/scratch_1.4/
|_http-server-header: Varnish
|_http-title: Scratch - Imagine, Program, Share
| ssl-cert: Subject: commonName=*.scratch.mit.edu
| Issuer: commonName=COMODO RSA Domain Validation Secure Server CA/organizationName=COMODO CA Limited/stateOrProvinceName=Greater Manchester/countryName=GB
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-08-02T00:00:00
| Not valid after: 2020-10-11T23:59:59
| MD5: a395 72e0 ce52 3883 35e2 bf5a 56fc 23ad
|_SHA-1: 1e0c 644d a22d e11d 893e 3b49 54ec 4e6c 4e66 5461
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Crestron XPanel control system (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (88%), OpenWrt White Russian 0.9 (Linux 2.4.30) (88%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (88%), OpenBSD 4.3 (88%), Asus RT-AC66U router (Linux 2.6) (87%), Asus RT-N10 router or AXIS 211A Network Camera (Linux 2.6) (87%), Linux 2.6.18 (87%), Asus RT-N16 WAP (Linux 2.6) (87%), Asus RT-N66U WAP (Linux 2.6) (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Wed Apr 3 21:59:17 2019)
Network Distance: 5 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 4.26 ms SkyRouter.Home (192.168.0.1)
2 …
3 26.91 ms be381.pr2.hobir.isp.sky.com (2.120.8.150)
4 24.72 ms 027ff185.bb.sky.com (2.127.241.133)
5 23.98 ms 151.101.66.133

NSE: Script Post-scanning.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.30 seconds
Raw packets sent: 2101 (96.602KB) | Rcvd: 51 (3.426KB)
LuckyLucky7
Scratcher
1000+ posts

What is an nmap?
