{\rtf1\adeflang1025\ansi\ansicpg936\uc2\adeff0\deff0\stshfdbch13\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe2052{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f13\fnil\fcharset134\fprq2{\*\panose 02010600030101010101}\'cb\'ce\'cc\'e5{\*\falt SimSun};} {\f18\fmodern\fcharset136\fprq1{\*\panose 02020309000000000000}MingLiU{\*\falt \'b2\'d3\'a9\'fa\'c5\'e9};}{\f36\fnil\fcharset134\fprq2{\*\panose 02010600030101010101}@\'cb\'ce\'cc\'e5;} {\f82\fmodern\fcharset136\fprq1{\*\panose 02020309000000000000}@MingLiU;}{\f179\froman\fcharset238\fprq2 Times New Roman CE;}{\f180\froman\fcharset204\fprq2 Times New Roman Cyr;}{\f182\froman\fcharset161\fprq2 Times New Roman Greek;} {\f183\froman\fcharset162\fprq2 Times New Roman Tur;}{\f184\fbidi \froman\fcharset177\fprq2 Times New Roman (Hebrew);}{\f185\fbidi \froman\fcharset178\fprq2 Times New Roman (Arabic);}{\f186\froman\fcharset186\fprq2 Times New Roman Baltic;} {\f187\froman\fcharset163\fprq2 Times New Roman (Vietnamese);}{\f311\fnil\fcharset0\fprq2 SimSun Western{\*\falt SimSun};}{\f361\fmodern\fcharset0\fprq1 MingLiU Western{\*\falt \'b2\'d3\'a9\'fa\'c5\'e9};} {\f541\fnil\fcharset0\fprq2 @\'cb\'ce\'cc\'e5 Western;}{\f1001\fmodern\fcharset0\fprq1 @MingLiU Western;}}{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0; \red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;\red255\green153\blue0;} {\stylesheet{\qj \li0\ri0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs24\alang1025 \ltrch\fcs0 \fs21\lang1033\langfe2052\kerning2\loch\f0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 \snext0 Normal;} {\*\cs10 \additive \ssemihidden Default Paragraph Font;}{\* 
\ts11\tsrowd\trftsWidthB3\trpaddl108\trpaddr108\trpaddfl3\trpaddft3\trpaddfb3\trpaddfr3\trcbpat1\trcfpat1\tblind0\tblindtype3\tscellwidthfts0\tsvertalt\tsbrdrt\tsbrdrl\tsbrdrb\tsbrdrr\tsbrdrdgl\tsbrdrdgr\tsbrdrh\tsbrdrv \ql \li0\ri0\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs20 \ltrch\fcs0 \fs20\lang1024\langfe1024\loch\f0\hich\af0\dbch\af13\cgrid\langnp1024\langfenp1024 \snext11 \ssemihidden Normal Table;}{ \s15\qc \li0\ri0\nowidctlpar\brdrb\brdrs\brdrw15\brsp20 \tqc\tx4153\tqr\tx8306\wrapdefault\aspalpha\aspnum\faauto\nosnaplinegrid\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs18\alang1025 \ltrch\fcs0 \fs18\lang1033\langfe2052\kerning2\loch\f0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 \sbasedon0 \snext15 \styrsid15098623 header;}{\s16\ql \li0\ri0\nowidctlpar \tqc\tx4153\tqr\tx8306\wrapdefault\aspalpha\aspnum\faauto\nosnaplinegrid\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs18\alang1025 \ltrch\fcs0 \fs18\lang1033\langfe2052\kerning2\loch\f0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 \sbasedon0 \snext16 \styrsid15098623 footer;}{\*\cs17 \additive \rtlch\fcs1 \af0 \ltrch\fcs0 \ul\cf2 \sbasedon10 \styrsid15098623 Hyperlink;}}{\*\latentstyles\lsdstimax156\lsdlockeddef0}{\*\pgptbl {\pgp\ipgp0\itap0\li0\ri0\sb0\sa0}}{\*\rsidtbl \rsid655764 \rsid811358\rsid1069012\rsid1074055\rsid1318786\rsid1462542\rsid2231290\rsid2847010\rsid2909350\rsid3146529\rsid3152368\rsid3153644\rsid3409549\rsid3869496\rsid4001084\rsid4197693\rsid4419642\rsid4477090\rsid5848812\rsid6441775\rsid6492656\rsid6493368 \rsid7939098\rsid8674677\rsid8869018\rsid8944438\rsid9449096\rsid10106844\rsid10236727\rsid10246904\rsid10505668\rsid10707375\rsid10897542\rsid11282186\rsid11941893\rsid12669821\rsid13312263\rsid13773176\rsid14707564\rsid14892288\rsid15098623\rsid15222873 \rsid15611782\rsid15665703\rsid15817367\rsid15866361\rsid16080730\rsid16195404\rsid16517661\rsid16546564\rsid16607898}{\*\generator Microsoft Word 
11.0.0000;}{\info{\title }{\subject }{\author Document Search} {\keywords Document Search}{\doccomm http://www.downhi.com/txt/Dcr5sp7JdHNK.html}{\operator www.downhi.com}{\creatim\yr2010\mo9\dy28\hr22\min9}{\revtim\yr2014\mo4\dy4\hr1\min23}{\version26}{\edmins1077}{\nofpages1}{\nofwords27}{\nofchars168}{\*\manager http://www.downhi.com/} {\*\company http://www.downhi.com/}{\*\category Document Search}{\nofcharsws186}{\vern24617}{\*\password 00000000}}{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}{\xmlns2 urn:schemas-microsoft-com:office:smarttags}} \paperw11906\paperh16838\margl1134\margr1134\margt1134\margb1134\gutter0\ltrsect \deftab420\ftnbj\aenddoc\donotembedsysfont1\donotembedlingdata0\grfdocevents0\validatexml1\showplaceholdtext0\ignoremixedcontent0\saveinvalidxml0\showxmlerrors1\formshade\horzdoc\dgmargin\dghspace180\dgvspace156\dghorigin1134\dgvorigin1134\dghshow0 \dgvshow2\jcompress\lnongrid\viewkind1\viewscale85\splytwnine\ftnlytwnine\htmautsp\useltbaln\alntblind\lytcalctblwd\lyttblrtgr\lnbrkrule\nobrkwrptbl\snaptogridincell\allowfieldendsel\wrppunct\asianbrkrule\rsidroot3869496\newtblstyruls\nogrowautofit {\*\fchars !),.:\'3b?]\'7d\'a1\'a7\'a1\'a4\'a1\'a6\'a1\'a5\'a8\'44\'a1\'ac\'a1\'af\'a1\'b1\'a1\'ad\'a1\'c3\'a1\'a2\'a1\'a3\'a1\'a8\'a1\'a9\'a1\'b5\'a1\'b7\'a1\'b9\'a1\'bb\'a1\'bf\'a1\'b3\'a1\'bd\'a3\'a1\'a3\'a2\'a3\'a7\'a3\'a9\'a3\'ac\'a3\'ae\'a3\'ba\'a3\'bb\'a3\'bf\'a3\'dd\'a3\'e0\'a3\'fc\'a3\'fd\'a1\'ab\'a1\'e9 }{\*\lchars ([\'7b\'a1\'a4\'a1\'ae\'a1\'b0\'a1\'b4\'a1\'b6\'a1\'b8\'a1\'ba\'a1\'be\'a1\'b2\'a1\'bc\'a3\'a8\'a3\'ae\'a3\'db\'a3\'fb\'a1\'ea\'a3\'a4}\fet0{\*\wgrffmtfilter 013f}\ilfomacatclnup0{\*\template C:\\Documents and Settings\\Administrator\\\'d7\'c0\'c3\'e6\\doc.dot}{\*\ftnsep \ltrpar \pard\plain \ltrpar\qj \li0\ri0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs24\alang1025 \ltrch\fcs0 
\fs21\lang1033\langfe2052\kerning2\loch\af0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid14707564 \chftnsep \par }}{\*\ftnsepc \ltrpar \pard\plain \ltrpar\qj \li0\ri0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs24\alang1025 \ltrch\fcs0 \fs21\lang1033\langfe2052\kerning2\loch\af0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid14707564 \chftnsepc \par }}{\*\aftnsep \ltrpar \pard\plain \ltrpar\qj \li0\ri0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs24\alang1025 \ltrch\fcs0 \fs21\lang1033\langfe2052\kerning2\loch\af0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid14707564 \chftnsep \par }}{\*\aftnsepc \ltrpar \pard\plain \ltrpar\qj \li0\ri0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs24\alang1025 \ltrch\fcs0 \fs21\lang1033\langfe2052\kerning2\loch\af0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid14707564 \chftnsepc \par }}\ltrpar \sectd \ltrsect\linex0\headery851\footery992\colsx425\endnhere\sectlinegrid312\sectspecifyl\sectrsid6493368\sftnbj {\headerr \ltrpar \pard\plain \ltrpar\s15\qc \li0\ri0\nowidctlpar\brdrb\brdrs\brdrw15\brsp20 \tqc\tx4153\tqr\tx8306\wrapdefault\aspalpha\aspnum\faauto\nosnaplinegrid\adjustright\rin0\lin0\itap0 \rtlch\fcs1 \af0\afs18\alang1025 \ltrch\fcs0 \fs18\lang1033\langfe2052\kerning2\loch\af0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 {\rtlch\fcs1 \af0\afs30 \ltrch\fcs0 \b\f13\fs30\cf6\insrsid1074055\charrsid1074055 \hich\af13\dbch\af13\loch\f13 Free Document Search and Download}{\rtlch\fcs1 \af0\afs30 \ltrch\fcs0 \b\fs30\cf6\loch\af13\insrsid6493368\charrsid1074055 \par }{\field{\*\fldinst {\rtlch\fcs1 \af0\afs32 \ltrch\fcs0 \f13\fs32\cf6\insrsid14892288 \hich\af13\dbch\af13\loch\f13 HYPERLINK "http://www.downhi.com/" 
}{\rtlch\fcs1 \af0\afs32 \ltrch\fcs0 \fs32\cf6\loch\af13\insrsid10707375\charrsid14892288 {\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b4e00000068007400740070003a002f002f00770065006e00640061006e0067002e0064006f00630073006f0075002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab0000000000}} }{\fldrslt {\rtlch\fcs1 \af0\afs32 \ltrch\fcs0 \cs17\f13\fs32\ul\cf2\insrsid3146529\charrsid14892288 \hich\af13\dbch\af13\loch\f13 http://www.downhi.com/}}}\sectd \linex0\endnhere\sectdefaultcl\sftnbj {\rtlch\fcs1 \af0\afs32 \ltrch\fcs0 \fs32\cf6\loch\af13\insrsid6493368\charrsid15098623 \par }}{\*\pnseclvl1\pnucrm\pnstart1\pnindent720\pnhang {\pntxta \dbch .}}{\*\pnseclvl2\pnucltr\pnstart1\pnindent720\pnhang {\pntxta \dbch .}}{\*\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta \dbch .}}{\*\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta \dbch )}}{\*\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb \dbch (}{\pntxta \dbch )}}{\*\pnseclvl6\pnlcltr\pnstart1\pnindent720\pnhang {\pntxtb \dbch (}{\pntxta \dbch )}}{\*\pnseclvl7\pnlcrm\pnstart1\pnindent720\pnhang {\pntxtb \dbch (} {\pntxta \dbch )}}{\*\pnseclvl8\pnlcltr\pnstart1\pnindent720\pnhang {\pntxtb \dbch (}{\pntxta \dbch )}}{\*\pnseclvl9\pnlcrm\pnstart1\pnindent720\pnhang {\pntxtb \dbch (}{\pntxta \dbch )}}\pard\plain \ltrpar\qj \li0\ri0\sl180\slmult0 \nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid6493368 \rtlch\fcs1 \af0\afs24\alang1025 \ltrch\fcs0 \fs21\lang1033\langfe2052\kerning2\loch\af0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid6493368\charrsid1074055 \loch\af0\hich\af0\dbch\f13 \'a1\'a1\'a1\'a1}{\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid6493368\charrsid1074055 \par }\pard \ltrpar\qc \li0\ri0\sl180\slmult0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid1318786 {\rtlch\fcs1 \af0\afs36 \ltrch\fcs0 
\b\fs36\insrsid1318786\charrsid1074055 \hich\af0\dbch\af13\loch\f0 \par }\pard \ltrpar\qj \li0\ri0\sl180\slmult0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid1074055 {\rtlch\fcs1 \af0 \ltrch\fcs0 \fs24\insrsid6493368\charrsid1074055 \loch\af0\hich\af0\dbch\f13 \'a3\'ba}{\rtlch\fcs1 \af0 \ltrch\fcs0 \fs24\insrsid6493368\charrsid1074055 \par }\pard \ltrpar\qc \li0\ri0\sl180\slmult0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid3869496 {\field{\*\fldinst {\rtlch\fcs1 \af0 \ltrch\fcs0 \fs24\insrsid1074055 \hich\af0\dbch\af13\loch\f0 \hich\af0\dbch\af13\loch\f0 HYPERLINK "http://www.downhi.com/"\hich\af0\dbch\af13\loch\f0 }{\rtlch\fcs1 \af0 \ltrch\fcs0 \fs24\insrsid13719882\charrsid1074055 {\*\datafield 00d0c9ea79f9bace118c8200aa004ba90b0200000003000000e0c9ea79f9bace118c8200aa004ba90b4600000068007400740070003a002f002f007700770077002e0064006f0077006e00680069002e0063006f006d002f000000795881f43b1d7f48af2c825dc485276300000000a5ab0000}}}{\fldrslt { \rtlch\fcs1 \af0 \ltrch\fcs0 \cs17\fs24\ul\cf2\insrsid3869496\charrsid1074055 \hich\af0\dbch\af13\loch\f0 http://www.downhi.com/txt/Dcr5sp7JdHNK.html}{\rtlch\fcs1 \af0 \ltrch\fcs0 \cs17\fs24\ul\cf2\insrsid6493368\charrsid1074055 \par }\pard \ltrpar\qj \li0\ri0\sl180\slmult0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid6493368 }}\pard\plain \ltrpar\qj \li0\ri0\sl180\slmult0 \nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid6493368 \rtlch\fcs1 \af0\afs24\alang1025 \ltrch\fcs0 \fs21\lang1033\langfe2052\kerning2\loch\af0\hich\af0\dbch\af13\cgrid\langnp1033\langfenp2052 \sectd \linex0\headery851\footery992\colsx425\endnhere\sectlinegrid312\sectspecifyl\sectrsid6493368\sftnbj {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid6493368\charrsid1074055 \par }{\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid6493368\charrsid1074055 \par }\pard \ltrpar\qj 
\li0\ri0\sl360\slmult1\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15866361 {\rtlch\fcs1 \af0 \ltrch\fcs0 \fs24\insrsid3869496\charrsid1074055 \hich\af0\dbch\af13\loch\f0 \par\par \par \par\par \par \par\par \par \par\par \par \par Last login: Sun Nov 24 03:10:44 on ttyp1\par Welcome to Darwin!\par [Uisce:~] mcarroll% ssh red.ils.unc.edu\par mcarroll@red.ils.unc.edu's password: \par Last login: Sat Nov 23 17:36:24 2002 from rdu57-242-138.nc.rr.com\par [mcarroll@red mcarroll]$ nmap -sF 66.57.242.138 \par \par Starting nmap V. 3.00 ( www.insecure.org/nmap/ )\par You requested a scan type which requires r00t privileges, and you do not have them.\par \par QUITTING!\par [mcarroll@red mcarroll]$ sudo nmap -sF 66.57.242.138\par Password:\par \par Starting nmap V. 3.00 ( www.insecure.org/nmap/ )\par Note: Host seems down. If it is really up, but blocking our ping probes, try -P0\par Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds\par [mcarroll@red mcarroll]$ sudo nmap -sP 66.57.242.138\par \par Starting nmap V. 3.00 ( www.insecure.org/nmap/ )\par Note: Host seems down. If it is really up, but blocking our ping probes, try -P0\par Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds\par [mcarroll@red mcarroll]$ nmap -sF 66.57.242.132 \par \par Starting nmap V. 3.00 ( www.insecure.org/nmap/ )\par You requested a scan type which requires r00t privileges, and you do not have them.\par \par QUITTING!\par [mcarroll@red mcarroll]$ sudo nmap -sF 66.57.242.132 \par \par Starting nmap V. 
3.00 ( www.insecure.org/nmap/ )\par Interesting ports on rdu57-242-132.nc.rr.com (66.57.242.132):\par (The 1596 ports scanned but not shown below are in state: closed)\par Port State Service\par 69/tcp filtered tftp \par 137/tcp open netbios-ns \par 138/tcp open netbios-dgm \par 139/tcp open netbios-ssn \par 445/tcp open microsoft-ds \par \par Nmap run completed -- 1 IP address (1 host up) scanned in 16 seconds\par [mcarroll@red mcarroll]$ echo this is a neighbor!man nmap\par echo this is a neighborman nmap nmap\par this is a neighborman nmap nmap\par [mcarroll@red mcarroll]$ man nmap \par NMAP(1) NMAP(1)\par \par NAME\par nmap - Network exploration tool and security scanner\par \par NAME\par nmap - Network exploration tool and security scanner\par \par SYNOPSIS\par nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>\par \par DESCRIPTION\par Nmap is designed to allow system administrators and curious individuals to\par scan large networks to determine which hosts are up and what services they\par are offering. nmap supports a large number of scanning techniques such as:\par UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack),\par Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP\par Protocol, and Null scan. See the Scan Types section for more details.\par nmap also offers a number of advanced features such as remote OS detection\par via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmis-\par sion calculations, parallel scanning, detection of down hosts via parallel\par pings, decoy scanning, port filtering detection, direct (non-portmapper)\par RPC scanning, fragmentation scanning, and flexible target and port specifi-\par cation.\par \par Significant effort has been put into decent nmap performance for non-root\par users. Unfortunately, many critical kernel interfaces (such as raw sock-\par ets) require root privileges. 
nmap should be run as root whenever possible\par (not setuid root, of course).\par \par The result of running nmap is usually a list of interesting ports on the\par machine(s) being scanned (if any). Nmap always gives http://www.downhi.com/txt/Dcr5sp7JdHNK.html the port's "well\par known" service name (if any), number, state, and protocol. The state is\par either 'open', 'filtered', or 'unfiltered'. Open means that the target\par machine will accept() connections on that port. Filtered means that a\par firewall, filter, or other network obstacle is covering the port and pre-\par venting nmap from determining whether the port is open. Unfiltered means\par that the port is known by nmap to be closed and no firewall/filter seems to\par be interfering with nmap's attempts to determine this. Unfiltered ports\par are the common case and are only shown when most of the scanned ports are\par in the filtered state.\par \par Depending on options used, nmap may also report the following characteris-\par tics of the remote host: OS in use, TCP sequencability, usernames running\par the programs which have bound to each port, the DNS name, whether the host\par is a smurf address, and a few others.\par \par OPTIONS\par Options that make sense together can generally be combined. Some options\par are specific to certain scan modes. nmap tries to catch and warn the user\par about psychotic or unsupported option combinations.\par \par If you are impatient, you can skip to the examples section at the end,\par which demonstrates common usage. You can also run nmap -h for a quick ref-\par erence page listing all the options.\par \par SCAN TYPES\par \par -sS TCP SYN scan: This technique is often referred to as "half-open"\par scanning, because you don't open a full TCP connection. You send a\par SYN packet, as if you are going to open a real connection and you\par wait for a response. A SYN|ACK indicates the port is listening http://www.downhi.com/txt/Dcr5sp7JdHNK.html . 
A\par RST is indicative of a non-listener. If a SYN|ACK is received, a\par RST is immediately sent to tear down the connection (actually our OS\par kernel does this for us). The primary advantage to this scanning\par technique is that fewer sites will log it. Unfortunately you need\par root privileges to build these custom SYN packets. This is the\par default scan type for privileged users.\par \par -sT TCP connect() scan: This is the most basic form of TCP scanning. The\par connect() system call provided by your operating system is used to\par open a connection to every interesting port on the machine. If the\par port is listening, connect() will succeed, otherwise the port isn't\par reachable. One strong advantage to this technique is that you don't\par need any special privileges. Any user on most UNIX boxes is free to\par use this call.\par \par This sort of scan is easily detectable as target host logs will show\par a bunch of connection and error messages for the services which\par accept() the connection just to have it immediately shutdown. This\par is the default scan type for unprivileged users.\par \par -sF -sX -sN\par Stealth FIN, Xmas Tree, or Null scan modes: There are times when\par even SYN scanning isn't clandestine enough. Some firewalls and\par packet filters watch for SYNs to restricted ports, and programs like\par Synlogger and Courtney are available to detect these scans. These\par advanced scans, on the other hand, may be able to pass through unmo-\par lested.\par \par The idea is that cl http://www.downhi.com/txt/Dcr5sp7JdHNK.html osed ports are required to reply to your probe\par packet with an RST, while open ports must ignore the packets in\par question (see RFC 793 pp 64). The FIN scan uses a bare (surprise)\par FIN packet as the probe, while the Xmas tree scan turns on the FIN,\par URG, and PUSH flags. The Null scan turns off all flags. 
Unfortu-\par nately Microsoft (like usual) decided to completely ignore the stan-\par dard and do things their own way. Thus this scan type will not work\par against systems running Windows95/NT. On the positive side, this is\par a good way to distinguish between the two platforms. If the scan\par finds open ports, you know the machine is not a Windows box. If a\par -sF,-sX,or -sN scan shows all ports closed, yet a SYN (-sS) scan\par shows ports being opened, you are probably looking at a Windows box.\par This is less useful now that nmap has proper OS detection built in.\par There are also a few other systems that are broken in the same way\par Windows is. They include Cisco, BSDI, HP/UX, MVS, and IRIX. All of\par the above send resets from the open ports when they should just drop\par the packet.\par \par -sP Ping scanning: Sometimes you only want to know which hosts on a net-\par work are up. Nmap can do this by sending ICMP echo request packets\par to every IP address on the networks you specify. Hosts that respond\par are up. Unfortunately, some sites such as microsoft.com block echo\par request packets. Thus nmap can also send a TCP ack packet to (by\par default) port 80. If we get an RST back, that machine is up. A\par th http://www.downhi.com/txt/Dcr5sp7JdHNK.html ird technique involves sending a SYN packet and waiting for a RST\par or a SYN/ACK. For non-root users, a connect() method is used.\par \par By default (for root users), nmap uses both the ICMP and ACK tech-\par niques in parallel. You can change the -P option described later.\par \par Note that pinging is done by default anyway, and only hosts that\par respond are scanned. Only use this option if you wish to ping sweep\par without doing any actual port scans.\par \par -sU UDP scans: This method is used to determine which UDP (User Datagram\par Protocol, RFC 768) ports are open on a host. The technique is to\par send 0 byte udp packets to each port on the target machine. 
If we\par receive an ICMP port unreachable message, then the port is closed.\par Otherwise we assume it is open.\par \par Some people think UDP scanning is pointless. I usually remind them\par of the recent Solaris rcpbind hole. Rpcbind can be found hiding on\par an undocumented UDP port somewhere above 32770. So it doesn't matter\par that 111 is blocked by the firewall. But can you find which of the\par more than 30,000 high ports it is listening on? With a UDP scanner\par you can! There is also the cDc Back Orifice backdoor program which\par hides on a configurable UDP port on Windows machines. Not to men-\par tion the many commonly vulnerable services that utilize UDP such as\par snmp, tftp, NFS, etc.\par \par Unfortunately UDP scanning is sometimes painfully slow since most\par hosts implement a suggestion in RFC 1812 (section 4.3.2.8) of limit-\par ing the ICMP error messa http://www.downhi.com/txt/Dcr5sp7JdHNK.html ge rate. For example, the Linux kernel (in\par net/ipv4/icmp.h) limits destination unreachable message generation\par to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.\par Solaris has much more strict limits (about 2 messages per second)\par and thus takes even longer to scan. nmap detects this rate limiting\par and slows down accordingly, rather than flood the network with use-\par less packets that will be ignored by the target machine.\par \par As is typical, Microsoft ignored the suggestion of the RFC and does\par not seem to do any rate limiting at all on Win95 and NT machines.\par Thus we can scan all 65K ports of a Windows machine very quickly.\par Woop!\par \par -sO IP protocol scans: This method is used to determine which IP proto-\par cols are supported on a host. The technique is to send raw IP pack-\par ets without any further protocol header to each specified protocol\par on the target machine. If we receive an ICMP protocol unreachable\par message, then the protocol is not in use. Otherwise we assume it is\par open. 
Note that some hosts (AIX, HP-UX, Digital UNIX) and firewalls\par may not send protocol unreachable messages. This causes all of the\par protocols to appear "open".\par \par Because the implemented technique is very similar to UDP port scan-\par ning, ICMP rate limit might apply too. But the IP protocol field has\par only 8 bits, so at most 256 protocols can be probed which should be\par possible in reasonable time anyway.\par \par -sI \par Idlescan: This advanced scan method a http://www.downhi.com/txt/Dcr5sp7JdHNK.html llows for a truly blind TCP\par port scan of the target (meaning no packets are sent to the target\par from your real IP address). Instead, a unique side-channel attack\par exploits predictable "IP fragmentation ID" sequence generation on\par the zombie host to glean information about the open ports on the\par target. IDS systems will display the scan as coming from the zombie\par machine you specify (which must be up and meet certain criteria). I\par am planning to put a more detailed explanation up at\par http://www.insecure.org/nmap/nmap_documentation.html in the near\par future.\par \par Besides being extraordinarily stealthy (due to its blind nature),\par this scan type permits mapping out IP-based trust relationships\par between machines. The port listing shows open ports from the per-\par spective of the zombie host. So you can try scanning a target using\par various zombies that you think might be trusted (via router/packet\par filter rules). Obviously this is crucial information when priori-\par tizing attack targets. Otherwise, you penetration testers might\par have to expend considerable resources "owning" an intermediate sys-\par tem, only to find out that its IP isn't even trusted by the target\par host/network you are ultimately after.\par \par You can add a colon followed by a port number if you wish to probe a\par particular port on the zombie host for IPID changes. 
Otherwise Nmap\par will use the port it uses by default for "tcp pings".\par \par -sA ACK scan: This advanced method is usually used to map out firewall\par rulesets. In particular, it can help determine whether a firewall\par is stateful or just a simple packet filter that blocks incoming SYN\par packets.\par \par This scan type sends an ACK packet (with random looking acknowledge-\par ment/sequence numbers) to the ports specified. If a RST comes back,\par the port is classified as "unfiltered". If nothing comes back (or\par if an ICMP unreachable is returned), the port is classified as "fil-\par tered". Note that nmap usually doesn't print "unfiltered" ports, so\par getting no ports shown in the output is usually a sign that all the\par probes got through (and returned RSTs). This scan will obviously\par never show ports in the "open" state.\par \par -sW Window scan: This advanced scan is very similar to the ACK scan,\par except that it can sometimes detect open ports as well as fil-\par tered/nonfiltered due to an anomaly in the TCP window size reporting\par by some operating systems. Systems vulnerable to this include at\par least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX,\par DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS,\par NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX,\par and VxWorks. See the nmap-hackers mailing list archive for a full\par list.\par \par -sR RPC scan. This method works in combination with the various port\par scan methods of Nmap. It takes all the TCP/UDP ports found open and\par then floods them with SunRPC program NULL commands in an attempt to\par determine whether they are RPC ports, and if so, what program and\par version number they serve up. Thus you can effectively obtain the\par same info as "rpcinfo -p" even if the target's portmapper is behind a\par firewall (or protected by TCP wrappers). 
Decoys do not\par currently work with RPC scan, at some point I may add decoy support\par for UDP RPC scans.\par \par -sL List scan. This method simply generates and prints a list of\par IPs/Names without actually pinging or port scanning them. DNS name\par resolution will be performed unless you use -n.\par \par -b \par FTP bounce attack: An interesting "feature" of the ftp protocol (RFC\par 959) is support for "proxy" ftp connections. In other words, I\par should be able to connect from evil.com to the FTP server of tar-\par get.com and request that the server send a file ANYWHERE on the\par internet! Now this may have worked well in 1985 when the RFC was\par written. But in today's Internet, we can't have people hijacking ftp\par servers and requesting that data be spit out to arbitrary points on\par the internet. As *Hobbit* wrote back in 1995, this protocol flaw\par "can be used to post virtually untraceable mail and news, hammer on\par servers at various sites, fill up disks, try to hop firewalls, and\par generally be annoying and hard to track down at the same time." What\par we will exploit this for is to (surprise, surprise) scan TCP ports\par from a "proxy" ftp server. Thus you could connect to an ftp server\par behind a firewall, and then scan ports that are more likely to be\par blocked (139 is a good one). If the ftp server allows reading from\par http://www.downhi.com/txt/Dcr5sp7JdHNK.html and writing to some directory (such as /incoming), you can send\par arbitrary data to ports that you do find open (nmap doesn't do this\par for you though).\par \par The argument passed to the 'b' option is the host you want to use as\par a proxy, in standard URL notation. The format is: username:pass-\par word@server:port. Everything but server is optional. To determine\par what servers are vulnerable to this attack, you can see my article\par in Phrack 51. 
An updated version is available at the nmap URL\par (http://www.insecure.org/nmap).\par \par GENERAL OPTIONS\par None of these are required but some can be quite useful.\par \par -P0 Do not try and ping hosts at all before scanning them. This allows\par the scanning of networks that don't allow ICMP echo requests (or\par responses) through their firewall. microsoft.com is an example of\par such a network, and thus you should always use -P0 or -PT80 when\par portscanning microsoft.com.\par \par -PT Use TCP "ping" to determine what hosts are up. Instead of sending\par ICMP echo request packets and waiting for a response, we spew out\par TCP ACK packets throughout the target network (or to a single\par machine) and then wait for responses to trickle back. Hosts that\par are up should respond with a RST. This option preserves the effi-\par ciency of only scanning hosts that are up while still allowing you\par to scan networks/hosts that block ping packets. For non root users,\par we use connect(). To set the destination port of the probe packets\par use -PT<port number>. The default port is 80, since this port is\par often not filtered out.\par \par -PS This option uses SYN (connection request) packets instead of ACK\par packets for root users. Hosts that are up should respond with a RST\par (or, rarely, a SYN|ACK). You can set the destination port in the\par same manner as -PT above.\par \par -PI This option uses a true ping (ICMP echo request) packet. It finds\par hosts that are up and also looks for subnet-directed broadcast\par addresses on your network. These are IP addresses which are exter-\par nally reachable and translate to a broadcast of incoming IP packets\par to a subnet of computers. 
These should be eliminated if found as\par they allow for numerous denial of service attacks (Smurf is the most\par common).\par \par -PP Uses an ICMP timestamp request (code 13) packet to find listening\par hosts.\par \par -PM Same as -PI and -PP except uses a netmask request (ICMP code 17).\par \par -PB This is the default ping type. It uses both the ACK ( -PT ) and\par ICMP echo request ( -PI ) sweeps in parallel. This way you can get\par firewalls that filter either one (but not both). The TCP probe des-\par tination port can be set in the same manner as with -PT above.\par \par -O This option activates remote host identification via TCP/IP finger-\par printing. In other words, it uses a bunch of techniques to detect\par subtleties in the underlying operating system network stack of the\par computers you are scanning. It uses this information to create a\par 'fingerprint' which it compares with its database of known OS fin-\par gerprints (the nmap-os-fingerprints file) to decide what type of\par system you are scanning.\par \par If Nmap is unable to guess the OS of a machine, and conditions are\par good (eg at least one open port), Nmap will provide a URL you can\par use to submit the fingerprint if you know (for sure) the OS running\par on the machine. By doing this you contribute to the pool of operat-\par ing systems known to nmap and thus it will be more accurate for\par everyone. 
Note that if you leave an IP address on the form, the\par machine may be scanned when we add the fingerprint (to validate that\par it works).\par \par The -O option also enables several other tests. One is the "Uptime"\par measurement, which uses the TCP timestamp option (RFC 1323) to guess\par when a machine was last rebooted. This is only reported for\par machines which provide this information.\par \par Another test enabled by -O is TCP Sequence Predictability Classifi-\par cation. This is a measure that describes approximately how hard it\par is to establish a forged TCP connection against the remote host.\par This is useful for exploiting source-IP based trust relationships\par (rlogin, firewall filters, etc) or for hiding the source of an\par attack. The actual difficulty number is based on statistical sam-\par pling and may fluctuate. It is generally better to use the English\par classification such as "worthy challenge" or "trivial joke". This\par is only reported in normal output with -v.\par \par [mcarroll@red mcarroll]$ sudo nmap -sA -O 66.57.242.138\par Password:\par \par Starting nmap V. 3.00 ( www.insecure.org/nmap/ )\par Note: Host seems down. If it is really up, but blocking our ping probes, try -P0\par Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds\par [mcarroll@red mcarroll]$ sudo nmap -sA -O 66.57.242.132\par \par Starting nmap V. 
3.00 ( www.insecure.org/nmap/ )\par Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port\par Interesting ports on rdu57-242-132.nc.rr.com (66.57.242.132):\par (The 1596 ports scanned but not shown below are in state: UNfiltered)\par Port State Service\par 69/tcp filtered tftp \par 137/tcp filtered netbios-ns \par 138/tcp filtered netbios-dgm \par 139/tcp filtered netbios-ssn \par 445/tcp filtered microsoft-ds \par Too many fingerprints match this host for me to give an accurate OS guess\par \par Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds\par [mcarroll@red mcarroll]$ sudo nmap -sA -O -P0 66.57.242.132\par \par Starting nmap V. 3.00 ( www.insecure.org/nmap/ )\par Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port\par Interesting ports on rdu57-242-132.nc.rr.com (66.57.242.132):\par (The 1596 ports scanned but not shown below are in state: UNfiltered)\par Port State Service\par 69/tcp filtered tftp \par 137/tcp filtered netbios-ns \par 138/tcp filtered netbios-dgm \par 139/tcp filtered netbios-ssn \par 445/tcp filtered microsoft-ds \par Too many fingerprints match this host for me to give an accurate OS guess\par \par Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds\par [mcarroll@red mcarroll]$ sudo nmap -sA -O -P0 66.57.242.138\par \par Starting nmap V. 
3.00 ( www.insecure.org/nmap/ )\par qcaught SIGINT signal, cleaning up\par [mcarroll@red mcarroll]$ finger 66.57.242.138 \par finger: 66.57.242.138: no such user.\par [mcarroll@red mcarroll]$ \par }{ \rtlch\fcs1 \af0 \ltrch\fcs0 \fs24\insrsid6493368\charrsid1074055 \par }\pard \ltrpar\qj \li0\ri0\sl180\slmult0\nowidctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid6493368 {\rtlch\fcs1 \af0 \ltrch\fcs0 \insrsid1074055 \par \par \par }\sectd \linex0\headery851\footery992\colsx425\endnhere\sectlinegrid312\sectspecifyl\sectrsid6493368\sftnbj {\rtlch\fcs1 \af0\afs28 \ltrch\fcs0 \fs28\cf11\insrsid6493368\charrsid1074055 \par }{\rtlch\fcs1 \af0\afs28 \ltrch\fcs0 \fs28\cf11\insrsid15098623\charrsid1074055 \par }}