NMAP - OS Fingerprinting Ports Used in LANDesk

Version 2

    Verified Product Versions

    Endpoint Manager 9.5Endpoint Manager 9.6Endpoint Manager 2016.xEndpoint Manager 2017.x

    For community benefit, here are the ports that NMAP appears to use for OS Fingerprinting when called by LANDesk UDD.  I obtained these ports from the XML output file generated by NMAP during UDD/Fingerprinting, and cross referenced ports on the IANA database and supplemented "unknowns" from the list maintained by PC-LIBRARY.COM

     

    Please note that these ports are just services that are scanned by nmap to provide information about the device. The actual OS Fingerprinting is based on the TCP/IP fingerprint, if you'd like to read more about how nmap works I'd suggest to read this OS Detection document from nmap's official documentation.

     

    Also, here's the exact parameters that LANDesk calls NMAP with:

    NMAP.EXE -v -PN --min-hostgroup 128 --max-hostgroup 512 -T4 -sS -F -O -iL <LANDesk generated list of IP addresses to scan> -oX <XML output>

     

    -v increased verbosity
    -PN Treat all hosts as online (scan ports even if no ICMP response)
    -T4 Timing template 4
    -sS SYN scan technique
    -F Fast mode (fewer ports - limit to the 100 most common ports listed below)
    -O Enable OS detection

     

     

    7ECHO
    9DISCARD
    13DAYTIME
    21FTP
    22SSH
    23TELNET
    25SMTP
    26RSFTP
    37TIME
    53DNS
    79FINGER
    80HTTP
    81HOSTS2
    88KERBEROS
    1063COM-TSMUX
    110POP3
    111SUNRPC
    113AUTH
    119NNTP
    135EPMAP
    139NETBIOS-SSN
    143IMAP
    144UMA
    179BGP
    199SMUX
    389LDAP
    427SRVLOC
    443HTTPS
    444SNPP
    445MICROSOFT-DS
    465MACON-TCP
    513LOGIN
    514SYSLOG
    515TALK
    543KLOGIN
    544KSHELL
    548AFPOVERTCP
    554RTSP
    587SUBMISSION
    631IPP
    646LDP
    873RSYNC
    990FTPS
    993IMAPS
    995POP3S
    1025BLACKJACK
    1026CAP
    1027DEPRECATED
    1028DEPRECATED
    1029SOLID-MUX
    1110WEBADMSTART
    1433MS-SQL-S
    1720H3223HOSTCALL
    1723PPTP
    1755MS-SREAMING
    1900SSDP
    2000CISCO-SCCP
    2001DC
    2049SHILP
    2121SCIENTIA-SSDB
    2717PN-REQUESTER
    3000HBCI
    3128NDL-AAS
    3306MYSQL
    3389MS-WBT-SERVER
    3986MAPPER-WS_ETHD
    4899RADMIN-PORT
    5000COMMPLEX-MAIN
    5009WINFS
    5051ITA-AGENT
    5060SIP
    5101TALARIAN-TCP
    5190AOL
    5357WSDAPI
    5432POSTGRESQL
    5631PCANYWHEREDATA
    5666UNASSIGNED
    5800UNASSIGNED
    5900RFB
    6000X11
    6001X11
    6646UNASSIGNED
    7070ARCP
    8000IRDMI
    8008HTTP-ALT
    8009NETWARE-HTTP
    8080HTTP-ALT
    8081SUNPROXYADMIN
    8443PCSYNC-HTTPS
    8888DDI-TCP-1
    9100HP-PDL-DATASTR
    9999DISTINCT
    10000NDMP
    32768FILENET-TMS
    49152UTORRENT
    49153ANTLR(LANGUAGE RECOGNITION)
    49154PRIVATE/DYNAMIC
    49155PRIVATE/DYNAMIC
    49156VUZE/AZUREUS(TORRENT)
    49157PRIVATE/DYNAMIC