# ./nmap -sS -sU -O -v 10.0.0.138 Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Host speedtouch.example.com (10.0.0.138) appears to be up ... good. Initiating SYN half-open stealth scan against speedtouch.example.com (10.0.0.138) Adding TCP port 1723 (state open). Adding TCP port 21 (state open). Adding TCP port 80 (state open). Adding TCP port 23 (state open). The SYN scan took 1 second to scan 1541 ports. Initiating FIN,NULL, UDP, or Xmas stealth scan against speedtouch.example.com (10.0.0.138) The UDP or stealth FIN/NULL/XMAS scan took 198 seconds to scan 1541 ports. For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled Interesting ports on speedtouch.example.com (10.0.0.138): (The 3073 ports scanned but not shown below are in state: closed) Port State Service 7/udp open echo 9/udp open discard 19/udp open chargen 21/tcp open ftp 23/tcp open telnet 53/udp open domain 69/udp open tftp 80/tcp open http 1723/tcp open pptp TCP Sequence Prediction: Class=64K rule Difficulty=1 (Trivial joke) Sequence numbers: 1B19801 1B29201 1B38C01 1B48601 1B58001 1B67A01 No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: TSeq(Class=64K) T1(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AS%Ops=MNWNNT) T2(Resp=N) T3(Resp=Y%DF=N%W=1000%ACK=O%Flags=A%Ops=NNT) T4(Resp=Y%DF=N%W=1000%ACK=O%Flags=R%Ops=) T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=) T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) PU(Resp=Y%DF=Y%TOS=0%IPLEN=38%RIPTL=148%RIPCK=0%UCK=E%ULEN=134%DAT=E) Nmap run completed -- 1 IP address (1 host up) scanned in 206 seconds