So, nmap 4.60 is accurately identifying the [iPhone 2.0] software as an “Apple iPhone mobile phone or iPod Touch audio player”. And that’s by using its single open TCP port — 62078.
First, it’s reporting my last reboot as being Fri Oct 27 22:04:38 2006, which is highly incorrect. Even more interestingly, nmap is claiming that the sequence number prediction on the open port is weak (a trivial joke, as it were). That’s kind of 80’sish, so I didn’t believe it until I confirmed this via multiple connections to the port.
sudo tcpdump -nX -i en0 host 192.168.26.19
nc 192.168.26.19 62078 < /dev/random
(snipped)
192.168.26.19.62078 > 192.168.26.25.61195: S 1615:1615(0)
192.168.26.19.62078 > 192.168.26.25.61401: S 1649:1649(0)
192.168.26.19.62078 > 192.168.26.25.61411: S 1656:1656(0)
192.168.26.19.62078 > 192.168.26.25.61412: S 1659:1659(0)
192.168.26.19.62078 > 192.168.26.25.61413: S 1660:1660(0)
Yep, definitely some weak ISN sauce. I’ll have to research what that service is later.
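To put a number on the capture above, here is an added example (not part of the original post, and not nmap's own sequence-prediction index) that parses the SYN lines and measures how far the server's ISN moves between connections. The function names and the 16-bit threshold are assumptions chosen for illustration.

```python
import math
import re

# SYN lines as shown in the post (old tcpdump format: "S isn:isn(0)").
CAPTURE = """\
192.168.26.19.62078 > 192.168.26.25.61195: S 1615:1615(0)
192.168.26.19.62078 > 192.168.26.25.61401: S 1649:1649(0)
192.168.26.19.62078 > 192.168.26.25.61411: S 1656:1656(0)
192.168.26.19.62078 > 192.168.26.25.61412: S 1659:1659(0)
192.168.26.19.62078 > 192.168.26.25.61413: S 1660:1660(0)
"""

SYN_RE = re.compile(r"^(\S+) > (\S+): S (\d+):\d+\(0\)", re.M)


def extract_isns(text, server):
    """Return the ISNs sent by `server` (ip.port), in capture order."""
    return [int(m.group(3)) for m in SYN_RE.finditer(text)
            if m.group(1) == server]


def isn_report(isns):
    """Summarise how far consecutive ISNs move, modulo 2**32."""
    if len(isns) < 2:
        raise ValueError("need at least two ISNs to compare")
    deltas = [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]
    max_delta = max(deltas)
    # Bits needed to cover the largest observed step: a crude upper bound
    # on how much of the 32-bit space the generator actually uses.
    guess_bits = math.log2(max_delta + 1)
    return {
        "deltas": deltas,
        "max_delta": max_delta,
        "guess_bits": round(guess_bits, 2),
        # Assumed threshold: a sound generator should spread over far
        # more than 16 bits between connections.
        "weak": guess_bits < 16,
    }


if __name__ == "__main__":
    isns = extract_isns(CAPTURE, "192.168.26.19.62078")
    print(isns)
    print(isn_report(isns))
```

Five samples are few, but steps this small out of a 32-bit space are not what a randomised ISN generator produces.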
[ Previous iPhone Nmap Results | danielmiessler.com ]
[ An Nmap Primer | danielmiessler.com ]
[ Nmap | insecure.org ]
[ The Apple iPhone | apple.com ]