I hadn't really administered the Samsung much, but it showed up on the network, so I decided to scan it out of curiosity, and here is what I got:
sudo nmap T4 -A -v 10.20.200.21
Starting Nmap 7.01 ( https://nmap.org ) at 2019-07-17 09:46 MSK
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Initiating NSE at 09:46
Completed NSE at 09:46, 0.00s elapsed
Failed to resolve "T4".
Initiating ARP Ping Scan at 09:46
Scanning 10.20.200.21 [1 port]
Completed ARP Ping Scan at 09:46, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:46
Completed Parallel DNS resolution of 1 host. at 09:46, 0.00s elapsed
Initiating SYN Stealth Scan at 09:46
Scanning 10.20.200.21 [1000 ports]
Discovered open port 23/tcp on 10.20.200.21
Discovered open port 21/tcp on 10.20.200.21
Discovered open port 80/tcp on 10.20.200.21
Discovered open port 705/tcp on 10.20.200.21
Discovered open port 5003/tcp on 10.20.200.21
Discovered open port 5200/tcp on 10.20.200.21
Increasing send delay for 10.20.200.21 from 0 to 5 due to 93 out of 308 dropped probes since last increase.
Discovered open port 7000/tcp on 10.20.200.21
Discovered open port 5102/tcp on 10.20.200.21
Increasing send delay for 10.20.200.21 from 5 to 10 due to 76 out of 252 dropped probes since last increase.
Increasing send delay for 10.20.200.21 from 10 to 20 due to 11 out of 32 dropped probes since last increase.
Increasing send delay for 10.20.200.21 from 20 to 40 due to 11 out of 35 dropped probes since last increase.
Increasing send delay for 10.20.200.21 from 40 to 80 due to 11 out of 33 dropped probes since last increase.
Discovered open port 6100/tcp on 10.20.200.21
Discovered open port 8500/tcp on 10.20.200.21
Discovered open port 5002/tcp on 10.20.200.21
Discovered open port 5101/tcp on 10.20.200.21
Discovered open port 5100/tcp on 10.20.200.21
Completed SYN Stealth Scan at 09:47, 53.22s elapsed (1000 total ports)
Initiating Service scan at 09:47
Scanning 13 services on 10.20.200.21
Service scan Timing: About 46.15% done; ETC: 09:51 (0:01:57 remaining)
Service scan Timing: About 61.54% done; ETC: 09:51 (0:01:25 remaining)
Completed Service scan at 09:50, 141.07s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against 10.20.200.21
adjust_timeouts2: packet supposedly had rtt of -174838 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -174838 microseconds. Ignoring time.
Retrying OS detection (try #2) against 10.20.200.21
Retrying OS detection (try #3) against 10.20.200.21
Retrying OS detection (try #4) against 10.20.200.21
adjust_timeouts2: packet supposedly had rtt of -150123 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -150123 microseconds. Ignoring time.
Retrying OS detection (try #5) against 10.20.200.21
adjust_timeouts2: packet supposedly had rtt of -175020 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -175020 microseconds. Ignoring time.
NSE: Script scanning 10.20.200.21.
Initiating NSE at 09:50
Completed NSE at 09:50, 5.95s elapsed
Initiating NSE at 09:50
Completed NSE at 09:50, 0.00s elapsed
Nmap scan report for 10.20.200.21
Host is up (0.00049s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
23/tcp open telnet VxWorks telnetd
80/tcp open http WindWeb 4.00
| http-methods:
|_ Supported Methods: GET
|_http-server-header: WindWeb/4.00
|_http-title: OfficeServ DM
705/tcp open agentx?
5002/tcp open rfe?
5003/tcp open filemaker?
5100/tcp open admd?
5101/tcp open admdog?
5102/tcp open admeng?
5200/tcp open targus-getdata?
6100/tcp open tcpwrapped
7000/tcp open afs3-fileserver?
8500/tcp open fmtp?
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:16:32:CD:FC:33 (Samsung Electronics)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: Tornado-vxWorks; OSs: Unix, VxWorks; CPE: cpe:/o:windriver:vxworks
TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 10.20.200.21
NSE: Script Post-scanning.
Initiating NSE at 09:50
Completed NSE at 09:50, 0.00s elapsed
Initiating NSE at 09:50
Completed NSE at 09:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 215.88 seconds
Raw packets sent: 2194 (104.214KB) | Rcvd: 1395 (59.654KB)
From the analysis it is clear that the vendor is Samsung and the model is OfficeServ.
The standard telnet and ftp ports are open, as is http. The device is not administered over the web, yet there is a web server on it, and I found no firewall settings on it; the PBX itself is managed through a Java application.
I noticed that port 23 is running a telnetd daemon on VxWorks. VxWorks is a real-time operating system; honestly, I thought everyone had forgotten about it by now. Back in the day Nortel phones ran on it, which was considered very cool at the time. As it turns out, it is alive and well: the latest version is 6.9 (February 2011). Why it is on a PBX, and what so many open ports that I don't recognize are doing there, remains a mystery for now.
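As an added example (not part of the original post), here is a small Python triage of the port table from the scan above. It separates the cleartext services from the entries nmap marked with `?`, which are only port-number lookups from its services table rather than identified services; the function and bucket names are this example's own.

```python
import re

# Port-table lines copied from the scan output above (sample input).
SCAN_TABLE = """\
21/tcp open ftp ProFTPD
23/tcp open telnet VxWorks telnetd
80/tcp open http WindWeb 4.00
705/tcp open agentx?
5002/tcp open rfe?
5003/tcp open filemaker?
5100/tcp open admd?
5101/tcp open admdog?
5102/tcp open admeng?
5200/tcp open targus-getdata?
6100/tcp open tcpwrapped
7000/tcp open afs3-fileserver?
8500/tcp open fmtp?
"""

# Protocols that carry credentials and data unencrypted.
CLEARTEXT = {"ftp", "telnet", "http"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def triage(table):
    """Sort open ports into cleartext, guessed, tcpwrapped and other."""
    result = {"cleartext": [], "guessed": [], "tcpwrapped": [], "other": []}
    for line in table.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue  # skip NSE script lines ("|_ ...") and non-open ports
        port, service = int(m.group(1)), m.group(4)
        if service.endswith("?"):
            # nmap could not confirm the service; the name is only the
            # port-number lookup from nmap-services, not an identification.
            result["guessed"].append(port)
        elif service == "tcpwrapped":
            # Handshake completed, then the peer closed without sending data.
            result["tcpwrapped"].append(port)
        elif service in CLEARTEXT:
            result["cleartext"].append(port)
        else:
            result["other"].append(port)
    return result

if __name__ == "__main__":
    for bucket, ports in triage(SCAN_TABLE).items():
        print(f"{bucket:10} {ports}")
```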