ニトリのWiFi時計は2つのモードがある。

1. WiFi設定とタイムゾーンを設定するモード (WiFi AP として稼働)
2. 時計として稼働(WiFi 端末として稼働)

今回nmap で調べたのは1. の設定モード時の状態です。

% sudo nmap -O -A -sU -sT -T4 -p 0-65535 192.168.4.1

上記コマンドを実行した結果がこちらです。なお172.31.96.1というアドレスが出ていますがこれはnmap を実行したのがWSL 環境からだからですので一応念のため。

Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-12 21:47 JST
Stats: 0:30:18 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 54.80% done; ETC: 22:42 (0:24:49 remaining)
Stats: 0:47:03 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 85.19% done; ETC: 22:42 (0:08:08 remaining)
Nmap scan report for 192.168.4.1
Host is up (0.0056s latency).
Not shown: 131068 closed ports
PORT     STATE         SERVICE    VERSION
80/tcp   open          http       lwIP/1.4.0
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 200 OK
|     Server: lwIP/1.4.0
|     Content-Type:text/html
|     Connection: keep-alive
|     Content-Length:185
|_    <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Smart Clock</title></head><body><script>window.location.href="/index.html" ;</script></body></html>
|_http-server-header: lwIP/1.4.0
|_http-title: Smart Clock
53/udp   open          domain?
| dns-nsid: 
|_  bind.version: \xA8\x04\x01
|_dns-recursion: Recursion appears to be enabled
| fingerprint-strings: 
|   DNS-SD: 
|     _services
|     _dns-sd
|     _udp
|     local
|   DNSVersionBindReq: 
|     version
|     bind
|   NBTStat: 
|     CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|   NTPRequest: 
|     O#Kq
|   SIPOptions: 
|     sip:nm SIP/2.0
|     Via: SIP/2.0/UDP nm;branch=foo;rport
|     From: <sip:nm@nm>;tag=root
|     <sip:nm2@nm2>
|     Call-ID: 50000
|     CSeq: 42 OPTIONS
|     Max-Forwards: 70
|     Content-Length: 0
|     Contact: <sip:nm@nm>
|     Accept: application/sdp
|   SNMPv1public: 
|_    public
4097/udp open|filtered patrolview
4791/udp open|filtered unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=7%D=10/12%Time=670A7D5C%P=x86_64-pc-linux-gnu%r(Get
SF:Request,124,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20lwIP/1\.4\.0\r\nConte
SF:nt-Type:text/html\r\nConnection:\x20keep-alive\r\nContent-Length:185\r\
SF:n\r\n<html><head><meta\x20http-equiv=\"Content-Type\"\x20content=\"text
SF:/html;\x20charset=UTF-8\"><title>Smart\x20Clock</title></head><body><sc
SF:ript>window\.location\.href=\"/index\.html\"\x20;</script></body></html
SF:>")%r(FourOhFourRequest,124,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20lwIP/
SF:1\.4\.0\r\nContent-Type:text/html\r\nConnection:\x20keep-alive\r\nConte
SF:nt-Length:185\r\n\r\n<html><head><meta\x20http-equiv=\"Content-Type\"\x
SF:20content=\"text/html;\x20charset=UTF-8\"><title>Smart\x20Clock</title>
SF:</head><body><script>window\.location\.href=\"/index\.html\"\x20;</scri
SF:pt></body></html>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-UDP:V=7.80%I=7%D=10/12%Time=670A7D5B%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReq,2E,"\0\x06\x81\x80\0\x01\0\x01\0\0\0\0\x07version\x04bin
SF:d\0\0\x10\0\x03\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(D
SF:NSStatusRequest,1C,"\0\0\x90\x80\0\0\0\x01\0\0\0\0\xc0\x0c\0\x01\0\x01\
SF:0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(RPCCheck,38,"r\xfe\x9d\x93\0\0\0\x01\
SF:0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(NBTStat,42,"
SF:\x80\xf0\x80\x90\0\x01\0\x01\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SF:A\0\0!\0\x01\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(Help
SF:,18,"he\xec\xf0\r\n\r\x01\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04
SF:\x01")%r(SIPOptions,F5,"OP\xd4\xc9ONS\x01sip:nm\x20SIP/2\.0\r\nVia:\x20
SF:SIP/2\.0/UDP\x20nm;branch=foo;rport\r\nFrom:\x20<sip:nm@nm>;tag=root\r\
SF:nTo:\x20<sip:nm2@nm2>\r\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\
SF:nMax-Forwards:\x2070\r\nContent-Length:\x200\r\nContact:\x20<sip:nm@nm>
SF:\r\nAccept:\x20application/sdp\r\n\r\n\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x0
SF:4\xc0\xa8\x04\x01")%r(Sqlping,11,"\x02\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x0
SF:4\xc0\xa8\x04\x01")%r(NTPRequest,40,"\xe3\0\x84\xfa\0\x01\0\x01\0\x01\0
SF:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc5O#Kq\xb1R
SF:\xf3\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(SNMPv1public
SF:,43,"0\x82\x80\xaf\x02\x01\0\x01\x06public\xa0\x82\0\x20\x02\x04L3\xa7V
SF:\x02\x01\0\x02\x01\x000\x82\0\x100\x82\0\x0c\x06\x08\+\x06\x01\x02\x01\
SF:x01\x05\0\x05\0\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(S
SF:NMPv3GetRequest,4C,"0:\x82\x81\x030\x0f\x01\x02Ji\x02\x03\0\xff\xe3\x04
SF:\x01\x04\x02\x01\x03\x04\x100\x0e\x04\0\x02\x01\0\x02\x01\0\x04\0\x04\0
SF:\x04\x000\x12\x04\0\x04\0\xa0\x0c\x02\x027\xf0\x02\x01\0\x02\x01\x000\0
SF:\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(xdmcp,17,"\0\x01
SF:\x80\x82\0\x01\0\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x01")%r(
SF:AFSVersionRequest,30,"\0\0\x83\xe7\0\0\0\x01\0\0\0e\0\0\0\0\0\0\0\0\r\x
SF:05\0\0\0\0\0\0\0\0\0\0\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\xa8\x04\x0
SF:1")%r(DNS-SD,3E,"\0\0\x80\x80\0\x01\0\x01\0\0\0\0\t_services\x07_dns-sd
SF:\x04_udp\x05local\0\0\x0c\0\x01\xc0\x0c\0\x01\0\x01\0\0\0\n\0\x04\xc0\x
SF:a8\x04\x01");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/12%OT=80%CT=1%CU=1%PV=Y%DS=2%DC=T%G=Y%TM=670A7F9C%P
OS:=x86_64-pc-linux-gnu)SEQ(SP=2F%GCD=1%ISR=8C%TI=I%CI=I%II=RI%SS=O%TS=U)OP
OS:S(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=16D0%W2=16D0%W3
OS:=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=N%T=80%W=16D0%O=M5B4%CC=N%Q=)T1
OS:(R=Y%DF=N%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%T=80%W=16
OS:D0%S=A+%A=S%F=AR%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=16D0%S=A%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=N%T=80%W=16D0%S=A%A=S%F=AR%O=%RD=0%Q=)T7(R=Y%DF=N%T=80%W=
OS:16D0%S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=3187%RUD=G)IE(R=Y%DFI=S%T=80%CD=S)

Network Distance: 2 hops

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   0.74 ms  172.31.96.1
2   26.26 ms 192.168.4.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4028.11 seconds

関連記事：例のニトリのWiFi 時計を買ったのでパッケージ写真とか - mmasudaのWEB日記 - Season4 -(不定期更新)