Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Skype -> upnp AddPortMapping port 4444?!
From: raffi at flossyourmind.com (Raffi Jamgotchian)
Date: Thu, 2 Apr 2009 07:42:46 -0400

It does use upnp by default. They use their own implementation of it

----
Raffi

On Apr 2, 2009, at 3:16 AM, Michel Lundell <michel at moose.se> wrote:

Hi l33t folks!

Does skype add a external port using upnp?
(and to the port 4444!!!?)
The port number seemes familiar ,o), also the AddPortMapping ...

This is a incident right? or does skype do this on the windows  
platform?
Cant detect this behaviour on a linux box...

Scanned the router, but nmap did not detect any open port, so it may
failed or was closed when I performed the scan... maybe it failed?

I have not permission to access the router config yet....

/M

#(26 - 8149) [2009-03-30 07:38:46] [local/100021] [snort/1:100021]   
to router traffic alert
IPv4: 192.168.1.2 -> 192.168.0.254
     hlen=5 TOS=0 dlen=903 ID=16342 flags=0 offset=0 TTL=128  
chksum=13386
TCP:  port=61432 -> dport: 4444  flags=***AP*** seq=1705820595
     ack=1383450833 off=5 res=0 win=64240 urp=0 chksum=15790
Payload: POST /wipconn HTTP/1.0<DIV class="nonascii">[2 non-ASCII  
characters]</DIV>Host: 192.168.0.254:4444<DIV class="nonascii">[2  
non-ASCII characters]</DIV>Content-Type: text/xml;  
charset="utf-8"<DIV class="nonascii">[2 non-ASCII characters]</ 
DIV>SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection: 
1#AddPortMapping"<DIV class="nonascii">[2 non-ASCII characters]</ 
DIV>Connection: close<DIV class="nonascii">[2 non-ASCII characters]</ 
DIV>Content-Length: 653<DIV class="nonascii">[4 non-ASCII  
characters]</DIV><?xml version="1.0" encoding="utf-8"?><DIV  
class="nonascii">[2 non-ASCII characters]</DIV><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/ 
" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/";><DIV  
class="nonascii">[2 non-ASCII characters]</ 
DIV><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp- 
org:service:WANIPConnection:1"><DIV class="nonascii">[2 non-ASCII  
characters]</DIV><NewRemoteHost></NewRemoteHost><DIV  
class="nonascii">[2 non-ASCII characters]</ 
DIV><NewExternalPort>6895</NewExternalPort><DIV class="nonascii">[2  
non-ASCII characters]</DIV><NewProtocol>TCP</NewProtocol><DIV  
class="nonascii">[2 non-ASCII characters]</ 
DIV><NewInternalPort>6895</NewInternalPort><DIV class="nonascii">[2  
non-ASCII characters]</DIV><NewInternalClient>192.168.1.2</ 
NewInternalClient><DIV class="nonascii">[2 non-ASCII characters]</ 
DIV><NewEnabled>1</NewEnabled><DIV class="nonascii">[2 non-ASCII  
characters]</DIV><NewPortMappingDescription>Skype TCP at  
192.168.1.2:6895 (819)</NewPortMappingDescription><DIV  
class="nonascii">[2 non-ASCII characters]</DIV><NewLeaseDuration>0</ 
NewLeaseDuration><DIV class="nonascii">[2 non-ASCII characters]</ 
DIV></u:AddPortMapping></s:Body></s:Envelope><br><br>



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault