Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] PC Anywhere protocol
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Wed, 6 Sep 2000 17:29:32 -0700

22   (UDP) Used in older versions, though newer version still use it for
backwards compatibility.

5632 (UDP) Used to "ping" the host in order to check its status (whether
the target host is running PCanywhere,
           and if the service is currently busy).

5631 (TCP) Remote control runs over this port

PCAnywhere listens on ports 22 (TCP and UDP), 5631 (TCP) "pcanywheredata",
and 5632 (TCP and UDP) "pcanywherestat), and 65301 (TCP).

Uses an "IP discovery protocol" to find other PCAnywhere servers on the
local segment, where the assumption is that the local segment is all IP
addresses between "xxx.xxx.xxx.1" to "xxx.xxx.xxx.254" (i.e. the local
class C allocation). Thus, cable-modem and DSL users will often see
connections to this port from other people that have PCAnywhere installed.
If you own PCAnywhere and want to turn this feature off, then you must
disable the "browsing" feature in the registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\System
Value: TCPIPNetBroadcast
0 = Do not browse for the host.
1 = Browse for the host by sending 254 directed UDP packets per network
[DEFAULT] 2 = Browse for the host by sending one broadcast UDP packet per
network. [8.0 only]
(quoted from Symantec Website)
A machine that allows PCAnywhere control MUST be given a strong password.
Hackers regularly scan the Internet looking for open PCAnywhere machines,
break in, then use these machines to attack more interesting sites (like
the Pentagon, CIA, NSA, etc.).

From the Symtantec KB

How does encryption work?
Before each connection, the host and remote generate new public/private
keys. Immediately upon connection, before any other data is sent, the host
sends its public key to the remote and the remote sends its public key to
the host. The host encrypts its data stream with the remote's public key
and the remote encrypts its data stream with the host's public key.

The remote then decrypts the host's data stream using it's (the remote's)
private key, and the host decrypts the remote's data stream using it's (the
host's) private key. Even if someone captures the public keys, the
transmission is secure because the private key, which is never sent, is
required to decrypt the data stream.

How many bits does the encryption use?
The number of bits used to encrypt the pcAnywhere data stream depends on
what crypto providers you have installed. If you have installed the 40-bit
version of Internet Explorer 4.0 on Windows 9x or you are running the
40-bit version of Windows NT with Service Pack 3 or higher, then you will
be using 40 bits to encrypt the pcAnywhere data stream. If you have
installed the 128-bit versions of the Internet Explorer 4.0 or Windows NT
4.0, then you will be using 128 bits to encrypt the pcAnywhere data stream.

If you use public-key encryption, is all of the data encrypted with that
key pair?
The public key is only used to authenticate that you are who you say you
are. Once this authentication has been done, the rest of the data stream is
encrypted using a symmetric key pair that the host and remote generate
before each connection. This follows established procedures where public
key encryption is used for signature authentication and short data blocks.
Symmetric key pairs are used for bulk data encryption. This is done for
performance reasons.

NOTE: The pcAnywhere 8.0 negotiation phase, including login names and
passwords, are encrypted.

Also refer to
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1997728131230 for more

At 02:51 PM 9/6/00 -0700, Heather Field wrote:
Actually you can limit it to tcp with a registry key, for version 9.

Heather Field
Cambridge Technology Partners, CNS
O: 310.563.4862
C: 310.489.5679
-----Original Message-----
From: Constable, Bryan [mailto:constablebk () MSX UPMC EDU]
Sent: Wednesday, September 06, 2000 10:57 AM
Subject: Re: [PEN-TEST] PC Anywhere protocol

It looks like the ports are udp-5630, tcp-5631,udp-5632, and udp
ssh-22.  I don't know if this helps

-----Original Message-----
From: Oliver Friedrichs
[<mailto:ofriedrichs () SECURITYFOCUS COM>mailto:ofriedrichs () SECURITYFOCUS COM]
Sent: Wednesday, September 06, 2000 12:44 PM

Subject: [PEN-TEST] PC Anywhere protocol

Does anyone know of any specifications that document the PC Anywhere
protocol.  I'm primarily interested in the initial authentication portions
of it.

- Oliver

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]