Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Penetration Testing: Re: [PEN-TEST] Port 2001 question

Re: [PEN-TEST] Port 2001 question

From: Brown, Matt <Matthew.Brown_at_GUARDENT.COM>
Date: Tue, 6 Mar 2001 14:47:22 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

According to:

http://advice.networkice.com/advice/exploits/ports/2001/default.htm

and

http://www.chebucto.ns.ca/~rakerman/port-table.html

this port can also be used for a "glimpserver" search engine.

Glimpse can be found at http://glimpse.cs.arizona.edu/index.html

Have you checked for this application?

Matt

- -----Original Message-----
From: Oliver Petruzel [mailto:oliverpetruzel_at_EMAIL.COM]
Sent: Tuesday, March 06, 2001 12:46 PM
To: PEN-TEST_at_SECURITYFOCUS.COM
Subject: [PEN-TEST] Port 2001 question

Alright friends,
I have discovered this during my current project and I have the
following nmap data for your review:

***

Starting nmapNT V. 2.53 by ryan_at_eEye.com
eEye Digital Security ( http://www.eEye.com )
based on nmap by fyodor_at_insecure.org ( www.insecure.org/nmap/ )

Host (x.x.x.x) appears to be up ... good.
Initiating SYN half-open stealth scan against (x.x.x.x)
Adding TCP port 23 (state open).
Adding TCP port 2001 (state open).
The SYN scan took 48 seconds to scan 2002 ports.
For OSScan assuming that port 23 is open and port 1 is closed and
neither are firewalled
For OSScan assuming that port 23 is open and port 1 is closed and
neither are firewalled
For OSScan assuming that port 23 is open and port 1 is closed and
neither are firewalled
Interesting ports on (x.x.x.x):
(The 1997 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
137/tcp filtered unknown
138/tcp filtered unknown
139/tcp filtered unknown
2001/tcp open unknown

TCP Sequence Prediction: Class=random positive increments
Difficulty=93083 (Worthy challenge)

Sequence numbers: 4F8A9A07 4F95D37A 4FA1A007 4FAB4025 4FB77AF2
4FBFEB1C
No OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=RI%gcd=1%SI=20FF0)
TSeq(Class=RI%gcd=1%SI=10490)
TSeq(Class=RI%gcd=1%SI=16B9B)
T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=ME)
T2(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
T7(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Nmap run completed -- 1 IP address (1 host up) scanned in 70 seconds

***

I have identified port 2001 to be a common Trojan port so this has me
concerned and interested. Is there a way to take advantage of
TrojanCow
installed by someone else? I have no experience with this particular
trojan, so any input would be much appreciated.

Also, are there any other known uses for this port? Because
TrojanCow
is a stupid little Windows manipulator so perhaps this is something
else.

Oliver Petruzel
Systems Security Engineer
Entercept Security Technologies
*Protecting Servers Everywhere!*

- -----------------------------------------------
FREE! The World's Best Email Address @email.com
Reserve your name now at http://www.email.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBOqU+yMlZX6EcKnzEEQL0zgCfWv3ajra4XXYSErX/azicJnJj8hwAoPqw
ezNPxcQdlcNJ0zI0QOfXmmZi
=kpGV
-----END PGP SIGNATURE-----
Received on Mar 06 2001

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos