Penetration Testing: Re: [PEN-TEST] Port 2001 question

Re: [PEN-TEST] Port 2001 question

From: Fab Siciliano <fsiciliano_at_EARTHLINK.NET>
Date: Tue, 6 Mar 2001 16:11:49 -0500

In my past experiences, ports 2000 and 2001 were used by the app called
MDaemon. The web-config option opens up port 2000. The web service
opens up port 2001. But you never know!!!
            -Fab
----- Original Message -----
From: Oliver Petruzel <oliverpetruzel_at_EMAIL.COM>
To: <PEN-TEST_at_SECURITYFOCUS.COM>
Sent: Tuesday, March 06, 2001 1:46 PM
Subject: [PEN-TEST] Port 2001 question

> Alright friends,
> I have discovered this during my current project and I have the
> following nmap data for your review:
>
> ***
>
> Starting nmapNT V. 2.53 by ryan_at_eEye.com
> eEye Digital Security ( http://www.eEye.com )
> based on nmap by fyodor_at_insecure.org ( www.insecure.org/nmap/ )
>
> Host (x.x.x.x) appears to be up ... good.
> Initiating SYN half-open stealth scan against (x.x.x.x)
> Adding TCP port 23 (state open).
> Adding TCP port 2001 (state open).
> The SYN scan took 48 seconds to scan 2002 ports.
> For OSScan assuming that port 23 is open and port 1 is closed and
> neither are firewalled
> For OSScan assuming that port 23 is open and port 1 is closed and
> neither are firewalled
> For OSScan assuming that port 23 is open and port 1 is closed and
> neither are firewalled
> Interesting ports on (x.x.x.x):
> (The 1997 ports scanned but not shown below are in state: closed)
> Port State Service
> 23/tcp open telnet
> 137/tcp filtered unknown
> 138/tcp filtered unknown
> 139/tcp filtered unknown
> 2001/tcp open unknown
>
> TCP Sequence Prediction: Class=random positive increments
> Difficulty=93083 (Worthy challenge)
>
> Sequence numbers: 4F8A9A07 4F95D37A 4FA1A007 4FAB4025 4FB77AF2 4FBFEB1C
> No OS matches for host (If you know what OS is running on it, see
> http://www.insecure.org/cgi-bin/nmap-submit.cgi).
> TCP/IP fingerprint:
> TSeq(Class=RI%gcd=1%SI=20FF0)
> TSeq(Class=RI%gcd=1%SI=10490)
> TSeq(Class=RI%gcd=1%SI=16B9B)
> T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=ME)
> T2(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
> T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M)
> T4(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
> T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
> T7(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=)
> PU(Resp=N)
>
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 70 seconds
>
> ***
>
> I have identified port 2001 to be a common Trojan port so this has me
> concerned and interested. Is there a way to take advantage of TrojanCow
> installed by someone else? I have no experience with this particular
> trojan, so any input would be much appreciated.
>
> Also, are there any other known uses for this port? Because TrojanCow
> is a stupid little Windows manipulator so perhaps this is something
> else.
>
> Oliver Petruzel
> Systems Security Engineer
> Entercept Security Technologies
> *Protecting Servers Everywhere!*
Received on Mar 06 2001
