Penetration Testing mailing list archives

RE: Service Identification
From: "J. Oquendo" <sil () politrix org>
Date: Mon, 8 Dec 2003 14:47:23 -0500 (EST)


Simplest answer would be to run an analyzer on the segment the machine is
on to see what information (if any) is going through the port. Remember
any program can be assigned to listen on any port, so just because you may
see something such as telnet mapped to port 23, it doesn't mean telnet is
indeed running on that port.

One thing to note also is, if indeed telnet is running on the port, it may
have been configured not to leak out information. In essence, anything can
be running on those ports... e.g.:

finger sil () kungfunix net

Don't be fooled by what you would see doing that finger. Everything is
false, usernames, et al...

$ grep finger /etc/inetd.conf
#finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
finger stream  tcp6    nowait  nobody   /export/c0t0d0s9/home/sil/./honey

It's a perl listener that catches e-tards doing stupid things. Sometimes I
configure my firewall to block out class ranges if I see multiple asinine
port connections, but it's mainly there for my amusement.

sil

> I did try this. It was unable to identify the service. I contacted the
> client and they stated these were indeed Telnet and SMTP but protected
> by TCP wrappers.
>
> Does this sound like the response I would get by a service protected by
> TCP wrappers?
>
> Thanks,
> Bryan



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"I watch gangster flicks and root for the bad guy
and turn it off before it ends because the bad guy dies"
50 Cents -  'Assassins'

This is a farce confidential disclaimer intended to make you
aware that even though this may be privileged information,
being it will become Google cache in the future, my original
intentions of keeping this message restricted and/or private
are thrown out the door. If you have received this e-mail in
error, please enjoy this signature and destroy this message
by dousing it in gasoline.
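
Added example, not part of the original post: a host-side audit of inetd.conf that flags entries like the one quoted above, where a service name is mapped to a program other than its usual daemon. The EXPECTED table and TRUSTED_DIRS list are assumptions for illustration; the sample input is the two lines from the post.

```python
import posixpath

# Constructed sample: the two inetd.conf lines quoted in the post.
SAMPLE = """\
#finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
finger stream  tcp6    nowait  nobody   /export/c0t0d0s9/home/sil/./honey
"""

# Assumption: daemon basenames the auditor expects for each service name.
EXPECTED = {"finger": {"in.fingerd"}, "telnet": {"in.telnetd"}}
# Assumption: directories where system daemons normally live on this host.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def parse_inetd(text):
    """Yield one dict per active (uncommented) inetd.conf entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled entry
        fields = line.split()
        if len(fields) < 6:
            continue  # need at least: name type proto wait user program
        yield {"line": lineno, "service": fields[0], "user": fields[4],
               "program": posixpath.normpath(fields[5]), "args": fields[6:]}


def audit(text):
    """Return (line, service, program, reasons) for entries worth a look."""
    findings = []
    for entry in parse_inetd(text):
        prog = entry["program"]
        if prog == "internal":
            continue  # service handled inside inetd itself
        reasons = []
        expected = EXPECTED.get(entry["service"])
        if expected and posixpath.basename(prog) not in expected:
            reasons.append("program is not the usual daemon for this name")
        if not prog.startswith(TRUSTED_DIRS):
            reasons.append("program lives outside system directories")
        if reasons:
            findings.append((entry["line"], entry["service"], prog, reasons))
    return findings


if __name__ == "__main__":
    for line, service, prog, reasons in audit(SAMPLE):
        print(f"line {line}: {service} -> {prog}: " + "; ".join(reasons))
```

A finding here only means the name-to-program mapping is unusual; as the post says, the name on the port tells you nothing by itself, so the flagged program still has to be inspected.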
