
Penetration Testing mailing list archives

RE: Some unusual network features
From: "Deckard, Jason" <Jason.Deckard () webmd net>
Date: Wed, 14 Jan 2004 05:38:07 -0600


Ports that hang open sound like proprietary connections.  If that is the
case, the applications on these ports are waiting for some sort of message
to process.  Something found in nearly all application layer protocols is a
means to determine message length.  Try sending messages with STX (hex 02)
up front and ETX (hex 03) at the back.  You might also want to try some sort
of length header, such as 2 byte binary before the message (try both big and
little endian).  An ASCII length header is also a possibility (something
that is fixed length but also plays well with atoi(), such as "00402").

The HTTP application sounds like a home grown application that doesn't
properly handle bad request methods.  If the ports that hang open turn out
to be proprietary apps built in-house, the possibility of a home grown HTTP
server seems high.

Best of luck.


-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk] 
Sent: Tuesday, January 13, 2004 3:46 AM
To: pen-test () securityfocus com
Subject: Some unusual network features


I've come across the following anomalies while auditing a network; can 
anyone help explain what they are:

1) Ports that "hang open" i.e. you can connect, send data ok, but the 
other end never sends any data and never closes the connection.
2) HTTP ports that function normally when you issue some methods, but on 
other methods (including the imaginary method "SILLY") cause the 
connection to "hang open" like in (1).
3) Ports where the TTL is different on the SYN reply to the rest of the 
connection. ipid's also imply that different hosts are handling the SYN 
and the rest of the connection.

I've got some theories, but I'm not sure how much I'm jumping to 


Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
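The framing conventions suggested in the reply above (STX/ETX delimiters, a 2-byte binary length in both byte orders, and a fixed-width ASCII length), as an added example that is not part of either post. frame() builds each variant, unframe() reads a reply back under the same convention and rejects short or inconsistent data, and probe() is a hypothetical helper that sends each variant on a fresh connection and records silence versus a reply; host, port and payload are the caller's choice.

```python
import socket
import struct

STX, ETX = b"\x02", b"\x03"
SCHEMES = ("stx_etx", "len16_be", "len16_le", "ascii_len5")


def frame(payload: bytes, scheme: str) -> bytes:
    """Wrap payload in one of the framing conventions suggested in the reply."""
    if scheme == "stx_etx":
        return STX + payload + ETX
    if scheme == "len16_be":                      # 2-byte binary length, big endian
        return struct.pack(">H", len(payload)) + payload
    if scheme == "len16_le":                      # 2-byte binary length, little endian
        return struct.pack("<H", len(payload)) + payload
    if scheme == "ascii_len5":                    # fixed-width decimal header, atoi()-friendly
        return f"{len(payload):05d}".encode("ascii") + payload
    raise ValueError(f"unknown scheme {scheme!r}")


def unframe(data: bytes, scheme: str):
    """Inverse of frame(). Returns the payload, or None when data is not one complete,
    well-formed frame (short read, missing delimiter, length field that disagrees with the body)."""
    if scheme == "stx_etx":
        if len(data) >= 2 and data[:1] == STX and data[-1:] == ETX:
            return data[1:-1]
        return None
    if scheme in ("len16_be", "len16_le"):
        if len(data) < 2:
            return None
        n = struct.unpack(">H" if scheme == "len16_be" else "<H", data[:2])[0]
        body = data[2:]
    elif scheme == "ascii_len5":
        if len(data) < 5 or not data[:5].isdigit():
            return None
        n, body = int(data[:5]), data[5:]
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return body if len(body) == n else None


def probe(host: str, port: int, payload: bytes, timeout: float = 3.0) -> dict:
    """Hypothetical helper: send payload under each framing on a fresh connection and
    record what, if anything, comes back before the timeout. A reply under one scheme and
    silence under the rest is the hint the reply is after; all silent means the service
    expects something else."""
    results = {}
    for scheme in SCHEMES:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(frame(payload, scheme))
            try:
                results[scheme] = s.recv(4096)
            except socket.timeout:
                results[scheme] = None          # the "hangs open" behaviour from the question
    return results
```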


