Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Nmap/netwag problem.
From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Thu, 11 Aug 2005 16:22:08 +0200

On 8/11/05, Pete Herzog <lists () isecom org> wrote:
...
Sorry if my post was confusing.  I'm saying that a complete handshake is
not the most reliable way to test for a service.  The matter in question
was what the most reliable way to test further is.  I'm not saying it
should always be done for efficiency sakes, but in matters of
discrepency as per the original post, going further to just look for the
handshake and not send proper data is unreliable.

I think this discussion got mixed between two entirely different
things. The first is identifying whether there is SOMETHING out there
that is listening on port X, and the second is identifying what that
something is.

a complete TCP handshake means a connection has been succesfully
established. that cannot be done with anything but an OPEN port
because closed and filtered ones are not that good at returning
syn-acks.

Now, once we have established there is a service running on our port
X, we want to determine what that service is.

What I do for that is the following:

First and most trivial - check out IANA. there's a chance they are
actually using the port number for what's intended. Then try and
determine whether that's really what's running there (meaning, if I
found port 80 and I suspect it's http, I'll try a GET / HTTP/1.0. If
it's a 25 I'll go for HELO, if it's an oracle listener I'll use an
oracle client, and so on).

Second (if the first fails) - telnet/netcat to it, try talking to it
abit, see whether it responds, and if it does - how it responds. it
might turn out very talkative and informative. (Hello User, I am
Utility X version 1.2.3)

Third - there is a bunch of tool that are good at service
fingerprinting. get one of those.

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]