Penetration Testing mailing list archives

Re: rewire the server room?
From: Volker Tanger <vtlists () wyae de>
Date: Tue, 4 Apr 2006 11:15:43 +0200

Good morning!

On Mon, 3 Apr 2006 17:31:04 +0100
Ade <adrian.bradshaw () gmail com> wrote:

During a recent scan of a subnet, using NMap, 

which version, with which command line switches?

One idea up front: if you used the new 4.x version of nmap scanning for
service and version (-sV) you get the first connect response / server
header on that port printed out (filtered according to protocol).

On a mailserver you might get "220 mail.example.test ESMTP Postfix" when
connecting with telnet - and nmap will thus print something like

        PORT    STATE   SERVICE VERSION
        25/tcp  open    smtp    Postfix

...unless the postfix admin changed the greeting message in
/etc/postfix/main.cf from
        smtpd_banner = $myhostname ESMTP Postfix
to
        smtpd_banner = $myhostname ESMTP Rewire your server room!

in which case you get with NMap

        PORT    STATE   SERVICE VERSION
        25/tcp  open    smtp    Rewire your server room!


Some services allow setting the server header via configuration (e.g.
Postfix, lighttpd, etc.); some need the change at compile time
or in the binary with a hex editor.

Another option might be a custom inetd/xinetd service running on a port
(tcp/81) configured like

        #-------------------------
        # xinetd.conf:
        #-------------------------
        service hello
        {
            port            = 81
            socket_type     = stream
            wait            = no
            user            = nobody
            server          = /bin/echo
            server_args     = "Rewire your server room"
            disable         = no
        }

Or the PC is using a simple auth service echoing a static string, a
static ("fake") fingerd, etc.

Maybe it is easiest to investigate on the machine you found that reply
from - and tell us what it was?   ;-)

Thanks

Volker


-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
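As an added illustration (not part of the original post), the following Python script does on a small scale what the reply describes: it serves a fixed greeting the way the xinetd /bin/echo service would, reads whatever a port volunteers on connect the way nmap -sV does, and flags greetings that still name a known product. The product list and the sample banners are constructed for the example; the listener is bound to localhost only so the script runs offline.

```python
import re
import socket
import threading

# Constructed list of product names whose presence in a greeting identifies
# the software behind the port; extend it with what runs in your own estate.
KNOWN_PRODUCTS = ("postfix", "sendmail", "exim", "lighttpd", "apache", "nginx", "openssh")


def banner_leaks(banner):
    """Return the known product names (lower-case) mentioned in a banner line."""
    words = re.findall(r"[A-Za-z][A-Za-z0-9._-]*", banner)
    return [w.lower() for w in words if w.lower() in KNOWN_PRODUCTS]


def serve_static_banner(banner):
    """Start a throwaway localhost listener that mimics the xinetd echo service
    from the post: send one fixed line to the first client, then close.
    Returns the ephemeral port the listener was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_serve, daemon=True).start()
    return port


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect, optionally send a probe (HTTP needs a request first), and
    return the first thing the service sends, stripped of line endings."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024).decode(errors="replace").strip()


if __name__ == "__main__":
    # Compare a stock greeting with the customised one from the post.
    for line in ("220 mail.example.test ESMTP Postfix",
                 "220 mail.example.test ESMTP Rewire your server room!"):
        print(repr(line), "leaks:", banner_leaks(line))
    port = serve_static_banner(b"Rewire your server room\r\n")
    print("fake service on port", port, "says:", repr(grab_banner("127.0.0.1", port)))
```

Run it against your own hosts after changing smtpd_banner or the xinetd service to confirm the greeting no longer names the product; an empty list from banner_leaks is the result you want.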

