Penetration Testing mailing list archives

Re: Port 4662 exploitation
From: Christopher <c.boggs () gmail com>
Date: Mon, 15 Dec 2008 18:00:25 -0600

One can only hope it is some kind of nepenthes-like honeypot or something.  Wow.

My question is, out of all the ports found open on this host, why do
you single out 4662?

On 12/15/08, Dante Lanznaster <dantecl () gmail com> wrote:
I believe this scan was internal. I really hope so.

1) too many ports open / listening. You need to do service fingerprinting.
2) connecting via telnet to a listening port will always yield a
"connected" prompt and that's hardly a shell.


On Mon, Dec 15, 2008 at 9:24 AM, lgpmsec <lgpmsec () gmail com> wrote:
Hi again all,

Please find below the nmap results for the specific server, and let me know
if it adds value:

bt ~ # nmap -sT -vv x.x.x.120

Starting Nmap 4.60 ( http://nmap.org ) at 2008-12-15 15:04 GMT
Initiating Ping Scan at 15:04
Scanning x.x.x.120 [2 ports]
Completed Ping Scan at 15:04, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.00s elapsed
Initiating SYN Stealth Scan at 15:04
Scanning x.y.com (x.x.x.120) [1715 ports]
Discovered open port 53/tcp on x.x.x.120
Discovered open port 443/tcp on x.x.x.120
Discovered open port 80/tcp on x.x.x.120
Discovered open port 113/tcp on x.x.x.120
Discovered open port 554/tcp on x.x.x.120
Discovered open port 22/tcp on x.x.x.120
Discovered open port 636/tcp on x.x.x.120
Discovered open port 25/tcp on x.x.x.120
Discovered open port 389/tcp on x.x.x.120
Discovered open port 21/tcp on x.x.x.120
Discovered open port 3389/tcp on x.x.x.120
Discovered open port 23/tcp on x.x.x.120
Discovered open port 1755/tcp on x.x.x.120
Discovered open port 749/tcp on x.x.x.120
Discovered open port 19/tcp on x.x.x.120
adjust_timeouts2: packet supposedly had rtt of 8544204 microseconds.  Ignoring time.
SYN Stealth Scan Timing: About 50.94% done; ETC: 15:06 (0:00:35 remaining)
Discovered open port 139/tcp on x.x.x.120
Discovered open port 3128/tcp on x.x.x.120
Discovered open port 70/tcp on x.x.x.120
SYN Stealth Scan Timing: About 42.74% done; ETC: 15:07 (0:01:36 remaining)
Discovered open port 465/tcp on x.x.x.120
Discovered open port 1494/tcp on x.x.x.120
Discovered open port 37/tcp on x.x.x.120
Discovered open port 110/tcp on x.x.x.120
Discovered open port 3268/tcp on x.x.x.120
Discovered open port 109/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 5 to 10 due to 25 out of 82
dropped probes since last increase.
Discovered open port 7000/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 10 to 20 due to 11 out of 12
dropped probes since last increase.
Discovered open port 6699/tcp on x.x.x.120
Discovered open port 88/tcp on x.x.x.120
SYN Stealth Scan Timing: About 51.05% done; ETC: 15:16 (0:05:23 remaining)
Increasing send delay for x.x.x.120 from 20 to 40 due to 11 out of 13
dropped probes since last increase.
Discovered open port 43/tcp on x.x.x.120
Discovered open port 79/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 40 to 80 due to 11 out of 13
dropped probes since last increase.
Discovered open port 993/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 80 to 160 due to 11 out of 12
dropped probes since last increase.
Discovered open port 7070/tcp on x.x.x.120
Discovered open port 6666/tcp on x.x.x.120
Discovered open port 569/tcp on x.x.x.120
Discovered open port 4662/tcp on x.x.x.120
Discovered open port 17/tcp on x.x.x.120
Discovered open port 5060/tcp on x.x.x.120
Discovered open port 143/tcp on x.x.x.120
Discovered open port 3269/tcp on x.x.x.120
Discovered open port 513/tcp on x.x.x.120
Discovered open port 1720/tcp on x.x.x.120
Discovered open port 995/tcp on x.x.x.120
Discovered open port 13/tcp on x.x.x.120
Discovered open port 563/tcp on x.x.x.120
Discovered open port 1433/tcp on x.x.x.120
Discovered open port 9/tcp on x.x.x.120
Discovered open port 7/tcp on x.x.x.120
Discovered open port 119/tcp on x.x.x.120
Discovered open port 6667/tcp on x.x.x.120
Completed SYN Stealth Scan at 16:05, 3639.22s elapsed (1715 total ports)
Host x.y.com (x.x.x.120) appears to be up ... good.
Interesting ports on x.y.com (x.x.x.120):
Not shown: 1611 filtered ports, 55 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
9/tcp    open  discard
13/tcp   open  daytime
17/tcp   open  qotd
19/tcp   open  chargen
20/tcp   open  ftp-data
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
37/tcp   open  time
43/tcp   open  whois
53/tcp   open  domain
70/tcp   open  gopher
79/tcp   open  finger
80/tcp   open  http
88/tcp   open  kerberos-sec
109/tcp  open  pop2
110/tcp  open  pop3
113/tcp  open  auth
119/tcp  open  nntp
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
465/tcp  open  smtps
513/tcp  open  login
554/tcp  open  rtsp
563/tcp  open  snews
569/tcp  open  ms-rome
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
993/tcp  open  imaps
995/tcp  open  pop3s
1433/tcp open  ms-sql-s
1494/tcp open  citrix-ica
1720/tcp open  H.323/Q.931
1755/tcp open  wms
3128/tcp open  squid-http
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-term-serv
4662/tcp open  edonkey
6666/tcp open  irc
6667/tcp open  irc
6699/tcp open  napster
7000/tcp open  afs3-fileserver
7070/tcp open  realserver

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3639.314 seconds
          Raw packets sent: 7086 (311.764KB) | Rcvd: 6864 (315.744KB)

I also telneted to the 4662 port, getting:

bt ~ # telnet x.x.x.120 4662
Trying x.x.x.120...
Connected to x.x.x.120.
Escape character is '^]'.
whoami




^QConnection closed by foreign host.

Please advise on how to proceed.

Thank you,

-Mohamad.
________________________________________
From: RaptorX [mailto:graptorx () gmail com]
Sent: Monday, December 15, 2008 5:08 PM
To: Jeremi Gosney
Cc: James Bensley; Jorge L. Vazquez; Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

I agree with Jeremi.
On Sun, Dec 14, 2008 at 8:33 PM, Jeremi Gosney
<Jeremi.Gosney () motricity com>
wrote:
"when you telnet into an unknown port you are not doing it to get a
shell, but to get a tcp header and know what services might be running
on that port.."
That statement is most definitely false. While banner collection is
certainly one facet of penetration testing, you most definitely ARE
checking for things like rootkits. Discovering a shell listening on an
arbitrary port is clearly a most valuable find. Mr Bensley's follow-up
questions are most relevant here; surely you would have known what to do
if you discovered a shell listening on a port, so my assumption is you
are misusing the word.

Looking forward to your answers.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of James Bensley
Sent: Saturday, December 13, 2008 12:20 PM
To: pen-test () securityfocus com; Jorge L. Vazquez
Cc: Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

When you telnet to that port, do you get a heading in return?

Or when you say a shell, do you actually get a prompt to start entering
commands? What's the prompt you get, if so? Also, if it is a full shell, can
you run any commands? What is the output when you run "whoami"?

Use the netstat command to list any connections (irrelevant of their
state, i.e. established or listening) and display the program responsible
for the connection, so you can see where it is coming from.

Send us your results ;)

2008/12/13 Jorge L. Vazquez <jlvazquez825 () gmail com>:
when you telnet into an unknown port you are not doing it to get a
shell, but to get a tcp header and know what services might be running
on that port..

-j0rg3
blog: www.pctechtips.org


Mohamad M wrote:
Hi again,

I agree it looks very weird; I simply started a Syn scan with nmap,
and got that tcp 4662 is open; when I telneted to 4662, I got shell,
but then did not know how to proceed, hence my email.

Thanks,

-----Original Message-----
From: ArcSighter Elite [mailto:arcsighter () gmail com]
Sent: Friday, December 12, 2008 11:43 PM
To: Mohamad M
Cc: pen-test () securityfocus com
Subject: Re: Port 4662 exploitation

Mohamad M wrote:
Hello All,

I'm doing a vulnerability assessment for my company, and saw that port 4662
(edonkey) is open on 1 device facing the internet. I telneted to 4662, and I
got connected; since I'm new to this domain, what are the steps needed in
order to exploit this vulnerability?

Thanks,

./Lgpmsec



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



-- 
Sent from my mobile device
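The advice in the thread boils down to two checks: a "Connected to" line from telnet only proves the TCP handshake completed, and a host showing this many unrelated open ports should be fingerprinted rather than trusted. The script below is an added example written for this archive page; it is not code posted by anyone in the thread. It parses nmap's port table (the SAMPLE_NMAP text is a trimmed excerpt of the table above), flags the patterns that make a scan like this one suspect, and then distinguishes a port that sends a banner from one that merely accepts the connection and stays silent. The open-port threshold of 20, the verdict names, and the local listeners used as stand-ins for remote ports are assumptions of the example, not anything the thread states.

```python
import re
import socket
import threading

# Constructed sample input: a trimmed excerpt of the nmap port table posted in the thread.
SAMPLE_NMAP = """\
PORT     STATE SERVICE
7/tcp    open  echo
19/tcp   open  chargen
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
1433/tcp open  ms-sql-s
4662/tcp open  edonkey
6667/tcp open  irc
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# Ports 7/9/13/17/19 are the "simple TCP services"; an internet-facing production
# host has no reason to expose them, so seeing them open hints that the host (or
# something in front of it) answers every SYN.
LEGACY_SIMPLE = {7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen"}


def parse_nmap_ports(text):
    """Parse nmap's normal-output port table into (port, proto, state, service) tuples.
    The SERVICE column is nmap's guess from the port number, not a fingerprint."""
    return [(int(p), proto, state, svc) for p, proto, state, svc in PORT_LINE.findall(text)]


def open_port_profile(ports, threshold=20):
    """Summarise the open ports and note patterns that make the scan itself suspect.
    `threshold` (an assumption of this example) is the open-port count above which a
    single host looks more like a honeypot, tarpit or accept-everything device than a
    real server running that many services."""
    open_ports = sorted(p for p, _, state, _ in ports if state == "open")
    legacy = [p for p in open_ports if p in LEGACY_SIMPLE]
    notes = []
    if len(open_ports) >= threshold:
        notes.append("unusually many open ports: fingerprint before trusting any of them")
    if legacy:
        notes.append("legacy simple services exposed: " + ", ".join(LEGACY_SIMPLE[p] for p in legacy))
    return {"open_count": len(open_ports), "legacy_simple_services": legacy, "notes": notes}


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Complete the TCP handshake, optionally send `probe`, and return what the peer
    sends first. Returns None if the connection fails (refused or filtered), b"" if
    the peer accepted the connection but sent nothing before closing or before
    `timeout`, otherwise the raw banner bytes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if probe:
                s.sendall(probe)
            try:
                return s.recv(1024)
            except socket.timeout:
                return b""
    except OSError:
        return None


def classify(banner):
    """Turn grab_banner()'s result into the verdict a tester should record."""
    if banner is None:
        return "closed-or-filtered"
    if banner == b"":
        return "silent"  # telnet's "Connected to" line proves exactly this much
    return "banner"


def _serve_once(response):
    """Constructed local stand-in for a remote port: accept one connection, send
    `response` (possibly nothing) and hang up. Returns the port it is bound to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if response:
                conn.sendall(response)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(open_port_profile(parse_nmap_ports(SAMPLE_NMAP)))
    for label, resp in (("ssh-like", b"SSH-2.0-OpenSSH_7.9\r\n"), ("silent", b"")):
        port = _serve_once(resp)
        print(label, port, classify(grab_banner("127.0.0.1", port, timeout=2.0)))
```

Run against the real table from the thread, open_port_profile() would report 49 open ports plus echo, discard, daytime, qotd and chargen, which is the "too many ports open" signal Dante raised; a "silent" verdict on 4662 is the telnet result Mohamad saw and is not evidence of a shell. Protocols such as SSH and SMTP speak first, so an empty probe is enough for them; for HTTP-like services pass a request in `probe`, since they wait for the client.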


