Home page logo

pen-test logo Penetration Testing mailing list archives

Port 5357 -- Vista SP1 ???
From: jond <x () jond com>
Date: Tue, 22 Jul 2008 16:01:41 -0400

I have a homemade tripwire type program that alerted me to someone
connecting to port 5357 on my Vista SP1 box.
To my knowledge, I don't think I have this port open.
From a little time on google, it looks like some people are calling
this a potential info leak problem. I'm curious if anyone is going as
far as to manually block the port, and if so, if there are any
negative consequences?

In my opinion, if this is some sort of default vista webserver that
the firewall doesn't touch, it's but a matter of time.....

If I run  'netstat -anb | find "5357"'  it doesn't give the owning
process, it says:
 "x: Windows Sockets initialization failed: 5
  TCP               LISTENING
  TCP    [::]:5357              [::]:0                 LISTENING"

I tried hitting the port on another Vista computer and it looks like
it's some sort of built in webserver????
This is the response:

"C:\>nc 5357
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 22 Jul 2008 19:37:41 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/str
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>


If I try to hit the port with firefox, since it looks like a
webserver, I get this:
"HTTP Error 503. The service is unavailable."

Very different from hitting a port that's blocked.....

I'm curious what everyone else thinks.




This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]