Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Port 5357 -- Vista SP1 ???
From: bigbert007 <bigbert007 () gmail com>
Date: Mon, 28 Jul 2008 07:43:37 -0400

According to a netstat -ao processID 4 owns it which on my Vista box is the "System" process. I don't have any idea what it is for though. Interesting question.

Bert



jond wrote:
I have a homemade tripwire type program that alerted me to someone
connecting to port 5357 on my Vista SP1 box.
To my knowledge, I don't think I have this port open.
From a little time on google, it looks like some people are calling
this a potential info leak problem. I'm curious if anyone is going as
far as to manually block the port, and if so, if there are any
negative consequences?

In my opinion, if this is some sort of default vista webserver that
the firewall doesn't touch, it's but a matter of time.....



If I run  'netstat -anb | find "5357"'  it doesn't give the owning
process, it says:
 "x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    [::]:5357              [::]:0                 LISTENING"


I tried hitting the port on another Vista computer and it looks like
it's some sort of built in webserver????
This is the response:

"C:\>nc 10.10.12.90 5357
?
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 22 Jul 2008 19:37:41 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/str
ict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

C:\>"


If I try to hit the port with firefox, since it looks like a
webserver, I get this:
"HTTP Error 503. The service is unavailable."

Very different from hitting a port that's blocked.....


I'm curious what everyone else thinks.


Jon






.


.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------




---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 080727-0, 07/27/2008
Tested on: 7/28/2008 7:44:16 AM
avast! - copyright (c) 1988-2008 ALWIL Software.
http://www.avast.com




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault