Re: Unusual ports found in nmap scan

From: Aaron Higbee (aaron@beesecure.org)
Date: 03/01/02


Date: Fri, 1 Mar 2002 11:49:29 -0500 (EST)
From: "Aaron Higbee" <aaron@beesecure.org>
To: <pen-test@securityfocus.com>

Hi Dave,

If you do a few searches you will see that 445 is the new "NetBios"
(kinda.) Microsoft-DS, or Microsoft Directory Services. It's great for
penetration testers because a lot of firewall admins have blocked the
standard Netbios ports.

Quick Tip: Netbios brute force attacks with brutus work fine if you change
the target port from 139 to 445.

Quick Tip #2: Null session enumeration works over 445 too. Yay!

--Aaron Higbee

> hi Dave,
>
> NtWaK0 released an advisory to bugtraq on 15/02/2002 dealing with port
> 445, here's a quick extract:
>
> TCP/UDP port 445 is open by default on a Fresh installed XP box.
> : The attack is serious since it works remotely and can make the CPU
> 100 % : in less than 20 Second.
>
> you can find the full text at:
> http://online.securityfocus.com/archive/1/256830
>
> it might not help with port enumeration but it could shed some light on
> the machine's os..
>
> good luck,
> nessim
>
>
> On Wednesday 27 Feb 2002 6:12 pm, you wrote:
>> Hello All
>>
>> I'm currently pentesting a client and nmap reports that a particular
>> host has the following ports open:
>> 82/tcp
>> 445/tcp
>> 447/tcp
>
> <snip>
>
>> Does anyone have any further information on these ports and what sort
>> of application might be running using these open ports (assuming they
>> are what they say they are!)
>>
>> Also assuming it's Win2K are there any tools for enumeration on port
>> 445?
>>
>> All help appreciated
>>
>> Dave
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
> see: https://alerts.securityfocus.com/
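The point made above, that filters written for the standard NetBIOS ports often leave 445 reachable, can be checked from the defender's side against your own scan results. The following is an added example, not part of the original thread: it reads nmap grepable (`-oG`) output and lists hosts where 445/tcp is open while 137-139 were scanned and found not open. The sample scan lines and the function names are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG` output; addresses are documentation ranges.
SAMPLE = """\
Host: 192.0.2.10 ()\tPorts: 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.11 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.12 ()\tPorts: 82/open/tcp/////, 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.0.2.13 ()\tStatus: Up
"""

NETBIOS_PORTS = {137, 138, 139}

def parse_grepable(text):
    """Return {host: {(port, proto): state}} from the 'Ports:' lines."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?\bPorts:\s+(.*)", line)
        if not m:
            continue  # status-only lines carry no port data
        ports = hosts.setdefault(m.group(1), {})
        for entry in m.group(2).split("\t")[0].split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) >= 3 and parts[0].isdigit():
                ports[(int(parts[0]), parts[2])] = parts[1]
    return hosts

def filtering_gaps(hosts):
    """Hosts where 445/tcp is open but every scanned NetBIOS port is not."""
    gaps = []
    for host, ports in sorted(hosts.items()):
        smb_open = ports.get((445, "tcp")) == "open"
        netbios = [s for (p, _), s in ports.items() if p in NETBIOS_PORTS]
        # Require NetBIOS ports to have been scanned, so a missing result is not a finding.
        if smb_open and netbios and all(s != "open" for s in netbios):
            gaps.append(host)
    return gaps

if __name__ == "__main__":
    for host in filtering_gaps(parse_grepable(SAMPLE)):
        print(f"{host}: 445/tcp reachable but 137-139 are not; extend the SMB filter to 445")
```

A host reported here is one where the filtering rule should be extended to cover 445 as well as 137-139.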