Re: Identify OS?

From: Martin Wasson (martin_wasson@mastercard.com)
Date: 02/03/03

    To: "Nick Jacobsen" <nick@ethicsdesign.com>
    From: "Martin Wasson" <martin_wasson@mastercard.com>
    Date: Mon, 3 Feb 2003 12:45:07 -0600
    
    

    Nick,
    Here's my two cents. It looks like a commercial version of Unix. My guess
    is Solaris. The first thing that struck me was port 6112/dtspc. I'm
    pretty sure that is a subprocess of CDE, so I doubt it's a Linux box.
    Kevin is right about it not being a Cisco box. There is no way it's Cisco.
    Look at port 7937/7938 open. That's Legato Networker 5.5 or later; it only
    runs on AIX, Solaris, IRIX, HP-UX, Linux, & Tru64. It also runs on
    Windows, but this isn't a Windows box. And it doesn't run on Cisco. It
    looks like a honeypot or a dead ringer for a newbie install. When you did
    an nslookup, did it return "two-dollar-hooker.i-am-so-owned.com."? I
    thought so. As was indicated before, connect to as many ports as you can,
    and document the versions of the daemons listening from their blathering
    banners. Good luck. I wonder if someone has already compiled a db
    containing what versions of popular daemons are included in various
    releases of *nix. Hope this helps.

    Marty Wasson
    Global Information Security
    MasterCard International
    (636) 722-2372
    martin_wasson@mastercard.com

    From: "Nick Jacobsen" <nick@ethicsdesign.com>
    Date: 01/31/03 01:33 AM
    Please respond to "Nick Jacobsen"
    To: <pen-test@securityfocus.com>
    cc: (bcc: Martin Wasson/STL/MASTERCARD)
    Subject: Identify OS?

    Hey All again,
    Could any of you give me an idea of what type of machine the following might
    be, based on the ports open? It is sitting at xxx.xxx.xxx.001 on a network,
    so I am thinking it is some sort of gateway, but what OS/hardware? Below are
    the results of telnetting to port 23, and the results of an nmap scan (tried
    the identify OS option, didn't do sh*t)

    Nick J.
    Ethics Design
    nick@ethicsdesign.com

    <----------------- Telnet results ---------------------------->
    Authorized uses only. All activity may be monitored and reported.
    login: cisco
    Password:
    Login incorrect
    <----------------- End Telnet Results ----------------------->
    <----------------- Nmap Scan Results ---------------------->
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    53/tcp open domain
    111/tcp open sunrpc
    161/tcp filtered snmp
    162/tcp filtered snmptrap
    389/tcp open ldap
    512/tcp open exec
    513/tcp open login
    514/tcp open shell
    1002/tcp open unknown
    1169/tcp open unknown
    1433/tcp filtered ms-sql-s
    1720/tcp open H.323/Q.931
    2410/tcp open unknown
    2785/tcp open unknown
    2786/tcp open unknown
    6000/tcp open X11
    6112/tcp open dtspc
    7937/tcp open unknown
    7938/tcp open unknown
    32774/tcp open sometimes-rpc11
    32775/tcp open sometimes-rpc13
    32778/tcp open sometimes-rpc19
    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    SInfo(V=3.10ALPHA7%P=i686-pc-windows-windows%D=1/30%Time=3E394B34%O=21%C=1)
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)
    <--------------------- End Nmap Scan Results ---------->

    ----------------------------------------------------------------------------

    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
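
Added example (not part of the original thread or anyone's posted code): the port-based reasoning in the reply above, applied to a subset of the quoted scan. The family list, the rule table and the scoring are assumptions made for illustration, built from the reply's statements about dtspc and Legato NetWorker plus the Unix-only services in the listing.

```python
import re

# Constructed sample: a subset of the scan output quoted in the thread.
SCAN = """\
23/tcp open telnet
111/tcp open sunrpc
161/tcp filtered snmp
513/tcp open login
6000/tcp open X11
6112/tcp open dtspc
7937/tcp open unknown
7938/tcp open unknown
32774/tcp open sometimes-rpc11
"""

FAMILIES = {"Solaris", "AIX", "HP-UX", "IRIX", "Tru64", "Linux", "Windows", "Cisco IOS"}
UNIX = FAMILIES - {"Windows", "Cisco IOS"}

# (ports that must all be open, families the service is consistent with, reason).
# Rules follow the reply's reasoning; they are heuristics, not a complete database.
RULES = [
    ({6112}, UNIX - {"Linux"}, "dtspc: CDE subprocess control, commercial Unix desktop"),
    ({7937, 7938}, FAMILIES - {"Cisco IOS"}, "Legato NetWorker ports"),
    ({111}, UNIX, "sunrpc portmapper"),
    ({513}, UNIX, "rlogin (BSD r-services)"),
    ({6000}, UNIX, "X11 display server"),
]

def parse_open_ports(text):
    """Return the set of TCP ports nmap reported as open (filtered ones are ignored)."""
    return {int(m.group(1))
            for m in re.finditer(r"^\s*(\d+)/tcp\s+open\b", text, re.MULTILINE)}

def rank_families(open_ports):
    """Score each OS family by how many matching rules are consistent with it."""
    scores = {f: 0 for f in FAMILIES}
    reasons = []
    for ports, consistent, why in RULES:
        if ports <= open_ports:          # every port of the rule is open
            reasons.append(why)
            for fam in consistent:
                scores[fam] += 1
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, reasons

if __name__ == "__main__":
    ranked, reasons = rank_families(parse_open_ports(SCAN))
    print(ranked, reasons, sep="\n")
```

The five commercial Unix families tie at the top, with Linux one point behind and Cisco IOS at zero: open ports alone narrow the platform class but do not single out Solaris, which is why the reply recommends recording the daemon versions from their banners.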
