Service Identification

From: Beaty, Bryan (Bryan.Beaty_at_vector.com)
Date: 12/07/03

Next message: Mike: "Re: john the ripper"

Previous message: IndianZ: "CLOSED: RING Fingerprinting"
Next in thread: Meidinger Chris: "RE: Service Identification"
Maybe reply: Meidinger Chris: "RE: Service Identification"
Reply: Omar Prunera Dols: "Re: Service Identification"
Maybe reply: MARTIN M. Bénoni: "RE: Service Identification"
Reply: Martin Mačok: "Re: Service Identification"
Maybe reply: Beaty, Bryan: "RE: Service Identification"
Maybe reply: J. Oquendo: "RE: Service Identification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 7 Dec 2003 11:21:01 -0600
To: <pen-test@securityfocus.com>

I port scanned a box I am working on. I know the box is some form of
Linux. I see that port 23,25 and 53 are open. I can identify 53 as DNS.
Both NMAP and AMAP identify it as DNS.

Port 23 and 25 are open but cannot be identified by AMAP or NMAP. When I
telnet <ip> 23 or 25 I get a blank screen. If I type I just get blank
spaces or underscore symbols on the screen.

Does this mean the telnet and SMTP server have crashed?
Could it be that someone has installed some other service on these
ports?
How do you identify services that respond like this? Seems like I run
into this from time to time but I never have learned how to deal with
it.

Any ideas what to do at this point? I do not have physical access to the
box.

Thanks,
Bryan Beaty

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Mike: "Re: john the ripper"

Previous message: IndianZ: "CLOSED: RING Fingerprinting"
Next in thread: Meidinger Chris: "RE: Service Identification"
Maybe reply: Meidinger Chris: "RE: Service Identification"
Reply: Omar Prunera Dols: "Re: Service Identification"
Maybe reply: MARTIN M. Bénoni: "RE: Service Identification"
Reply: Martin Mačok: "Re: Service Identification"
Maybe reply: Beaty, Bryan: "RE: Service Identification"
Maybe reply: J. Oquendo: "RE: Service Identification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
... When Nmap (or many ... > other applications, such as Telnet) does a connectcall, the OS is ... > supposed to choose a good souce port to bind to for the connection. ... I saw a familiar "Connection reset by peer" every time the random port ...
(Incidents)
Re: Yes, trying to hack a remote control
... I attempted a telnet into that port, and it asked for a username/pass, ... and then upload a modified firmware to the remote. ... The latest versions of nmap have a feature whereby you can run scans ...
(Security-Basics)
Re: Telnet port 25
... Subject: Telnet port 25 ... is the sole responsibility of the customer and depends on the customer's ... Configuring sendmail 8.11.0 for Anti-Relay ...
(AIX-L)
RE: Service Identification
... I port scanned a box I am working on. ... Both NMAP and AMAP identify it as DNS. ... telnet 23 or 25 I get a blank screen. ... Does this mean the telnet and SMTP server have crashed? ...
(Pen-Test)
Re: Suggestion for a lexical (login mode via TCPIP)
... Not sure of it is the right one to modify or to add another one, but it would be useful to be able to get information on whether the user us coming in via FTP, TELNET, etc. ... This would also allow a LOGIN.COM to check if someone is coming in through a secure/SSL port for instance. ... For the HP SSH server, it seems to be undefined. ... forget about the possibility of virtual terminals. ...
(comp.os.vms)