RE: Service Identification

From: Meidinger Chris (chris.meidinger_at_badenit.de)
Date: 12/08/03

  • Next message: Michael: "Rootkit Hunter 1.00 RC1 released" 
    To: "'Beaty, Bryan'" <Bryan.Beaty@vector.com>
Date: Mon, 8 Dec 2003 15:28:39 +0100

    Small tip: nmap version 3.40 or newer has an option -sV, which is service
    verification. It will fire a lot of different packets at the port trying to
    get a bead on what is behind it. Did you try that?

    Chris Meidinger

    -----Original Message-----
    From: Beaty, Bryan [mailto:Bryan.Beaty@vector.com]
    Sent: Sunday, December 07, 2003 6:21 PM
    To: pen-test@securityfocus.com
    Subject: Service Identification

    I port scanned a box I am working on. I know the box is some form of
    Linux. I see that port 23,25 and 53 are open. I can identify 53 as DNS.
    Both NMAP and AMAP identify it as DNS.

    Port 23 and 25 are open but cannot be identified by AMAP or NMAP. When I
    telnet <ip> 23 or 25 I get a blank screen. If I type I just get blank
    spaces or underscore symbols on the screen.

    Does this mean the telnet and SMTP server have crashed?
    Could it be that someone has installed some other service on these
    ports?
    How do you identify services that respond like this? Seems like I run
    into this from time to time but I never have learned how to deal with
    it.

    Any ideas what to do at this point? I do not have physical access to the
    box.

    Thanks,
    Bryan Beaty

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

  • Next message: Michael: "Rootkit Hunter 1.00 RC1 released"

    Relevant Pages

    • Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
      ... When Nmap (or many ... > other applications, such as Telnet) does a connectcall, the OS is ... > supposed to choose a good souce port to bind to for the connection. ... I saw a familiar "Connection reset by peer" every time the random port ...
      (Incidents)
    • Re: Yes, trying to hack a remote control
      ... I attempted a telnet into that port, and it asked for a username/pass, ... and then upload a modified firmware to the remote. ... The latest versions of nmap have a feature whereby you can run scans ...
      (Security-Basics)
    • RE: Service Identification
      ... I port scanned a box I am working on. ... Both NMAP and AMAP identify it as DNS. ... telnet 23 or 25 I get a blank screen. ... Does this mean the telnet and SMTP server have crashed? ...
      (Pen-Test)
    • Re: Firewall Scan
      ... I was doing a normal TCP Scan on port 5900, when I found a strange result: ... 1st I did a normal TCP scan with Nmap ... PORT STATE SERVICE ... things that get picked up as a port scan that normal telnet or other ...
      (Pen-Test)
    • Re: how nmap can know my firewalled servers ?
      ... UDP or ICMP protocol), it will mark the port as closed. ... descrition, how NMAP determins, if the UDP port is open or closed. ... Try Webroot's Spy Sweeper Enterprisefor 30 days for FREE with no ...
      (Security-Basics)