RE: Service Identification

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 12/09/03

  • Next message: Thompson, Jimi: "Education End Users about Passwords - Was - RE: john the ripper"
    Date: Mon, 8 Dec 2003 19:26:19 -0500 (EST)
    To: "Beaty, Bryan" <Bryan.Beaty@vector.com>
    
    

    Most often tcpwrappers <tcpd> will have a 'twist' associated with a
    service it is protecting, and/or an allow or deny depending upon
    something like the IP connecting. TCPD tends to reject the connections
    not allowed with a 'banner' stating the fact/reason.

    Thanks,

    Ron DuFresne

    On Mon, 8 Dec 2003, Beaty, Bryan wrote:

    > I did try this. It was unable to identify the service. I contacted the
    > client and they stated these were indeed Telnet and SMTP but protected
    > by TCP wrappers.
    >
    > Does this sound like the response I would get by a service protected by
    > TCP wrappers?
    >
    > Thanks,
    > Bryan
    >
    >
    >
    > -----Original Message-----
    > From: Meidinger Chris [mailto:chris.meidinger@badenit.de]
    > Sent: Monday, December 08, 2003 8:29 AM
    > To: Beaty, Bryan
    > Cc: pen-test@securityfocus.com
    > Subject: RE: Service Identification
    >
    > Small tip: nmap version 3.40 or newer has an option -sV, which is service
    > verification. It will fire a lot of different packets at the port trying to
    > get a bead on what is behind it. Did you try that?
    >
    > Chris Meidinger
    >
    > -----Original Message-----
    > From: Beaty, Bryan [mailto:Bryan.Beaty@vector.com]
    > Sent: Sunday, December 07, 2003 6:21 PM
    > To: pen-test@securityfocus.com
    > Subject: Service Identification
    >
    >
    > I port scanned a box I am working on. I know the box is some form of
    > Linux. I see that port 23,25 and 53 are open. I can identify 53 as DNS.
    > Both NMAP and AMAP identify it as DNS.
    >
    > Port 23 and 25 are open but cannot be identified by AMAP or NMAP. When I
    > telnet <ip> 23 or 25 I get a blank screen. If I type I just get blank
    > spaces or underscore symbols on the screen.
    >
    > Does this mean the telnet and SMTP server have crashed?
    > Could it be that someone has installed some other service on these
    > ports?
    > How do you identify services that respond like this? Seems like I run
    > into this from time to time but I never have learned how to deal with
    > it.
    >
    > Any ideas what to do at this point? I do not have physical access to the
    > box.
    >
    > Thanks,
    > Bryan Beaty
    >

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
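
As an added illustration of the allow/deny/twist behaviour described in the reply above (not part of the original thread), this Python sketch evaluates hosts_options(5)-style rules and reports which tcpd action a given client address receives. The rules, daemon names and addresses are constructed, and only IPv4 patterns with a single option per rule are handled.

```python
import ipaddress

# Constructed sample in hosts_options(5) style: "daemon_list : client_list : option".
SAMPLE_HOSTS_ALLOW = """\
# constructed sample, not taken from the host discussed in the thread
in.telnetd : 192.0.2.0/255.255.255.0 : allow
in.telnetd : ALL : twist /bin/echo "telnet refused for %a"
sendmail   : 198.51.100. : allow
sendmail   : ALL : deny
"""

def client_matches(pattern, ip):
    """Match one client pattern: ALL, 'n.n.n.' prefix, net/mask, or exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):               # e.g. "198.51.100." matches by prefix
        return ip.startswith(pattern)
    if "/" in pattern:                      # e.g. "192.0.2.0/255.255.255.0"
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip

def parse_rules(text):
    """Turn rule lines into (daemons, clients, option) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients, option = (f.strip() for f in line.split(":", 2))
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(), option))
    return rules

def decide(rules, daemon, ip):
    """Return (action, twist command or None) for the first matching rule."""
    for daemons, clients, option in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if not any(client_matches(c, ip) for c in clients):
            continue
        verb, _, arg = option.partition(" ")
        if verb == "twist":
            # tcpd runs this command in place of the daemon; %a is the client address
            return "twist", arg.replace("%a", ip)
        return verb, None                   # "allow" or "deny"
    return "allow", None                    # no rule matched: access is granted
```

An address outside the allowed ranges reaches the wrapper's twist or deny action and never talks to the real telnet or SMTP daemon.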
    
