Re: nmap shows open UDP port 113

From: Gregory Spath (gkspath_at_armstrong.com)
Date: 03/29/04

    Date: Mon, 29 Mar 2004 13:21:55 -0500
    To: pen-test@securityfocus.com
    
    

    113 is identd/auth.

    One linux-based firewall that I am aware of that runs Ident by default (it
    can be disabled) is smoothwall.

    IRC servers, and some other services are a pain to connect to if they
    cannot connect back to an ident server. I used to run a masquerading
    ident for all the people on my home lan myself because of this.

    On Wed, 24 Mar 2004 22:57:49 -0400
    "BillyBobKnob" <billybobknob@hotmail.com> wrote:

    > My friend asked me to see if I could scan or penetrate his firewall. He
    > only told me that it was a Linux box setup as a firewall running NAT
    > to hide internal IPs.
    >
    > - I did a nmap -O and a nmap -O --fuzzy but it said "too many
    > fingerprints match for accurate OS guess"
    > but it did tell me that TCP port 113 was in the closed state
    > - so I tried a TCP reverse inet scan (nmap -sT -I) and it still gave me
    > same info as this port was closed
    > - so I tried nmap -sU and no results
    > - then I tried nmap -sU -p 113 and it said that UDP port 113 was open !!
    >
    > I was then able to netcat to it (nc -u ipaddress 113) and I verified
    > that I was connected with a netstat.
    >
    > While connected via netcat I tried sending it commands like (ls, cd ..,
    > help, echo) but got nothing.
    >
    >
    > Is there anything that can be done with this connection ??
    > Or is there anyway to find out what internal IPs are behind it ?
    >
    >
    > Thanks,
    > Bill
    >
    >

    -- 
    Gregory Spath
    Network Security Analyst
    Armstrong World Industries, Inc.
    gkspath@armstrong.com
    717-396-5938
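
Added illustration, not part of the original message: the ident exchange (RFC 1413) is a one-line query and one-line reply over TCP port 113, sketched here from both sides to show what the service discloses about a connection's owner. The connection table, user name and port numbers are constructed sample values, and the reply parser trims spaces around the user id as a simplification.

```python
import re

# RFC 1413 query: "<port-on-server> , <port-on-client>" followed by CRLF.
_QUERY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed sample: one outbound connection owned by user "alice".
SAMPLE_CONNECTIONS = {(6191, 6667): "alice"}


def answer_query(line, connections, opsys="UNIX"):
    """Build the reply an ident daemon would send for one query line.

    `connections` maps (local_port, remote_port) -> user name. It is a
    hypothetical stand-in for the socket table a real daemon consults.
    """
    m = _QUERY.match(line)
    if not m:
        return "0, 0 : ERROR : UNKNOWN-ERROR\r\n"
    local, remote = int(m.group(1)), int(m.group(2))
    pair = f"{local}, {remote}"
    if not (1 <= local <= 65535 and 1 <= remote <= 65535):
        return f"{pair} : ERROR : INVALID-PORT\r\n"
    user = connections.get((local, remote))
    if user is None:
        # No matching connection: nothing about local users is revealed.
        return f"{pair} : ERROR : NO-USER\r\n"
    return f"{pair} : USERID : {opsys} : {user}\r\n"


def parse_reply(reply):
    """Split a reply into fields, as the querying server (e.g. IRC) would."""
    head, kind, rest = (p.strip() for p in reply.rstrip("\r\n").split(":", 2))
    local, remote = (int(p) for p in head.split(","))
    if kind == "ERROR":
        return {"ports": (local, remote), "error": rest}
    opsys, user = rest.split(":", 1)
    return {"ports": (local, remote), "opsys": opsys.strip(), "user": user.strip()}


if __name__ == "__main__":
    for query in ("6191, 6667\r\n", "6191, 25\r\n", "0, 6667\r\n", "help\r\n"):
        reply = answer_query(query, SAMPLE_CONNECTIONS)
        print(repr(query), "->", parse_reply(reply))
```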
    
