RE: Unknown App

From: Lyal Collins (lyal.collins_at_key2it.com.au)
Date: 07/22/05

  • Next message: Mike Klingler: "Windows NT shellcode needed"
    To: <aleksander.czarnowski@avet.com.pl>, "'Bartholomew, Brian J'" <BartholomewBJ@state.gov>, <thenightweighsheavy@gmail.com>, <pen-test@securityfocus.com>
    Date: Fri, 22 Jul 2005 18:36:58 +1000
    
    

    In my experience, there are very few Windows desktops locked down to the
    extent that you can't embed a 'package' in an Office document, when the
    package refers to "cmd.exe", with any necessary paths etc.
    Assuming you've got Office installed, give it a try.
    Lyal

    -----Original Message-----
    From: Aleksander P. Czarnowski [mailto:alekc@avet.com.pl]
    Sent: Friday, 22 July 2005 6:56 AM
    To: Bartholomew, Brian J; thenightweighsheavy@gmail.com;
    pen-test@securityfocus.com
    Subject: RE: Unknown App

    This will work only if command prompt access is granted - I guess clicking on
    the Control Panel/Add-Remove Application icon would be easier in the case of
    a legitimate application ;-)

    In the case of a remote test, the simplest solution would be nmap's -A switch or
    some other application fingerprinting tool. You can also try some fuzzing
    and see if you get any response. Secondly - because this is a Windows
    system - you might try to enumerate running services remotely or access
    system/application logs remotely (assuming you have credentials or there
    are no restrictions on NULL sessions and ports 135-139 are not filtered.)

    Best Regards,
    Aleksander Czarnowski
    AVET INS

    > -----Original Message-----
    > From: Bartholomew, Brian J [mailto:BartholomewBJ@state.gov]
    > Sent: Thursday, July 21, 2005 6:47 PM
    > To: thenightweighsheavy@gmail.com; pen-test@securityfocus.com
    > Subject: RE: Unknown App
    >
    >
    > A simple Fport should tell you what it is...
    >
    > http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
    >
    > Brian J. Bartholomew (CISSP)
    > Red Cell
    > US Department of State
    > Bureau of Diplomatic Security
    > Office of Computer Security
    > Ph: 571-345-2670
    > Cell: 202-369-6349
    >
    >
    > -----Original Message-----
    > From: thenightweighsheavy@gmail.com
    > [mailto:thenightweighsheavy@gmail.com]
    > Sent: Thursday, July 21, 2005 2:56 AM
    > To: pen-test@securityfocus.com
    > Subject: Unknown App
    >
    >
    > Hello,
    >
    > During a recent pen-test, I discovered that port 80 is opened by
    > an unknown application on multiple client workstations (WinXP).
    > No web server appears to be running or installed - I've tested a
    > few things, but I'm curious what the list thinks is the best
    > next-step to take.
    > Thanks,
    > Golden Earring
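
The port-to-process mapping that the Fport suggestion in this thread relies on can also be derived from `netstat -ano` and `tasklist /fo csv /nh` output collected on the workstation. The following is an added example, not part of the original thread; the sample output is constructed, the process name `example_agent.exe` is a placeholder, and it assumes both commands are available on the host.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output; names are placeholders.
TASKLIST = '''\
"System","4","Console","0","236 K"
"svchost.exe","968","Console","0","4,512 K"
"example_agent.exe","1432","Console","0","6,120 K"
'''


def listening_pids(netstat_text):
    """Map each listening TCP port to the set of PIDs bound to it."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # A listener row has exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])  # rsplit also handles [::]:80
        ports.setdefault(port, set()).add(int(fields[4]))
    return ports


def image_names(tasklist_csv):
    """Map PID to image name from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}


def owners(port, netstat_text, tasklist_csv):
    """Return sorted (pid, image) pairs for processes listening on `port`."""
    names = image_names(tasklist_csv)
    pids = listening_pids(netstat_text).get(port, set())
    # A PID absent from tasklist is still reported: that gap is itself a finding.
    return sorted((pid, names.get(pid, "<not in tasklist>")) for pid in pids)
```

On the constructed sample, `owners(80, NETSTAT, TASKLIST)` returns `[(1432, 'example_agent.exe')]`.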

