RE: Unknown App

From: Lyal Collins (
Date: 07/22/05

  • Next message: Mike Klingler: "Windows NT shellcode needed"
    To: <>, "'Bartholomew, Brian J'" <>, <>, <>
    Date: Fri, 22 Jul 2005 18:36:58 +1000

    In my experience, there are very few windows desktops locked down to the
    extent that you can't embed a 'package' in an office document, when the
    package refers to "cmd.exe", with any necessary paths etc.
    Asusming you've got Office installed, give it a try.

    -----Original Message-----
    From: Aleksander P. Czarnowski []
    Sent: Friday, 22 July 2005 6:56 AM
    To: Bartholomew, Brian J;;
    Subject: RE: Unknown App

    This will work only if command prompt access is granted - guess clicking on
    Control Panel/Add-Remove Application icon would be easier in case of
    legitimate application ;-)

    In case of remote test the most simple solution would be nmap's -A switch or
    some other application fingerprinting tool. You can try also do some fuzzing
    and see if you'll get any response. Secondly - because this is Windows
    system - you might try to enumerate remotely running services or access
    system/application logs remotely (considering you have credential or there
    are no restriction on NULL session and ports 135-139 are not filtered.)

    Best Regards,
    Aleksander Czarnowski

    > -----Original Message-----
    > From: Bartholomew, Brian J []
    > Sent: Thursday, July 21, 2005 6:47 PM
    > To:;
    > Subject: RE: Unknown App
    > A simple Fport should tell you what it is...
    > m&subcontent=/resources/proddesc/fport.htm
    > Brian J. Bartholomew (CISSP)
    > Red Cell
    > US Department of State
    > Bureau of Diplomatic Security
    > Office of Computer Security
    > Ph: 571-345-2670
    > Cell: 202-369-6349
    > -----Original Message-----
    > From:
    > []
    > Sent: Thursday, July 21, 2005 2:56 AM
    > To:
    > Subject: Unknown App
    > Hello,
    > During a recent pen-test, I discovered that port 80 is opened by
    > an unknown application on multiple client workstations (WinXP).
    > No web server appears to be running or installed - I've tested a
    > few things, but I'm curious what the list thinks is the best
    > next-step to take.
    > Thanks,
    > Golden Earring

  • Next message: Mike Klingler: "Windows NT shellcode needed"