Re: Nmap/netwag problem.

From: Irene Abezgauz (irene.abezgauz_at_gmail.com)
Date: 08/11/05

    Date: Thu, 11 Aug 2005 16:22:08 +0200
    To: Pete Herzog <lists@isecom.org>
    
    

    On 8/11/05, Pete Herzog <lists@isecom.org> wrote:
    ...
    > Sorry if my post was confusing. I'm saying that a complete handshake is
    > not the most reliable way to test for a service. The matter in question
    > was what the most reliable way to test further is. I'm not saying it
    > should always be done for efficiency's sake, but in matters of
    > discrepancy as per the original post, going further to just look for the
    > handshake and not send proper data is unreliable.

    I think this discussion got mixed between two entirely different
    things. The first is identifying whether there is SOMETHING out there
    that is listening on port X, and the second is identifying what that
    something is.

    A complete TCP handshake means a connection has been successfully
    established. That cannot be done with anything but an OPEN port,
    because closed and filtered ones are not that good at returning
    SYN-ACKs.

    Now, once we have established there is a service running on our port
    X, we want to determine what that service is.

    What I do for that is the following:

    First and most trivial - check out IANA. There's a chance they are
    actually using the port number for what's intended. Then try and
    determine whether that's really what's running there (meaning, if I
    found port 80 and I suspect it's HTTP, I'll try a GET / HTTP/1.0. If
    it's a 25 I'll go for HELO, if it's an Oracle listener I'll use an
    Oracle client, and so on).

    Second (if the first fails) - telnet/netcat to it, try talking to it
    a bit, see whether it responds, and if it does - how it responds. It
    might turn out very talkative and informative. (Hello User, I am
    Utility X version 1.2.3)

    Third - there is a bunch of tools that are good at service
    fingerprinting. Get one of those.

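The three-step procedure in the post (completed handshake means open; look up the registered name for the port number; wait for a greeting, then send a protocol-appropriate probe such as GET / HTTP/1.0 or HELO and read what comes back) is easy to write down as a small script, which is handy when auditing your own hosts to confirm that what listens on a port is what the inventory says it should be. The code below is an added example and is not from the original message or its author. It is Python, and it runs entirely on loopback against two constructed stand-in services (a fake web server that stays silent until it gets a request line, and a fake mail server that sends a 220 greeting first); the banner signatures in `classify` are a deliberately small heuristic, and the probe strings, host names and function names are this example's own assumptions.

```python
import socket
import socketserver
import threading

# Protocol-specific probes from the post (HTTP GET, SMTP HELO), sent only after a
# silent service gives us nothing to go on. Order is an assumption: HTTP first,
# since an unsolicited HELO makes some servers hang up.
PROBES = [
    ("http", b"GET / HTTP/1.0\r\n\r\n"),
    ("smtp", b"HELO audit.example.test\r\n"),
]


def classify(data: bytes) -> str:
    """Heuristic guess from the first bytes a service returns (assumed signatures)."""
    if data.startswith(b"HTTP/"):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"220") and b"SMTP" in data.upper():
        return "smtp"
    return "unknown"


def _recv(sock: socket.socket) -> bytes:
    """One bounded read; an empty result means the peer stayed silent or hung up."""
    try:
        return sock.recv(1024)
    except OSError:          # timeout, reset, or closed socket
        return b""


def probe_port(host: str, port: int, timeout: float = 2.0) -> dict:
    """Step 1: completed handshake => open. Step 2: registered name for the number.
    Step 3: wait for a greeting, then send probes until something is recognised."""
    result = {"port": port, "open": False, "iana_name": None,
              "banner": b"", "guess": "unknown"}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:          # refused (closed) or timed out (filtered)
        return result
    result["open"] = True
    try:
        # The OS services table is a local copy of the IANA registry.
        result["iana_name"] = socket.getservbyport(port, "tcp")
    except OSError:
        pass
    with sock:
        banner = _recv(sock)             # services like SMTP/SSH speak first
        if not banner:
            for _name, probe in PROBES:  # HTTP-style services wait for us
                try:
                    sock.sendall(probe)
                except OSError:
                    break
                banner = _recv(sock)
                if banner:
                    break
        result["banner"] = banner
        result["guess"] = classify(banner)
    return result


# --- constructed stand-in services on loopback, so the example runs offline ---

class FakeHTTP(socketserver.BaseRequestHandler):
    """Silent until it receives a request line, like a web server."""
    def handle(self):
        if self.request.recv(1024).startswith(b"GET "):
            self.request.sendall(b"HTTP/1.0 200 OK\r\nServer: Demo/0.1\r\n\r\n")


class FakeSMTP(socketserver.BaseRequestHandler):
    """Sends a 220 greeting first, like a mail server."""
    def handle(self):
        self.request.sendall(b"220 mail.example.test ESMTP Demo\r\n")
        self.request.recv(1024)          # wait for the client's HELO or close


def start_server(handler) -> socketserver.ThreadingTCPServer:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _closed_port() -> int:
    """Pick a port nothing listens on (bind, read the number, release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout: float = 0.5) -> list:
    """Probe a fake web server, a fake mail server and a closed port; return the reports."""
    servers = [start_server(FakeHTTP), start_server(FakeSMTP)]
    ports = [srv.server_address[1] for srv in servers] + [_closed_port()]
    try:
        return [probe_port("127.0.0.1", p, timeout) for p in ports]
    finally:
        for srv in servers:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for r in demo():
        state = "open" if r["open"] else "closed"
        print(r["port"], state, r["iana_name"], r["guess"], r["banner"][:40])
```

Two things worth noting about the design. The greeting read comes before any probe, because protocols that speak first (SMTP, SSH) identify themselves without being asked, and sending them an HTTP request only earns a syntax-error reply. And the registered name from the services table is recorded separately from the guess, so a mismatch between the two (port 25 answering with an HTTP status line, say) is visible in the report rather than silently resolved one way or the other.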

