RE: Port 5357 -- Vista SP1 ???



A more detailed page on the feature:
http://msdn.microsoft.com/en-us/library/bb756908.aspx


Regards,
Mathieu CHATEAU
french blog: http://www.lotp.fr
english blog: http://lordoftheping.blogspot.com


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
behalf of jond
Sent: Tuesday, 22 July 2008 22:02
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Port 5357 -- Vista SP1 ???

I have a homemade tripwire type program that alerted me to someone
connecting to port 5357 on my Vista SP1 box.
To my knowledge, I don't think I have this port open.
From a little time on Google, it looks like some people are calling
this a potential info leak problem. I'm curious if anyone is going as
far as to manually block the port, and if so, if there are any
negative consequences?

In my opinion, if this is some sort of default Vista webserver that
the firewall doesn't touch, it's but a matter of time.....



If I run 'netstat -anb | find "5357"' it doesn't give the owning
process, it says:
"x: Windows Sockets initialization failed: 5
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING"


I tried hitting the port on another Vista computer and it looks like
it's some sort of built-in webserver????
This is the response:

"C:\>nc 10.10.12.90 5357
?
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 22 Jul 2008 19:37:41 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML
4.01//EN""http://www.w3.org/TR/html4/str
ict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html;
charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

C:\>"


If I try to hit the port with firefox, since it looks like a
webserver, I get this:
"HTTP Error 503. The service is unavailable."

Very different from hitting a port that's blocked.....


I'm curious what everyone else thinks.


Jon
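
The post contrasts the answers from port 5357 with what a blocked port looks like. As an added example (not part of the original thread), this sketch checks a host you administer and separates closed, filtered and answering states; it assumes that a `Server: Microsoft-HTTPAPI/...` header identifies the Windows HTTP Server API (HTTP.sys), and the function names and the abbreviated sample response are constructed for illustration.

```python
import socket

# Constructed sample: headers of the 400 response quoted in the post.
SAMPLE_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 326\r\n\r\n"
)

def parse_response(raw):
    """Return (status_code, server_header); (None, None) if not HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, None
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return int(parts[1]), server

def classify(status, server):
    """Label what answered, based on the status line and Server header."""
    if status is None:
        return "open, not HTTP"
    if server and server.startswith("Microsoft-HTTPAPI/"):
        return "HTTP.sys listener (status %d)" % status
    return "other HTTP server (status %d)" % status

def probe(host, port=5357, timeout=3.0):
    """Connect to your own host and report closed, filtered or answering."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode()
                      + b"\r\nConnection: close\r\n\r\n")
            raw = s.recv(4096)
    except ConnectionRefusedError:
        return "closed (connection refused)"
    except socket.timeout:
        return "filtered or blocked (no reply)"
    except OSError as exc:
        return "unreachable (%s)" % exc
    return classify(*parse_response(raw))

if __name__ == "__main__":
    print(probe("127.0.0.1"))
```

Running it before and after adding a firewall block rule for the port shows whether the rule actually changes what a remote client sees.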


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

