Re: Port 4662 exploitation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There was a discussion about such kinds of questions days ago; I'll omit
that and try to put you on the way. But I personally suggest you study
the topic first, then ask.

Besides that, I hope you get my point, I'll provide you some help; I'm
not an uber-anarchist-like kind of person.

This is what I get from your logs and posts:

1. Running BackTrack live CD:
This is a security-oriented Linux distribution that stands as a tool
compilation. If you don't understand the tools, you shouldn't use them
until you do.

2. Running Nmap:
Your nmap scan doesn't do service fingerprinting, so you're confusing the
list by saying you got a shell from an e-donkey daemon. What you got
there is the IANA standard port and service name; actually you're
getting it from /etc/services on your bt distro.
You get too many open ports; two explanations: First, a
happy-installer's workstation (so I don't get the point of your security
audit). Second, you're getting false positives; in the case of an IDS
configured this way, your scan is all wrong, or you're up against a
broken TCP/IP stack, which is weird because you're only using a half-open
scan, not XMAS, FIN, and the like.

3. Shell:
Please define shell: do you get a prompt where you can issue commands
that are interpreted by the operating system, and can you see the results
of those commands? And in that case, what privilege does this shell have?

My time is rushing, so I'll finish here.



lgpmsec wrote:
Hi again all,

Please find below the nmap results for the specific server, and let me know
if it adds value:

bt ~ # nmap -sT -vv x.x.x.120

Starting Nmap 4.60 ( http://nmap.org ) at 2008-12-15 15:04 GMT
Initiating Ping Scan at 15:04
Scanning x.x.x.120 [2 ports]
Completed Ping Scan at 15:04, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.00s elapsed
Initiating SYN Stealth Scan at 15:04
Scanning x.y.com (x.x.x.120) [1715 ports]
Discovered open port 53/tcp on x.x.x.120
Discovered open port 443/tcp on x.x.x.120
Discovered open port 80/tcp on x.x.x.120
Discovered open port 113/tcp on x.x.x.120
Discovered open port 554/tcp on x.x.x.120
Discovered open port 22/tcp on x.x.x.120
Discovered open port 636/tcp on x.x.x.120
Discovered open port 25/tcp on x.x.x.120
Discovered open port 389/tcp on x.x.x.120
Discovered open port 21/tcp on x.x.x.120
Discovered open port 3389/tcp on x.x.x.120
Discovered open port 23/tcp on x.x.x.120
Discovered open port 1755/tcp on x.x.x.120
Discovered open port 749/tcp on x.x.x.120
Discovered open port 19/tcp on x.x.x.120
adjust_timeouts2: packet supposedly had rtt of 8544204 microseconds.
Ignoring time.
SYN Stealth Scan Timing: About 50.94% done; ETC: 15:06 (0:00:35 remaining)
Discovered open port 139/tcp on x.x.x.120
Discovered open port 3128/tcp on x.x.x.120
Discovered open port 70/tcp on x.x.x.120
SYN Stealth Scan Timing: About 42.74% done; ETC: 15:07 (0:01:36 remaining)
Discovered open port 465/tcp on x.x.x.120
Discovered open port 1494/tcp on x.x.x.120
Discovered open port 37/tcp on x.x.x.120
Discovered open port 110/tcp on x.x.x.120
Discovered open port 3268/tcp on x.x.x.120
Discovered open port 109/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 5 to 10 due to 25 out of 82 dropped
probes since last increase.
Discovered open port 7000/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 10 to 20 due to 11 out of 12
dropped probes since last increase.
Discovered open port 6699/tcp on x.x.x.120
Discovered open port 88/tcp on x.x.x.120
SYN Stealth Scan Timing: About 51.05% done; ETC: 15:16 (0:05:23 remaining)
Increasing send delay for x.x.x.120 from 20 to 40 due to 11 out of 13
dropped probes since last increase.
Discovered open port 43/tcp on x.x.x.120
Discovered open port 79/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 40 to 80 due to 11 out of 13
dropped probes since last increase.
Discovered open port 993/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 80 to 160 due to 11 out of 12
dropped probes since last increase.
Discovered open port 7070/tcp on x.x.x.120
Discovered open port 6666/tcp on x.x.x.120
Discovered open port 569/tcp on x.x.x.120
Discovered open port 4662/tcp on x.x.x.120
Discovered open port 17/tcp on x.x.x.120
Discovered open port 5060/tcp on x.x.x.120
Discovered open port 143/tcp on x.x.x.120
Discovered open port 3269/tcp on x.x.x.120
Discovered open port 513/tcp on x.x.x.120
Discovered open port 1720/tcp on x.x.x.120
Discovered open port 995/tcp on x.x.x.120
Discovered open port 13/tcp on x.x.x.120
Discovered open port 563/tcp on x.x.x.120
Discovered open port 1433/tcp on x.x.x.120
Discovered open port 9/tcp on x.x.x.120
Discovered open port 7/tcp on x.x.x.120
Discovered open port 119/tcp on x.x.x.120
Discovered open port 6667/tcp on x.x.x.120
Completed SYN Stealth Scan at 16:05, 3639.22s elapsed (1715 total ports)
Host x.y.com (x.x.x.120) appears to be up ... good.
Interesting ports on x.y.com (x.x.x.120):
Not shown: 1611 filtered ports, 55 closed ports
PORT STATE SERVICE
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
43/tcp open whois
53/tcp open domain
70/tcp open gopher
79/tcp open finger
80/tcp open http
88/tcp open kerberos-sec
109/tcp open pop2
110/tcp open pop3
113/tcp open auth
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
443/tcp open https
465/tcp open smtps
513/tcp open login
554/tcp open rtsp
563/tcp open snews
569/tcp open ms-rome
636/tcp open ldapssl
749/tcp open kerberos-adm
993/tcp open imaps
995/tcp open pop3s
1433/tcp open ms-sql-s
1494/tcp open citrix-ica
1720/tcp open H.323/Q.931
1755/tcp open wms
3128/tcp open squid-http
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
4662/tcp open edonkey
6666/tcp open irc
6667/tcp open irc
6699/tcp open napster
7000/tcp open afs3-fileserver
7070/tcp open realserver

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3639.314 seconds
Raw packets sent: 7086 (311.764KB) | Rcvd: 6864 (315.744KB)

I also telneted to the 4662 port, getting:

bt ~ # telnet x.x.x.120 4662
Trying x.x.x.120...
Connected to x.x.x.120.
Escape character is '^]'.
whoami




^QConnection closed by foreign host.

Please advise on how to proceed

Thank you,

-Mohamad.
________________________________________
From: RaptorX [mailto:graptorx@xxxxxxxxx]
Sent: Monday, December 15, 2008 5:08 PM
To: Jeremi Gosney
Cc: James Bensley; Jorge L. Vazquez; Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

I agree with Jeremi.

On Sun, Dec 14, 2008 at 8:33 PM, Jeremi Gosney <Jeremi.Gosney@xxxxxxxxxxxxx> wrote:
"when you telnet into an unknown port you are not doing it to get a
shell, but to get a tcp header and know what services might be running
on that port.."
That statement is most definitely false. While banner collection is
certainly one facet of penetration testing, you most definitely ARE
checking for things like rootkits. Discovering a shell listening on an
arbitrary port is clearly a most valuable find. Mr Bensley's follow-up
questions are most relevant here; surely you would have known what to do
if you discovered a shell listening on a port, so my assumption is you
are mis-using the word.

Looking forward to your answers.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of James Bensley
Sent: Saturday, December 13, 2008 12:20 PM
To: pen-test@xxxxxxxxxxxxxxxxx; Jorge L. Vazquez
Cc: Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

Well, when you telnet to that port do you get a heading in return?

Or when you say a shell, do you actually get a prompt to start entering
commands? What's the prompt you get, if so? Also, if it is a full shell, can
you run any commands? What is the output when you run "whoami"?

Use the netstat command to list any connections (irrelevant of their
state, i.e. established or listening) and display the program responsible
for the connection, so you can see where it is coming from.

Send us your results ;)

2008/12/13 Jorge L. Vazquez <jlvazquez825@xxxxxxxxx>:
when you telnet into an unknown port you are not doing it to get a
shell, but to get a tcp header and know what services might be running
on that port..

-j0rg3
blog: www.pctechtips.org


Mohamad M wrote:
Hi again,

I agree it looks very weird; I simply started a Syn scan with nmap,
and got that tcp 4662 is open; when I telneted to 4662, I got shell,
but then did not know how to proceed, hence my email.

Thanks,

-----Original Message-----
From: ArcSighter Elite [mailto:arcsighter@xxxxxxxxx]
Sent: Friday, December 12, 2008 11:43 PM
To: Mohamad M
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Port 4662 exploitation

Mohamad M wrote:
Hello All,
I'm doing a vulnerability assessment for my company, and saw that
port 4662 (edonkey) is open on 1 device facing the internet. I telneted
to 4662, and I got connected; since I'm new to this domain, what are
the steps needed in order to exploit this vulnerability?
Thanks,
./Lgpmsec

-------------------------------------------------------------------
-----
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
-------------------------------------------------------------------
-----


An open port is never a vulnerability; it only is if the running service
that binds to that port is actually vulnerable. Which makes me ask,
have you actually done a service fingerprint to determine it is
e-donkey? Because that looks pretty weird to me.

Sincerely.










--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT/MU/U dpu s: a--> C++>$ U+> L++> B-> P+> E?> W+++>$ N K W++ O M++>$
V-
PS+++ PE++ Y+ PGP t 5 X+ R- tv+ b+> DI D+++ G+ e(+++++) h--(++) r++ z++
------END GEEK CODE BLOCK------







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJRpf5H+KgkfcIQ8cRAinRAKCeUqifhEyLDkIZqRbpQ2pQ8o9U4gCfZ97X
AYIN4FIEJQCqZN90x1Ljnfo=
=qa5v
-----END PGP SIGNATURE-----
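Added example, not code from anyone in this thread. It makes concrete the two points the replies keep circling: an open-port listing without `nmap -sV` only prints the name registered for the port number (nothing has been observed on the wire), and telnet's "Connected to ..." only proves the TCP handshake completed. The script below connects, waits for an unsolicited banner, sends one probe line (the "whoami" from the quoted session) and records whether the peer greets, answers, stays quiet, or hangs up. The three listeners it talks to are constructed stand-ins on 127.0.0.1, so it runs offline; the labels in `classify()` and the fake-service behaviours are my own assumptions, not anything the quoted host is known to do.

```python
"""Classify what actually answers on an open TCP port, instead of trusting
the name printed next to the port number by a non-fingerprinting scan."""
import socket
import threading


def service_name_guess(port, proto="tcp"):
    """The static lookup a name-only port listing relies on: no packets sent."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def probe(host, port, payload=b"whoami\r\n", timeout=2.0):
    """Connect, collect a banner if one arrives, then send `payload` and watch
    the peer's reaction. Returns raw observations, not a verdict."""
    obs = {"connected": False, "banner": b"", "reply": b"", "peer_closed": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return obs                      # refused or filtered: nothing to fingerprint
    obs["connected"] = True
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1024)      # SMTP, FTP, SSH and friends speak first
            if data == b"":
                obs["peer_closed"] = "before probe"
                return obs
            obs["banner"] = data
        except socket.timeout:
            pass                        # silent service: no greeting within `timeout`
        except OSError:
            obs["peer_closed"] = "before probe"
            return obs
        try:
            sock.sendall(payload)
            data = sock.recv(1024)
            if data == b"":
                obs["peer_closed"] = "after probe"   # the "Connection closed by foreign host" case
            else:
                obs["reply"] = data
        except socket.timeout:
            pass
        except OSError:                 # RST or EPIPE while probing
            obs["peer_closed"] = "after probe"
    return obs


def classify(obs):
    """Map the observations to the label a scan report should carry."""
    if not obs["connected"]:
        return "closed or filtered"
    if obs["banner"]:
        return "banner"
    if obs["peer_closed"] == "before probe":
        return "accepts then closes"
    if obs["reply"]:
        return "silent, answers input"
    if obs["peer_closed"] == "after probe":
        return "silent, hangs up on input"
    return "silent, ignores input"


def start_fake_service(banner=b"", on_input="close"):
    """Constructed stand-in for a remote host: listens on 127.0.0.1, optionally
    greets with `banner`, then on the first input either drops the connection
    ("close"), echoes it back ("echo") or keeps quiet ("ignore"). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)
                data = conn.recv(1024)
                if on_input == "echo":
                    conn.sendall(b"you said: " + data)
                elif on_input == "ignore":
                    conn.recv(1024)     # block until the client gives up and disconnects
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def report(host, port, timeout=2.0):
    """One report line: what the port is listed as vs. what was observed."""
    obs = probe(host, port, timeout=timeout)
    return f"{port}/tcp listed as {service_name_guess(port)}, observed: {classify(obs)}"


if __name__ == "__main__":
    # Three constructed listeners: one behaves like the quoted telnet session
    # (connects, says nothing, drops the link after "whoami"), one greets like
    # an SMTP server, one just swallows input.
    cases = {
        "like the quoted 4662 session": start_fake_service(on_input="close"),
        "SMTP-style greeter": start_fake_service(banner=b"220 mail.example ESMTP\r\n", on_input="echo"),
        "black hole": start_fake_service(on_input="ignore"),
    }
    for label, port in cases.items():
        print(f"{label:<30} {report('127.0.0.1', port, timeout=1.0)}")
```

The quoted telnet transcript (connect, no greeting, connection dropped right after "whoami") maps to "silent, hangs up on input", which is the opposite of a shell: a shell would have answered. Against a real target the same questions are answered by `nmap -sV -p 4662 x.x.x.120` (version detection actually sends probes and matches responses), and on the host itself by `netstat -tlnp` or `ss -tlnp` as root, which show the PID and program name bound to the port, as James asked for.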

