RE: Host identification



Hi Cedric,

Try using AMAP and see what you are getting; sometimes there are other services sitting on a known port.

http://freeworld.thc.org/thc-amap/

"Amap is a next-generation tool for assisting network penetration testing.
It performs fast and reliable application protocol detection, independent
of the TCP/UDP port they are being bound to."

Roni Bachar
Avnet Penetration Team Manager
www.avnet.co.il




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Cedric Staub
Sent: Friday, August 01, 2008 10:23 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Host identification

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everybody

I recently started scanning the /24 subnets I get assigned
to every time I connect to my ISP, because I was curious
whether my 'virtual neighbours' were running any services.
Now, every time I do a scan, I see at least a couple of
machines with an open port 10000, running WebLogic,
which seems to be a product from Oracle. I don't think
'home users' would use such a product (but maybe I'm
wrong), and was thinking that those were perhaps
part of my ISP's infrastructure. Now I'm curious, what
do you think those machines could be good for, what
is their purpose? And why do I always see at least
three or four of them? I attached a full nmap scan below.

Thank you for any pointers!

Sincerely,
Cedric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIk2J8v0D9btKF36sRAtR0AKC4pk1A6yeaJ7ilE43UHdnOG1kYuQCgiQ6d
NoH3J5WLd8a1eU/8QghM57k=
=BVSo
-----END PGP SIGNATURE-----


-------------------------------------------------------------------------------

# nmap -T Aggressive -A -v TARGET
Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-01 20:48 CEST
Initiating Ping Scan at 20:48
Scanning TARGET [2 ports]
Completed Ping Scan at 20:48, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:48
Completed Parallel DNS resolution of 1 host. at 20:48, 0.02s elapsed
Initiating SYN Stealth Scan at 20:48
Scanning HOSTNAME (TARGET) [1714 ports]
Discovered open port 10000/tcp on TARGET
Completed SYN Stealth Scan at 20:48, 6.00s elapsed (1714 total ports)
Initiating Service scan at 20:48
Scanning 1 service on HOSTNAME (TARGET)
Completed Service scan at 20:48, 6.08s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against HOSTNAME (TARGET)
Retrying OS detection (try #2) against HOSTNAME (TARGET)
Retrying OS detection (try #3) against HOSTNAME (TARGET)
Retrying OS detection (try #4) against HOSTNAME (TARGET)
Retrying OS detection (try #5) against HOSTNAME (TARGET)
TARGET: guessing hop distance at 2
Initiating Traceroute at 20:48
Completed Traceroute at 20:48, 0.05s elapsed
Initiating Parallel DNS resolution of 4 hosts. at 20:48
Completed Parallel DNS resolution of 4 hosts. at 20:48, 0.02s elapsed
SCRIPT ENGINE: Initiating script scanning.
Host HOSTNAME (TARGET) appears to be up ... good.
Interesting ports on HOSTNAME (TARGET):
Not shown: 1710 closed ports
PORT STATE SERVICE VERSION
23/tcp filtered telnet
1720/tcp filtered H.323/Q.931
8080/tcp filtered http-proxy
10000/tcp open http WebLogic httpd
No exact OS matches for host (If you know what OS is running on it,
see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.53%D=8/1%OT=10000%CT=1%CU=38732%PV=N%DS=2%G=Y%TM=48935A96%P=i68
OS:6-pc-linux-gnu)SEQ(SP=22%GCD=1%ISR=50%TI=I%TS=U)SEQ(SP=16%GCD=1%ISR=50%T
OS:I=I%TS=U)SEQ(SP=24%GCD=1%ISR=50%TI=I%TS=U)SEQ(SP=0%GCD=64%ISR=50%TI=I%TS
OS:=U)SEQ(SP=17%GCD=1%ISR=50%TI=I%TS=U)OPS(O1=M578%O2=M578%O3=M280%O4=M578%
OS:O5=M218%O6=M109)WIN(W1=1770%W2=1770%W3=1770%W4=1770%W5=1770%W6=1770)ECN(
OS:R=Y%DF=Y%T=40%W=1770%O=M578%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=1770%S=O%A=S+%F=AS%O=M109%RD=0%Q=)T4(R=Y%DF
OS:=N%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=0%IPL=38%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=6245%RUL=G%RUD=G)IE(R=N)


Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=23 (Good luck!)
IP ID Sequence Generation: Incremental

TRACEROUTE (using port 10000/tcp)
HOP RTT ADDRESS
1 1.33 ...
2 14.85 ... (...)
3 20.71 HOSTNAME (TARGET)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect
results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.857 seconds
Raw packets sent: 1878 (87.982KB) | Rcvd: 1791 (72.646KB)
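
The thread's practical point is that a port number alone does not tell you what is listening, and the nmap output above is the raw material for checking that. As an added example (not part of this thread, and not code from the nmap or amap projects), here is a small Python parser for the two parts of nmap 4.x normal output that matter here: the port table and the concatenated `OS:` fingerprint lines. It then compares the open ports against an expected-service baseline, so an operator can flag a listener whose detected product differs from what the port was documented as. The sample input is the scan quoted above (TARGET/HOSTNAME are the poster's own redactions); the baseline entry mapping 10000/tcp to "Webmin" is a constructed assumption chosen only to show a mismatch firing.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the port table and TCP/IP fingerprint as nmap 4.53
# printed them in the scan quoted in this thread.
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on HOSTNAME (TARGET):
Not shown: 1710 closed ports
PORT STATE SERVICE VERSION
23/tcp filtered telnet
1720/tcp filtered H.323/Q.931
8080/tcp filtered http-proxy
10000/tcp open http WebLogic httpd
No exact OS matches for host (If you know what OS is running on it,
see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.53%D=8/1%OT=10000%CT=1%CU=38732%PV=N%DS=2%G=Y%TM=48935A96%P=i68
OS:6-pc-linux-gnu)SEQ(SP=22%GCD=1%ISR=50%TI=I%TS=U)SEQ(SP=16%GCD=1%ISR=50%T
OS:I=I%TS=U)SEQ(SP=24%GCD=1%ISR=50%TI=I%TS=U)SEQ(SP=0%GCD=64%ISR=50%TI=I%TS
OS:=U)SEQ(SP=17%GCD=1%ISR=50%TI=I%TS=U)OPS(O1=M578%O2=M578%O3=M280%O4=M578%
OS:O5=M218%O6=M109)WIN(W1=1770%W2=1770%W3=1770%W4=1770%W5=1770%W6=1770)ECN(
OS:R=Y%DF=Y%T=40%W=1770%O=M578%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=1770%S=O%A=S+%F=AS%O=M109%RD=0%Q=)T4(R=Y%DF
OS:=N%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=0%IPL=38%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=6245%RUL=G%RUD=G)IE(R=N)
"""

# One row of the "PORT STATE SERVICE VERSION" table; VERSION is optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# One fingerprint test, e.g. T1(R=Y%DF=Y%T=40...), after the OS: lines are joined.
TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str   # name nmap printed in the SERVICE column
    version: str   # product string from version detection, "" if none


def parse_ports(text):
    """Extract every port-table row from nmap normal output."""
    records = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service,
                                      (version or "").strip()))
    return records


def parse_fingerprint(text):
    """Join the OS: lines and split the fingerprint into {test: [fields, ...]}.

    Tests that nmap runs several times (SEQ) become a list of field dicts.
    """
    body = "".join(line[3:] for line in text.splitlines() if line.startswith("OS:"))
    tests = {}
    for name, attrs in TEST_RE.findall(body):
        fields = {}
        for item in attrs.split("%"):
            key, _, value = item.partition("=")
            fields[key] = value
        tests.setdefault(name, []).append(fields)
    return tests


def guessed_initial_ttl(tests):
    """Initial TTL nmap inferred for the T1 probe (the hex 'T' attribute), or None."""
    for fields in tests.get("T1", []):
        if "T" in fields:
            return int(fields["T"], 16)
    return None


def baseline_deviations(records, baseline):
    """Compare open ports with an expected-service baseline.

    baseline maps (port, proto) -> product substring expected in the VERSION
    column. Returns (port, proto, reason) for every open port that is absent
    from the baseline or whose detected product does not match it.
    """
    findings = []
    for r in records:
        if r.state != "open":
            continue
        expected = baseline.get((r.port, r.proto))
        if expected is None:
            findings.append((r.port, r.proto,
                             "open port absent from baseline: %s %s" % (r.service, r.version)))
        elif expected.lower() not in r.version.lower():
            findings.append((r.port, r.proto,
                             "expected %r, detected %r" % (expected, r.version or r.service)))
    return findings


if __name__ == "__main__":
    records = parse_ports(SAMPLE_NMAP_OUTPUT)
    fingerprint = parse_fingerprint(SAMPLE_NMAP_OUTPUT)
    # Constructed baseline: an operator who had documented 10000/tcp as a Webmin console.
    for finding in baseline_deviations(records, {(10000, "tcp"): "Webmin"}):
        print("DEVIATION %d/%s: %s" % finding)
    print("hop distance from SCAN:", fingerprint["SCAN"][0]["DS"])
    print("guessed initial TTL:", guessed_initial_ttl(fingerprint))
```

The baseline comparison is the part worth keeping in a recurring inventory job: parse each new scan, diff it against what you believe is listening, and review only the rows that changed. The fingerprint parser is included because the `OS:` block is otherwise opaque; once split into tests, fields such as `DS` (hop distance) and `T` (initial TTL, hex) can be read directly rather than eyeballed.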

