Device fingerprinting

From: TB (acr872k@hotmail.com)
Date: Sun Aug 18 2002 - 19:52:03 EDT


Hi list,

Recently I came across a weird network infrastructure. Can you help me
identify the types of devices used?

I have this:

[Internet]
----------------------
[An unknown device]
----------------------------------------
[Box 1-Webserver] [Box 2-Mailserver]

I was able to compromise the mailserver using web exploits.
Port scans of each device from either the Internet or the mailserver yield
different results, as shown below.

------------------
From the Internet:
------------------
Unknown device:
     Open ports: 21,23,25,53,80,109,110,442
     Closed ports: 49400,54320,61439,61440,61441,65301
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: FreeBSD 2.2.1 - 4.1, FreeBSD 4.1.1 - 4.3 (X86)

Webserver:
     Open ports: 21,80,3306
     Closed ports: 49400,54320,61439,61440,61441,65401
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: FreeBSD 2.2.1 - 4.1, FreeBSD 4.1.1 - 4.3 (X86)

Mailserver:
     Open ports: 80,110
     Closed ports: None
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: spcheck reports SP6 b1381

---------------------
From the mailserver:
---------------------
Unknown device:
     Open ports: 21,23,25,43,53,80,81,86,109,110,113,119,137,138,139,210,
                 443,808,2000,3306,6668,8080
     Closed ports: None
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: N/A *

Webserver:
     Open ports: 21,23,25,43,80,81,86,109,110,113,119,137,138,139,210,
                 443,808,2000,3306,6668,8080
     Closed ports: None
     Filtered: Everything else
     Replies to echo requests: No
     Nmap tcp fingerprint: N/A *

Mailserver:
     Open ports: N/A
     Closed ports: N/A
     Filtered: N/A
     Replies to echo requests: N/A
     Nmap tcp fingerprint: N/A

* I couldn't properly install WinPcap to have it identify TCP fingerprints,
since that would require a reboot and I have no physical access to the system.

So here are some things we can identify:

1) The presence of the cvc_hostd (442) port on the two interfaces of the
unknown device... anyone could comment?

2) All ICMP traffic that goes through the unknown device is blocked.

3) Some ACLs are used to restrict traffic to both some ports of the unknown
device and the two boxes.

4) The majority of the ports open on the unknown device are forwards to open
ports on the Webserver EXCEPT port 53. I tried
nslookup -class=chaos -type=txt version.bind [the device] and it returns
"unknown domain", so I estimate that the chances of it being BIND are fairly
low.

5) The telnet port on the internal interface of the device seems to be
broken: no daemon listens on it even though the port is open.

Does anyone see any telltale signs of a particular OS/device here? In my
opinion it could be a Cisco or maybe a FreeBSD box, but I'm really unsure. Any
help/comments would be appreciated.

--TB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:24 EDT
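The reasoning in points 3 and 4 of the post (which ports on the unknown device coincide with open ports on the webserver, and which ports the edge ACL hides from the Internet) is a set comparison across two vantage points. The script below is an added example, not code from TB's post or from any tool it names: it transcribes the post's port lists as written (including the 442 seen from the Internet versus the 443 seen from inside, which is kept as-is rather than corrected) into constructed sample data and runs the comparisons. The function and field names are this example's own.

```python
"""Differential port-scan analysis from two vantage points.

Added example, not code from TB's post: the port lists below are constructed
by transcribing the post's numbers as written (including 442 seen from the
Internet versus 443 seen from inside). The classifications are hypotheses to
confirm with further probing, not verdicts about the device.

Views like these come from one scan per vantage point, e.g.
    nmap -sS -Pn -p- -O <target>    (2002-era nmap spelled -Pn as -P0)
with the open/closed sets then fed into the functions below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanView:
    """Open and closed (RST-answering) TCP ports seen for one host from one vantage."""
    host: str
    vantage: str
    open_ports: frozenset
    closed_ports: frozenset = frozenset()


def parse_ports(spec: str) -> frozenset:
    """Parse a comma-separated port list; 'None'/'N/A' means no ports in that state."""
    spec = spec.strip()
    if spec.lower() in ("", "none", "n/a"):
        return frozenset()
    return frozenset(int(p) for p in spec.split(","))


# Scan results transcribed from the post (constructed sample data for this example).
DEVICE_FROM_INTERNET = ScanView(
    "unknown device", "internet",
    parse_ports("21,23,25,53,80,109,110,442"),
    parse_ports("49400,54320,61439,61440,61441,65301"),
)
WEB_FROM_INTERNET = ScanView(
    "webserver", "internet",
    parse_ports("21,80,3306"),
    parse_ports("49400,54320,61439,61440,61441,65401"),
)
DEVICE_FROM_MAIL = ScanView(
    "unknown device", "mailserver",
    parse_ports("21,23,25,43,53,80,81,86,109,110,113,119,137,138,139,210,"
                "443,808,2000,3306,6668,8080"),
)
WEB_FROM_MAIL = ScanView(
    "webserver", "mailserver",
    parse_ports("21,23,25,43,80,81,86,109,110,113,119,137,138,139,210,"
                "443,808,2000,3306,6668,8080"),
)


def likely_forwards(device: ScanView, backend: ScanView) -> tuple:
    """Split the device's open ports into those that coincide with an open backend
    port (candidate NAT/port-forward rules) and those only the device shows
    (a service on the device itself, or a forward to some other host)."""
    shared = device.open_ports & backend.open_ports
    return shared, device.open_ports - shared


def vantage_delta(outside: ScanView, inside: ScanView) -> tuple:
    """Ports reachable only from inside (filtered by an ACL at the edge) and ports
    reachable only from outside (bound to the external interface, or a forward
    that exists only there)."""
    return (inside.open_ports - outside.open_ports,
            outside.open_ports - inside.open_ports)


def summarize() -> dict:
    """Run every comparison and return sorted port lists keyed by finding."""
    fwd_in, dev_only_in = likely_forwards(DEVICE_FROM_MAIL, WEB_FROM_MAIL)
    fwd_out, dev_only_out = likely_forwards(DEVICE_FROM_INTERNET, WEB_FROM_INTERNET)
    filtered_dev, ext_only_dev = vantage_delta(DEVICE_FROM_INTERNET, DEVICE_FROM_MAIL)
    filtered_web, _ = vantage_delta(WEB_FROM_INTERNET, WEB_FROM_MAIL)
    return {
        "forwards_seen_inside": sorted(fwd_in),
        "device_only_inside": sorted(dev_only_in),
        "forwards_seen_outside": sorted(fwd_out),
        "device_only_outside": sorted(dev_only_out),
        "device_ports_acl_filtered": sorted(filtered_dev),
        "device_ports_external_only": sorted(ext_only_dev),
        "web_ports_acl_filtered": sorted(filtered_web),
        # Closed ports answer with RST. Two hosts whose closed sets differ by one
        # port from the same vantage deserve a re-scan: it is either a
        # transcription slip or a different stack answering for that port.
        "closed_port_mismatch": sorted(
            DEVICE_FROM_INTERNET.closed_ports ^ WEB_FROM_INTERNET.closed_ports),
    }


if __name__ == "__main__":
    for finding, ports in summarize().items():
        print(f"{finding:28s} {ports}")
```

Run stand-alone it prints each finding. The inside view reproduces point 4 exactly: every device port except 53 matches an open webserver port. The outside view alone would be misleading, since 25, 109 and 110 look device-native from the Internet (the webserver does not expose them directly), yet the inside view shows the webserver serving them; the ACL merely forbids reaching them on the webserver except through the device. That is why both vantage points are needed before attributing a service to the device itself.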