Re: Port 1443

From: Lee Lawson (leejlawson@gmail.com)
Date: Fri Dec 22 2006 - 03:40:02 EST

• Next message: Clemens, Dan: "RE: Pen-test Freesshd 1.10"
• Previous message: Dan Catalin Vasile: "Re: Banner Grabbing"
• In reply to: Jamie Riden: "Re: Port 1443"
• Next in thread: Jamie Riden: "Re: Port 1443"
• Reply: Jamie Riden: "Re: Port 1443"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Right, let's get this clear now. The question was "what service runs
on 1443". This is not the 1433 and 1434 that MS SQL server runs on.

A quick search on the neohapsis port listing reveals:
1443 tcp ies-lm Integrated Engineering Software
1443 udp ies-lm Integrated Engineering Software

I expected better than the answers given from this mailing list.

I would recommend something similar to Mark Fosters solution
(obviously insert your target IP address!):

nmap -sV -P0 -p 1443 -vv 192.168.1.1
(that's two v's not one w!)

telnet 192.168.1.1 1443

But I would also suggest that you run a sniffer like tcpdump or
wireshark on your attacking system to analyse any response packets.

On 12/22/06, Jamie Riden <jamie.riden@gmail.com> wrote:
> On 22/12/06, Richards, Jim <jim.richards@dot.state.wi.us> wrote:
> > Isn't that the admin port for sql-server
> >
> [resend, bounced due to nonsubcribed address]
>
> Nearly. Slammer exploited a flaw in SQL server on 1434/udp. SQL server
> also uses 1433/tcp IIRC.
>
> "The worm targeting SQL Server computers is self-propagating malicious
> code that exploits the vulnerability described in VU#484891
> (CAN-2002-0649). This vulnerability allows for the execution of
> arbitrary code on the SQL Server computer due to a stack buffer
> overflow.
>
> Once the worm compromises a machine, it will try to propagate itself.
> The worm will craft packets of 376-bytes and send them to randomly
> chosen IP addresses on port 1434/udp. If the packet is sent to a
> vulnerable machine, this victim machine will become infected and will
> also begin to propagate. Beyond the scanning activity for new hosts,
> the current variant of this worm has no other payload." --
> http://www.cert.org/advisories/CA-2003-04.html
>
> cheers,
> Jamie
> --
> Jamie Riden, CISSP / jamesr@europe.com / jamie.riden@gmail.com
> NZ Honeynet project - http://www.nz-honeynet.org/
>

-- 
Lee J Lawson
leejlawson@gmail.com
leejlawson@hushmail.com
"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."
"Quidquid latine dictum sit, altum sonatur."

• Next message: Clemens, Dan: "RE: Pen-test Freesshd 1.10"
• Previous message: Dan Catalin Vasile: "Re: Banner Grabbing"
• In reply to: Jamie Riden: "Re: Port 1443"
• Next in thread: Jamie Riden: "Re: Port 1443"
• Reply: Jamie Riden: "Re: Port 1443"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:29 EDT