From: John Lampe (jwlampe@tenablesecurity.com)
Date: Thu Aug 23 2007 - 15:40:10 EDT
Paul Melson wrote:
> On 8/21/07, Tom Griffin <t.griffin@sheffield.ac.uk> wrote:
>
>>If I suspect that a particular port on a given host is listening for
>>incoming Bittorrent data requests, is there a way I can prove it by
>>means of a probe? I have attempted to find some protocol definition
>>documentation so I can build a very basic script which will pretend to
>>be another Bittorrent client to see how the application handles it, but
>>I cannot find such detailed information.
>>
>>If anybody can help with this, it would be much appreciated.
>
>
> How sure do you have to be? Personally, if I saw a host with port
> 6881 listening, I would treat it as if it had BitTorrent running until
> it was proven otherwise. You can try 'nmap -sV' to see if NMap can
> identify the service listening, but if it is BitTorrent, NMap won't
> identify it. It will fall back to a port number guess instead.
>
> Unfortunately, connecting to a BitTorrent peer port and getting
> anything useful back requires knowing the hash of a torrent being
> shared on that client, which is near impossible to guess. However, if
> you can sniff traffic on this port, you should be able to positively
> identify it as BitTorrent because it will contain the string
> 'BitTorrent protocol' fairly early on in the packet data.
>
I know for a *fact* that it can be passively detected :-) We wrote a
bunch of passive detection plugins for our PVS product.
Actively, I was working on this same thing about a year or so ago. I
was actually generating test cases for a bittorrent fuzzer and noted
that if you sent up to (and including) 95 bytes of data to the peer port
you got no response but if you sent 96 (and up) bytes, you got a
response of varying byte length. I never had the time to track down
why, what, etc....but, here is what I had to at least detect the
service. Oh, and I only tested on a few bittorrent clients, so it might
be product specific :-<
port = 6881; # bittorrent
#port = 63180; # mutorrent
for (i=0; i<95; i++) {init = string(init, raw_string(rand() % 256));}
for (i=0; i<96; i++) {req = string(req, raw_string(rand() % 256));}
soc = open_sock_tcp(port);
if (soc)
{
send(socket:soc, data:init);
r1 = recv(socket:soc, length:65535, timeout:5);
close (soc);
}
soc = open_sock_tcp(port);
if (soc)
{
send(socket:soc, data:req);
r2 = recv(socket:soc, length:65535, timeout:5);
close (soc);
}
if ( (strlen(r1) == 0) && (strlen(r2) > 50) )
security_hole(port);
--
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com
Is your network TENABLE?
---------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:03 EDT