RE: Service Identification

From: MARTIN M. Bénoni (benoni_martin@hotmail.com)
Date: Mon Dec 08 2003 - 04:19:50 EST

• Next message: Martin Mačok: "Re: Service Identification"
• Previous message: Omar Prunera Dols: "Re: Service Identification"
• Maybe in reply to: Beaty, Bryan: "Service Identification"
• Next in thread: Martin Mačok: "Re: Service Identification"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi!

I had the same behavior with one my boxes (nmap sees an open port but not
reply when attempting to connect to it). In my case, it was normal because I
was running a honeypot on my target: I tried one of them (well a very basic
one, NFR BOF under Window$ and IPtrap under Linux, but any "better" honeypot
should do this, even a netcat I guess) asking these tools to monitor TCP/23,
Nmap running against them found TCP/23 open (even if there were NO REAL
service listenig on these ports)...but when telneting the target, no reply.

So one possible reason of this in your case could be a simple honeypot or
any tool like this running on your target.

If you do not have physical access to the machine but a possible ssh for
instance, it should be easy to check what's really going on it...

>From: "Beaty, Bryan" <Bryan.Beaty@vector.com>
>To: <pen-test@securityfocus.com>
>Subject: Service Identification
>Date: Sun, 7 Dec 2003 11:21:01 -0600
>
>I port scanned a box I am working on. I know the box is some form of
>Linux. I see that port 23,25 and 53 are open. I can identify 53 as DNS.
>Both NMAP and AMAP identify it as DNS.
>
>Port 23 and 25 are open but cannot be identified by AMAP or NMAP. When I
>telnet <ip> 23 or 25 I get a blank screen. If I type I just get blank
>spaces or underscore symbols on the screen.
>
>Does this mean the telnet and SMTP server have crashed?
>Could it be that someone has installed some other service on these
>ports?
>How do you identify services that respond like this? Seems like I run
>into this from time to time but I never have learned how to deal with
>it.
>
>Any ideas what to do at this point? I do not have physical access to the
>box.
>
>Thanks,
>Bryan Beaty
>
>---------------------------------------------------------------------------
>----------------------------------------------------------------------------
>

_________________________________________________________________
STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Martin Mačok: "Re: Service Identification"
• Previous message: Omar Prunera Dols: "Re: Service Identification"
• Maybe in reply to: Beaty, Bryan: "Service Identification"
• Next in thread: Martin Mačok: "Re: Service Identification"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT