RE: Service Identification

From: Beaty, Bryan (Bryan.Beaty@vector.com)
Date: Mon Dec 08 2003 - 13:58:34 EST

• Next message: Benjamin Tomhave: "RE: john the ripper"
• Previous message: Martin Maèok: "Re: Service Identification"
• Maybe in reply to: Beaty, Bryan: "Service Identification"
• Next in thread: R. DuFresne: "RE: Service Identification"
• Reply: R. DuFresne: "RE: Service Identification"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I did try this. It was unable to identify the service. I contacted the
client and they stated these were indeed Telnet and SMTP but protected
by TCP wrappers.

Does this sound like the response I would get by a service protected by
TCP wrappers?

Thanks,
Bryan

-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger@badenit.de]
Sent: Monday, December 08, 2003 8:29 AM
To: Beaty, Bryan
Cc: pen-test@securityfocus.com
Subject: RE: Service Identification

Small tip: nmap version 3.40 or newer has an option -sV, which is
service
verification. It will fire a lot of different packets at the port trying
to
get a bead on what is behind it. Did you try that?

Chris Meidinger

-----Original Message-----
From: Beaty, Bryan [mailto:Bryan.Beaty@vector.com]
Sent: Sunday, December 07, 2003 6:21 PM
To: pen-test@securityfocus.com
Subject: Service Identification

I port scanned a box I am working on. I know the box is some form of
Linux. I see that port 23,25 and 53 are open. I can identify 53 as DNS.
Both NMAP and AMAP identify it as DNS.

Port 23 and 25 are open but cannot be identified by AMAP or NMAP. When I
telnet <ip> 23 or 25 I get a blank screen. If I type I just get blank
spaces or underscore symbols on the screen.

Does this mean the telnet and SMTP server have crashed?
Could it be that someone has installed some other service on these
ports?
How do you identify services that respond like this? Seems like I run
into this from time to time but I never have learned how to deal with
it.

Any ideas what to do at this point? I do not have physical access to the
box.

Thanks,
Bryan Beaty

------------------------------------------------------------------------

---
------------------------------------------------------------------------
----
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Benjamin Tomhave: "RE: john the ripper"
• Previous message: Martin Maèok: "Re: Service Identification"
• Maybe in reply to: Beaty, Bryan: "Service Identification"
• Next in thread: R. DuFresne: "RE: Service Identification"
• Reply: R. DuFresne: "RE: Service Identification"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT