RE: Service Identification

From: J. Oquendo (sil@politrix.org)
Date: Mon Dec 08 2003 - 14:47:23 EST


Simplest answer would be to run an analyzer on the segment the machine is
on to see what information (if any) is going through the port. Remember
any program can be assigned to listen on any port, so just because you may
see something such as telnet mapped to port 23, it doesn't mean telnet is
indeed running on that port.

One thing to note also is, if indeed telnet is running on the port, it may
have been configured not to leak out information. In essence, anything can
be running on those ports... e.g.:

finger sil@kungfunix.net

Don't be fooled by what you would see doing that finger. Everything is
false, usernames, et al...

$ grep finger /etc/inetd.conf
#finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
finger stream tcp6 nowait nobody /export/c0t0d0s9/home/sil/./honey

It's a perl listener that catches e-tards doing stupid things. Sometimes I
configure my firewall to block out class ranges if I see multiple asinine
port connections, but it's mainly there for my amusement.

sil

> I did try this. It was unable to identify the service. I contacted the
> client and they stated these were indeed Telnet and SMTP but protected
> by TCP wrappers.

> Does this sound like the response I would get by a service protected by
> TCP wrappers?

> Thanks,
> Bryan

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"I watch gangster flicks and root for the bad guy
and turn it off before it ends because the bad guy dies"
50 Cents - 'Assassins'

This is a farce confidential disclaimer intended to make you
aware that even though this may be privileged information,
being it will become Google cache in the future, my original
intentions of keeping this message restricted and/or private
are thrown out the door. If you have received this e-mail in
error, please enjoy this signature and destroy this message
by dousing it in gasoline.
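An added illustration of the kind of fake listener the post describes (this is not sil's Perl honeypot, just example code written for this archive page): an inetd-style finger handler that parses the RFC 1288 request line, logs the peer and the query, and answers with fabricated output that identifies no real account. The function names, LOG_PATH and the peer-address fallback are assumptions of this example.

```python
import json
import os
import socket
import sys
import time

LOG_PATH = "/var/log/finger-honey.log"  # assumed path, not from the post


def parse_finger_request(line: str) -> dict:
    """Parse one RFC 1288 request line: optional '/W' (verbose), optional user."""
    line = line.rstrip("\r\n")
    verbose = line.startswith("/W")
    if verbose:
        line = line[2:]
    user = line.strip()
    # 'user@host' asks this server to forward the query elsewhere; refuse it.
    return {"verbose": verbose, "user": user, "forward": "@" in user}


def build_response(req: dict) -> str:
    """Fabricated reply that mentions no real account, shell, or login time."""
    if req["forward"]:
        return "Finger forwarding service denied\r\n"
    if not req["user"]:
        return "No one logged on.\r\n"
    return f"Login: {req['user']:<12} Name: (none)\r\nNever logged in.\r\n"


def handle(rfile, wfile, peer: str) -> dict:
    """Serve one connection and return the record to log."""
    raw = rfile.readline()[:256]  # a finger request is a single short line
    req = parse_finger_request(raw)
    wfile.write(build_response(req))
    wfile.flush()
    return {"ts": int(time.time()), "peer": peer, "raw": raw.rstrip("\r\n"), **req}


if __name__ == "__main__":
    # inetd hands us the accepted socket as fd 0, so the peer address is
    # readable from it; xinetd also exports REMOTE_HOST. Otherwise "unknown".
    peer = os.environ.get("REMOTE_HOST", "unknown")
    try:
        peer = socket.socket(fileno=os.dup(0)).getpeername()[0]
    except OSError:
        pass
    record = handle(sys.stdin, sys.stdout, peer)
    with open(LOG_PATH, "a") as log:
        log.write(json.dumps(record) + "\n")
```

Wired into inetd.conf in place of in.fingerd (as in the grep output above), every connection to port 79 becomes one JSON log line with the peer address and the exact query, while the reply leaks nothing about the host.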

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT