RE: Some unusual network features

From: Deckard, Jason (Jason.Deckard@webmd.net)
Date: Wed Jan 14 2004 - 06:38:07 EST

• Next message: Steve Shah: "Re: Auditing / Logging"
• Previous message: Shashank Rai: "Re: Some unusual network features"
• Maybe in reply to: Paul Johnston: "Some unusual network features"
• Next in thread: Alla Bezroutchko: "Re: Some unusual network features"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Paul,

Ports that hang open sound like proprietary connections. If that is the
case, the applications on these ports are waiting for some sort of message
to process. Something found in nearly all application layer protocols is a
means to determine message length. Try sending messages with STX (hex 02)
up front and ETX (hex 03) at the back. You might also want to try some sort
of length header, such as 2 byte binary before the message (try both big and
little endian). An ASCII length header is also a possibility (something
that is fixed length but also plays well with atoi(), such as "00402").

The HTTP application sounds like a home grown application that doesn't
properly handle bad request methods. If the ports that hang open turn out
to be proprietary apps built in-house, the possibility of a home grown HTTP
server seems high.

Best of luck.

-Jason

-----Original Message-----
From: Paul Johnston [mailto:paul@westpoint.ltd.uk]
Sent: Tuesday, January 13, 2004 3:46 AM
To: pen-test@securityfocus.com
Subject: Some unusual network features

Hi,

I've come accross the following anomoloies while auditing a network, can
anyone help explain what they are:

1) Ports that "hang open" i.e. you can connect, send data ok, but the
other end never sends any data and never closes the connection.
2) HTTP ports that function normally when you issue some methods, but on
other methods (including the imaginary method "SILLY") cause the
connection to "hang open" like in (1).
3) Ports where the TTL is different on the SYN reply to the rest of the
connection. ipid's also imply that different hosts are handling the SYN
and the rest of the connection.

I've got some theories, but I'm not sure how much I'm jumping to
conclusions.

Paul

-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
---------------------------------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Steve Shah: "Re: Auditing / Logging"
• Previous message: Shashank Rai: "Re: Some unusual network features"
• Maybe in reply to: Paul Johnston: "Some unusual network features"
• Next in thread: Alla Bezroutchko: "Re: Some unusual network features"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT