From: Gary Rollie (garyr@pria.net)
Date: Thu Mar 25 2004 - 12:16:02 EST
Try Setting up a sniffers on your network and issue a ping or trace
route command from the target system to your agent host. Also another
suggestion is to send a ftp transfer or some other outgoing connection
that you can see/watch from a sniffers or remote site. I would also try
and extend the time nmap waits for a response from the target host ..
Some assumptions I am making;
ICMP isn't dropped at the router or any routers in the path you are
taking otherwise you'll get nothing.
You are actually connected to the host and not just a syn ack ..
Just some thoughts
NiteRaven
-----Original Message-----
From: BillyBobKnob [mailto:billybobknob@hotmail.com]
Sent: Wednesday, March 24, 2004 9:58 PM
To: pen-test@lists.securityfocus.com
Subject: nmap shows open UDP port 113
My friend asked me to see if I could scan or penetrate his firewall. He
= only told me that it was a Linux box setup as a firewall running NAT
to = hide internal IPs.
- I did a nmap -O and a nmap -O --fuzzy but it said "too many =
fingerprints match for accurate OS guess"
but it did tell me that TCP port 113 was in the closed state
- so I tried a TCP reverse inet scan (nmap -sT -I) and it still gave me
= same info as this port was closed
- so I tried nmap -sU and no results
- then I tried nmap -sU -p 113 and it said that UDP port 113 was open !!
I was then able to netcat to it (nc -u ipaddress 113) and I verified =
that I was connected with a netstat.
While connected via netcat I tried sending it commands like (ls, cd ..,
= help, echo) but got nothing.
Is there anything that can be done with this connection ??
Or is there anyway to find out what internal IPs are behind it ?
Thanks,
Bill
------------------------------------------------------------------------
--- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT