From: M. D. (nekromancer@lycos.com)
Date: Tue Aug 31 2004 - 03:01:41 EDT
Dear colleagues,
I've been following this thread without paying too much attention, but I would like to make a few statements based on some loose points I've read.
First: a box with all ports *seemingly* open can be almost anything, EXCEPT a box with all the ports open ;-)
Second: someone mentioned the possibility of it being a honeypot.
Take this into account: a honeypot is designed to look like an interesting machine to hack into, but to look as a "normal" machine, not a weird one. From the cracker perspective it must NOT look like a honeypot at all!
So IMHO the fact that all S requests are responded with SA makes me discard the honeypot idea.
Third: showing all ports as "open" is a good diversion tactic, making life slightly more difficult for the cracker when trying to asses the real open ports.
Fourth: banner grabbing helps, but only for these services that provide a banner if you only look at the ASCII response. Take into account that some services provide a clear binary "signature" when they're present, but lack an ASCII banner. Fire your sniffers...
Fifth: we can guess (experimentation will tell) that all SA answers from ports that are not really open will look more or less the same (i.e. no banner and no specific binary "signature", same packet size, etc.).
Sixth and last: it looks and smells like some kind of protection (like a firewall). People with experience with any of those having this behaviour is telling that in the thread.
Kind regards,
Nekromancer
-- _______________________________________________ Find what you are looking for with the Lycos Yellow Pages http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10 ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:02 EDT