Re: Strange response from network

From: Martin Mačok (martin.macok@underground.cz)
Date: Thu Sep 16 2004 - 05:51:32 EDT

• Next message: chuan.delahosseraye@accenture.com: "RE: Web Application Tester"
• Previous message: GUsh-T: "Re: Web Application Tester"
• In reply to: Shashank Rai: "Strange response from network"
• Next in thread: shashrai@emirates.net.ae: "Re: Strange response from network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Wed, Sep 15, 2004 at 02:36:14PM +0400, Shashank Rai wrote:

> 2) Nmap fails to identify the OS but identifies the service as
> "Microsoft Distributed Transaction Server".

You mean "Microsoft Distributed Transaction Coordinator" ?

What kind of response do you get, when you connect to the port with
netcat and type "GET / HTTP/1.0<enter><enter>" ?

It is probably matching one of ^...\0..$ or ^ERROR\n$ patterns...

> hping2 -S -V -n -c 1 -p 2443 -t 7 TARGET_IP
> using eth0, addr: MY_IP, MTU: 1500
> S set, 40 headers + 0 data bytes
>
> len=46 ip=TARGET_IP ttl=249 id=40109 tos=0 iplen=40
> sport=2443 flags=RA seq=0 win=0 rtt=6.3 ms
> seq=80210401 ack=1098187429 sum=ec0b urp=0

This packet seems to be generated on Linux 2.0/2.2 (win=0, ttl=255,
ack!=0). Try p0f for TCP OS fingerprinting.

> hping2 -S -V -n -c 1 -p 2443 -t 8 TARGET_IP
> using eth0, addr: MY_IP, MTU: 1500
> S set, 40 headers + 0 data bytes
>
> len=46 ip=TARGET_IP ttl=122 id=16401 tos=0 iplen=44
> sport=2443 flags=SA seq=0 win=16384 rtt=6.1 ms
> seq=416937317 ack=1244107777 sum=61fe urp=0

This packet looks like a packet from MS Windows 2000.

> b) is it possible to determine the IP of the 7th HOP.

You could try fingerprinting IP blocks around it, good luck :-)
Try elicit ICMP error messages from the device too.

You could also try getting that info from the node (router? cisco?) in
front of it (SNMP? NTP?).

Martin Mačok
IT Security Consultant

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: chuan.delahosseraye@accenture.com: "RE: Web Application Tester"
• Previous message: GUsh-T: "Re: Web Application Tester"
• In reply to: Shashank Rai: "Strange response from network"
• Next in thread: shashrai@emirates.net.ae: "Re: Strange response from network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT