Re: Nmap/netwag problem.

From: Irene Abezgauz (irene.abezgauz@gmail.com)
Date: Thu Aug 11 2005 - 10:22:08 EDT


On 8/11/05, Pete Herzog <lists@isecom.org> wrote:
...
> Sorry if my post was confusing. I'm saying that a complete handshake is
> not the most reliable way to test for a service. The matter in question
> was what the most reliable way to test further is. I'm not saying it
> should always be done for efficiency's sake, but in matters of
> discrepancy as per the original post, going further to just look for the
> handshake and not send proper data is unreliable.

I think this discussion got mixed between two entirely different
things. The first is identifying whether there is SOMETHING out there
that is listening on port X, and the second is identifying what that
something is.

A complete TCP handshake means a connection has been successfully
established. That cannot be done with anything but an OPEN port,
because closed and filtered ones are not that good at returning
SYN-ACKs.

Now, once we have established there is a service running on our port
X, we want to determine what that service is.

What I do for that is the following:

First and most trivial - check out IANA. There's a chance they are
actually using the port number for what's intended. Then try and
determine whether that's really what's running there (meaning, if I
found port 80 and I suspect it's HTTP, I'll try a GET / HTTP/1.0. If
it's a 25 I'll go for HELO, if it's an Oracle listener I'll use an
Oracle client, and so on).

Second (if the first fails) - telnet/netcat to it, try talking to it
a bit, see whether it responds, and if it does - how it responds. It
might turn out very talkative and informative. (Hello User, I am
Utility X version 1.2.3)

Third - there are a bunch of tools that are good at service
fingerprinting. Get one of those.
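
The two-step distinction the post draws (first, does the handshake complete; second, what answers when you speak the protocol the port number suggests) as an added Python example. This is not code from the post or from nmap/netwag; the probe payloads for ports 80 and 25 are the ones the post names, the fake SMTP and HTTP services, the "Utility X/1.2.3" banner and the hostnames are constructed so the script runs offline against localhost, and the classification rules (HTTP status line, 220 greeting, 250 reply to HELO) are the author's own simplifications for an inventory check of one's own hosts.

```python
import socket
import threading
from collections import namedtuple

# A probe is what to send and whether the server is expected to greet first
# (SMTP does, HTTP waits for the client). Ports and payloads follow the post.
Probe = namedtuple("Probe", "payload server_speaks_first")
PROBES = {
    80: Probe(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n", False),
    25: Probe(b"HELO probe.invalid\r\n", True),
}
# The "telnet to it and see" fallback: wait for a greeting, then send a bare newline.
DEFAULT_PROBE = Probe(b"\r\n", True)

def tcp_open(host, port, timeout=2.0):
    """Step one: the three-way handshake only completes against an open port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def recv_quiet(s):
    """recv() that treats a timeout or a reset as 'nothing more to read'."""
    try:
        return s.recv(1024)
    except OSError:
        return b""

def talk(host, port, probe, timeout=2.0):
    """Step two: read the greeting if one is expected, send the probe, collect the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if probe.server_speaks_first:
            data += recv_quiet(s)
        s.sendall(probe.payload)
        while len(data) < 4096:
            chunk = recv_quiet(s)
            if not chunk:          # peer closed or went quiet: reply is complete
                break
            data += chunk
    return data.decode("latin-1")

def classify(reply):
    """Name the service from how it answered; 'silent' if it said nothing at all."""
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines:
        return "silent"
    if lines[0].startswith("HTTP/"):
        return "http"
    if any(ln.startswith("250") for ln in lines):
        return "smtp"            # the HELO was accepted
    if lines[0].startswith("220"):
        return "smtp-or-ftp"     # 220 greeting, but it did not take our HELO
    return "unknown-talkative"

def identify(host, port, probe=None):
    """Both steps combined; the probe defaults to the IANA guess for the port."""
    result = {"open": False, "service": None, "banner": None, "software": None}
    if not tcp_open(host, port):
        return result
    result["open"] = True
    reply = talk(host, port, probe or PROBES.get(port, DEFAULT_PROBE))
    lines = [ln for ln in reply.splitlines() if ln]
    result["service"] = classify(reply)
    result["banner"] = lines[0] if lines else None
    for ln in lines[1:]:         # an HTTP Server: header is the "Utility X 1.2.3" giveaway
        if ln.lower().startswith("server:"):
            result["software"] = ln.split(":", 1)[1].strip()
    return result

# --- constructed fake services on localhost so the example runs offline ---
def start_fake_service(kind):
    """Listen on an ephemeral port and answer like a minimal SMTP or HTTP server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    if kind == "smtp":
                        conn.sendall(b"220 mail.example ESMTP\r\n")
                        if conn.recv(1024).upper().startswith(b"HELO"):
                            conn.sendall(b"250 mail.example\r\n")
                    else:
                        req = b""
                        while b"\r\n\r\n" not in req:
                            chunk = conn.recv(1024)
                            if not chunk:
                                break
                            req += chunk
                        if req.startswith(b"GET"):
                            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Utility X/1.2.3\r\n\r\n")
            except OSError:
                pass             # client hung up early (e.g. the bare handshake check)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """Pick a port nobody listens on, to show the handshake failing."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Usage: `identify("127.0.0.1", start_fake_service("smtp"), PROBES[25])` returns `open=True`, `service="smtp"` and the 220 greeting as the banner; the same call with the HTTP fake and `PROBES[80]` pulls the software name out of the `Server:` header; `identify("127.0.0.1", unused_port())` stops at step one with `open=False`. Against a real host the probe is chosen from the port number, which is exactly the IANA guess the post starts from, and `DEFAULT_PROBE` is the "just talk to it" fallback for ports with no guess.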


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:44 EDT