Re: rewire the server room?

From: Volker Tanger (vtlists@wyae.de)
Date: Tue Apr 04 2006 - 05:15:43 EDT


Good morning!

On Mon, 3 Apr 2006 17:31:04 +0100
Ade <adrian.bradshaw@gmail.com> wrote:
>
> During a recent scan of a subnet, using NMap,

which version, with which command line switches?

One idea up front: if you used the new 4.x version of nmap scanning for
service and version (-sV), you get the first connect response / server
header on that port printed out (filtered according to protocol).

On a mailserver you might get "220 mail.example.test ESMTP Postfix" when
connecting with telnet - and nmap will thus print something like

        PORT   STATE SERVICE VERSION
        25/tcp open  smtp    Postfix

...unless the postfix admin changed the greeting message in
/etc/postfix/main.cf from
        smtpd_banner = $myhostname ESMTP Postfix
to
        smtpd_banner = $myhostname ESMTP Rewire your server room!

in which case you get with NMap

        PORT   STATE SERVICE VERSION
        25/tcp open  smtp    Rewire your server room!

Some services allow setting the server header by configuration (as with
e.g. Postfix, lighttpd, etc.); some need the change at compile time
or in the binary with a hex editor.

Another option might be a custom inetd/xinetd service running on a port
of your choice (here tcp/81), configured like

        #-------------------------
        # xinetd.conf:
        #-------------------------
        # "hello" is not in /etc/services, so it has to be declared
        # UNLISTED with an explicit protocol and port
        service hello
        {
            type        = UNLISTED
            protocol    = tcp
            port        = 81
            socket_type = stream
            wait        = no
            user        = nobody
            # echo writes its arguments to the socket and exits, so
            # every connect gets the fake "banner" followed by EOF
            server      = /bin/echo
            # xinetd passes quotes through literally, so none here
            server_args = Rewire your server room
            disable     = no
        }

Or the PC is using a simple auth service echoing a static string, a
static ("fake") fingerd, etc.

Maybe it is easiest to investigate on the machine you found that reply
from - and tell us what it was? ;-)

Thanks

Volker

-- 
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
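An added example (not code from Volker's mail or from nmap) showing both halves of what the reply describes: a tiny TCP service that, like the xinetd+echo trick above, sends a fixed string on connect and hangs up, and a banner grab that reads the first response the way nmap -sV's initial probe does. The greeting string and host name are constructed for the example; the server binds to 127.0.0.1 on an ephemeral port, so it runs offline and touches no real mailserver.

```python
import socket
import threading

# Constructed banner for this example (not a real host): a Postfix-style
# SMTP greeting whose "product" text has been replaced, as in the mail.
FAKE_BANNER = b"220 mail.example.test ESMTP Rewire your server room!\r\n"


def serve_banner(banner, host="127.0.0.1", port=0):
    """Start a throwaway TCP service that sends `banner` to every client
    and closes the connection (what xinetd + /bin/echo does).
    Returns (bound_port, stop_event); set the event to shut it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))          # port 0 = let the kernel pick one
    srv.listen(5)
    srv.settimeout(0.2)             # so the loop can notice stop_event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:              # send the banner, then EOF
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def grab_banner(host, port, timeout=2.0, probe=b""):
    """Connect, optionally send a probe, and return whatever the service
    sends first.  With an empty probe this is the "NULL probe" nmap -sV
    starts with: for SMTP the server talks first, so no probe is needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:        # peer closed: banner is complete
                    break
                chunks.append(data)
        except socket.timeout:      # peer kept the socket open; keep what we have
            pass
    return b"".join(chunks).decode("latin-1").strip()


def parse_smtp_greeting(greeting):
    """Split a '220 <host> <text>' greeting into (code, host, text).
    The text is what a version scanner matches its product name from,
    and it is entirely under the admin's control (smtpd_banner)."""
    parts = greeting.split(" ", 2)
    if len(parts) < 2 or not parts[0].isdigit():
        return None
    code, host = int(parts[0]), parts[1]
    text = parts[2] if len(parts) == 3 else ""
    return code, host, text


def demo():
    """Run the fake service, grab its banner, and return the banner text."""
    port, stop = serve_banner(FAKE_BANNER)
    try:
        return grab_banner("127.0.0.1", port)
    finally:
        stop.set()


if __name__ == "__main__":
    banner = demo()
    print(banner)
    print(parse_smtp_greeting(banner))
```

The point the reply makes shows up in the parsed result: the "version" field is just the free text after the host name, so a scanner will happily report "Rewire your server room!" as the product. When you see an odd banner, confirm it by a manual connect (telnet/nc, or grab_banner with a probe) before trusting the scanner's label.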


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:48 EDT