From: Volker Tanger (vtlists@wyae.de)
Date: Tue Apr 04 2006 - 05:15:43 EDT
Good morning!
On Mon, 3 Apr 2006 17:31:04 +0100
Ade <adrian.bradshaw@gmail.com> wrote:
>
> During a recent scan of a subnet, using NMap,
Which version, and with which command-line switches?
One idea up front: if you used the new 4.x version of nmap and scanned for
service and version (-sV), you get the first connect response / server
header on that port printed out (filtered according to protocol).
On a mailserver you might get "220 mail.example.test ESMTP Postfix" when
connecting with telnet - and nmap will thus print something like
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix
...unless the postfix admin changed the greeting message in
/etc/postfix/main.cf from
smtpd_banner = $myhostname ESMTP Postfix
to
smtpd_banner = $myhostname ESMTP Rewire your server room!
in which case you get with NMap
PORT STATE SERVICE VERSION
25/tcp open smtp Rewire your server room!
Some services allow setting the server header by configuration (as with
e.g. Postfix, lighttpd, etc.); some need the change at compile time
or in the binary with a hex editor.
Another option might be a custom inetd/xinetd service listening on a port
(here tcp/81), configured like
#-------------------------
# xinetd.conf:
#-------------------------
# "hello" is not in /etc/services, so declare it UNLISTED and give the
# protocol explicitly; otherwise xinetd refuses to start the service.
service hello
{
    type        = UNLISTED
    protocol    = tcp
    port        = 81
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /bin/echo
    # xinetd passes server_args literally (no shell), so no quotes:
    # they would otherwise show up in the banner
    server_args = Rewire your server room
    disable     = no
}
Or the PC is using a simple auth service echoing a static string, a
static ("fake") fingerd, etc.
Maybe it is easiest to investigate on the machine you found that reply
from - and tell us what it was? ;-)
Thanks
Volker
--
Volker Tanger http://www.wyae.de/volker.tanger/
vtlists@wyae.de
PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
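The point of the reply above is that nmap's VERSION column is only what the
service volunteers on first connect, so anyone can make a port say anything.
The following is an added example (not code from the original post, and not
nmap's own logic) that shows both sides on localhost: a tiny static-banner
listener that behaves like the xinetd /bin/echo service, and a banner
grabber that does what nmap -sV does for a "first connect response", plus a
crude SMTP classification of the result. The banner text and the
classify() heuristic are constructed for the example; an SMTP greeting is
assumed to be "220 <host> ESMTP <software>" as in the Postfix case above.

```python
import socket
import threading

# Constructed banner, modelled on the edited Postfix greeting in the post.
BANNER = b"220 mail.example.test ESMTP Rewire your server room!\r\n"


def serve_static_banner(banner: bytes, host: str = "127.0.0.1", port: int = 0):
    """Listen on host:port, send `banner` to every client and close.

    This is the socket-level equivalent of the xinetd 'server = /bin/echo'
    service: no protocol, no parsing, just a fixed string on connect.
    port=0 lets the OS pick a free port. Returns (stop_event, server_socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.5)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return           # listening socket was closed
            with conn:
                conn.settimeout(2.0)
                conn.sendall(banner)   # say our piece, then hang up

    threading.Thread(target=loop, daemon=True).start()
    return stop, srv, srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0, max_bytes: int = 1024) -> bytes:
    """Connect, send nothing, and return whatever the server says first.

    That is all a 'first connect response' is. Services that wait for the
    client to speak first (HTTP, for instance) return b"" after the timeout.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while sum(len(c) for c in chunks) < max_bytes:
                data = s.recv(max_bytes)
                if not data:      # server closed the connection
                    break
                chunks.append(data)
        except socket.timeout:
            pass                  # silent service: no banner to report
    return b"".join(chunks)


def classify(banner: bytes) -> str:
    """Crude stand-in for nmap's version matching, SMTP case only.

    Whatever follows 'ESMTP' is reported as the 'software', which is exactly
    why the column cannot be trusted: it is attacker/admin-controlled text.
    """
    text = banner.decode("latin-1", "replace").strip()
    if text.startswith("220 ") and "ESMTP" in text:
        return "smtp: " + text.split("ESMTP", 1)[1].strip()
    return "unknown: " + text


def demo() -> str:
    """Start the fake service, grab its banner, classify it, shut down."""
    stop, srv, port = serve_static_banner(BANNER)
    try:
        return classify(grab_banner("127.0.0.1", port))
    finally:
        stop.set()
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The grab is the check a practitioner wants before trusting a scan result:
connect with nothing more than this (or telnet/nc) and read what comes back,
then confirm on the host itself which process owns the port. An empty
result means the service expects the client to talk first, not that nothing
is listening.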
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:48 EDT