RE: TS Problems?

["Hagen, Eric" <ehagen () DenverNewspaperAgency com>]

First, try to run TS into each of those ports.  You can do it by typing
address:port.   Eg.  10.10.1.1:2286

Also, right click "my Computer" choose properties and select the "remote"
tab.  If both of those check boxes are not checked, then TS should be
unusable or off (I haven't verified the behavior of the service when both
are disabled).

Personally, I always change the TS port on machine that have it enabled.
It's much harder to track down.  In addition, it uses encryption, so running
telnet into that port would be very unlikely to reveal much of anything.

Eric

-----Original Message-----
From: Matthew Crape [mailto:mcrape () hotmail com] 
Sent: Thursday, April 22, 2004 9:04 AM
To: security-basics () securityfocus com
Subject: TS Problems?

Hi Group, I am writing this in hopes of getting some advice in trying to
solve a little mystery. As it is right now I am in charge of a small network
(about 50 computers total, including servers). There are only 2 Windows XP
machines on the network that end users use. 
 
I decided to scan one them to see if Terminal Services was running by using
ProbeTS v1.0. It returned a response saying that it is in fact running (and
to quote Thor: "If it gets one, it knows it is a TServer."). Now if I try to
connect to it using Remote Desktop client, it times out and says that it is
not running. I am aware that it can be configured to run on other ports so I
did an nmap scan go the following:
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
4899/tcp open  radmin
5000/tcp open  UPnP
5225/tcp open  unknown
5226/tcp open  unknown
8008/tcp open  unknown
 
Port 5525 is running some HP software (with Apache) and I am not sure about
port 5226. I have assumed that it is also the HP software (although nothing
comes up when I telnet to it). 
 
As for 8008, when I telnet to it it returns the following:
☺
HΩF═
 
Am I being paranoid? Any idea what it could be? Is there any way that I can
fully verify that TS is or is not running on the machine? Thanks for all the
help.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------