Security Incidents mailing list archives
Re: Port 9088
From: Peter Foreman <p.foreman () PLANETMEDIAGROUP NL>
Date: Fri, 6 Oct 2000 15:39:03 +0200
Smart of you hiding the hostname with 'xx' and all, but ever wondered what the '3ff83002' was for? (hint: 3f f8 30 02 = xx.248.xx.02)
So if you really want to hide hostnames and stuff, get rid of the complete hostname. A lot of providers tend to put the IP in the hostname in whatever form.

-Peter
[TRi]@Undernet / Diemen.NL.EU.Undernet.org

-----Original Message-----
From: Erik Tayler [mailto:erik () DIGITALOFFENSE NET]
Sent: Friday, October 06, 2000 3:07 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port 9088

Out of curiosity, I tried something similar... If you don't care to read through the stats, basically, each IP scanned has thousands of filtered ports, making up what appears to be a quickly configured firewall of sorts. Don't expect much from the OS fingerprinting I did { Warning: No TCP ports found open on this machine, OS detection will be MUCH less reliable }

nmap -sS -p 9908 -o out1 -m out2 -v -v -D<hide>decoys</hide> xx.248.xx.1-100

OS scan results are listed below each host.

Host: xx.248.xx.2 (3ff83002.dsl.xxxxx.net) Ports: 9908/filtered/tcp/////
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Host: xx.248.xx.24 (3ff83018.dsl.xxxxx.net) Ports: 9908/filtered/tcp/////
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Host: xx.248.xx.37 (3ff83025.dsl.xxxxx.net) Ports: 9908/filtered/tcp/////
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Host: xx.248.xx.59 (3ff8303b.dsl.xxxxx.net) Ports: 9908/filtered/tcp/////
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

I did "nmap -sT -p 9908 <ip>/<sub>" -- pretty vanilla. I didn't want to be sneaky at all. Funny thing is, I haven't seen any response from network administrators.
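
The point made in the reply above, as an added example that is not part of the original thread: a sanitizer for logs that redacts IPv4 addresses and also drops any hostname that encodes an address in hex or decimal form. The sample line, the addresses (RFC 5737 documentation ranges), the placeholder strings and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Dot-separated labels ending in an alphabetic TLD (so bare IPs never match).
HOSTNAME_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")
# Exactly eight hex digits: an IPv4 address written as one 32-bit value.
HEX_IP_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{8}(?![0-9A-Fa-f])")
# Four decimal groups joined by '-' or '.', e.g. host-198-51-100-7.
DEC_IP_RE = re.compile(
    r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample in the shape of the scan output quoted above.
SAMPLE = ("Host: 192.0.2.24 (c0000218.dsl.example.net) "
          "Ports: 9908/filtered/tcp/////")


def embedded_ips(hostname):
    """Return the IPv4 addresses a hostname appears to encode."""
    found = set()
    for m in HEX_IP_RE.finditer(hostname):
        found.add(str(ipaddress.IPv4Address(int(m.group(), 16))))
    for m in DEC_IP_RE.finditer(hostname):
        octets = [int(g) for g in m.groups()]
        if all(o <= 255 for o in octets):
            # Providers use both forward and reversed (PTR-style) order.
            found.add(".".join(map(str, octets)))
            found.add(".".join(map(str, reversed(octets))))
    return found


def sanitize(text):
    """Redact IPv4 addresses and every hostname that encodes one.

    Deliberately over-redacts: any 8-hex-digit label counts as an address,
    because a false positive costs nothing and a miss leaks the host.
    """
    def fix_host(m):
        return "[host redacted]" if embedded_ips(m.group()) else m.group()

    text = HOSTNAME_RE.sub(fix_host, text)
    return IPV4_RE.sub("[ip redacted]", text)


if __name__ == "__main__":
    print(sanitize(SAMPLE))
```
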