Penetration Testing mailing list archives
Re: All tcp ports open?
From: "Erik Birkholz" <erik () foundstone com>
Date: Mon, 30 Aug 2004 00:28:33 -0700
Just a clarification for the list based on Andres' post.

"I think it should be safe to say that any *real* program will respond with a banner"

This is not a safe assumption, many services do not respond with a banner. Some common examples are Terminal Server and MS SQL Server.

Btw, I have seen this behavior when scanning through a sidewinder firewall. The sidewinder has the capability to send a tcp syn/ack packet response after dropping the inbound packet. Kinda neat, like a deny response but so much better. :)

---------------------------------------
(Msg from BlackBerry Wireless Handheld)
---------------------------------------

Erik Pace Birkholz - CISSP, MCSE
Foundstone, Inc.
Strategic Security

Read Special Ops and mount an assault to eradicate network negligence today.
www.SpecialOpsSeries.com

[Tel] 949.297.5591
[Cel] 323.252.5916
[Fax] 949.297.5575
[pgp] https://www.foundstone.com/pgpkeys/erik-birkholz.asc

-----Original Message-----
From: Andres Riancho <andresit () fibertel com ar>
To: Massimo Cetra <mcetra () navynet it>; 'Ben Timby' <asp () webexc com>; pen-test () securityfocus com <pen-test () securityfocus com>
Sent: Mon Aug 30 00:50:21 2004
Subject: Re: All tcp ports open?

Ben,

What about "nmap -sV"? This will still give you a complete list of open ports, but also will retrieve the banners. I think it should be safe to say that any *real* program will respond with a banner, so only the ports with banners will be the ones you should pen-test.

Andres Riancho
SOC Impsat

----- Original Message -----
From: "Massimo Cetra" <mcetra () navynet it>
To: "'Ben Timby'" <asp () webexc com>; <pen-test () securityfocus com>
Sent: Sunday, August 29, 2004 11:10 AM
Subject: RE: All tcp ports open?
I am not sure what is doing this, but I assume it is a software (or some kind of) firewall/hids, can anybody point me in the right direction?

I am pen-testing a Windows webserver, and a port scan reveals ALL tcp ports open. hping also confirms that a SA is returned for any S packets sent to any port I try. I can connect via netcat any of the ports, and send data, but nothing is returned. In order to verify services, I am required to connect and check for a banner or send appropriate protocol commands to elicit a response.

Has anyone seen this, or have any idea of what this is?

http://www.iptables.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT

This is for Linux but may help you find more information.

Max
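An added example, not part of any poster's message: a small Python sketch of the distinction discussed in this thread, separating ports that send a banner, ports that answer only after a request, and ports that complete the handshake but return nothing. The three localhost listeners, the function names and the HTTP-style probe are constructed for illustration.

```python
import socket
import threading

def serve(handler):  # run handler(conn) per connection on a free localhost port
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    handler(conn)
            except OSError:
                pass
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

# Three constructed listeners standing in for the behaviours in the thread.
def banner_first(conn):            # announces itself right after the handshake
    conn.sendall(b"220 constructed.example ESMTP\r\n")
def speaks_when_spoken_to(conn):   # real service, silent until it gets a request
    if conn.recv(64):
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
def accept_only(conn):             # handshake completes, nothing is ever returned
    while conn.recv(64):
        pass

def classify(port, host="127.0.0.1", wait=0.5, probe=b"HEAD / HTTP/1.0\r\n\r\n"):
    try:
        s = socket.create_connection((host, port), timeout=wait)
    except OSError:
        return "closed"
    with s:
        try:
            if s.recv(256):        # passive wait: did the peer speak first?
                return "banner"
        except OSError:            # timeout (or reset) without any data
            pass
        try:
            s.sendall(probe)       # active probe: some services only answer a request
            if s.recv(256):
                return "answers-probe"
        except OSError:
            pass
    return "handshake-only"

def demo():  # listener name -> verdict for the three constructed listeners
    return {h.__name__: classify(serve(h)) for h in (banner_first, speaks_when_spoken_to, accept_only)}

if __name__ == "__main__":
    print(demo())
```

A "handshake-only" verdict is inconclusive on its own: a service that expects a different protocol than the probe used will look the same as a device answering SYN/ACK on every port.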