RE: Bittorrent Data Port Probe

["Paul Melson" <pmelson () gmail com>]

On 8/23/07, John Lampe <jwlampe () tenablesecurity com> wrote:
> I know for a *fact* that it can be passively detected :-)  We wrote a 
> bunch of passive detection plugins for our PVS product.

Yup.  Snort's had signatures for it for a couple years. ;-)


> port = 6881;    # bittorrent
> #port = 63180;  # mutorrent
>
> for (i=0; i<95; i++) {init = string(init, raw_string(rand() % 256));}
>
> for (i=0; i<96; i++) {req = string(req, raw_string(rand() % 256));}

I can't seem to recreate this:

$ perl -e 'for (my $i=0; $i <= 90; $i++) {print chr(int(rand 255));}' | nc
-v localhost 6881
Connection to localhost 6881 port [tcp/*] succeeded!
$ perl -e 'for (my $i=0; $i <= 95; $i++) {print chr(int(rand 255));}' | nc
-v localhost 6881
Connection to localhost 6881 port [tcp/*] succeeded!
$ perl -e 'for (my $i=0; $i <= 96; $i++) {print chr(int(rand 255));}' | nc
-v localhost 6881
Connection to localhost 6881 port [tcp/*] succeeded!
$ perl -e 'for (my $i=0; $i <= 100; $i++) {print chr(int(rand 255));}' | nc
-v localhost 6881
Connection to localhost 6881 port [tcp/*] succeeded!
$ perl -e 'for (my $i=0; $i <= 1000; $i++) {print chr(int(rand 255));}' | nc
-v localhost 6881
Connection to localhost 6881 port [tcp/*] succeeded!

If you care, the client is bittorrent-curses 4.4.0 on OpenBSD (it's what I
had quick access to).  I haven't tried your nasl code in Nessus, so maybe
I'm missing something. But if I understand your previous post, this should
elicit some response from a seeding client, and in my case it doesn't.

PaulM



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------