Penetration Testing mailing list archives
Re: Bittorrent Data Port Probe
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 24 Aug 2007 17:56:06 -0400
That's correct. The connect message was caused by the -v flag from netcat and was basically there to prove that netcat connected each time. But regardless of the length of the random string, bittorrent didn't respond.

On 8/24/07, Antonio Augusto (Mancha) <mkhaos7 () gmail com> wrote:
> I think this is a bit wrong. For what I can say, the response you got
> "Connection to localhost 6881 port [tcp/*] succeeded!" means that there was
> a server listening on that port and it answered your SYN request. This
> doesn't mean it answered any of the packets you sent to it.
>
> Cheers,
> KM
>
> On 8/24/07, Paul Melson <pmelson () gmail com> wrote:
> > On 8/23/07, John Lampe <jwlampe () tenablesecurity com> wrote:
> > > I know for a *fact* that it can be passively detected :-) We wrote a
> > > bunch of passive detection plugins for our PVS product.
> >
> > Yup. Snort's had signatures for it for a couple years. ;-)
> >
> > > port = 6881; # bittorrent
> > > #port = 63180; # mutorrent
> > > for (i=0; i<95; i++) {init = string(init, raw_string(rand() % 256));}
> > > for (i=0; i<96; i++) {req = string(req, raw_string(rand() % 256));}
> >
> > I can't seem to recreate this:
> >
> > $ perl -e 'for (my $i=0; $i <= 90; $i++) {print chr(int(rand 255));}' | nc -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 95; $i++) {print chr(int(rand 255));}' | nc -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 96; $i++) {print chr(int(rand 255));}' | nc -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 100; $i++) {print chr(int(rand 255));}' | nc -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 1000; $i++) {print chr(int(rand 255));}' | nc -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> >
> > If you care, the client is bittorrent-curses 4.4.0 on OpenBSD (it's what I
> > had quick access to). I haven't tried your nasl code in Nessus, so maybe
> > I'm missing something. But if I understand your previous post, this should
> > elicit some response from a seeding client, and in my case it doesn't.
> >
> > PaulM
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
>
> --
> Informação & Segurança - Information for your security on the network.
> http://info-seg.blogspot.com
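Antonio's point above, that netcat's "succeeded!" line only proves the TCP handshake and says nothing about an application-level reply, can be checked directly. The script below is an added example, not code from this thread: it sends a probe and separates "connected but silent" (the peer hung up or timed out, which is what bittorrent-curses did here) from an actual reply, and recognises a reply that begins with the BitTorrent peer-wire handshake header. The 0x13 "BitTorrent protocol" prefix comes from BEP 3 and is assumed here rather than stated in the thread; fake_listener is a constructed stand-in for the client under test so the script runs offline.

```python
import os
import socket
import threading

# First 20 bytes of a BitTorrent peer-wire handshake (BEP 3): pstrlen=19 + pstr.
# Assumed from the protocol spec; the thread itself never states the format.
BT_MAGIC = b"\x13BitTorrent protocol"

def probe(host, port, payload, timeout=2.0):
    """Send payload and report what came back, not merely whether TCP connected:
    "refused" (no listener), "silent" (connected, but the peer closed or timed out
    without replying), "bittorrent" (handshake header came back), "other:<hex>"."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            s.settimeout(timeout)
            try:
                data = s.recv(68)  # a full peer-wire handshake is 68 bytes
            except socket.timeout:
                return "silent"
    except ConnectionRefusedError:
        return "refused"
    if not data:
        return "silent"  # EOF: the peer hung up, which nc -v never reports
    if data.startswith(BT_MAGIC):
        return "bittorrent"
    return "other:" + data[:8].hex()

def fake_listener(reply):
    """Constructed stand-in for the client under test (not a real BitTorrent client):
    accept one connection, read the probe, send `reply` (maybe empty), hang up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)      # swallow the probe, like a client ignoring garbage
        conn.sendall(reply)  # b"" sends nothing, so the caller sees only EOF
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # the port the stand-in listens on

def demo():
    """Replay the thread's experiment with 96 random bytes against a silent client
    and against one that, unlike bittorrent-curses there, answers with a handshake."""
    random_probe = os.urandom(96)
    silent = probe("127.0.0.1", fake_listener(b""), random_probe)
    talkative = probe("127.0.0.1", fake_listener(BT_MAGIC + bytes(48)), random_probe)
    return silent, talkative
```

Against a real client on port 6881, only a "bittorrent" result means the service answered; "silent" is exactly the case the netcat transcript above could not distinguish from a reply.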