Penetration Testing mailing list archives
FW: Port 4662 exploitation
From: "lgpmsec" <lgpmsec () gmail com>
Date: Mon, 15 Dec 2008 19:24:28 +0200
Hi again all,

Please find below the nmap results for the specific server, and let me know if it adds value:

bt ~ # nmap -sT -vv x.x.x.120

Starting Nmap 4.60 ( http://nmap.org ) at 2008-12-15 15:04 GMT
Initiating Ping Scan at 15:04
Scanning x.x.x.120 [2 ports]
Completed Ping Scan at 15:04, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.00s elapsed
Initiating SYN Stealth Scan at 15:04
Scanning x.y.com (x.x.x.120) [1715 ports]
Discovered open port 53/tcp on x.x.x.120
Discovered open port 443/tcp on x.x.x.120
Discovered open port 80/tcp on x.x.x.120
Discovered open port 113/tcp on x.x.x.120
Discovered open port 554/tcp on x.x.x.120
Discovered open port 22/tcp on x.x.x.120
Discovered open port 636/tcp on x.x.x.120
Discovered open port 25/tcp on x.x.x.120
Discovered open port 389/tcp on x.x.x.120
Discovered open port 21/tcp on x.x.x.120
Discovered open port 3389/tcp on x.x.x.120
Discovered open port 23/tcp on x.x.x.120
Discovered open port 1755/tcp on x.x.x.120
Discovered open port 749/tcp on x.x.x.120
Discovered open port 19/tcp on x.x.x.120
adjust_timeouts2: packet supposedly had rtt of 8544204 microseconds.  Ignoring time.
SYN Stealth Scan Timing: About 50.94% done; ETC: 15:06 (0:00:35 remaining)
Discovered open port 139/tcp on x.x.x.120
Discovered open port 3128/tcp on x.x.x.120
Discovered open port 70/tcp on x.x.x.120
SYN Stealth Scan Timing: About 42.74% done; ETC: 15:07 (0:01:36 remaining)
Discovered open port 465/tcp on x.x.x.120
Discovered open port 1494/tcp on x.x.x.120
Discovered open port 37/tcp on x.x.x.120
Discovered open port 110/tcp on x.x.x.120
Discovered open port 3268/tcp on x.x.x.120
Discovered open port 109/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 5 to 10 due to 25 out of 82 dropped probes since last increase.
Discovered open port 7000/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 10 to 20 due to 11 out of 12 dropped probes since last increase.
Discovered open port 6699/tcp on x.x.x.120
Discovered open port 88/tcp on x.x.x.120
SYN Stealth Scan Timing: About 51.05% done; ETC: 15:16 (0:05:23 remaining)
Increasing send delay for x.x.x.120 from 20 to 40 due to 11 out of 13 dropped probes since last increase.
Discovered open port 43/tcp on x.x.x.120
Discovered open port 79/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 40 to 80 due to 11 out of 13 dropped probes since last increase.
Discovered open port 993/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 80 to 160 due to 11 out of 12 dropped probes since last increase.
Discovered open port 7070/tcp on x.x.x.120
Discovered open port 6666/tcp on x.x.x.120
Discovered open port 569/tcp on x.x.x.120
Discovered open port 4662/tcp on x.x.x.120
Discovered open port 17/tcp on x.x.x.120
Discovered open port 5060/tcp on x.x.x.120
Discovered open port 143/tcp on x.x.x.120
Discovered open port 3269/tcp on x.x.x.120
Discovered open port 513/tcp on x.x.x.120
Discovered open port 1720/tcp on x.x.x.120
Discovered open port 995/tcp on x.x.x.120
Discovered open port 13/tcp on x.x.x.120
Discovered open port 563/tcp on x.x.x.120
Discovered open port 1433/tcp on x.x.x.120
Discovered open port 9/tcp on x.x.x.120
Discovered open port 7/tcp on x.x.x.120
Discovered open port 119/tcp on x.x.x.120
Discovered open port 6667/tcp on x.x.x.120
Completed SYN Stealth Scan at 16:05, 3639.22s elapsed (1715 total ports)
Host x.y.com (x.x.x.120) appears to be up ... good.
Interesting ports on x.y.com (x.x.x.120):
Not shown: 1611 filtered ports, 55 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
9/tcp    open  discard
13/tcp   open  daytime
17/tcp   open  qotd
19/tcp   open  chargen
20/tcp   open  ftp-data
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
37/tcp   open  time
43/tcp   open  whois
53/tcp   open  domain
70/tcp   open  gopher
79/tcp   open  finger
80/tcp   open  http
88/tcp   open  kerberos-sec
109/tcp  open  pop2
110/tcp  open  pop3
113/tcp  open  auth
119/tcp  open  nntp
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
465/tcp  open  smtps
513/tcp  open  login
554/tcp  open  rtsp
563/tcp  open  snews
569/tcp  open  ms-rome
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
993/tcp  open  imaps
995/tcp  open  pop3s
1433/tcp open  ms-sql-s
1494/tcp open  citrix-ica
1720/tcp open  H.323/Q.931
1755/tcp open  wms
3128/tcp open  squid-http
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-term-serv
4662/tcp open  edonkey
6666/tcp open  irc
6667/tcp open  irc
6699/tcp open  napster
7000/tcp open  afs3-fileserver
7070/tcp open  realserver

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3639.314 seconds
           Raw packets sent: 7086 (311.764KB) | Rcvd: 6864 (315.744KB)

I also telneted to the 4662 port, getting:

bt ~ # telnet x.x.x.120 4662
Trying x.x.x.120...
Connected to x.x.x.120.
Escape character is '^]'.
whoami
^QConnection closed by foreign host.

Please advise on how to proceed.

Thank you,
-Mohamad.

________________________________________
From: RaptorX [mailto:graptorx () gmail com]
Sent: Monday, December 15, 2008 5:08 PM
To: Jeremi Gosney
Cc: James Bensley; Jorge L. Vazquez; Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

I agree with Jeremi.
On Sun, Dec 14, 2008 at 8:33 PM, Jeremi Gosney <Jeremi.Gosney () motricity com> wrote:

"when you telnet into an unknown port you are not doing it to get a shell, but to get a tcp header and know what services might be running on that port.."

That statement is most definitely false. While banner collection is certainly one facet of penetration testing, you most definitely ARE checking for things like rootkits. Discovering a shell listening on an arbitrary port is clearly a most valuable find.

Mr Bensley's follow-up questions are most relevant here; surely you would have known what to do if you discovered a shell listening on a port, so my assumption is you are mis-using the word.

Looking forward to your answers.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of James Bensley
Sent: Saturday, December 13, 2008 12:20 PM
To: pen-test () securityfocus com; Jorge L. Vazquez
Cc: Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

Well, when you telnet to that port, do you get a heading in return? Or when you say a shell, do you actually get a prompt to start entering commands? What's the prompt you get, if so? Also, if it is a full shell, can you run any commands? What is the output when you run "whoami"?

Use the netstat command to list any connections (irrelevant of their state, i.e. established or listening) and display the program responsible for the connection, so you can see where it is coming from.

Send us your results ;)

2008/12/13 Jorge L. Vazquez <jlvazquez825 () gmail com>:
when you telnet into an unknown port you are not doing it to get a shell, but to get a tcp header and know what services might be running on that port..

-j0rg3
blog: www.pctechtips.org

Mohamad M wrote:

Hi again,

I agree it looks very weird; I simply started a Syn scan with nmap, and got that tcp 4662 is open; when I telneted to 4662, I got a shell, but then did not know how to proceed, hence my email.

Thanks,

-----Original Message-----
From: ArcSighter Elite [mailto:arcsighter () gmail com]
Sent: Friday, December 12, 2008 11:43 PM
To: Mohamad M
Cc: pen-test () securityfocus com
Subject: Re: Port 4662 exploitation

Mohamad M wrote:

Hello All,

I'm doing a vulnerability assessment for my company, and saw that port 4662 (edonkey) is open on 1 device facing the internet. I telneted to 4662, and I got connected; since I'm new to this domain, what are the steps needed in order to exploit this vulnerability?

Thanks,
./Lgpmsec

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

An open port is never a vulnerability, only if the running service that binds to that port is actually vulnerable. What makes me ask: have you actually done a service fingerprint to determine it is e-donkey? Because that looks pretty weird to me.

Sincerely.

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT/MU/U dpu s: a--> C++>$ U+> L++> B-> P+> E?> W+++>$ N K W++ O M++>$ V- PS+++ PE++ Y+ PGP t 5 X+ R- tv+ b+> DI D+++ G+ e(+++++) h--(++) r++ z++
------END GEEK CODE BLOCK------

--
======================================================================
"The shortest way to do many things is to do only one thing at a time."
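The advice in this thread (ArcSighter: fingerprint the service before calling the port a vulnerability; James Bensley: see whether a banner comes back and what the reply to input looks like) can be turned into a repeatable check instead of a telnet session. The script below is an added example written for this archive page, not code anyone posted to the list. It connects, waits for a greeting, sends a probe, and classifies the reaction; its second probe is a framed eDonkey OP_HELLO, so a listener that really speaks the eDonkey/eMule client protocol answers with an eDonkey-framed reply. The framing constants (0xE3 protocol byte, little-endian 32-bit length, opcode; OP_HELLO 0x01, OP_HELLOANSWER 0x4C) follow the published eMule protocol description; the minimal OP_HELLO payload layout is my reading of that description and is marked as an assumption in the code. The fake peer in `demo()` is constructed for the example and makes no claim about what the thread's x.x.x.120 host was actually running. `nmap -sV -p 4662 <host>` runs the same kind of probes from nmap's own database and is the quicker first step.

```python
# Fingerprint an unknown TCP listener (the thread's tcp/4662) from what it speaks,
# not from the IANA name nmap prints.  Added example, not code from the list; stdlib only.
import socket, struct, threading

# eDonkey/eMule client-to-client framing (published eMule protocol description):
# 1 protocol byte, LE32 length of (opcode + payload), 1 opcode byte.
EDONKEY_PROTO, EMULE_PROTO, PACKED_PROTO = 0xE3, 0xC5, 0xD4
OP_HELLO, OP_HELLOANSWER = 0x01, 0x4C

def edonkey_packet(opcode, payload=b""):
    return struct.pack("<BIB", EDONKEY_PROTO, len(payload) + 1, opcode) + payload

def edonkey_hello(user_hash=b"\x00" * 16, listen_port=4662):
    # Assumed minimal OP_HELLO layout: hash size, hash, client ID, port, tag count
    # (0 here; real clients send name/version tags), server IP, server port.
    body = (struct.pack("<B", 16) + user_hash + struct.pack("<IHI", 0, listen_port, 0)
            + struct.pack("<IH", 0, 0))
    return edonkey_packet(OP_HELLO, body)

def parse_edonkey_header(data):
    """{proto, length, opcode} if data starts like an eDonkey frame, else None."""
    if len(data) < 6 or data[0] not in (EDONKEY_PROTO, EMULE_PROTO, PACKED_PROTO):
        return None
    proto, length, opcode = struct.unpack("<BIB", data[:6])
    return {"proto": proto, "length": length, "opcode": opcode} if length >= 1 else None

def _recv_until_quiet(sock, limit):
    # Read until the peer goes quiet (timeout) or hangs up; report which happened.
    buf, closed = b"", False
    while len(buf) < limit:
        try:
            chunk = sock.recv(limit - len(buf))
        except socket.timeout:
            break
        if not chunk:
            closed = True
            break
        buf += chunk
    return buf, closed

def probe(host, port, payload, timeout=2.0, limit=256):
    """Connect, wait for a greeting, send one probe, record the reaction."""
    r = {"connected": False, "banner": b"", "reply": b"", "closed_by_peer": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            r["connected"] = True
            r["banner"], closed = _recv_until_quiet(s, limit)
            if not closed:
                s.sendall(payload)
                r["reply"], closed = _recv_until_quiet(s, limit)
            r["closed_by_peer"] = closed
    except OSError as exc:
        r["error"] = str(exc)
    return r

def classify(r):
    if not r["connected"]:
        return "no-connect"
    if parse_edonkey_header(r["banner"]) or parse_edonkey_header(r["reply"]):
        return "edonkey-framed"
    data = r["banner"] + r["reply"]
    if not data:
        return "silent-close" if r["closed_by_peer"] else "silent-open"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text-protocol"
    return "binary-unknown"   # e.g. one control byte and a hang-up, as in the thread

def _fake_edonkey_peer(connections=2):
    # Constructed stand-in listener: answers a framed OP_HELLO with OP_HELLOANSWER,
    # sends one junk byte and hangs up on anything else (what "whoami" over telnet got).
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(256)
                except socket.timeout:
                    data = b""
                hdr = parse_edonkey_header(data)
                conn.sendall(edonkey_packet(OP_HELLOANSWER) if hdr and hdr["opcode"] == OP_HELLO else b"\x11")
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo(timeout=0.5):
    """Both probes against the fake peer; returns what each one tells you."""
    srv, port = _fake_edonkey_peer()
    try:
        text = probe("127.0.0.1", port, b"whoami\r\n", timeout=timeout)
        hello = probe("127.0.0.1", port, edonkey_hello(), timeout=timeout)
    finally:
        srv.close()
    return {"text": classify(text), "edonkey": classify(hello),
            "hello_reply": parse_edonkey_header(hello["reply"])}
```

Against a real target call `probe(host, port, edonkey_hello())` and `probe(host, port, b"whoami\r\n")` and look at `classify()` plus the raw bytes. "edonkey-framed" confirms the service behind the port name nmap guessed; "text-protocol" with a banner is what the plain-text services on that host (FTP, SMTP, POP3) give; a single control byte followed by a hang-up, which is what the telnet session in the thread shows (^Q is byte 0x11), is classified "binary-unknown" and tells you nothing about eDonkey at all. In that last case the right next steps are the ones already given in the thread: `nmap -sV` against the port, and `netstat` on the host itself to see which process owns the listener.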
Current thread:
- Port 4662 exploitation Mohamad M (Dec 12)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 12)
- RE: Port 4662 exploitation Mohamad M (Dec 12)
- Re: Port 4662 exploitation Jorge L. Vazquez (Dec 13)
- Re: Port 4662 exploitation James Bensley (Dec 13)
- RE: Port 4662 exploitation Jeremi Gosney (Dec 14)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 15)
- Message not available
- Message not available
- Re: Port 4662 exploitation ArcSighter Elite (Dec 15)
- Re: Port 4662 exploitation James Bensley (Dec 15)
- RE: Port 4662 exploitation Mohamad M (Dec 12)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 12)
- <Possible follow-ups>
- FW: Port 4662 exploitation lgpmsec (Dec 15)
- RE: Port 4662 exploitation Shenk, Jerry A (Dec 15)
- Re: FW: Port 4662 exploitation ArcSighter Elite (Dec 15)
- Re: FW: Port 4662 exploitation Todd Haverkos (Dec 15)
- Re: FW: Port 4662 exploitation Dante Lanznaster (Dec 15)
- Re: Port 4662 exploitation Christopher (Dec 16)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 18)