Re: Port 4662 exploitation

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sr. wrote:
> try to browse to that port with a browser.
>
> throw the telnet prompt a GET HTTP/1.0 and see what you get back. if
> you get html, then it's most likely a web server.
>
> i've seen many instances where a server (firewall) will throw back a
> bunch of open ports. ports that aren't even open on the system in
> question. That host is usually sitting behind a firewall or an IPS. Of
> course, the possibility that those ports are actually open because of
> a careless admin also exists. let's not rule out a honeypot either.
>
> also, verify that port 22 is actually open by telnet(ing) there as
> well. sshd will usually send back a nice little version banner. use
> that information and check that version for known exploits. then learn
> how to run a script from a real shell because you'll have to.
>
> sr.
> <saving bandwidth>
>
> On Mon, Dec 15, 2008 at 4:42 PM, Dante Lanznaster <dantecl () gmail com> wrote:
> > I believe this scan was internal. I really hope so.
> >
> > 1) too many ports open / listening. You need to do service fingerprinting.
> > 2) connecting via telnet to a listening port will always yield a
> > "connected" prompt and that's hardly a shell.
> >
> >
> > On Mon, Dec 15, 2008 at 9:24 AM, lgpmsec <lgpmsec () gmail com> wrote:
> > > Hi again all,
> > >
> > > Please find below the nmap results for the specific server, and let me know
> > > if it adds value:
> > >
> > > bt ~ # nmap -sT -vv x.x.x.120
> > >
> > > Starting Nmap 4.60 ( http://nmap.org ) at 2008-12-15 15:04 GMT
> > > Initiating Ping Scan at 15:04
> > > Scanning x.x.x.120 [2 ports]
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
Excuses to everyone not alluded, but don't you people know this:

        nmap -sS -P0 -T0 -sV -O host 445

It just basic nmap, and will give us the clues we need to help the author.

It's just that, one targeted port on 445 or 22 with service
fingerprinting, and the like. We only need this to get a clue about the
host's purpose.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJSCAvH+KgkfcIQ8cRAtIhAJ44BCmNUhBhsz5xJcigCeNTwgB0ywCfS9fV
L6iJZAg0EN1P+SgROBumtlk=
=dgdQ
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------