Penetration Testing mailing list archives
Re: Interesting GUID
From: James Wright <jamfwright () gmail com>
Date: Tue, 29 Dec 2009 09:58:46 -0500
It may be MS RIS, as it uses client GUIDS as part of the authentication to install MS operating systems. Not sure if it sends out it's own though. A licensing server is a good guess, MS WDS may be another possibility. Thanks, James On Wed, Dec 23, 2009 at 4:47 PM, Jonathan Cran <jcran () 0x0e org> wrote:
Judging by the lack of replies, you're sort of on your own here. It could be a licensing server, it could be some custom-build messaging system, it could just be injecting a little randomness into the universe *shrug* amap probably isn't going to help in this case. i assume you've done fingerprinting on the box using nmap/nessus/nexpose? Maybe try sequencing the GUIDs to identify any interesting patterns? jcran On Sat, Dec 19, 2009 at 5:09 PM, Daniel Clemens <daniel.clemens () packetninjas net> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 While doing a pentest I ran across a service which responds with what looks to be a GUID. Example 1 Connection to x.x.x.x 35000 port [tcp/*] succeeded! {8F418F3C-4530-4198-9988-8B6E8E646991}Q?,?,?w>f???)?? ?nX?W?EOL{8F418F3C-4530-4198-9988-8B6E8E646991}EOL Example 2 0000: 7b46 4641 3131 4334 442d 4437 4237 2d34 [ {FFA11C4D-D7B7-4 ] 0010: 4139 312d 4146 4643 2d32 4133 3534 4143 [ A91-AFFC-2A354AC ] 0020: 3331 4539 457d 1551 ab2c ae2c b077 3e66 [ 31E9E}.Q.,.,.w>f ] 0030: fbb8 cb29 02ab f30c fc6e 5816 1dd1 0400 [ ...).....nX..... ] 0040: 0000 1800 0000 0400 0000 5786 0000 454f [ ..........W...EO ] 0050: 4c7b 4646 4131 3143 3444 2d44 3742 372d [ L{FFA11C4D-D7B7- ] 0060: 3441 3931 2d41 4646 432d 3241 3335 3441 [ 4A91-AFFC-2A354A ] 0070: 4333 3145 3945 7d45 4f4c [ C31E9E}EOL ] Has anyone run across a service which act like the information provided above or could help in why or what a service responding with GUID information would be used for. (especially as an external service). Any ideas would be appreciated. | Daniel Uriah Clemens | Packetninjas L.L.C | | http://www.packetninjas.net | c. 205.567.6850 | | o. 866.267.8851 "Moments of sorrow are moments of sobriety" -----BEGIN PGP SIGNATURE----- iD8DBQFLLU8BlZy1vkUrR4MRAiQUAJ9hnh8Wrjrdb2PFl0/2tlsORxsUUACdFtzD Zklf5QALah+nbM52KaGFf4U= =e1IN -----END PGP SIGNATURE----- ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org -------------------------------------------------------------------------- Jonathan Cran jcran () 0x0e org 515.890.0070 ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Interesting GUID Daniel Clemens (Dec 21)
- Re: Interesting GUID Jonathan Cran (Dec 29)
- Re: Interesting GUID James Wright (Dec 29)
- Re: Interesting GUID Jonathan Cran (Dec 29)