Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations

From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 8 Sep 2004 13:41:43 -0400

Mark Wilson wrote:

I assume you mean lower case v (-v).  Anyway, here it is:
[root@willma root]# nmap -v -p 1-65535 131.204.x.x


Nope. Upper case V. In nmap 3.5 and later, the -V option
performs a variety of things to attempt to identify the
service listening on open ports that are found. If it
doesn't recognize the service, it prints a fingerprint
that can be submitted to the developer along with
information about the service so it will be included
in the next version (at least it did in 3.5, I just tried
to produce it in 3.55 and it didn't print the unknown
fingerprint).

It would seem to be a very useful tool for malware detection
and identification if we could update the signature database
rapidly. That is why I was wondering if you'd tried it on
the malware services listening on the auth port.

Output looks like this:

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     NcFTPd
22/tcp    open  ssh     OpenSSH 3.6.1p2 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.0.49 ((Unix))
111/tcp   open  rpcbind 2 (rpc #100000)
199/tcp   open  smux    Linux SNMP multiplexer
7937/tcp  open  nsrexec 1 (rpc #390113)
32768/tcp open  status  1 (rpc #100024)


PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft IIS webserver 6.0
135/tcp  open  msrpc           Microsoft Windows msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds    Microsoft Windows 2003 microsoft-ds
1025/tcp open  msrpc           Microsoft Windows msrpc
1026/tcp open  msrpc           Microsoft Windows msrpc
1037/tcp open  msrpc           Microsoft Windows msrpc
1055/tcp open  unknown
1311/tcp open  securetransport Tumbleweed SecureTransport Transaction
Manager Secure Port
3389/tcp open  microsoft-rdp   Microsoft Terminal Service (Windows 2000
Server)
5881/tcp open  vnc-http        WinVNC (Server: XXXX; Resolution
1024x800; VNC TCP port: 5981; May be standard or TightVNC)
5981/tcp open  vnc             VNC (protocol 3.3)
6288/tcp open  http            Microsoft IIS webserver 6.0
8000/tcp open  http-alt?
8009/tcp open  ajp13?
8080/tcp open  http            Apache Tomcat/Coyote JSP engine 1.0
8443/tcp open  msdtc           Microsoft Distributed Transaction Coordinator

And on the auth port: (I'd better check these now)

113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//auth?///
113/open/tcp//ident//Liedentd (Claimed user: XXXX)/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//Internet Rex identd/
113/open/tcp//ident//OpenBSD identd/

Again, it didn't print the signature when the service
was unknown as I expected it to and as it did in 3.5.
Maybe its an option on 3.55.


--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Re: IRC, IM Proxy Implementations, (continued)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Hearn, David L. (Sep 08)
- Re: IRC, IM Proxy Implementations Daniel Adinolfi (Sep 08)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 08)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 08)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 08)
- Re: IRC, IM Proxy Implementations Herrera Reyna Omar (Sep 08)
- Re: IRC, IM Proxy Implementations Eric Pancer (Sep 08)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 08)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)