PaulDotCom mailing list archives

P2P Pentesting


From: abcampa at gmail.com (Albert R. Campa)
Date: Thu, 8 Oct 2009 10:11:24 -0500

Sourcefire RNA has default compliance checks for p2p traffic, so you can
easily be alerted for any such traffic.

;)

__________________________________
Albert R. Campa


On Thu, Oct 8, 2009 at 9:17 AM, Michael Douglas <mick at pauldotcom.com> wrote:

> I am wondering what P2P clients are capable of displaying the source IP
> address of the client sharing files

Most of the Gnutella P2P clients will allow you to see what IP a file
is being shared from.  However, I've found that this gets tedious
really fast.  What OS(s) do you have at your disposal?  I can suggest
some clients based on that.



> more importantly, how I can do a P2P search for any files coming from a
> particular source IP address/range?

At present, I've been doing port sweeps with nmap (6346 & 6347 and
sometimes 80) to see if a host is running a gnutella client within a
specific IP range.  From there, simply connect to the IP to see what
files they are sharing.  With some scripts, I've been able to make
this process OKish.


Larry and I had a brainstorming session on what our next steps are to
smooth out the rough parts of p2p discovery work.  We're in
requirements gathering/refinement on a proof-of-concept white hat tool
which should help ease some P2P concerns.  So if you have any
suggestions, do let us know.


Danke! Merci! Asanti!
- Mick



On Thu, Oct 8, 2009 at 8:42 AM, Brian Judd <bjudd at synercomm.com> wrote:
Back in show 154, there was a great presentation on using P2P to discover
information.  One of the guys made a comment about using P2P during
penetration testing and audits to discover information leakage.  I am
wondering what P2P clients are capable of displaying the source IP address
of the client sharing files or more importantly, how I can do a P2P search
for any files coming from a particular source IP address/range?



I have three class C blocks of public IP addresses that I would like to
determine whether any are being used to share files.



Thanks.



Brian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
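
A defensive check in the spirit of the alerting mentioned in this thread, as an added example that is not part of the original messages: it flags hosts in monitored ranges whose flows either start with a Gnutella handshake or use ports 6346/6347. The monitored ranges, the flow-record layout and the sample records are constructed assumptions.

```python
import ipaddress

GNUTELLA_PORTS = {6346, 6347}  # ports named in the thread
# Opening bytes of Gnutella 0.4/0.6 handshake requests and responses
HANDSHAKE_PREFIXES = (b"GNUTELLA CONNECT/", b"GNUTELLA/0.6 ", b"GNUTELLA OK")

# Constructed: documentation ranges standing in for three class C blocks
MONITORED = [ipaddress.ip_network(n) for n in
             ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed flow records: (src_ip, dst_ip, dst_port, first payload bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", "172.16.5.5", 6346, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: x\r\n"),
    ("172.16.5.6", "198.51.100.7", 80, b"GNUTELLA CONNECT/0.6\r\n"),  # non-default port
    ("203.0.113.20", "172.16.5.7", 6347, b""),                        # no payload captured
    ("192.0.2.30", "172.16.5.8", 80, b"GET / HTTP/1.1\r\n"),          # ordinary web traffic
    ("172.16.1.1", "172.16.1.2", 6346, b"GNUTELLA CONNECT/0.6\r\n"),  # outside monitored ranges
]

def in_scope(ip):
    """True if the address belongs to one of the monitored ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED)

def classify(flow):
    """Return 'handshake', 'port-only' or None for a single flow record."""
    src, dst, dport, payload = flow
    if not (in_scope(src) or in_scope(dst)):
        return None
    if payload.startswith(HANDSHAKE_PREFIXES):
        return "handshake"   # protocol evidence, independent of port
    if dport in GNUTELLA_PORTS:
        return "port-only"   # weaker evidence: default port, no payload match
    return None

def findings(flows):
    """Map each monitored host to the strongest evidence seen for it."""
    hosts = {}
    for flow in flows:
        verdict = classify(flow)
        if verdict is None:
            continue
        host = flow[0] if in_scope(flow[0]) else flow[1]
        if verdict == "handshake" or host not in hosts:
            hosts[host] = verdict
    return hosts

if __name__ == "__main__":
    for host, verdict in sorted(findings(SAMPLE_FLOWS).items()):
        print(host, verdict)
```

Matching on the handshake bytes catches clients moved off the default ports, which a port-only rule misses.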
