Penetration Testing mailing list archives

Re: [PEN-TEST] question

From: Mike Forrester <mikef () POCKETLINT COM>
Date: Sun, 17 Dec 2000 12:40:50 -0700

I'd disable NetBIOS over TCP/IP.  When you first boot your box, do a
netstat -a or -an and see what's open.  I have my Win 98 box configured so
that it has NO open ports until I run something (IE, Outlook, etc.).  If you
need help binding NetBIOS from your NIC, let me know.

BTW - This question is probably better suited for the FOCUS-MS list than
PEN-TEST.  You'd probably get more feedback.

Mike

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Skullaria () Earthlink net
Sent: Saturday, December 16, 2000 6:08 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: question

I hope someone can answer this for me.
I was running win98 with zone alarm.  I ran a netstat -a and it showed
123banners.com was listening on port 137, 138 and hour other
higher grabbed
ports.  I thought perhaps I had spyware, but the 137 and port 138 port
bugged me.
I locked down zone and checked for running processes until I just had bare
minimum running.  Zone was locked except for netstat itself.
Still, I was showing these ports were listening.  I ran netcat
from another
machine and the ports were wide open, as if zone alarm wasn't
there.  I did
notice however, that the 123banners.com was resolving to 0.0.0.0, so I
looked at my host file.

I have only a very slow dial up, so a few months back when I first started
playing with tcp/ip and dns, I had altered it so that all banner ads
resolved to 0.0.0.0.  ( I had originally set to loopback but someone in a
mail list mentioned it was even faster set to 0.0.0.0. so I did that.)

Well, 123banners.com was at the top of that list.  I set that entry to
loopback, then watched as the next item down set to 0.0.0.0 took
ports 137,
138 and grabbed some higher ports.  I changed those hostfile
entries I never
want successfully resolved to loopback, and everything is ok now.

My question is, why did that happen?  What makes something set to
resolve at
0.0.0.0 make ports wake up and open their digital ears?

I don't know much about this stuff, I just seriously enjoy it.  Can anyone
explain this?

Thanks,

-Kristi

Current thread:

[PEN-TEST] question Skullaria () Earthlink net (Dec 17)
- Re: [PEN-TEST] question Mike Forrester (Dec 18)
- <Possible follow-ups>
- Re: [PEN-TEST] question Plague, Grandmaster (Dec 17)