Penetration Testing mailing list archives

Re: [PEN-TEST] PC Anywhere protocol


From: Eddie Gradek <eddie.gradek () IGNYTE COM>
Date: Wed, 6 Sep 2000 18:21:44 -0700

Hi All.

Symantec's web site has a pretty good tech note on the ports that the
varieties of pcAny versions use and what ports they connect on.  There is a
ridiculous URL for this, the easiest thing to do is go to:
http://www.symantec.com/techsupp/index.html
<http://www.symantec.com/techsupp/cgi-bin/nsf_search.cgi>
navigate to pcAnywhere 9.0 and Windows NT/98/95, and search on "TCP Ports"
or on "Document ID: 1996123152253".  The first link lists the information
listed above as well as contains URL links to executable downloads that will
help you change ports.  (Remember, if you change the host system to use a
different port, you need to change the host system to use that same port.
duh?)

Something to think about is to change the ports (for example on 7.5 and
higher) from 5631 and 5632 to ports that are registered with IANA.  For
example, your NT file server is not running a web server or a POP3 server.
So you set pcAny to answer for ports 80 and 110.  You then create a .reg
file, something named SERVERNAME.reg, that will import the appropriate ports
into your registry.  Before you launch pcAny from your admin desktop where
you are going to remotely control the file server, you double click on the
.reg file which imports the port information.  Now your admin station is
ready to connect on ports 80 and 110.  If a malicious user / script kiddie /
"insert label here" does a port scan on your internal net, he'll/she'll see
that your server is looking for port 80 and 110 connections.  This is really
not very obvious that they are pcAny ports.  Who cares if they launch a
barrage of attacks against IIS when that system isn't running IIS??  You
can create reg files for all of the servers you are going to remotely
control (or of course if you're checking 100 NT boxes you might want to set
like 1/3 of them to use the same ports, so you only need to make 3 .reg
files.  but then again.... if you've got 100 NT servers to worry about
remotely, you've got other issues.)

My $0.02

Ed
Ignyte Technology, Inc.
www.ignyte.com/

-----Original Message-----
From: Heather Field [mailto:Heather.Field () CTP COM]
Sent: Wednesday, September 06, 2000 2:52 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] PC Anywhere protocol



Actually you can limit it to tcp with a registry key, for version 9.
Heather Field
Cambridge Technology Partners, CNS
O: 310.563.4862
C: 310.489.5679

-----Original Message-----
From: Constable, Bryan [mailto:constablebk () MSX UPMC EDU]
Sent: Wednesday, September 06, 2000 10:57 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] PC Anywhere protocol



It looks like the ports are udp-5630, tcp-5631, udp-5632, and udp ssh-22.  I
don't know if this helps.

-----Original Message-----
From: Oliver Friedrichs [mailto:ofriedrichs () SECURITYFOCUS COM]
Sent: Wednesday, September 06, 2000 12:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] PC Anywhere protocol


Does anyone know of any specifications that document the PC Anywhere
protocol?  I'm primarily interested in the initial authentication portions
of it.

- Oliver

