Penetration Testing mailing list archives
Re: [PEN-TEST] Port 2001 question
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () DELOITTE CO ZA>
Date: Tue, 6 Mar 2001 21:53:40 +0200
This looks to me like a Cisco router, with some filtering on (or in front of) it. A couple of reasons: * Even though it is showing Windows Netbios ports as being filtered, this is not an uncommon thing to be implemented on a border router (unfortunately, not common enough :-) so a scan of any internal devices will show these ports as filtered. Older network security suggestions included explicitly packet filtering certain things like NetBIOS, NFS, X11, RPC, etc right at the border router, and to my mind, this is not a bad thing, even if one does have a firewall immediately after it. * The TCP sequence prediction is a bit better than one expects of a Windows client * Port 2001 is commonly open on Cisco routers, connected to the AUX port. If the router has a modem on AUX, for whatever reason, you could get a terminal session on it by telnetting to port 2001. (I think - I've never done this. Well, never found any routers with modems on the AUX port, anyway) Check if 4001, 6001 and 9001 are also open. If so, this is almost conclusively a Cisco, unless someone is screwing with you :-) See http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm and search for "2001" Rogan -----Original Message----- From: Oliver Petruzel [mailto:oliverpetruzel () EMAIL COM] Sent: 06 March 2001 08:46 To: PEN-TEST () SECURITYFOCUS COM Subject: [PEN-TEST] Port 2001 question Alright friends, I have discovered this during my current project and I have the following nmap data for your review: *** Starting nmapNT V. 2.53 by ryan () eEye com eEye Digital Security ( http://www.eEye.com ) based on nmap by fyodor () insecure org ( www.insecure.org/nmap/ ) Host (x.x.x.x) appears to be up ... good. Initiating SYN half-open stealth scan against (x.x.x.x) Adding TCP port 23 (state open). Adding TCP port 2001 (state open). The SYN scan took 48 seconds to scan 2002 ports. For OSScan assuming that port 23 is open and port 1 is closed and neither are firewalled For OSScan assuming that port 23 is open and port 1 is closed and neither are firewalled For OSScan assuming that port 23 is open and port 1 is closed and neither are firewalled Interesting ports on (x.x.x.x): (The 1997 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 137/tcp filtered unknown 138/tcp filtered unknown 139/tcp filtered unknown 2001/tcp open unknown TCP Sequence Prediction: Class=random positive increments Difficulty=93083 (Worthy challenge) Sequence numbers: 4F8A9A07 4F95D37A 4FA1A007 4FAB4025 4FB77AF2 4FBFEB1C No OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: TSeq(Class=RI%gcd=1%SI=20FF0) TSeq(Class=RI%gcd=1%SI=10490) TSeq(Class=RI%gcd=1%SI=16B9B) T1(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=ME) T2(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=) T3(Resp=Y%DF=N%W=10C0%ACK=S++%Flags=AS%Ops=M) T4(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=) T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=) T7(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=) PU(Resp=N) Nmap run completed -- 1 IP address (1 host up) scanned in 70 seconds *** I have identified port 2001 to be a common Trojan port so this has me concerned and interested. Is there a way to take advantage of TrojanCow installed by someone else? I have no experience with this particular trojan, so any input would be much appreciated. Also, are there any other known uses for this port? Because TrojanCow is a stupid little Windows manipulator so perhaps this is something else. Oliver Petruzel Systems Security Engineer Entercept Security Technologies *Protecting Servers Everywhere!* ----------------------------------------------- FREE! The World's Best Email Address @email.com Reserve your name now at http://www.email.com
Current thread:
- [PEN-TEST] Port 2001 question Oliver Petruzel (Mar 06)
- Re: [PEN-TEST] Port 2001 question Fab Siciliano (Mar 06)
- <Possible follow-ups>
- Re: [PEN-TEST] Port 2001 question Brown, Matt (Mar 06)
- Re: [PEN-TEST] Port 2001 question Dawes, Rogan (ZA - Johannesburg) (Mar 06)
- Re: [PEN-TEST] Port 2001 question c0ncept (Mar 06)
- Re: [PEN-TEST] Port 2001 question -Reply Oliver Petruzel (Mar 06)
- Re: [PEN-TEST] Port 2001 question Porter, Bryce (Mar 06)
- Re: [PEN-TEST] Port 2001 question Block, Edward (Mar 07)