Penetration Testing mailing list archives

Re: Unusual ports found in nmap scan

From: "Aaron Higbee" <aaron () beesecure org>
Date: Fri, 1 Mar 2002 11:49:29 -0500 (EST)

Hi Dave,

If you do a few searches you will see that 445 is the new "NetBios"
(kinda.)  Microst-DS, or Microsoft Directory Services. It's great for
penetration testers because a lot of firewall admins have blocked the
standard Netbios ports.

Quick Tip:  Netbios brute force attacks with brutus work fine if you change
the target port from 139 to 445.

Quick Tip #2:  Null session enumeration works over 445 too. Yay!

--Aaron Higbee

hi Dave,

NtWaK0 released an advisory to bugtraq on 15/02/2002 dealing with port
445,  here's a quick extract:

      TCP/UPD port 445 is open by default on a Fresh installed XP

box.

       : The attack is seriouse since it work remotly and can make the CPU
      100 % : in less then 20 Second.

you can find the full text at:
http://online.securityfocus.com/archive/1/256830

it might not help with port enumeration but it could shed some light on
the  machine's os..

good luck,
nessim


On Wednesday 27 Feb 2002 6:12 pm, you wrote:

Hello All

I'm currently pentesting a client and nmap reports that a particular
host has the following ports open: 82/tcp
445/tcp
447/tcp


<snip>

Does anyone have any further information on these ports and what sort
of application might be running using these open ports (assuming they
are what they say they are!)

Also assuming it's Win2K are there any tools for enumeration on port
445?

All help appreciated

Dave


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see: https://alerts.securityfocus.com/





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Re: Unusual ports found in nmap scan Mehmet Murat Gunsay (Mar 01)
- <Possible follow-ups>
- Re: Unusual ports found in nmap scan Nessim Kisserli (Mar 01)
  - Re: Unusual ports found in nmap scan Aaron Higbee (Mar 01)