Penetration Testing mailing list archives

RE: Service Identification

From: "MARTIN M. Bénoni" <benoni_martin () hotmail com>
Date: Mon, 08 Dec 2003 09:19:50 +0000

Hi!

I had the same behavior with one my boxes (nmap sees an open port but notreply when attempting to connect to it). In my case, it was normal because Iwas running a honeypot on my target: I tried one of them (well a very basicone, NFR BOF under Window$ and IPtrap under Linux, but any "better" honeypotshould do this, even a netcat I guess) asking these tools to monitor TCP/23,Nmap running against them found TCP/23 open (even if there were NO REALservice listenig on these ports)...but when telneting the target, no reply.

So one possible reason of this in your case could be a simple honeypot orany tool like this running on your target.

If you do not have physical access to the machine but a possible ssh forinstance, it should be easy to check what's really going on it...

From: "Beaty, Bryan" <Bryan.Beaty () vector com>
To: <pen-test () securityfocus com>
Subject: Service Identification
Date: Sun, 7 Dec 2003 11:21:01 -0600

I port scanned a box I am working on. I know the box is some form of
Linux. I see that port 23,25 and 53 are open. I can identify 53 as DNS.
Both NMAP and AMAP identify it as DNS.

Port 23 and 25 are open but cannot be identified by AMAP or NMAP. When I
telnet <ip> 23 or 25 I get a blank screen. If I type I just get blank
spaces or underscore symbols on the screen.

Does this mean the telnet and SMTP server have crashed?
Could it be that someone has installed some other service on these
ports?
How do you identify services that respond like this? Seems like I run
into this from time to time but I never have learned how to deal with
it.

Any ideas what to do at this point? I do not have physical access to the
box.

Thanks,
Bryan Beaty

---------------------------------------------------------------------------
----------------------------------------------------------------------------


_________________________________________________________________

STOP MORE SPAM with the new MSN 8 and get 2 months FREE*http://join.msn.com/?page=features/junkmail



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Service Identification Beaty, Bryan (Dec 07)
- Re: Service Identification Omar Prunera Dols (Dec 08)
- Re: Service Identification Martin MaÄok (Dec 08)
- <Possible follow-ups>
- RE: Service Identification Meidinger Chris (Dec 08)
- RE: Service Identification MARTIN M. Bénoni (Dec 08)
- RE: Service Identification Beaty, Bryan (Dec 08)
  - RE: Service Identification R. DuFresne (Dec 09)
- RE: Service Identification J. Oquendo (Dec 08)