Penetration Testing mailing list archives

Re: Is it possible for Nessus and Netstat under win2k to get confused about what is really a "listener"?

From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand () hsc fr>
Date: Tue, 21 Oct 2003 23:27:48 +0200

* James Bowman <jim () drexel edu> [21/10/03 - 20:26]:

Question is - "is it possible that Nessus and Netstat were reading an
established connection or were these real listeners?"


Nessus can not be confused because Nessus scans the machine for opened
ports and only reports ports really opened (i.e, for TCP, ports which
will accept a TCP connection).

What you've just realized is that netstat incorrectly reports TCP
sockets in the LISTENING state.

I've described the problem in my Windows network services minimization
paper:

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html


which contains the following section:

-----------------------------------------------------------------------

The netstat command does not exactly report TCP and UDP ports states.
Instead, it reports state of TDI transport addresses and connection
endpoints, whereas only TDI connection endpoints represent TCP or UDP
sockets. 

In particular, when a Windows system establishes an outgoing TCP
connection (active open), the local port used as source is reported as
in the LISTENING state. 

In the following example, the local system has established a TCP
connection from source port 1367 to destination port 22 of a remote
system.

The netstat command output, filtered to show only lines containing port
number 1367 is:

C:\WINDOWS>netstat -anp tcp | find ":1367"
  TCP    0.0.0.0:1367           0.0.0.0:0              LISTENING
  TCP    192.70.106.142:1367    192.70.106.76:22       ESTABLISHED

The second line shows the established connection, from local port 1367
to remote port 22. However, the first line is incorrect because it
reports local port 1367 in the LISTENING state, whereas no TCP server is
available on this port.

Thus, for each outgoing TCP connection, an additional line will appear
in netstat output, showing a TCP port in LISTENING state. It is
important to make the difference between an opened TCP port and one
incorrectly reported by netstat in the LISTENING state.

Note: this bug has been fixed in Windows Server 2003.

-----------------------------------------------------------------------

Note that the bug is in the API used by netstat and not netstat itself.
Thus, any program that use the same API (GetTcpTable()) is also affected
by the same bug.


Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand () hsc fr
HSC - http://www.hsc.fr/

---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_pen-test_031015
----------------------------------------------------------------------------

Current thread:

Is it possible for Nessus and Netstat under win2k to get confused about what is really a "listener"? James Bowman (Oct 21)
- Re: Is it possible for Nessus and Netstat under win2k to get confused about what is really a "listener"? Jean-Baptiste Marchand (Oct 22)