Penetration Testing mailing list archives
Re: All tcp ports open?
From: "David M. Zendzian" <dmz () dmzs com>
Date: Mon, 30 Aug 2004 12:00:58 -0400
Ben, Do you get any header responses or anything when you connect that could be used to help identify what is allowing all port connects? Do you get iis on 80, and exchange on 25? It could be a honeypot redirect on all ports other than specific, ie 80/443, by the firewall or load balancer in front of machine. Do all ports return tcp counters and other such info that makes it look like all responses are coming back from same end destination host? Do you have access to environment? Can you trace traffic internally? Good luck David -----Original Message----- From: "Massimo Cetra" <mcetra () navynet it> Date: Sun, 29 Aug 2004 16:10:08 To:"'Ben Timby'" <asp () webexc com>, <pen-test () securityfocus com> Subject: RE: All tcp ports open?
I am not sure what is doing this, but I assume it is a software (or some kind of) firewall/hids, can anybody point me in the right direction? I am pen-testing a Windows webserver, and a port scan reveals ALL tcp ports open. hping also confirms that a SA is returned for any S packets sent to any port I try. I can connect via netcat any of the ports, and send data, but nothing is returned. In order to verify services, I am required to connect and check for a banner or send appropriate protocol commands to elicit a response. Has anyone seen this, or have any idea of what this is?
http://www.iptables.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT This is for Linux but may help you finding more informations. Max ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------------- /--------------------------------------\ David M. Zendzian * dmz () dmzs com (415) 867-7812 - phone ------------- Imagination is greater than knowledge * Albert Einstein Every day is a good day, whether you like it or not! * ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Re: All tcp ports open?, (continued)
- Re: All tcp ports open? Varun Pitale (Aug 29)
- RE: All tcp ports open? Mike Sues (Aug 30)
- Re: All tcp ports open? Jack Burton (Aug 30)
- Re: All tcp ports open? GUsh-T (Aug 30)
- Re: All tcp ports open? Chris Brenton (Aug 30)
- Re: All tcp ports open? Nathan R. Valentine (Aug 30)
- Re: All tcp ports open? sol seclists (Aug 30)
- RE: All tcp ports open? Don Parker (Aug 29)
- RE: All tcp ports open? Meidinger Chris (Aug 30)
- RE: All tcp ports open? Todd Towles (Aug 30)
- Re: All tcp ports open? David M. Zendzian (Aug 30)
- Re: All tcp ports open? Erik Birkholz (Aug 30)
- Re: All tcp ports open? Bill Burge (Aug 31)
- RE: All tcp ports open? Beaty, Bryan (Aug 30)
- RE: All tcp ports open? BĂ©noni MARTIN (Aug 31)
- RE: All tcp ports open? Altheide, Cory B. (IARC) (Aug 31)
- Re: All tcp ports open? M. D. (Aug 31)
- Re: All tcp ports open? Varun Pitale (Aug 29)