Penetration Testing mailing list archives

Re: All tcp ports open?

From: "M. D." <nekromancer () lycos com>
Date: Tue, 31 Aug 2004 07:01:41 +0000

Dear colleagues,

I've been following this thread without paying too much attention, but I would like to make a few statements based on
some loose points I've read.

First: a box with all ports *seemingly* open can be almost anything, EXCEPT a box with all the ports open ;-)

Second: someone mentioned the possibility of it being a honeypot.
Take this into account: a honeypot is designed to look like an interesting machine to hack into, but to look as a
"normal" machine, not a weird one. From the cracker perspective it must NOT look like a honeypot at all!
So IMHO the fact that all S requests are responded with SA makes me discard the honeypot idea.

Third: showing all ports as "open" is a good diversion tactic, making life slightly more difficult for the cracker when
trying to asses the real open ports.

Fourth: banner grabbing helps, but only for these services that provide a banner if you only look at the ASCII
response. Take into account that some services provide a clear binary "signature" when they're present, but lack an
ASCII banner. Fire your sniffers...

Fifth: we can guess (experimentation will tell) that all SA answers from ports that are not really open will look more
or less the same (i.e. no banner and no specific binary "signature", same packet size, etc.).

Sixth and last: it looks and smells like some kind of protection (like a firewall). People with experience with any of
those having this behaviour is telling that in the thread.

Kind regards,

Nekromancer

--
_______________________________________________
Find what you are looking for with the Lycos Yellow Pages
http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.com/default.asp?SRC=lycos10

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

Current thread:

Re: All tcp ports open?, (continued)
- Re: All tcp ports open? sol seclists (Aug 30)
- RE: All tcp ports open? Don Parker (Aug 29)
- RE: All tcp ports open? Meidinger Chris (Aug 30)
- RE: All tcp ports open? Todd Towles (Aug 30)
- Re: All tcp ports open? David M. Zendzian (Aug 30)
- Re: All tcp ports open? Erik Birkholz (Aug 30)
  - Re: All tcp ports open? Bill Burge (Aug 31)
- RE: All tcp ports open? Beaty, Bryan (Aug 30)
- RE: All tcp ports open? Bénoni MARTIN (Aug 31)
- RE: All tcp ports open? Altheide, Cory B. (IARC) (Aug 31)
- Re: All tcp ports open? M. D. (Aug 31)