Penetration Testing mailing list archives
RE: Some unusual network features
From: "Deckard, Jason" <Jason.Deckard () webmd net>
Date: Wed, 14 Jan 2004 05:38:07 -0600
Paul,

Ports that hang open sound like proprietary connections. If that is the case, the applications on these ports are waiting for some sort of message to process. Something found in nearly all application layer protocols is a means to determine message length. Try sending messages with STX (hex 02) up front and ETX (hex 03) at the back. You might also want to try some sort of length header, such as 2-byte binary before the message (try both big and little endian). An ASCII length header is also a possibility (something that is fixed length but also plays well with atoi(), such as "00402").

The HTTP application sounds like a home-grown application that doesn't properly handle bad request methods. If the ports that hang open turn out to be proprietary apps built in-house, the possibility of a home-grown HTTP server seems high.

Best of luck.

-Jason

-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Tuesday, January 13, 2004 3:46 AM
To: pen-test () securityfocus com
Subject: Some unusual network features

Hi,

I've come across the following anomalies while auditing a network; can anyone help explain what they are:

1) Ports that "hang open", i.e. you can connect, send data ok, but the other end never sends any data and never closes the connection.

2) HTTP ports that function normally when you issue some methods, but on other methods (including the imaginary method "SILLY") cause the connection to "hang open" like in (1).

3) Ports where the TTL is different on the SYN reply to the rest of the connection. ipid's also imply that different hosts are handling the SYN and the rest of the connection.

I've got some theories, but I'm not sure how much I'm jumping to conclusions.
Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
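As an added illustration (not code from either poster), the three message-length conventions Jason lists, each as an encoder and a receiver-side parser. The parser returns None while a frame is still incomplete, which is the state a port that "hangs open" is sitting in, and bounds the declared length so a receiver does not wait forever on a malformed header. The style names and the MAX_LEN value are assumptions for this example.

```python
import struct

STX, ETX = b"\x02", b"\x03"
MAX_LEN = 65535  # assumed bound: a receiver should never wait on an unbounded length


def frame(payload: bytes, style: str) -> bytes:
    """Wrap payload using one of the framing conventions named in the mail."""
    if style == "stx_etx":
        return STX + payload + ETX
    if style == "len_be":
        return struct.pack(">H", len(payload)) + payload   # 2-byte big endian
    if style == "len_le":
        return struct.pack("<H", len(payload)) + payload   # 2-byte little endian
    if style == "len_ascii":
        return b"%05d" % len(payload) + payload            # fixed width, atoi()-friendly
    raise ValueError(style)


def parse(buf: bytes, style: str):
    """Return (message, rest) when buf holds a complete frame, None when more
    bytes are needed. Raises ValueError on a malformed frame so the receiver
    closes the connection instead of waiting indefinitely."""
    if style == "stx_etx":
        if not buf:
            return None
        if buf[:1] != STX:
            raise ValueError("frame does not start with STX")
        end = buf.find(ETX, 1)
        if end < 0:
            if len(buf) > MAX_LEN + 2:
                raise ValueError("no ETX within MAX_LEN bytes")
            return None                       # still waiting for the terminator
        return buf[1:end], buf[end + 1:]
    if style in ("len_be", "len_le"):
        if len(buf) < 2:
            return None
        (n,) = struct.unpack(">H" if style == "len_be" else "<H", buf[:2])
        hdr = 2
    elif style == "len_ascii":
        if len(buf) < 5:
            return None
        if not buf[:5].isdigit():
            raise ValueError("non-numeric ASCII length header")
        n, hdr = int(buf[:5]), 5
    else:
        raise ValueError(style)
    if n > MAX_LEN:
        raise ValueError("declared length exceeds MAX_LEN")
    if len(buf) < hdr + n:
        return None                           # incomplete: the "hung" state
    return buf[hdr:hdr + n], buf[hdr + n:]
```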
Current thread:
- Some unusual network features Paul Johnston (Jan 13)
- Re: Some unusual network features Nathan R. Valentine (Jan 13)
- Re: Some unusual network features Andrew Simmons (Jan 13)
- Re: Some unusual network features Mike Hoskins (Jan 13)
- Re: Some unusual network features Shashank Rai (Jan 14)
- Re: Some unusual network features Alla Bezroutchko (Jan 14)
- Re: Some unusual network features die tuere (Jan 15)
- Re: Some unusual network features Daniel Lucq (Jan 15)
- <Possible follow-ups>
- RE: Some unusual network features Deckard, Jason (Jan 14)