Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: nmap shows open UDP port 113

From: "Don Parker" <dparker () rigelksecurity com>
Date: Thu, 25 Mar 2004 16:52:57 -0500 (EST)
I have gotten often confusing feedback from nmap before. It always came down to checking 
the actual packets themselves. I always log the packets themselves in a binary format in 
case of discrepancy or conflicting results. I would advise you to log your 
scanning/testing all in binary mode so you can verify unequivocally what has transpired. 
Quick and easy to do with a bpf filter and bitmask.


-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Mar 25, "R. DuFresne" <dufresne () sysinfo com> wrote:


auth is tcp port 113 associated, at least in most setups I've seen, and
can be disabled by editing /etc/inetd.conf and commenting it out, it's a
tad different for say a redhat system and others using xinetd, but, not
all that touch to close;

properly edit the /etc/xinetd.d file corresponding to the service in
question, particulrly the disable = line.

What is interesting is that your system responds to udp port 113....

Thanks,

Ron DuFresne

On Wed, 24 Mar 2004, BillyBobKnob wrote:


My friend asked me to see if I could scan or penetrate his firewall.  He =
only told me that it was a Linux box setup as a firewall running NAT to =
hide internal IPs.

- I did a nmap -O and a nmap -O --fuzzy but it said "too many =
fingerprints match for accurate OS guess"
        but it did tell me that TCP port 113 was in the closed state
- so I tried a TCP reverse inet scan (nmap -sT -I) and it still gave me =
same info as this port was closed
- so I tried nmap -sU and no results
- then I tried nmap -sU -p 113 and it said that UDP port 113 was open !!

I was then able to netcat to it (nc -u ipaddress 113) and I verified =
that I was connected with a netstat.

While connected via netcat I tried sending it commands like (ls, cd .., =
help, echo) but got nothing.


Is there anything that can be done with this connection ??
Or is there anyway to find out what internal IPs are behind it ?


Thanks,
Bill


---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        <a href='http://sysinfo.com&apos;>http://sysinfo.com</a>

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------



---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: