Penetration Testing mailing list archives
Re: Nmap/netwag problem.
From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Thu, 11 Aug 2005 16:22:08 +0200
On 8/11/05, Pete Herzog <lists () isecom org> wrote: ...
> Sorry if my post was confusing. I'm saying that a complete handshake is not the most reliable way to test for a service. The matter in question was what the most reliable way to test further is. I'm not saying it should always be done for efficiency's sake, but in matters of discrepancy as per the original post, going further to just look for the handshake and not send proper data is unreliable.
I think this discussion got mixed between two entirely different things. The first is identifying whether there is SOMETHING out there that is listening on port X, and the second is identifying what that something is. A complete TCP handshake means a connection has been successfully established. That cannot be done with anything but an OPEN port, because closed and filtered ones are not that good at returning SYN-ACKs.

Now, once we have established there is a service running on our port X, we want to determine what that service is. What I do for that is the following:

First and most trivial - check out IANA. There's a chance they are actually using the port number for what's intended. Then try and determine whether that's really what's running there (meaning, if I found port 80 and I suspect it's HTTP, I'll try a GET / HTTP/1.0. If it's a 25 I'll go for HELO, if it's an Oracle listener I'll use an Oracle client, and so on).

Second (if the first fails) - telnet/netcat to it, try talking to it a bit, see whether it responds, and if it does - how it responds. It might turn out very talkative and informative. (Hello User, I am Utility X version 1.2.3)

Third - there is a bunch of tools that are good at service fingerprinting. Get one of those.
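The sequence described in the post above (complete the TCP handshake to confirm something is listening, read any unsolicited banner, then talk to the port with a GET / HTTP/1.0 or a HELO and classify the reply), written out as a small probe script. This is an added example and not code from the original thread, from nmap or from netwag; the `PROBES` table, `probe_port`, `start_fake_service` and the banners and host names used by the fake services are my own constructions for illustration.

```python
"""Three-step service check for an open TCP port (added example).

1. socket.create_connection completes the handshake: refused -> closed,
   no answer -> filtered, success -> open.
2. Read a greeting the service volunteers (SSH, SMTP, FTP speak first).
3. If silent or unrecognised, send protocol probes (HTTP GET, SMTP HELO,
   SSH identification) on fresh connections and match the replies.
All banners/replies below are constructed, not captured from real hosts.
"""
import re
import socket
import socketserver
import threading

# Probes tried in order when the service does not identify itself.
# (label, bytes to send, regex a genuine reply should match)
PROBES = [
    ("http", b"GET / HTTP/1.0\r\n\r\n", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("smtp", b"HELO probe.example.test\r\n", re.compile(rb"^250[ -]")),
    ("ssh", b"SSH-2.0-probe\r\n", re.compile(rb"^SSH-\d\.\d-")),
]

# Greetings that identify a service without sending it anything.
BANNER_PATTERNS = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("ftp", re.compile(rb"^220[ -].*\bFTP\b", re.I)),   # more specific than bare 220
    ("smtp", re.compile(rb"^220[ -]")),
]


def _read(sock, timeout, limit=1024):
    """Read up to `limit` bytes; b"" on timeout, reset or orderly close."""
    sock.settimeout(timeout)
    try:
        return sock.recv(limit)
    except OSError:
        return b""


def identify_banner(banner):
    """Map an unsolicited greeting to a service label, or None."""
    for label, pattern in BANNER_PATTERNS:
        if pattern.search(banner):
            return label
    return None


def probe_port(host, port, timeout=2.0):
    """Return {'state', 'service', 'banner', 'evidence'} for host:port."""
    result = {"state": "unknown", "service": "unknown", "banner": b"", "evidence": b""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["state"] = "closed"      # RST came back: nothing listening
        return result
    except OSError:
        result["state"] = "filtered"    # neither SYN/ACK nor RST in time
        return result
    result["state"] = "open"            # handshake done: something listens
    with sock:
        banner = _read(sock, timeout)
    result["banner"] = banner
    service = identify_banner(banner)
    if service:
        result["service"] = service
        return result
    # Silent or unrecognised: one fresh connection per probe, so a reply
    # (or a disconnect) caused by one probe cannot poison the next.
    for label, payload, pattern in PROBES:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if banner:
                    _read(s, timeout)   # drain the greeting we already saw
                s.sendall(payload)
                reply = _read(s, timeout)
        except OSError:
            continue
        if pattern.search(reply):
            result["service"], result["evidence"] = label, reply
            return result
    return result


class _FakeService(socketserver.BaseRequestHandler):
    """Constructed stand-in for a real daemon: optional greeting, one reply."""
    banner, reply_for, read_timeout = b"", staticmethod(lambda data: b""), 2.0

    def handle(self):
        if self.banner:
            self.request.sendall(self.banner)
        data = _read(self.request, self.read_timeout)
        if data:
            self.request.sendall(self.reply_for(data))


def start_fake_service(banner, reply_for):
    """Start a constructed service on 127.0.0.1:<ephemeral>; caller shuts it down."""
    handler = type("Handler", (_FakeService,),
                   {"banner": banner, "reply_for": staticmethod(reply_for)})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def closed_local_port():
    """Bind and release an ephemeral port so that it is (almost surely) closed."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    smtp = start_fake_service(b"220 mail.example.test ESMTP constructed\r\n",
                              lambda d: b"250 mail.example.test\r\n")
    web = start_fake_service(b"", lambda d: b"HTTP/1.0 200 OK\r\n\r\n" if d.startswith(b"GET") else b"")
    for srv in (smtp, web):
        print(probe_port("127.0.0.1", srv.server_address[1], timeout=0.5))
        srv.shutdown(); srv.server_close()
    print(probe_port("127.0.0.1", closed_local_port(), timeout=0.5))
```

The point of the two fake services is the discrepancy the thread is about: the SMTP-like one greets on its own and is identified without sending a byte, the HTTP-like one stays silent until it is spoken to, so a scanner that stops at the handshake (or at a banner read) reports "open, unknown" for it, while the GET probe settles what it is. Against real targets, raise the timeout and expect some daemons to drop the connection on the first wrong probe, which is exactly why each probe gets its own connection.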
Current thread:
- Nmap/netwag problem. Aleph One (Aug 09)
- Re: Nmap/netwag problem. James Riden (Aug 10)
- RE: Nmap/netwag problem. Irene Abezgauz (Aug 10)
- Re: Nmap/netwag problem. Kaj Huisman (Aug 10)
- Re: Nmap/netwag problem. Pete Herzog (Aug 10)
- Re: Nmap/netwag problem. Bill Weiss (Aug 11)
- Re: Nmap/netwag problem. Kaj Huisman (Aug 11)
- Re: Nmap/netwag problem. Rogan Dawes (Aug 11)
- Re: Nmap/netwag problem. Pete Herzog (Aug 11)
- Re: Nmap/netwag problem. Irene Abezgauz (Aug 11)
- Re: Nmap/netwag problem. Daniel Miessler (Aug 12)
- Re: Nmap/netwag problem. Pete Herzog (Aug 12)
- Re: Nmap/netwag problem. Pete Herzog (Aug 10)
- RE: Nmap/netwag problem. Omar Herrera (Aug 11)
- <Possible follow-ups>
- RE: Nmap/netwag problem. Drage, Nick (Aug 10)
- Re: Nmap/netwag problem. eliudgarcia (Aug 10)
- RE: Nmap/netwag problem. Irene Abezgauz (Aug 11)
- RE: Nmap/netwag problem. laurent . constantin (Aug 11)
- RE: Nmap/netwag problem. Paul J Docherty (Aug 11)