Penetration Testing mailing list archives
RE: Unknown App
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Fri, 22 Jul 2005 18:36:58 +1000
In my experience, there are very few Windows desktops locked down to the extent that you can't embed a 'package' in an office document, when the package refers to "cmd.exe", with any necessary paths etc. Assuming you've got Office installed, give it a try.

Lyal

-----Original Message-----
From: Aleksander P. Czarnowski [mailto:alekc () avet com pl]
Sent: Friday, 22 July 2005 6:56 AM
To: Bartholomew, Brian J; thenightweighsheavy () gmail com; pen-test () securityfocus com
Subject: RE: Unknown App

This will work only if command prompt access is granted - guess clicking on Control Panel/Add-Remove Application icon would be easier in case of legitimate application ;-)

In case of remote test the most simple solution would be nmap's -A switch or some other application fingerprinting tool. You can also try to do some fuzzing and see if you'll get any response. Secondly - because this is a Windows system - you might try to enumerate remotely running services or access system/application logs remotely (considering you have credentials or there are no restrictions on NULL session and ports 135-139 are not filtered.)

Best Regards,
Aleksander Czarnowski
AVET INS
-----Original Message-----
From: Bartholomew, Brian J [mailto:BartholomewBJ () state gov]
Sent: Thursday, July 21, 2005 6:47 PM
To: thenightweighsheavy () gmail com; pen-test () securityfocus com
Subject: RE: Unknown App

A simple Fport should tell you what it is...

http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

Brian J. Bartholomew (CISSP)
Red Cell
US Department of State
Bureau of Diplomatic Security
Office of Computer Security
Ph: 571-345-2670
Cell: 202-369-6349

-----Original Message-----
From: thenightweighsheavy () gmail com [mailto:thenightweighsheavy () gmail com]
Sent: Thursday, July 21, 2005 2:56 AM
To: pen-test () securityfocus com
Subject: Unknown App

Hello,

During a recent pen-test, I discovered that port 80 is opened by an unknown application on multiple client workstations (WinXP). No web server appears to be running or installed - I've tested a few things, but I'm curious what the list thinks is the best next-step to take.

Thanks,
Golden Earring
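
The port-to-process mapping that the thread suggests getting from Fport can also be approximated by joining the output of the built-in `netstat -ano` and `tasklist /fo csv /nh` commands on PID. This is an added example, not part of the original thread; the sample output, the process name `agentsvc.exe` and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.20:1055      192.168.1.5:80         ESTABLISHED     2210
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed sample of `tasklist /fo csv /nh`; agentsvc.exe is a made-up name.
TASKLIST_CSV = '''\
"System","4","Console","0","216 K"
"svchost.exe","932","Console","0","3,104 K"
"agentsvc.exe","1844","Console","0","5,820 K"
"iexplore.exe","2210","Console","0","18,432 K"
'''


def listeners(netstat_text):
    """Yield (proto, local_port, pid) for sockets that accept traffic."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        # UDP rows have no State column; TCP rows count only when LISTENING,
        # so an outbound connection *to* port 80 is not mistaken for a server.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        port = int(f[1].rsplit(":", 1)[1])  # rsplit also copes with [::]:80
        yield f[0], port, int(f[-1])


def image_names(tasklist_csv):
    """Map PID -> image name; csv handles commas inside the memory column."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}


def owner_of(port, netstat_text, tasklist_csv, proto="TCP"):
    """Return [(pid, image_name)] for every listener on proto/port."""
    names = image_names(tasklist_csv)
    return [(pid, names.get(pid, "<not in tasklist output>"))
            for p, lport, pid in listeners(netstat_text)
            if p == proto and lport == port]
```

A PID that appears in the listener list but not in the process list is itself worth investigating, since the two commands were run moments apart on the same host.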