Penetration Testing mailing list archives

RE: Unknown App


From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Fri, 22 Jul 2005 18:36:58 +1000

In my experience, there are very few Windows desktops locked down to the
extent that you can't embed a 'package' in an Office document, when the
package refers to "cmd.exe", with any necessary paths etc.
Assuming you've got Office installed, give it a try.
Lyal

-----Original Message-----
From: Aleksander P. Czarnowski [mailto:alekc () avet com pl] 
Sent: Friday, 22 July 2005 6:56 AM
To: Bartholomew, Brian J; thenightweighsheavy () gmail com;
pen-test () securityfocus com
Subject: RE: Unknown App


This will work only if command prompt access is granted - guess clicking on
the Control Panel/Add-Remove Application icon would be easier in the case of
a legitimate application ;-)

In the case of a remote test, the simplest solution would be nmap's -A switch or
some other application fingerprinting tool. You can also try doing some fuzzing
and see if you get any response. Secondly - because this is a Windows
system - you might try to enumerate remotely running services or access
system/application logs remotely (considering you have credentials or there
are no restrictions on NULL sessions and ports 135-139 are not filtered).

Best Regards,
Aleksander Czarnowski
AVET INS 

-----Original Message-----
From: Bartholomew, Brian J [mailto:BartholomewBJ () state gov]
Sent: Thursday, July 21, 2005 6:47 PM
To: thenightweighsheavy () gmail com; pen-test () securityfocus com
Subject: RE: Unknown App


A simple Fport should tell you what it is...

http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

Brian J. Bartholomew (CISSP)
Red Cell
US Department of State
Bureau of Diplomatic Security
Office of Computer Security
Ph: 571-345-2670
Cell: 202-369-6349


-----Original Message-----
From: thenightweighsheavy () gmail com 
[mailto:thenightweighsheavy () gmail com]
Sent: Thursday, July 21, 2005 2:56 AM
To: pen-test () securityfocus com
Subject: Unknown App


Hello,

During a recent pen-test, I discovered that port 80 is opened by
an unknown application on multiple client workstations (WinXP).  
No web server appears to be running or installed - I've tested a 
few things, but I'm curious what the list thinks is the best 
next-step to take.
Thanks,
Golden Earring


