Penetration Testing mailing list archives
Re: Bittorrent Data Port Probe
From: "Jonathan Yu" <jonathan.i.yu () gmail com>
Date: Wed, 22 Aug 2007 22:28:17 -0400
Hi there,

While you should be able to tell if it is BitTorrent based on traffic sniffing under normal circumstances, there is also an implementation of encryption compatible with clients such as uTorrent and Azureus, so it becomes infeasible to tell whether or not it is BitTorrent traffic.

However, if you have traffic sniffing, then you can watch which hosts the client connects to -- most trackers run on unencrypted HTTP connections; you can look for common things such as "announce.php" scripts or perhaps basing it on the DNS names used.

I am not a BitTorrent client developer so I don't know about the internals of the protocol, but I have been using it as a client for about a year now and have just gathered little bits here and there about the implementation.

I know that with uTorrent, there is an option to completely disable Legacy (non-encrypted) connections. Users could then use a popular tracker over HTTPS (I am not sure if any currently exist) -- that would mean that they have plausible deniability in terms of what they were using the tracker for.

I am not sure if you are trying to block use of BitTorrent altogether or just illicit use, so the solution you choose could be either moderately simple or very tricky...

I apologize if any information I have given here is incorrect because, again, I am not an expert.

Hope this helps.

Regards,
Jonathan Yu

On 8/22/07, Paul Melson <pmelson () gmail com> wrote:
> On 8/21/07, Tom Griffin <t.griffin () sheffield ac uk> wrote:
> > If I suspect that a particular port on a given host is listening for
> > incoming Bittorrent data requests, is there a way I can prove it by
> > means of a probe? I have attempted to find some protocol definition
> > documentation so I can build a very basic script which will pretend to
> > be another Bittorrent client to see how the application handles it, but
> > I cannot find such detailed information. If anybody can help with this,
> > it would be much appreciated.
>
> How sure do you have to be? Personally, if I saw a host with port 6881
> listening, I would treat it as if it had BitTorrent running until it was
> proven otherwise. You can try 'nmap -sV' to see if NMap can identify the
> service listening, but if it is BitTorrent, NMap won't identify it. It
> will fall back to a port number guess instead.
>
> Unfortunately, connecting to a BitTorrent peer port and getting anything
> useful back requires knowing the hash of a torrent being shared on that
> client, which is near impossible to guess. However, if you can sniff
> traffic on this port, you should be able to positively identify it as
> BitTorrent because it will contain the string 'BitTorrent protocol'
> fairly early on in the packet data.
>
> If you do discover a good working probe for BitTorrent, please share it
> with Fyodor so that he can add it to NMap.
>
> Good luck!
> PaulM
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
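The two cleartext indicators mentioned in this thread (the 'BitTorrent protocol' string at the start of a peer connection and tracker requests to "announce" scripts over HTTP) can be checked against captured TCP payloads as in the following added example, which is not part of the original posts. The function names and sample payloads are constructed for illustration; the handshake layout (length byte 19, the protocol string, 8 reserved bytes, 20-byte info hash, 20-byte peer id) follows the published BitTorrent protocol specification, and encrypted connections will not match either check.

```python
import re
from urllib.parse import parse_qs, urlsplit

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # pstrlen, pstr, reserved, info_hash, peer_id
REQUEST_LINE = re.compile(rb"^GET (\S+) HTTP/1\.[01]\r\n")

def parse_handshake(payload: bytes):
    """Return handshake fields if payload opens with a cleartext peer handshake, else None."""
    if len(payload) < 1 + len(PSTR) or payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    fields = {"reserved": payload[20:28].hex(), "info_hash": None, "peer_id": None}
    if len(payload) >= HANDSHAKE_LEN:  # a first segment may be truncated in a capture
        fields["info_hash"] = payload[28:48].hex()
        fields["peer_id"] = payload[48:68].decode("latin-1")
    return fields

def parse_announce(payload: bytes):
    """Return path and advertised port if payload is an HTTP tracker announce, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    url = urlsplit(m.group(1).decode("latin-1"))
    params = parse_qs(url.query, encoding="latin-1")
    if "announce" not in url.path or "info_hash" not in params:
        return None
    return {"path": url.path, "port": params.get("port", [None])[0]}

def classify(payload: bytes) -> str:
    """Label one TCP payload; opaque (e.g. encrypted) data stays 'unknown'."""
    if parse_handshake(payload):
        return "bittorrent-peer-handshake"
    if parse_announce(payload):
        return "bittorrent-tracker-announce"
    return "unknown"

# Constructed sample payloads (not captured traffic).
SAMPLE_HANDSHAKE = bytes([19]) + PSTR + bytes(8) + bytes(range(20)) + b"-XX0000-" + b"0" * 12
SAMPLE_ANNOUNCE = b"GET /announce.php?info_hash=%01%02%03&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
SAMPLE_WEB = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
SAMPLE_OPAQUE = bytes(range(100, 168))  # stand-in for an encrypted connection

if __name__ == "__main__":
    for name in ("SAMPLE_HANDSHAKE", "SAMPLE_ANNOUNCE", "SAMPLE_WEB", "SAMPLE_OPAQUE"):
        print(name, "->", classify(globals()[name]))
```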
Current thread:
- Bittorrent Data Port Probe Tom Griffin (Aug 21)
- Re: Bittorrent Data Port Probe Paul Melson (Aug 22)
- Re: Bittorrent Data Port Probe Jonathan Yu (Aug 22)
- Re: Bittorrent Data Port Probe John Lampe (Aug 23)
- Re: Bittorrent Data Port Probe p1g (Aug 23)
- RE: Bittorrent Data Port Probe Paul Melson (Aug 24)
- Re: Bittorrent Data Port Probe John Lampe (Aug 24)
- Message not available
- Re: Bittorrent Data Port Probe Paul Melson (Aug 24)
- Re: Bittorrent Data Port Probe Paul Melson (Aug 22)