Re: Bittorrent Data Port Probe

[p1g <killfactory () gmail com>]

What John said.

Nessus can be used to determine this. You could write your own plugin to check.

PVS is nice.

On 8/23/07, John Lampe <jwlampe () tenablesecurity com> wrote:
> Paul Melson wrote:
>
> > On 8/21/07, Tom Griffin <t.griffin () sheffield ac uk> wrote:
> >
> > > If I suspect that a particular port on a given host is listening for
> > > incoming Bittorrent data requests, is there a way I can prove it by
> > > means of a probe? I have attempted to find some protocol definition
> > > documentation so I can build a very basic script which will pretend to
> > > be another Bittorrent client to see how the application handles it, but
> > > I cannot find such detailed information.
> > >
> > > If anybody can help with this, it would be much appreciated.
> >
> >
> > How sure do you have to be?  Personally, if I saw a host with port
> > 6881 listening, I would treat it as if it had BitTorrent running until
> > it was proven otherwise.  You can try 'nmap -sV' to see if NMap can
> > identify the service listening, but if it is BitTorrent, NMap won't
> > identify it.  It will fall back to a port number guess instead.
> >
> > Unfortunately, connecting to a BitTorrent peer port and getting
> > anything useful back requires knowing the hash of a torrent being
> > shared on that client, which is near impossible to guess.  However, if
> > you can sniff traffic on this port, you should be able to positively
> > identify it as BitTorrent because it will contain the string
> > 'BitTorrent protocol' fairly early on in the packet data.
>
> I know for a *fact* that it can be passively detected :-)  We wrote a
> bunch of passive detection plugins for our PVS product.
>
> Actively, I was working on this same thing about a year or so ago.  I
> was actually generating test cases for a bittorrent fuzzer and noted
> that if you sent up to (and including) 95 bytes of data to the peer port
> you got no response but if you sent 96 (and up) bytes, you got a
> response of varying byte length.  I never had the time to track down
> why, what, etc....but, here is what I had to at least detect the
> service.  Oh, and I only tested on a few bittorrent clients, so it might
> be product specific :-<
>
> port = 6881;    # bittorrent
> #port = 63180;  # mutorrent
>
>
> for (i=0; i<95; i++) {init = string(init, raw_string(rand() % 256));}
>
> for (i=0; i<96; i++) {req = string(req, raw_string(rand() % 256));}
>
>
> soc = open_sock_tcp(port);
>
> if (soc)
> {
>        send(socket:soc, data:init);
>        r1 = recv(socket:soc, length:65535, timeout:5);
>        close (soc);
> }
>
> soc = open_sock_tcp(port);
>
> if (soc)
> {
>        send(socket:soc, data:req);
>        r2 = recv(socket:soc, length:65535, timeout:5);
>        close (soc);
> }
>
> if ( (strlen(r1) == 0) && (strlen(r2) > 50) )
>        security_hole(port);
>
>
>
>
>
> --
> John Lampe
> Senior Security Researcher
> TENABLE Network Security, Inc.
> jwlampe@{nessus.org,tenablesecurity.com}
> Tele: (410) 872-0555
> www.tenablesecurity.com
>
> Is your network TENABLE?
> ---------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------


-- 
-p1g
SnortCP
  ,,__
o"     )~  oink oink
   ' ' ' '

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------