Re: Bittorrent Data Port Probe

["Paul Melson" <pmelson () gmail com>]

That's correct.  The connect message was caused by the -v flag from
netcat and was basically there to prove that netcat connected each
time.  But regardless of the length of the random string, bittorrent
didn't respond.


On 8/24/07, Antonio Augusto (Mancha) <mkhaos7 () gmail com> wrote:
> I think this is a bit wrong.
> For what i can say, the response you got "Connection to localhost 6881
> port [tcp/*] succeeded!", means taht there was a server listning to
> that port and he answered your SYN request.
>
> This doesn't mean he answered any of the packets you sent to it.
>
> Cheers,
> KM
>
>
> On 8/24/07, Paul Melson <pmelson () gmail com> wrote:
> > On 8/23/07, John Lampe <jwlampe () tenablesecurity com> wrote:
> > > I know for a *fact* that it can be passively detected :-)  We wrote a
> > > bunch of passive detection plugins for our PVS product.
> >
> > Yup.  Snort's had signatures for it for a couple years. ;-)
> >
> >
> > > port = 6881;    # bittorrent
> > > #port = 63180;  # mutorrent
> > >
> > > for (i=0; i<95; i++) {init = string(init, raw_string(rand() % 256));}
> > >
> > > for (i=0; i<96; i++) {req = string(req, raw_string(rand() % 256));}
> >
> > I can't seem to recreate this:
> >
> > $ perl -e 'for (my $i=0; $i <= 90; $i++) {print chr(int(rand 255));}' |
> nc
> > -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 95; $i++) {print chr(int(rand 255));}' |
> nc
> > -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 96; $i++) {print chr(int(rand 255));}' |
> nc
> > -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 100; $i++) {print chr(int(rand 255));}' |
> nc
> > -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> > $ perl -e 'for (my $i=0; $i <= 1000; $i++) {print chr(int(rand 255));}' |
> nc
> > -v localhost 6881
> > Connection to localhost 6881 port [tcp/*] succeeded!
> >
> > If you care, the client is bittorrent-curses 4.4.0 on OpenBSD (it's what
> I
> > had quick access to).  I haven't tried your nasl code in Nessus, so maybe
> > I'm missing something. But if I understand your previous post, this
> should
> > elicit some response from a seeding client, and in my case it doesn't.
> >
> > PaulM
> >
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
>
>
> --
> Informação & Segurança - Informações para sua segurança na rede.
> http://info-seg.blogspot.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------