Penetration Testing mailing list archives
Re: Port 4662 exploitation
From: ArcSighter Elite <arcsighter () gmail com>
Date: Mon, 15 Dec 2008 09:22:09 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeremi Gosney wrote:
> "when you telnet into an unknown port you are not doing it to get a shell, but to get a tcp header and know what services might be running on that port.."
>
> That statement is most definitely false. While banner collection is certainly one facet of penetration testing, you most definitely ARE checking for things like rootkits. Discovering a shell listening on an arbitrary port is clearly a most valuable find. Mr Bensley's follow-up questions are most relevant here; surely you would have known what to do if you discovered a shell listening on a port, so my assumption is you are mis-using the word. Looking forward to your answers.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of James Bensley
> Sent: Saturday, December 13, 2008 12:20 PM
> To: pen-test () securityfocus com; Jorge L. Vazquez
> Cc: Mohamad M; ArcSighter Elite
> Subject: Re: Port 4662 exploitation
>
> Well, you telnet to that port, do you get a heading in return? Or when you say a shell do you actually get a prompt to start entering commands, what's the prompt you get if so? Also if it is a full shell can you run any commands, what is the output when you run "whoami"?? Use the netstat command to list any connections (irrelevant of their state i.e. established or listening) and display the program responsible for the connection so you can see where it is coming from? Send us your results ;)
>
> 2008/12/13 Jorge L. Vazquez <jlvazquez825 () gmail com>:
>> when you telnet into an unknown port you are not doing it to get a shell, but to get a tcp header and know what services might be running on that port..
>>
>> -j0rg3
>> blog: www.pctechtips.org
>>
>> Mohamad M wrote:
>>> Hi again, I agree it looks very weird; I simply started a Syn scan with nmap, and got that tcp 4662 is open; when I telneted to 4662, I got shell, but then did not know how to proceed, hence my email.
>>>
>>> Thanks,
>>>
>>> -----Original Message-----
>>> From: ArcSighter Elite [mailto:arcsighter () gmail com]
>>> Sent: Friday, December 12, 2008 11:43 PM
>>> To: Mohamad M
>>> Cc: pen-test () securityfocus com
>>> Subject: Re: Port 4662 exploitation
>>>
>>> Mohamad M wrote:
>>>> Hello All, I'm doing a vulnerability assessment for my company, and saw that port 4662 (edonkey) is open on 1 device facing the internet. I telneted to 4662, and I got connected; since I'm new to this domain, what are the steps needed in order to exploit this vulnerability?
>>>>
>>>> Thanks,
>>>> ./Lgpmsec
>>>>
>>>> ------------------------------------------------------------------------
>>>> This list is sponsored by: Cenzic
>>>>
>>>> Security Trends Report from Cenzic
>>>> Stay Ahead of the Hacker Curve!
>>>> Get the latest Q2 2008 Trends Report now
>>>> www.cenzic.com/landing/trends-report
>>>> ------------------------------------------------------------------------
>>>
>>> An open port is never a vulnerability, only if the running service that binds to that port is actually vulnerable. What makes me ask, have you actually done a service fingerprint to determine if it is e-donkey?, cause that looks pretty weird to me.
>>>
>>> Sincerely.
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GIT/MU/U dpu s: a--> C++>$ U+> L++> B-> P+> E?> W+++>$ N K W++ O M++>$ V- PS+++ PE++ Y+ PGP t 5 X+ R- tv+ b+> DI D+++ G+ e(+++++) h--(++) r++ z++
> ------END GEEK CODE BLOCK------

It has been said. Fingerprint the service and identify the protocol in use. If it is indeed a backdoor then of course it is a security vulnerability, and spawning a shell even without authentication is a HIGH security vulnerability what you are up to. But is it actually a shell? In that case, from which OS, chrooted/restricted, administrative? Those are questions you need to answer yourself before stepping further. Honestly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJRmgQH+KgkfcIQ8cRAmBXAKDb3RgD1XEHAmWs+qy7XcSf9JDNlwCdHhaM
M0gfPpeFSCxBIylvmsjqqdc=
=z5Us
-----END PGP SIGNATURE-----
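The two checks the thread converges on, identifying from the host which process is bound to the port (Bensley's netstat suggestion) and fingerprinting what the service actually speaks before calling an open port a vulnerability (ArcSighter's point), as an added worked example that is not part of this thread or any poster's code. The netstat output, PIDs and banners are constructed samples; the eDonkey/eMule framing check (protocol byte 0xE3 or 0xC5 followed by a 4-byte little-endian length) and the shell-prompt heuristic are assumptions of this example, and a throwaway local listener stands in for the remote host so it runs offline.

```python
"""Triage an unexpected listener on a port such as 4662.

Added worked example, not code from the thread. Two defender-side checks:
  1. On the host: which process owns the LISTENing socket (parsed from
     `netstat -tlnp` style output; the sample below is constructed).
  2. From the network: what does the service say on connect? The first
     bytes are classified as eDonkey/eMule framing, an interactive shell
     prompt, a plain text banner, or silence. A throwaway local server
     stands in for the remote host so the example runs offline.
"""
import re
import socket
import threading

# Constructed `netstat -tlnp` output; addresses, PIDs and program names are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:4662            0.0.0.0:*               LISTEN      2417/amuled
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      903/exim4
"""

# One LISTEN line: proto, queues, local addr:port, foreign addr, state, pid/program.
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)

EDONKEY_PROTO = 0xE3  # eDonkey protocol id byte (assumption of this example)
EMULE_PROTO = 0xC5    # eMule extended-protocol id byte (assumption of this example)


def listeners_on_port(netstat_output, port):
    """Return [{addr, pid, prog}] for every socket LISTENing on `port`."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group("lport")) == port:
            found.append({"addr": m.group("laddr"),
                          "pid": int(m.group("pid")),
                          "prog": m.group("prog")})
    return found


def classify_banner(data):
    """Heuristically label the first bytes a service volunteers after connect.

    eDonkey/eMule frames start with the protocol byte, a 4-byte little-endian
    payload length (opcode included), then the opcode. Telnet-style shells
    usually send a text prompt ending in '$', '#' or '>'.
    """
    if not data:
        # Many services, eDonkey clients included, wait for the peer to speak first.
        return "silent"
    if len(data) >= 6 and data[0] in (EDONKEY_PROTO, EMULE_PROTO):
        payload_len = int.from_bytes(data[1:5], "little")
        if payload_len == len(data) - 5:
            return "edonkey"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown-binary"
    if re.search(r"[$#>]\s*$", text):
        return "shell-prompt"
    return "text-banner"


def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect, send nothing, and return whatever arrives within `timeout`."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(max_bytes)
        except socket.timeout:
            return b""


def serve_once(banner):
    """Start a throwaway 127.0.0.1 listener that sends `banner` to one client.

    Returns the ephemeral port so grab_banner() has something to probe offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def probe_local(banner):
    """Round trip: serve `banner` locally, grab it, classify it."""
    return classify_banner(grab_banner("127.0.0.1", serve_once(banner), timeout=2.0))


if __name__ == "__main__":
    print("listeners on 4662:", listeners_on_port(SAMPLE_NETSTAT, 4662))
    for sample in (b"\xe3\x01\x00\x00\x00\x01", b"sh-3.2# ", b"SSH-2.0-OpenSSH_5.1\r\n", b""):
        print(repr(sample), "->", probe_local(sample))
```

The "silent" outcome is the one to expect from a genuine eDonkey client, since that protocol has the connecting side speak first; a prompt arriving unprompted is what would justify the thread's backdoor questions (which OS, restricted or not, which account), and the netstat side answers them far more reliably than the banner does.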
Current thread:
- Port 4662 exploitation Mohamad M (Dec 12)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 12)
- RE: Port 4662 exploitation Mohamad M (Dec 12)
- Re: Port 4662 exploitation Jorge L. Vazquez (Dec 13)
- Re: Port 4662 exploitation James Bensley (Dec 13)
- RE: Port 4662 exploitation Jeremi Gosney (Dec 14)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 15)
- Message not available
- Message not available
- Re: Port 4662 exploitation ArcSighter Elite (Dec 15)
- Re: Port 4662 exploitation James Bensley (Dec 15)
- RE: Port 4662 exploitation Mohamad M (Dec 12)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 12)
- <Possible follow-ups>
- FW: Port 4662 exploitation lgpmsec (Dec 15)
- RE: Port 4662 exploitation Shenk, Jerry A (Dec 15)
- Re: FW: Port 4662 exploitation ArcSighter Elite (Dec 15)
- Re: FW: Port 4662 exploitation Todd Haverkos (Dec 15)
- Re: FW: Port 4662 exploitation Dante Lanznaster (Dec 15)
- Re: Port 4662 exploitation Christopher (Dec 16)
- Re: Port 4662 exploitation ArcSighter Elite (Dec 18)