Penetration Testing mailing list archives

Re: Port 4662 exploitation


From: ArcSighter Elite <arcsighter () gmail com>
Date: Mon, 15 Dec 2008 12:50:21 -0500

There was a discussion about such kinds of questions days ago; I'll omit
that and try to put you on the way. But I personally suggest you study
the topic first, then ask.

Besides that, I hope you get my point; I'll provide you some help, I'm
not an uber-anarchist-alike kind of person.

This is what I get from your logs and posts:

1. Running BackTrack live CD:
This is a security-oriented Linux distribution that stands as a tool
compilation. If you don't understand the tools, you shouldn't use them
until you do.

2. Running Nmap:
Your nmap scan doesn't do service fingerprinting, so you're confusing the
list by saying you got a shell from an e-donkey daemon. What you got
there is the IANA standard port and service name; actually you're
getting '/etc/services' from your bt distro.
You get too many open ports; two explanations: First, a
happy-installer's workstation (so I don't get the point of your security
audit). Second, you're getting false positives; in the case of an IDS
configured this way, your scan is wrong at all, or you're up against a
broken TCP/IP stack, which is weird because you're only using a half-open
scan, not XMAS, FIN, and the like.

3. Shell:
Please define shell: do you get a prompt where you can issue commands
that are interpreted by the operating system, can you see the results
of those commands, and in that case, what privilege does this shell have?

My time is rushing, so I'll finish here.



lgpmsec wrote:
Hi again all,

Please find below the nmap results for the specific server, and let me know
if it adds value:

bt ~ # nmap -sT -vv x.x.x.120

Starting Nmap 4.60 ( http://nmap.org ) at 2008-12-15 15:04 GMT
Initiating Ping Scan at 15:04
Scanning x.x.x.120 [2 ports]
Completed Ping Scan at 15:04, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.00s elapsed
Initiating SYN Stealth Scan at 15:04
Scanning x.y.com (x.x.x.120) [1715 ports]
Discovered open port 53/tcp on x.x.x.120
Discovered open port 443/tcp on x.x.x.120
Discovered open port 80/tcp on x.x.x.120
Discovered open port 113/tcp on x.x.x.120
Discovered open port 554/tcp on x.x.x.120
Discovered open port 22/tcp on x.x.x.120
Discovered open port 636/tcp on x.x.x.120
Discovered open port 25/tcp on x.x.x.120
Discovered open port 389/tcp on x.x.x.120
Discovered open port 21/tcp on x.x.x.120
Discovered open port 3389/tcp on x.x.x.120
Discovered open port 23/tcp on x.x.x.120
Discovered open port 1755/tcp on x.x.x.120
Discovered open port 749/tcp on x.x.x.120
Discovered open port 19/tcp on x.x.x.120
adjust_timeouts2: packet supposedly had rtt of 8544204 microseconds.
Ignoring time.
SYN Stealth Scan Timing: About 50.94% done; ETC: 15:06 (0:00:35 remaining)
Discovered open port 139/tcp on x.x.x.120
Discovered open port 3128/tcp on x.x.x.120
Discovered open port 70/tcp on x.x.x.120
SYN Stealth Scan Timing: About 42.74% done; ETC: 15:07 (0:01:36 remaining)
Discovered open port 465/tcp on x.x.x.120
Discovered open port 1494/tcp on x.x.x.120
Discovered open port 37/tcp on x.x.x.120
Discovered open port 110/tcp on x.x.x.120
Discovered open port 3268/tcp on x.x.x.120
Discovered open port 109/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 5 to 10 due to 25 out of 82 dropped
probes since last increase.
Discovered open port 7000/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 10 to 20 due to 11 out of 12
dropped probes since last increase.
Discovered open port 6699/tcp on x.x.x.120
Discovered open port 88/tcp on x.x.x.120
SYN Stealth Scan Timing: About 51.05% done; ETC: 15:16 (0:05:23 remaining)
Increasing send delay for x.x.x.120 from 20 to 40 due to 11 out of 13
dropped probes since last increase.
Discovered open port 43/tcp on x.x.x.120
Discovered open port 79/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 40 to 80 due to 11 out of 13
dropped probes since last increase.
Discovered open port 993/tcp on x.x.x.120
Increasing send delay for x.x.x.120 from 80 to 160 due to 11 out of 12
dropped probes since last increase.
Discovered open port 7070/tcp on x.x.x.120
Discovered open port 6666/tcp on x.x.x.120
Discovered open port 569/tcp on x.x.x.120
Discovered open port 4662/tcp on x.x.x.120
Discovered open port 17/tcp on x.x.x.120
Discovered open port 5060/tcp on x.x.x.120
Discovered open port 143/tcp on x.x.x.120
Discovered open port 3269/tcp on x.x.x.120
Discovered open port 513/tcp on x.x.x.120
Discovered open port 1720/tcp on x.x.x.120
Discovered open port 995/tcp on x.x.x.120
Discovered open port 13/tcp on x.x.x.120
Discovered open port 563/tcp on x.x.x.120
Discovered open port 1433/tcp on x.x.x.120
Discovered open port 9/tcp on x.x.x.120
Discovered open port 7/tcp on x.x.x.120
Discovered open port 119/tcp on x.x.x.120
Discovered open port 6667/tcp on x.x.x.120
Completed SYN Stealth Scan at 16:05, 3639.22s elapsed (1715 total ports)
Host x.y.com (x.x.x.120) appears to be up ... good.
Interesting ports on x.y.com (x.x.x.120):
Not shown: 1611 filtered ports, 55 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
9/tcp    open  discard
13/tcp   open  daytime
17/tcp   open  qotd
19/tcp   open  chargen
20/tcp   open  ftp-data
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
37/tcp   open  time
43/tcp   open  whois
53/tcp   open  domain
70/tcp   open  gopher
79/tcp   open  finger
80/tcp   open  http
88/tcp   open  kerberos-sec
109/tcp  open  pop2
110/tcp  open  pop3
113/tcp  open  auth
119/tcp  open  nntp
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
465/tcp  open  smtps
513/tcp  open  login
554/tcp  open  rtsp
563/tcp  open  snews
569/tcp  open  ms-rome
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
993/tcp  open  imaps
995/tcp  open  pop3s
1433/tcp open  ms-sql-s
1494/tcp open  citrix-ica
1720/tcp open  H.323/Q.931
1755/tcp open  wms
3128/tcp open  squid-http
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-term-serv
4662/tcp open  edonkey
6666/tcp open  irc
6667/tcp open  irc
6699/tcp open  napster
7000/tcp open  afs3-fileserver
7070/tcp open  realserver

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3639.314 seconds
           Raw packets sent: 7086 (311.764KB) | Rcvd: 6864 (315.744KB)

I also telneted to the 4662 port, getting:

bt ~ # telnet x.x.x.120 4662
Trying x.x.x.120...
Connected to x.x.x.120.
Escape character is '^]'.
whoami




^QConnection closed by foreign host.

Please advise on how to proceed

Thank you,

-Mohamad.
________________________________________
From: RaptorX [mailto:graptorx () gmail com] 
Sent: Monday, December 15, 2008 5:08 PM
To: Jeremi Gosney
Cc: James Bensley; Jorge L. Vazquez; Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

I agree with Jeremi.
On Sun, Dec 14, 2008 at 8:33 PM, Jeremi Gosney <Jeremi.Gosney () motricity com>
wrote:
"when you telnet into an unknown port you are not doing it to get a
shell, but to get a tcp header and know what services might be running
on that port.."
That statement is most definitely false. While banner collection is
certainly one facet of penetration testing, you most definitely ARE
checking for things like rootkits. Discovering a shell listening on an
arbitrary port is clearly a most valuable find. Mr Bensley's follow-up
questions are most relevant here; surely you would have known what to do
if you discovered a shell listening on a port, so my assumption is you
are mis-using the word.

Looking forward to your answers.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of James Bensley
Sent: Saturday, December 13, 2008 12:20 PM
To: pen-test () securityfocus com; Jorge L. Vazquez
Cc: Mohamad M; ArcSighter Elite
Subject: Re: Port 4662 exploitation

Well, when you telnet to that port, do you get a heading in return?

Or when you say a shell, do you actually get a prompt to start entering
commands? What's the prompt you get, if so? Also, if it is a full shell, can
you run any commands? What is the output when you run "whoami"?

Use the netstat command to list any connections (irrelevant of their
state, i.e. established or listening) and display the program responsible
for the connection so you can see where it is coming from.

Send us your results ;)

2008/12/13 Jorge L. Vazquez <jlvazquez825 () gmail com>:
when you telnet into an unknown port you are not doing it to get a
shell, but to get a tcp header and know what services might be running

on that port..

-j0rg3
blog: www.pctechtips.org


Mohamad M wrote:
Hi again,

I agree it looks very weird; I simply started a Syn scan with nmap,
and got that tcp 4662 is open; when I telneted to 4662, I got shell,
but then did not know how to proceed, hence my email.

Thanks,

-----Original Message-----
From: ArcSighter Elite [mailto:arcsighter () gmail com]
Sent: Friday, December 12, 2008 11:43 PM
To: Mohamad M
Cc: pen-test () securityfocus com
Subject: Re: Port 4662 exploitation

Mohamad M wrote:
Hello All,
I'm doing a vulnerability assessment for my company, and saw that port
4662 (edonkey) is open on 1 device facing the internet. I telneted to
4662, and I got connected; since I'm new to this domain, what are the
steps needed in order to exploit this vulnerability?
Thanks,
./Lgpmsec

-------------------------------------------------------------------
-----
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
-------------------------------------------------------------------
-----


An open port is never a vulnerability in itself; it only is if the running
service that binds to that port is actually vulnerable. Which makes me ask:
have you actually done a service fingerprint to determine it is
e-donkey? Because that looks pretty weird to me.

Sincerely.






--
-----BEGIN GEEK CODE BLOCK-----
 Version: 3.1
GIT/MU/U dpu s: a--> C++>$ U+> L++> B-> P+> E?> W+++>$ N K W++ O M++>$
V-
PS+++ PE++ Y+ PGP t 5 X+ R- tv+ b+> DI D+++ G+ e(+++++) h--(++) r++ z++
------END GEEK CODE BLOCK------


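As an added example (not code from anyone in this thread), a small Python checker that applies the points raised above to nmap normal-format output: it records whether the scan actually ran version detection, treats the SERVICE column as a port-table lookup rather than a fingerprint when it did not, lists the legacy small services (echo, discard, daytime, qotd, chargen) that answered, and flags an implausible number of open ports on one host. The scan excerpt embedded below is constructed from the output quoted above, and the threshold of 20 open ports is an assumed value.

```python
import re

# Constructed excerpt of the nmap normal-format output quoted in this
# thread: a handful of the 43 open ports, enough to exercise the checks.
SAMPLE_SCAN = """\
bt ~ # nmap -sT -vv x.x.x.120
Interesting ports on x.y.com (x.x.x.120):
Not shown: 1611 filtered ports, 55 closed ports
PORT     STATE SERVICE
7/tcp    open  echo
19/tcp   open  chargen
88/tcp   open  kerberos-sec
3389/tcp open  ms-term-serv
4662/tcp open  edonkey
6699/tcp open  napster
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
SMALL_SERVICES = {7, 9, 13, 17, 19}  # echo, discard, daytime, qotd, chargen

def parse_scan(text):
    """Return (version_probed, rows); rows are (port, proto, state, name, version)."""
    version_probed = False
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nmap ") or "# nmap " in line:
            # Without -sV (or -A) the SERVICE column is a lookup in nmap's
            # port table, not a fingerprint of what is actually listening.
            args = line.split()
            version_probed = "-sV" in args or "-A" in args
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3),
                         m.group(4), (m.group(5) or "").strip()))
    return version_probed, rows

def assess(text, many_open=20):
    """Summarise one scan. many_open is an assumed threshold: that many open
    ports on a single host suggests an IDS/tarpit answering every probe."""
    version_probed, rows = parse_scan(text)
    open_ports = [r[0] for r in rows if r[2] == "open"]
    return {
        "open_ports": open_ports,
        "names_are_guesses": not version_probed,
        "unverified_labels": {r[0]: r[3] for r in rows if not version_probed},
        "small_services_open": sorted(p for p in open_ports if p in SMALL_SERVICES),
        "suspect_false_positives": len(open_ports) >= many_open,
    }
```

Run against the full 43-port listing from the thread, the same checks flag all five small services and trip the false-positive threshold, which is the point ArcSighter makes about the scan.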
