Penetration Testing mailing list archives

Re: Alisse


From: matteo filippetto <matteo.filippetto () gmail com>
Date: Fri, 31 Jul 2009 13:51:51 +0200

2009/7/29 Yiannis Koukouras <ikoukouras () gmail com>:
Ioannis (Yiannis) Koukouras
Wim,

I am covered by the RoE for this system. However, I can do any social
engineering attacks to get info for the server.
Below is the hexdump of the connection.

nc XXX.XXX.XXX.XXX 9025 | hexdump
0000000 3c06 4c41 5349 4553 303e 0226 5f20 f70f
0000010 c7b1 1d4b a902 9999 46b7 b50c a1f0 183e
0000020 3fb4 97fa 1eb9 229c 234b f420 0261 4902

I wrote a jolt client (stitching example code) in order to talk to the
Jolt server (if this is one of those), but it is not able to even open
a session to the system.
Thus, maybe we should be looking at another direction.

The sure thing is that this is not a rogue service. It is a legitimate
service and the client knows about it, but they won't disclose more
info. :(

On Tue, Jul 28, 2009 at 10:13 PM, Wim Remes<wremes () gmail com> wrote:
Yiannis,

if it is a BEA (Jolt) system, it is a web service, but not necessarily a
web server exposed to the world.
The response you get from the server doesn't tell very much, it looks like
it is some sort of binary code.

AFAIK the Jolt server functions as a service catalogue, but I'm not a BEA
expert ...

If you can get some inside knowledge about the server (through social
engineering?) or you know a BEA expert to tell you something more, you
might want to look into Unicornscan, with which you might be able to craft
some nifty packages to trigger the service to tell you something more.

Looks like you found some exotic stuff there ...

Be sure that this kind of trickery is in your rules of engagement though ...
You don't want to get slapped on the wrist for bringing down a business
critical service ...

Cheers,

Wim

On 28 Jul 2009, at 12:47, Yiannis Koukouras wrote:

Hi,

Nmap says it is a Windows PC.
Unfortunately it is the only open port on the system and we cannot
determine either the OS or the business role of the system.

Of course I will update you should I find anything.

I did a little research on the BEA scenario and it appears that it
may be a BEA JSL (Jolt Server Listener). Hmm... if this is the case,
this is an exposed WS to the world. Right?

Ioannis (Yiannis) Koukouras


On Tue, Jul 28, 2009 at 1:31 PM, administrator
-<illegal.visitor () gmail com> wrote:

Hi there,

A few questions regarding your mail:
- What OS is the system running?
- Any other ports/apps that might give a hint?
- If it is a company PC, what branch do they operate in?

Answers on the above limit the scope of your/our search :-)

If you ever find out what is running, pls update us. Always good to
know. Cheers!

illegal_visit0r



On 7/27/09, Yiannis Koukouras <ikoukouras () gmail com> wrote:

Hello all,

During a black box pentest, I found port 9025 open on a system and
when I connected with nc I got the following reply (follow link to
view the reply as it is in non ASCII format):

http://pastebin.ca/1494670

Do you think this is a web service listener or something like that?

The tags indicate that this has something to do with XML.
Nevertheless, it does not respond to any input....

I am open to ideas...

Thnx,
Ioannis (Yiannis) Koukouras

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




Hi,

A simple search on Google shows this information:

http://www.seifried.org/security/ports/index.php?port_number=9025

Bye
-- 
Matteo Filippetto
