Penetration Testing mailing list archives

RE: Opne ports 1863 & 5910 - pentest


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Wed, 8 Jul 2009 15:12:56 -0400

Well, since you're new at this, what can you find out about those two
ports?  Perhaps check the services file on a linux box, maybe do a
search on the internet for them.  Perhaps they are either normally used
by some legitimate service or normally in use by some back door.  If you
find a match for one of your ports, then try to verify if that is in
fact the service that's running.  If you aren't personally familiar with
the service that you find, perhaps you could install it on a box in your
test lab and then do a packet capture of a variety of connections to
that service...something like a 3-way handshake by itself, then maybe
some additional stimuli afterward; a manual web page request (web pages
show up on all kinds of ports), hit enter and see what it does, maybe a
question mark, maybe a bunch of spaces or other characters.  You might
also want to see if one of the service identifiers can coax any
information out of it.

You mention that this is "pool" and that "most IPs" have these ports
responding.  Might this all be one box with a bunch of IPs?  Check
timestamps to verify that.

Also, don't get too hung up on what you don't know...concentrate on what
you DO know and try to fill in the blanks.  Also, make sure you don't
decide that you KNOW something too quick.  Just 'cuz it's on some common
port (25 for example) doesn't necessarily mean that it's a mail server.

Keep an eye out for anti-virus programs that proxy a bunch of ports too.
Sometimes you'll see "servers" running on boxes that you just know are
NOT servers...might be some proxy on a client that's supposed to be
monitoring outbound connections to some server...a mail server for
example.  Ideally, they shouldn't allow connections from somebody else
but sometimes they do.

This is your first "assignment" - that suggests you are part of a group
that does some pen-testing.  Are there any senior members that you can
bounce your work past?

A general suggestion - put a sniffer in the path of your pen-test
traffic so that you can monitor what you're sending and what comes back.
For a big test, that may not be practical but often, that can help you
verify the results from a scan or help identify "oddities" like what you
found.

I'd expect that you have permission for this too...you didn't just
decide to randomly scan a bunch of public IP addresses and call it a
"test pen-test" did you?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of tomright006 () gmail com
Sent: Wednesday, July 08, 2009 12:08 PM
To: pen-test () securityfocus com
Subject: Opne ports 1863 & 5910 - pentest

Hi all,

I have just started my information security career & I am doing a pentest
on a pool of some public IPs as my first assignment in pentest.

During the pentest I found that port 1863 & port 5910 are common for most of
the IPs (in fact almost all).

I would like to know if anyone has come across such a situation while doing a
pentest in the past.

Thanks

Tom Right

Security Engineer

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
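Jerry's advice to "check timestamps" to tell whether "most IPs" are really one box is usually done with the TCP timestamp option (TSval) seen in the sniffer he recommends: each host runs its own timestamp clock, so addresses whose TSval clocks share the same tick rate and the same starting value are very likely one machine. The following is an added example, not code from the thread, that fits a clock to constructed TSval observations per IP and groups addresses that share a clock; the addresses, rates and values are made up.

```python
"""Group IPs by TCP timestamp (TSval) clock: one clock usually means one box."""

def fit_clock(samples):
    """Least-squares fit tsval = rate * t + offset over (capture_time_s, tsval) pairs."""
    if len(samples) < 2:
        raise ValueError("need at least two samples per IP")
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    if sxx == 0:
        raise ValueError("samples must span more than one capture time")
    sxy = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    rate = sxy / sxx                 # ticks per second (commonly 100, 250 or 1000 Hz)
    offset = mean_v - rate * mean_t  # TSval the clock would have shown at t = 0
    return rate, offset

def group_by_clock(observations, rate_tol=0.05, offset_tol_s=1.0):
    """Group IPs whose fitted clocks agree: same rate (within rate_tol, relative)
    and same value at t = 0 (within offset_tol_s seconds' worth of ticks)."""
    clocks = {ip: fit_clock(s) for ip, s in observations.items()}
    groups = []
    for ip in sorted(clocks):
        rate, offset = clocks[ip]
        for group in groups:
            g_rate, g_offset = clocks[group[0]]
            if (abs(rate - g_rate) <= rate_tol * g_rate
                    and abs(offset - g_offset) <= offset_tol_s * g_rate):
                group.append(ip)
                break
        else:
            groups.append([ip])
    return groups

# Constructed sample data: (seconds since capture start, TSval seen from that IP).
# 10.0.0.1-3 follow one 250 Hz clock (one host behind three addresses); 10.0.0.4 runs
# a 1000 Hz clock; 10.0.0.5 is 250 Hz too but booted elsewhere, so a different host.
OBSERVATIONS = {
    "10.0.0.1": [(0.0, 1000000), (2.0, 1000500), (4.0, 1001000)],
    "10.0.0.2": [(1.0, 1000250), (3.0, 1000751), (6.0, 1001500)],  # one tick of jitter
    "10.0.0.3": [(0.5, 1000125), (2.5, 1000625), (5.0, 1001250)],
    "10.0.0.4": [(0.0, 3500000), (1.0, 3501000), (3.0, 3503000)],
    "10.0.0.5": [(0.2, 77050), (2.2, 77550), (4.2, 78050)],
}

if __name__ == "__main__":
    for group in group_by_clock(OBSERVATIONS):
        print("same clock:", ", ".join(group))
```

Real TSvals come from the TCP options of captured packets; hosts that disable timestamps, or a NAT device rewriting them, will not correlate this way.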
