On Thu, 2003-07-24 at 02:08, Bill McCarty wrote:
> What might it be looking for on TCP 552-553 and, more particularly, why
> might a scanner interested in RTSP also scan those ports? The ports are
> registered for use by deviceshare and PIRP (Public Information Retrieval
> Protocol). But, I don't suspect that the scanner is interested in those
> services, since they don't seem to be associated with RTSP. Could the
> scanner simply be comparing the response for port 554 with those for the
> other ports, in order to assess possible firewall rules?

Exactly. It's a common practice (at least in my shop :p) to scan so that you hit the ports you want to scan for and hope to be open, and then ports that have a good probability of being closed. That way you can examine the responses and see if and what type of filtering goes on.

For example, if you do a TCP scan from port 135 to port 140 on a Windows box, and you receive nothing on 135, 136, 137, 138, 139, but a TCP Reset on 140, there is a high probability that an admin only put a firewall rule in place that simply says 'drop 135-139' to cover the RPC/NetBIOS range, but left the system otherwise unprotected, with Windows sending a Reset on port 140. (Of course you might want to confirm by 'pinging' a couple other closed ports, like port 109 or something).

It is always good to get the 'full picture' of what a target looks like. Known negatives are just as useful as known positives.

Regards,
Frank
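
The inference described in the message above, written out as an added example that is not part of the original post: it takes recorded per-port probe results from an audit of your own host and reports what filtering policy they reveal. The state labels, function names and sample observations are constructed for illustration.

```python
from itertools import groupby

# Response classes for one TCP SYN probe (labels are assumptions of this example).
OPEN, CLOSED, FILTERED = "syn-ack", "rst", "none"

def port_ranges(observations, state):
    """Collapse the ports seen in `state` into contiguous (first, last) ranges."""
    ports = sorted(p for p, s in observations.items() if s == state)
    ranges = []
    # Consecutive ports share the same (port - index) value.
    for _, grp in groupby(enumerate(ports), key=lambda t: t[1] - t[0]):
        run = [p for _, p in grp]
        ranges.append((run[0], run[-1]))
    return ranges

def infer_filtering(observations):
    """Return (posture, silent_ranges) for one set of probe results.

    selective-drop: some ports are silent while others answer with a Reset,
                    so the host stack is reachable outside a narrow drop rule.
    default-drop:   every non-open port is silent; no Reset leaks through.
    no-filter-seen: nothing was silently dropped.
    """
    silent = port_ranges(observations, FILTERED)
    resets = port_ranges(observations, CLOSED)
    if not silent:
        return "no-filter-seen", silent
    if resets:
        return "selective-drop", silent
    return "default-drop", silent

# Constructed observations matching the 135-140 case in the message,
# with port 109 as the extra closed-port control.
WINDOWS_BOX = {109: CLOSED, 135: FILTERED, 136: FILTERED, 137: FILTERED,
               138: FILTERED, 139: FILTERED, 140: CLOSED}

# Constructed observations for the 552-554 case: RTSP answers, neighbours silent.
RTSP_HOST = {552: FILTERED, 553: FILTERED, 554: OPEN}

if __name__ == "__main__":
    for name, obs in (("windows-box", WINDOWS_BOX), ("rtsp-host", RTSP_HOST)):
        posture, silent = infer_filtering(obs)
        print(f"{name}: {posture}, silently dropped ranges: {silent}")
```

A "selective-drop" result on your own perimeter means the rule set is a narrow block list rather than a default-deny policy, which is the gap the message describes.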
This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 10:17:03 PDT