Re: Port identification methodology

From: Franck Veysset (franck.veyssetat_private)
Date: Mon Jul 02 2001 - 10:12:21 PDT

Next message: Jonathan Rickman: "RE: Oracle8i"

Previous message: Yonatan Bokovza: "RE: Port identification methodology"
In reply to: Erik Norman: "Port identification methodology"
Next in thread: stephenat_private: "FW: Port identification methodology"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There have been some work done on this subject.

you can have a look at Nessus. There is a plugin called "find-services"
which do something like this. It just try to recognize which service is
running on which port.

This plugin, written in C, is available at :
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-plugins/plugins/find_service/

If I remember well, Saurik have also done some work on Nmap. A patch
was performing such a function. More information at:

ftp://ftp.saurik.com/pub/nmap/

Hope this help...

-Franck


Erik Norman a écrit :
> 
> Hi all,
> 
> I have a question regarding methodology while performing a
> PT. It concerns identifying programs/services.
> 
> Imagine a full nmap scan has been performed. A handfull
> of open ports was found on a particular server. The
> usual 25, 53, 80 etc are identified, but one or two ports
> stand out from the crowd. Looking in various 'common ports'
> files does not provide a hint what the port is used for.
> 
> Connecting with telnet yields no text, and a tcpdump
> dump does not provide any text (in clear anyway).
> 
> Now what!???
> 
> How should one approach this?
> 
> /Erik
> 
> --------------------------------------------------------------------------------------
> 
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
> For more information on SecurityFocus' SIA service which automatically alerts you to
> the latest security vulnerabilities please see:
> 
> https://alerts.securityfocus.com/

-- 
Franck Veysset  E-mail: franck.veyssetat_private
http://www.INTRANODE.com  -  Tel: +33 (0)2 23 45 55 04
            -- Security Lab Engineer --

      O   ascii ribbon campaign against html
      |\    email and Microsoft attachments.

--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/

Next message: Jonathan Rickman: "RE: Oracle8i"
Previous message: Yonatan Bokovza: "RE: Port identification methodology"
In reply to: Erik Norman: "Port identification methodology"
Next in thread: stephenat_private: "FW: Port identification methodology"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 07:04:40 PDT