Penetration Testing mailing list archives
Re: [PEN-TEST] PC Anywhere protocol
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Wed, 6 Sep 2000 17:29:32 -0700
22 (UDP) Used in older versions, though newer versions still use it for backwards compatibility.
5632 (UDP) Used to "ping" the host in order to check its status (whether the target host is running PCanywhere, and if the service is currently busy).
5631 (TCP) Remote control runs over this port

PCAnywhere listens on ports 22 (TCP and UDP), 5631 (TCP) "pcanywheredata", and 5632 (TCP and UDP) "pcanywherestat", and 65301 (TCP). Uses an "IP discovery protocol" to find other PCAnywhere servers on the local segment, where the assumption is that the local segment is all IP addresses between "xxx.xxx.xxx.1" to "xxx.xxx.xxx.254" (i.e. the local class C allocation). Thus, cable-modem and DSL users will often see connections to this port from other people that have PCAnywhere installed. If you own PCAnywhere and want to turn this feature off, then you must disable the "browsing" feature in the registry:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\System
Value: TCPIPNetBroadcast
Type: DWORD
Settings:
0 = Do not browse for the host.
1 = Browse for the host by sending 254 directed UDP packets per network [DEFAULT]
2 = Browse for the host by sending one broadcast UDP packet per network. [8.0 only]
(quoted from Symantec Website)

A machine that allows PCAnywhere control MUST be given a strong password. Hackers regularly scan the Internet looking for open PCAnywhere machines, break in, then use these machines to attack more interesting sites (like the Pentagon, CIA, NSA, etc.).

From the Symantec KB

How does encryption work?
Before each connection, the host and remote generate new public/private keys. Immediately upon connection, before any other data is sent, the host sends its public key to the remote and the remote sends its public key to the host. The host encrypts its data stream with the remote's public key and the remote encrypts its data stream with the host's public key. The remote then decrypts the host's data stream using its (the remote's) private key, and the host decrypts the remote's data stream using its (the host's) private key. Even if someone captures the public keys, the transmission is secure because the private key, which is never sent, is required to decrypt the data stream.

How many bits does the encryption use?
The number of bits used to encrypt the pcAnywhere data stream depends on what crypto providers you have installed. If you have installed the 40-bit version of Internet Explorer 4.0 on Windows 9x or you are running the 40-bit version of Windows NT with Service Pack 3 or higher, then you will be using 40 bits to encrypt the pcAnywhere data stream. If you have installed the 128-bit versions of the Internet Explorer 4.0 or Windows NT 4.0, then you will be using 128 bits to encrypt the pcAnywhere data stream.

If you use public-key encryption, is all of the data encrypted with that key pair?
The public key is only used to authenticate that you are who you say you are. Once this authentication has been done, the rest of the data stream is encrypted using a symmetric key pair that the host and remote generate before each connection. This follows established procedures where public key encryption is used for signature authentication and short data blocks. Symmetric key pairs are used for bulk data encryption. This is done for performance reasons.

NOTE: The pcAnywhere 8.0 negotiation phase, including login names and passwords, is encrypted.

Also refer to http://service1.symantec.com/SUPPORT/pca.nsf/docid/1997728131230 for more information.

At 02:51 PM 9/6/00 -0700, Heather Field wrote:

Actually you can limit it to tcp with a registry key, for version 9.

Heather Field
Cambridge Technology Partners, CNS
O: 310.563.4862
C: 310.489.5679

-----Original Message-----
From: Constable, Bryan [mailto:constablebk () MSX UPMC EDU]
Sent: Wednesday, September 06, 2000 10:57 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] PC Anywhere protocol

It looks like the ports are udp-5630, tcp-5631, udp-5632, and udp ssh-22.
I don't know if this helps

-----Original Message-----
From: Oliver Friedrichs [mailto:ofriedrichs () SECURITYFOCUS COM]
Sent: Wednesday, September 06, 2000 12:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] PC Anywhere protocol

Does anyone know of any specifications that document the PC Anywhere protocol? I'm primarily interested in the initial authentication portions of it.

- Oliver
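
The browse behaviour described in the message above (directed UDP packets to .1 through .254 of a segment, status queries on UDP 5632 and legacy UDP 22, remote control on TCP 5631) can be told apart from outside probing in firewall logs. This is an added example, not part of the original post or of any Symantec tool; the log format, the 20-host sweep threshold, the label names and the sample addresses are constructed assumptions:

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

STATUS_PORTS = {5632, 22}   # UDP status "ping"; 22 is the legacy port (from the message)
CONTROL_PORT = 5631         # TCP remote-control session (from the message)
# Constructed log format: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^\S+ (TCP|UDP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
RANK = ["status-probe", "neighbour-browse", "remote-sweep", "control-attempt"]

def classify(lines, sweep_threshold=20):
    """Map each source IP to its most significant pcAnywhere-related label."""
    probed = defaultdict(set)           # (src, destination /24) -> hosts probed
    labels = {}

    def note(src, label):               # keep only the highest-ranked label
        if src not in labels or RANK.index(label) > RANK.index(labels[src]):
            labels[src] = label

    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                    # skip lines in any other format
        proto, src, dst, dport = m[1], m[2], m[3], int(m[4])
        try:
            ip_address(src)
            net = ip_network(f"{dst}/24", strict=False)
        except ValueError:
            continue                    # malformed address, ignore the line
        if proto == "UDP" and dport in STATUS_PORTS:
            probed[(src, net)].add(dst)
        elif proto == "TCP" and dport == CONTROL_PORT:
            note(src, "control-attempt")
    for (src, net), hosts in probed.items():
        if len(hosts) < sweep_threshold:
            note(src, "status-probe")
        elif ip_address(src) in net:    # sender sits on the swept segment
            note(src, "neighbour-browse")
        else:
            note(src, "remote-sweep")
    return labels

def sample_log():
    """Constructed sample lines using documentation address ranges."""
    ts = "2000-09-06T17:00:00"
    lines = [f"{ts} UDP 192.0.2.77:1031 -> 192.0.2.{h}:5632" for h in range(1, 255)]
    lines += [f"{ts} UDP 198.51.100.9:4000 -> 192.0.2.{h}:5632" for h in range(1, 60)]
    lines.append(f"{ts} UDP 203.0.113.5:2000 -> 192.0.2.40:22")
    lines.append(f"{ts} TCP 203.0.113.8:2001 -> 192.0.2.40:5631")
    lines.append(f"{ts} TCP 203.0.113.8:2002 -> 192.0.2.40:80")
    return lines
```

A "neighbour-browse" source is a candidate for the TCPIPNetBroadcast change quoted above; the other labels come from hosts outside the segment and are the ones to review against the strong-password advice.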