Penetration Testing mailing list archives
RE: Opne ports 1863 & 5910 - pentest
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Wed, 8 Jul 2009 15:12:56 -0400
Well, since you're new at this, what can you find out about those two ports? Perhaps check the services file on a Linux box, maybe do a search on the internet for them. Perhaps they are either normally used by some legitimate service or normally in use by some back door. If you find a match for one of your ports, then try to verify if that is in fact the service that's running. If you aren't personally familiar with the service that you find, perhaps you could install it on a box in your test lab and then do a packet capture of a variety of connections to that service...something like a 3-way handshake by itself, then maybe some additional stimuli afterward: a manual web page request (web pages show up on all kinds of ports), hit enter and see what it does, maybe a question mark, maybe a bunch of spaces or other characters. You might also want to see if one of the service identifiers can coax any information out of it.

You mention that this is a "pool" and that "most IPs" have these ports responding. Might this all be one box with a bunch of IPs? Check timestamps to verify that.

Also, don't get too hung up on what you don't know...concentrate on what you DO know and try to fill in the blanks. Also, make sure you don't decide that you KNOW something too quickly. Just 'cuz it's on some common port (25 for example) doesn't necessarily mean that it's a mail server. Keep an eye out for anti-virus programs that proxy a bunch of ports too. Sometimes you'll see "servers" running on boxes that you just know are NOT servers...might be some proxy on a client that's supposed to be monitoring outbound connections to some server...a mail server for example. Ideally, they shouldn't allow connections from somebody else, but sometimes they do.

This is your first "assignment" - that suggests you are part of a group that does some pen-testing. Are there any senior members that you can bounce your work past?
A general suggestion - put a sniffer in the path of your pen-test traffic so that you can monitor what you're sending and what comes back. For a big test, that may not be practical, but often that can help you verify the results from a scan or help identify "oddities" like what you found. I'd expect that you have permission for this too...you didn't just decide to randomly scan a bunch of public IP addresses and call it a "test pen-test", did you?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of tomright006 () gmail com
Sent: Wednesday, July 08, 2009 12:08 PM
To: pen-test () securityfocus com
Subject: Opne ports 1863 & 5910 - pentest

Hi all,

I have just started my information security career & I am doing a pentest on a pool of some public IPs as my first assignment in pentest. During the pentest I found that port 1863 & port 5910 are common for most of the IPs (in fact almost all). I would like to know if anyone has come across such a situation while doing a pentest in the past.

Thanks
Tom Right
Security Engineer

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------

**DISCLAIMER** This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
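The lab workflow the reply describes (look the port up in the services database, connect and send a few harmless stimuli, record what comes back, then compare fingerprints across hosts to test the "might this all be one box?" idea) can be automated in a few functions. The script below is an added example and is not code from the post or from either participant; it runs against two throwaway TCP services started in the same process, so it works offline, and the hostnames, ports, banners and the `web`/`quiet` handlers are all constructed stand-ins for a service you would install in your own test lab.

```python
"""Lab-side probing of an unfamiliar port, automating the checks in the reply
above: look the port up in the services database, connect and send a few
harmless stimuli, record what comes back, and compare fingerprints across
hosts to test the "is this all one box?" hypothesis.

Added example, not code from the post. It runs against throwaway TCP services
started in this process, so it works offline; hostnames, ports and banners are
constructed."""
import socket
import threading
from collections import defaultdict

# The stimuli the reply suggests: bare handshake, a web request, enter,
# a question mark, and a run of spaces.
STIMULI = [
    ("handshake-only", b""),
    ("http-get", b"GET / HTTP/1.0\r\n\r\n"),
    ("enter", b"\r\n"),
    ("question-mark", b"?\r\n"),
    ("spaces", b"        \r\n"),
]


def service_name(port, proto="tcp"):
    """Look the port up in the local services database (/etc/services).
    'unknown' is itself a finding: there is no registered name to lean on."""
    try:
        return socket.getservbyport(port, proto)
    except (OSError, OverflowError):
        return "unknown"


def probe(host, port, stimuli=STIMULI, timeout=1.0, max_bytes=512):
    """One fresh connection per stimulus; record the first bytes returned.
    b'' means the service stayed silent or closed; None means no connection."""
    fingerprint = {}
    for label, payload in stimuli:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if payload:
                    s.sendall(payload)
                try:
                    data = s.recv(max_bytes)
                except socket.timeout:
                    data = b""
        except OSError:
            data = None
        fingerprint[label] = data
    return fingerprint


def start_lab_service(handler, wait=0.5):
    """Constructed stand-in for a service installed in the test lab: listens on
    127.0.0.1, waits briefly for input, answers with handler(request_bytes)
    and closes. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(wait)
                try:
                    request = conn.recv(512)
                except socket.timeout:
                    request = b""
                reply = handler(request)
                if reply:
                    conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def group_by_fingerprint(results):
    """Hosts whose port answers identically to every stimulus share a group.
    Many IPs in one group is a hint (not proof) that a single box or proxy is
    answering for all of them; confirm with timestamps or a sniffer."""
    groups = defaultdict(list)
    for host, fp in results.items():
        groups[tuple(sorted(fp.items()))].append(host)
    return sorted(sorted(hosts) for hosts in groups.values())


def demo():
    """Two constructed lab services: a web front-end on an odd port, and a
    tool that only speaks when it sees a '?'. Three 'IPs' (labels only, all
    loopback) point at them, two of them at the same service."""
    def web(req):
        return b"HTTP/1.0 200 OK\r\nServer: lab-web\r\n\r\n" if req.startswith(b"GET ") else b""

    def quiet(req):
        return b"lab-tool v0.1 ready\r\n" if req.strip() == b"?" else b""

    port_a, stop_a = start_lab_service(web)
    port_b, stop_b = start_lab_service(quiet)
    try:
        results = {
            "10.0.0.1": probe("127.0.0.1", port_a),
            "10.0.0.2": probe("127.0.0.1", port_a),
            "10.0.0.3": probe("127.0.0.1", port_b),
        }
    finally:
        stop_a()
        stop_b()
    return results, group_by_fingerprint(results)


if __name__ == "__main__":
    fps, groups = demo()
    for host, fp in fps.items():
        print(host, service_name(1863), {k: (v[:20] if v else v) for k, v in fp.items()})
    print("possible shared boxes:", groups)
```

Each stimulus gets its own connection so the answers do not contaminate each other, and a silent service is recorded as `b''` rather than treated as "nothing there": a port that only talks after a `?` (like the constructed `quiet` service) is exactly the kind of oddity the reply is warning about. The grouping step only says which hosts look alike; as the reply says, the conclusion that they are one box still needs timestamp evidence or a sniffer in the path.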
Current thread:
- Opne ports 1863 & 5910 - pentest tomright006 (Jul 08)
- RE: Opne ports 1863 & 5910 - pentest John Perea (Jul 08)
- RE: Opne ports 1863 & 5910 - pentest Shenk, Jerry A (Jul 08)
- Re: Opne ports 1863 & 5910 - pentest jlay (Jul 08)
- Re: Opne ports 1863 & 5910 - pentest Andrew Kuriger (Jul 08)
- RE: Opne ports 1863 & 5910 - pentest Gorgon Beast (Jul 08)
- Re: Opne ports 1863 & 5910 - pentest JiPi DiNi (Jul 08)
- Re: Opne ports 1863 & 5910 - pentest Campbell Murray (Jul 09)