List: dshield
Subject: Re: [Dshield] little experiment
From: Al Reust <areust () comcast ! net>
Date: 2005-03-01 21:02:22
Message-ID: 5.1.0.14.2.20050301115227.027a3060 () mail ! comcast ! net
Johannes
This is fairly interesting, what the test was looking through.
Netgear MR814v2, the firewall does "crappy" logs but is fairly good at
preventing unwanted things through.
What is displayed:
Browser ID : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Browser:Micro$oft Internet Exploder Version 6.0
Operating System:Windows 2000
This appears to come directly from what I would expect to see in the web
server logs (depending on what you are logging). The Nat'd IP was very good
note expected.
Done!
starting...
ICMP Test ("ping")
Your IP address does not respond to PING
Now testing TCP ports
Interesting ports on c-67-160-819-299.client.comcast.net (67.160.819.299):
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp open http Microsoft IIS webserver 5.0
113/tcp closed auth
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
6504/tcp filtered unknown
6667/tcp filtered irc
8080/tcp filtered http-proxy
41523/tcp filtered unknown
==> At this point it appears to be getting the only responder to state what
OS is running, this would be the firewall..
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.48%P=i386-redhat-linux-gnu%D=3/1%Time=4224BB04%O=80%C=21)
<snipped>
Nmap run completed -- 1 IP address (1 host up) scanned in 26.430 seconds
Now testing UDP ports
Note! This scanner tends to show firewalled UDP ports as open!
PORT STATE SERVICE VERSION
53/udp open domain?
137/udp open netbios-ns?
==> This is partially incorrect 53 is open 137 is filtered.
Nmap run completed -- 1 IP address (1 host up) scanned in 31.052 seconds
Trying to connect via Windows File sharing
Looking up status of 67.161.819.299
MAC Address = xx xx xx xx xx
end
At 06:53 PM 2/28/2005 -0500, you wrote:
>I set up a little experimental site that tries to do a couple simple
>security checks based on browser id and such, and a portscan. I do need a
>couple more people to see if it works / is helpful.
>
>http://www.amihacked.com is the URL. Let me know if it works or where it
>breaks. One of the goals is also to make some of the dshield information a
>bit more accessible. We already have the 'are you hacked' banner, but its
>a bit limited when it comes to the next step ("Why is the banner flashing
>at me?").
>
>thanks for any feedback.
R/
Al
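
Added example (not part of the original message or of the amihacked.com site): a small parser for port-table rows in the format quoted above that marks which reported states a reader can rely on, reflecting the scanner's own note about UDP and the 53/137 discrepancy. The sample rows are constructed in the quoted format, the function names are hypothetical, and treating a trailing "?" on the service name as "not identified by probing" is an assumption.

```python
import re

# Constructed sample rows in the port-table format quoted in the message above.
SAMPLE = """\
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp filtered ssh
80/tcp open http Microsoft IIS webserver 5.0
53/udp open domain?
137/udp open netbios-ns?
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text):
    """Return one dict per port-table row; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),  # assumption: "?" = not identified
            "version": version or "",
        })
    return rows

def confidence(row):
    """Rate how far a reported state can be trusted.

    A UDP port shows as "open" when no ICMP port-unreachable comes back,
    which a firewall that silently drops the probe also causes. Without an
    identified service, such a result is really "open or filtered".
    """
    if row["proto"] == "udp" and row["state"] == "open":
        if row["guessed"] or not row["version"]:
            return "unconfirmed (open or filtered)"
        return "confirmed"
    if row["state"] in ("open", "closed"):
        return "confirmed"  # TCP answered the probe either way
    return "filtered (no usable reply)"

def review(text):
    """Map (port, proto) to a confidence label for every parsed row."""
    return {(r["port"], r["proto"]): confidence(r) for r in parse_ports(text)}
```

Both UDP rows come out as unconfirmed, which matches the correction in the message: only a check from behind the firewall can tell the open port 53 from the filtered port 137.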