'Re: Interesting GUID'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       pen-test
Subject:    Re: Interesting GUID
From:       James Wright <jamfwright () gmail ! com>
Date:       2009-12-29 14:58:46
Message-ID: 769328c60912290658od6e0547j76e611208bd57ac6 () mail ! gmail ! com
[Download RAW message or body]

It may be MS RIS, as it uses client GUIDS as part of the
authentication to install MS operating systems.  Not sure if it sends
out it's own though.  A licensing server is a good guess, MS WDS may
be another possibility.


Thanks,
James


On Wed, Dec 23, 2009 at 4:47 PM, Jonathan Cran <jcran@0x0e.org> wrote:
> Judging by the lack of replies, you're sort of on your own here. It
> could be a licensing server, it could be some custom-build messaging
> system, it could just be injecting a little randomness into the
> universe *shrug*
> 
> amap probably isn't going to help in this case. i assume you've done
> fingerprinting on the box using nmap/nessus/nexpose?
> 
> Maybe try sequencing the GUIDs to identify any interesting patterns?
> 
> jcran
> 
> 
> On Sat, Dec 19, 2009 at 5:09 PM, Daniel Clemens
> <daniel.clemens@packetninjas.net> wrote:
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > 
> > While doing a pentest I ran across a service which responds with what looks to be \
> > a GUID. 
> > Example 1
> > Connection to x.x.x.x 35000 port [tcp/*] succeeded!
> > {8F418F3C-4530-4198-9988-8B6E8E646991}Q?,?,?w>f???)??
> > ?nX?W?EOL{8F418F3C-4530-4198-9988-8B6E8E646991}EOL
> > 
> > 
> > Example 2
> > 0000:  7b46 4641 3131 4334 442d 4437 4237 2d34    [ {FFA11C4D-D7B7-4 ]
> > 0010:  4139 312d 4146 4643 2d32 4133 3534 4143    [ A91-AFFC-2A354AC ]
> > 0020:  3331 4539 457d 1551 ab2c ae2c b077 3e66     [ 31E9E}.Q.,.,.w>f ]
> > 0030:  fbb8 cb29 02ab f30c fc6e 5816 1dd1 0400            [ ...).....nX..... ]
> > 0040:  0000 1800 0000 0400 0000 5786 0000 454f     [ ..........W...EO ]
> > 0050:  4c7b 4646 4131 3143 3444 2d44 3742 372d    [ L{FFA11C4D-D7B7- ]
> > 0060:  3441 3931 2d41 4646 432d 3241 3335 3441    [ 4A91-AFFC-2A354A ]
> > 0070:  4333 3145 3945 7d45 4f4c                                     [ C31E9E}EOL  \
> > ] 
> > 
> > Has anyone run across a service which act like the information provided above or \
> > could help in why or what a service responding with GUID information would be \
> > used for. (especially as an external service).
> > 
> > Any ideas would be appreciated.
> > 
> > > Daniel Uriah Clemens
> > > Packetninjas L.L.C | | http://www.packetninjas.net
> > > c. 205.567.6850      | | o. 866.267.8851
> > "Moments of sorrow are moments of sobriety"
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > -----BEGIN PGP SIGNATURE-----
> > 
> > iD8DBQFLLU8BlZy1vkUrR4MRAiQUAJ9hnh8Wrjrdb2PFl0/2tlsORxsUUACdFtzD
> > Zklf5QALah+nbM52KaGFf4U=
> > =e1IN
> > -----END PGP SIGNATURE-----
> > 
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Board
> > 
> > Prove to peers and potential employers without a doubt that you can actually do a \
> > proper penetration test. IACRB CPT and CEPT certs require a full practical \
> > examination in order to become certified. http://www.iacertification.org
> > ------------------------------------------------------------------------
> > 
> 
> --
> Jonathan Cran
> jcran@0x0e.org
> 515.890.0070
> 
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
> 
> Prove to peers and potential employers without a doubt that you can actually do a \
> proper penetration test. IACRB CPT and CEPT certs require a full practical \
> examination in order to become certified. 
> http://www.iacertification.org
> ------------------------------------------------------------------------
> 
> 

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a \
proper penetration test. IACRB CPT and CEPT certs require a full practical \
examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic