RE: Open portsAug 15 2008 11:16PM Shenk, Jerry A (jshenk decommunications com)
Check the ports on some of those "all open" IPs while running tcpdump or some other sniffer to capture the stimulus and response traffic and manually examine it. You might be looking at a 'tarpit' or perhaps a firewall that reports eveeything as open...some of the Symantec firewalls do that.
You might want to also compare traffic from some of these "all open" IPs with some others that have ports open and act more "normal". You would want to specifically look at IPids, ttls and window sizes. Other fields may be interesting also but this is what i'd look at first.
-----Original Message-----
From: "skynetonsecurity (at) gmail (dot) com [email concealed]" <skynetonsecurity (at) gmail (dot) com [email concealed]>
To: "pen-test (at) securityfocus (dot) com [email concealed]" <pen-test (at) securityfocus (dot) com [email concealed]>
Sent: 8/15/08 3:58 PM
Subject: Open ports
Hi Guys,
I am doing pen-testing for pool of IP's, During pen-test I observed that some IP's are giving all ports open i.e. 65535 in NMAP result & Nessus is giving empty result.
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
You might want to also compare traffic from some of these "all open" IPs with some others that have ports open and act more "normal". You would want to specifically look at IPids, ttls and window sizes. Other fields may be interesting also but this is what i'd look at first.
-----Original Message-----
From: "skynetonsecurity (at) gmail (dot) com [email concealed]" <skynetonsecurity (at) gmail (dot) com [email concealed]>
To: "pen-test (at) securityfocus (dot) com [email concealed]" <pen-test (at) securityfocus (dot) com [email concealed]>
Sent: 8/15/08 3:58 PM
Subject: Open ports
Hi Guys,
I am doing pen-testing for pool of IP's, During pen-test I observed that some IP's are giving all ports open i.e. 65535 in NMAP result & Nessus is giving empty result.
What could be the reason for this?
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
[ reply ]