From: p1g (killfactory@gmail.com)
Date: Thu Aug 23 2007 - 23:54:03 EDT
What John said.
Nessus can be used to determine this. You could write your own plugin to check.
PVS is nice.
On 8/23/07, John Lampe <jwlampe@tenablesecurity.com> wrote:
> Paul Melson wrote:
>
> > On 8/21/07, Tom Griffin <t.griffin@sheffield.ac.uk> wrote:
> >
> >>If I suspect that a particular port on a given host is listening for
> >>incoming Bittorrent data requests, is there a way I can prove it by
> >>means of a probe? I have attempted to find some protocol definition
> >>documentation so I can build a very basic script which will pretend to
> >>be another Bittorrent client to see how the application handles it, but
> >>I cannot find such detailed information.
> >>
> >>If anybody can help with this, it would be much appreciated.
> >
> >
> > How sure do you have to be? Personally, if I saw a host with port
> > 6881 listening, I would treat it as if it had BitTorrent running until
> > it was proven otherwise. You can try 'nmap -sV' to see if NMap can
> > identify the service listening, but if it is BitTorrent, NMap won't
> > identify it. It will fall back to a port number guess instead.
> >
> > Unfortunately, connecting to a BitTorrent peer port and getting
> > anything useful back requires knowing the hash of a torrent being
> > shared on that client, which is near impossible to guess. However, if
> > you can sniff traffic on this port, you should be able to positively
> > identify it as BitTorrent because it will contain the string
> > 'BitTorrent protocol' fairly early on in the packet data.
> >
>
> I know for a *fact* that it can be passively detected :-) We wrote a
> bunch of passive detection plugins for our PVS product.
>
> Actively, I was working on this same thing about a year or so ago. I
> was actually generating test cases for a bittorrent fuzzer and noted
> that if you sent up to (and including) 95 bytes of data to the peer port
> you got no response but if you sent 96 (and up) bytes, you got a
> response of varying byte length. I never had the time to track down
> why, what, etc....but, here is what I had to at least detect the
> service. Oh, and I only tested on a few bittorrent clients, so it might
> be product specific :-<
>
> port = 6881; # bittorrent
> #port = 63180; # mutorrent
>
>
> for (i=0; i<95; i++) {init = string(init, raw_string(rand() % 256));}
>
> for (i=0; i<96; i++) {req = string(req, raw_string(rand() % 256));}
>
>
> soc = open_sock_tcp(port);
>
> if (soc)
> {
> send(socket:soc, data:init);
> r1 = recv(socket:soc, length:65535, timeout:5);
> close (soc);
> }
>
> soc = open_sock_tcp(port);
>
> if (soc)
> {
> send(socket:soc, data:req);
> r2 = recv(socket:soc, length:65535, timeout:5);
> close (soc);
> }
>
> if ( (strlen(r1) == 0) && (strlen(r2) > 50) )
> security_hole(port);
>
>
>
>
>
> --
> John Lampe
> Senior Security Researcher
> TENABLE Network Security, Inc.
> jwlampe@{nessus.org,tenablesecurity.com}
> Tele: (410) 872-0555
> www.tenablesecurity.com
>
> Is your network TENABLE?
> ---------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
-- -p1g SnortCP ,,__ o" )~ oink oink ' ' ' ' If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:03 EDT