From: Josh Nunan (joshnunan123@yahoo.com)
Date: Tue Sep 14 2004 - 10:29:32 EDT
The following happened to me at work today... :s (IP addresses removed for obvious reasons.)

After SYN-scanning an IP block, I noticed that an IP address in the DNS records as a mail server did not have tcp/25 open... I telnet'd to it... and to my surprise there was an SMTP server sitting on port 25.

I've attached the relevant logs as tool output gets butchered when wrapped.

The box running nmap is a Gentoo / Linux-2.6.7 (grsecurity/pax) -- no NAT, simple (inbound) iptables rules.

Any idea what is happening here?

- Josh Nunan
my_box = hostname/ip address
remote_box = ip address
I telnet'd to it on port 25:
$ telnet remote_box 25
Trying remote_box...
Connected to remote_box.
Escape character is '^]'.
220 <removed> Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 14 Sep 2004 14:28:23 +0100
QUIT
221 2.0.0 <removed> Service closing transmission channel
Connection closed by foreign host.
... tried syn scanning it again ...
$ sudo nmap -sS -P0 -p 25 remote_box --packet_trace
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-14 14:04 GMT
SENT (0.0140s) TCP my_box:51278 > remote_box:25 S ttl=57 id=11229 iplen=40 seq=3329791464 win=2048
SENT (1.0140s) TCP my_box:51279 > remote_box:25 S ttl=58 id=32001 iplen=40 seq=3329857001 win=3072
Interesting ports on remote_box:
PORT STATE SERVICE
25/tcp filtered smtp
Nmap run completed -- 1 IP address (1 host up) scanned in 2.040 seconds
... and connect scanning ...
$ sudo nmap -sT -P0 -p 25 remote_box --packet_trace
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-14 14:04 GMT
CONN (0.0070s) TCP localhost > remote_box:25 => Operation now in progress
Interesting ports on remote_box:
PORT STATE SERVICE
25/tcp open smtp
Nmap run completed -- 1 IP address (1 host up) scanned in 0.055 seconds
!?!?!?!?!
tcpdump of connect-scan:
my_box ~ # tcpdump | grep remote_box
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
14:17:51.071324 IP my_box.35020 > remote_box.smtp: S 3252464103:3252464103(0) win 5840 <mss 1460,sackOK,timestamp 618217384[|tcp]>
14:17:51.106785 IP remote_box.smtp > my_box.35020: S 2154984799:2154984799(0) ack 3252464104 win 65535 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]>
14:17:51.106888 IP my_box.35020 > remote_box.smtp: . ack 1 win 5840 <nop,nop,timestamp 618217420 0>
14:17:51.107142 IP my_box.35020 > remote_box.smtp: R 1:1(0) ack 1 win 5840 <nop,nop,timestamp 618217420 0>
14:17:51.146028 IP remote_box.smtp > my_box.35020: P 1:132(131) ack 1 win 65535 <nop,nop,timestamp 5122340 618217420>
14:17:51.146068 IP my_box.35020 > remote_box.smtp: R 3252464104:3252464104(0) win 0
1267 packets captured
1353 packets received by filter
0 packets dropped by kernel
tcpdump of syn-scan:
my_box ~ # tcpdump | grep remote_box
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
14:18:41.748726 IP my_box.42450 > remote_box.smtp: S 356421039:356421039(0) win 1024
14:18:42.749153 IP my_box.42451 > remote_box.smtp: S 356486574:356486574(0) win 3072
516 packets captured
516 packets received by filter
0 packets dropped by kernel
Using another packet injector (hping2 has the most stupid syntax)...
my_box ~ # packit -t tcp -h -d remote_box -D 25 -F S
Mode: Packet Injection using device: eth0
-| SND 1 |------------------------------------------------------------------
Timestamp: 14:27:56.833388
TCP header: Src Port: 63004 Dst Port: 25 Flag(s): S
Window: 65535 Seqn: 1540860489
IP header: Src Address: my_box Dst Address: remote_box
TTL: 128 ID: 19915 TOS: 0x0 Len: 40
-| No Response From Peer |--------------------------------------------------
-| Packet Injection Statistics |--------------------------------------------
Injected: 1 Received: 0 Loss: 100.0% Bytes Written: 40 Errors: 0
The random source-port generator seems to be a little less biased towards lower ports, so I thought it might be dropping packets with a high source port...
my_box ~ # packit -t tcp -h -d remote_box -S 35020 -D 25 -F S
Mode: Packet Injection using device: eth0
-| SND 1 |------------------------------------------------------------------
Timestamp: 14:41:41.484670
TCP header: Src Port: 35020 Dst Port: 25 Flag(s): S
Window: 65535 Seqn: 782259597
IP header: Src Address: my_box Dst Address: remote_box
TTL: 128 ID: 15211 TOS: 0x0 Len: 40
-| No Response From Peer |--------------------------------------------------
-| Packet Injection Statistics |--------------------------------------------
Injected: 1 Received: 0 Loss: 100.0% Bytes Written: 40 Errors: 0
I don't geddit... if connect sends that SYN, remote_box sends an ACK....

Help??
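The captures quoted above do show one difference between the SYN that got a SYN/ACK and the ones that did not: the kernel-generated SYN from the connect scan carries TCP options (mss, sackOK, timestamp) and a 5840 window, while the nmap and packit SYNs carry no options at all. The following Python script is an added example, not part of the original post: it parses the tcpdump lines reproduced above and correlates each handshake-opening SYN with its window, its options, and whether a matching SYN/ACK was seen, so the comparison can be made from a capture rather than by eye.

```python
import re

# Constructed sample: the first three connect-scan lines and the two syn-scan
# lines quoted in the post above (hosts anonymised as in the original).
CONNECT_SCAN = """\
14:17:51.071324 IP my_box.35020 > remote_box.smtp: S 3252464103:3252464103(0) win 5840 <mss 1460,sackOK,timestamp 618217384[|tcp]>
14:17:51.106785 IP remote_box.smtp > my_box.35020: S 2154984799:2154984799(0) ack 3252464104 win 65535 <mss 1380,nop,wscale 0,nop,nop,timestamp[|tcp]>
14:17:51.106888 IP my_box.35020 > remote_box.smtp: . ack 1 win 5840 <nop,nop,timestamp 618217420 0>
"""
SYN_SCAN = """\
14:18:41.748726 IP my_box.42450 > remote_box.smtp: S 356421039:356421039(0) win 1024
14:18:42.749153 IP my_box.42451 > remote_box.smtp: S 356486574:356486574(0) win 3072
"""

# One tcpdump 3.x-style (non -v) TCP summary line: "ts IP src.sport > dst.dport: flags rest"
LINE = re.compile(r"^(\S+) IP (.+?)\.([^.\s]+) > (.+?)\.([^.\s]+): ([SRPFW.]+)(.*)$")


def parse_line(line):
    """Return a dict for a TCP summary line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, flags, rest = m.groups()
    win = re.search(r"\bwin (\d+)", rest)
    opts = re.search(r"<(.*)>", rest)
    options = []
    if opts:
        # the 68-byte snaplen truncated the options; drop tcpdump's "[|tcp]" marker and NOPs
        options = [o.replace("[|tcp]", "").strip() for o in opts.group(1).split(",")]
        options = [o for o in options if o and o != "nop"]
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "syn": "S" in flags, "ack": re.search(r"\back \d", rest) is not None,
            "win": int(win.group(1)) if win else None, "options": options}


def correlate_handshakes(capture):
    """For every handshake-opening SYN, report window, options and whether a SYN/ACK came back."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    report = []
    for p in pkts:
        if not p["syn"] or p["ack"]:
            continue  # skip SYN/ACKs, ACKs and RSTs; only initial SYNs are of interest
        replied = any(q["syn"] and q["ack"]
                      and (q["src"], q["sport"], q["dst"], q["dport"])
                      == (p["dst"], p["dport"], p["src"], p["sport"])
                      for q in pkts)
        report.append({"sport": p["sport"], "win": p["win"],
                       "options": p["options"], "syn_ack_seen": replied})
    return report
```

Running `correlate_handshakes` over a full `tcpdump -n` capture (rather than the grep'd excerpt) gives the same per-SYN table for every probe, which is the quickest way to confirm whether only option-less SYNs go unanswered.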
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT