[Dshield] little experiment

Al Reust areust at comcast.net
Tue Mar 1 21:02:22 GMT 2005


Johannes

This is fairly interesting, what the test was looking through.

Netgear MR814v2, the firewall does "crappy" logs but is fairly good at 
preventing unwanted things through.

What is displayed:
Browser ID : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Browser:Micro$oft Internet Exploder Version 6.0
Operating System:Windows 2000

This appears to come directly from what I would expect to see in the web 
server logs (depending on what you are logging). The Nat'd IP was very good 
note expected.

Done!
starting...

ICMP Test ("ping")

Your IP address does not respond to PING

Now testing TCP ports
Interesting ports on c-67-160-819-299.client.comcast.net (67.160.819.299):
PORT      STATE    SERVICE      VERSION
21/tcp    closed   ftp
22/tcp    filtered ssh
23/tcp    filtered telnet
80/tcp    open     http         Microsoft IIS webserver 5.0
113/tcp   closed   auth
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
6504/tcp  filtered unknown
6667/tcp  filtered irc
8080/tcp  filtered http-proxy
41523/tcp filtered unknown

==> At this point it appears to be getting the only responder to state what 
OS is running, this would be the firewall.

No exact OS matches for host (If you know what OS is running on it, see 
http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:
SInfo(V=3.48%P=i386-redhat-linux-gnu%D=3/1%Time=4224BB04%O=80%C=21)
<snipped>

Nmap run completed -- 1 IP address (1 host up) scanned in 26.430 seconds
Now testing UDP ports
Note! This scanner tends to show firewalled UDP ports as open!

PORT    STATE SERVICE     VERSION
53/udp  open  domain?
137/udp open  netbios-ns?

==> This is partially incorrect: 53 is open, 137 is filtered.

Nmap run completed -- 1 IP address (1 host up) scanned in 31.052 seconds
Trying to connect via Windows File sharing
Looking up status of 67.161.819.299

         MAC Address = xx xx xx xx xx

end



At 06:53 PM 2/28/2005 -0500, you wrote:
>I set up a little experimental site that tries to do a couple simple 
>security checks based on browser id and such, and a portscan. I do need a 
>couple more people to see if it works / is helpful.
>
>http://www.amihacked.com is the URL. Let me know if it works or where it 
>breaks. One of the goals is also to make some of the dshield information a 
>bit more accessible. We already have the 'are you hacked' banner, but it's 
>a bit limited when it comes to the next step ("Why is the banner flashing 
>at me?").
>
>thanks for any feedback.

R/

Al




