|
-
December 5th, 2003, 01:29 PM
#1
Member
interesting ports on a win2k box
root@0[knoppix]# nmap -vv -sS -p 1-65535 -O -P0 x.x.x.x
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2000-04-13 05:54 CEST
Host server.comp-utec.local (x.x.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against server.comp-utec.local (x.x.x.x) at 05:
54
Adding open port 40019/tcp
Adding open port 47624/tcp
Adding open port 135/tcp
Adding open port 1002/tcp
Adding open port 1720/tcp
Adding open port 1025/tcp
The SYN Stealth Scan took 7 seconds to scan 65535 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are f
irewalled
Interesting ports on server.comp-utec.local (x.x.x.x):
(The 65529 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp open msrpc
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1720/tcp open H.323/Q.931
40019/tcp open unknown
47624/tcp open unknown
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional
or Advanced Server, or Windows XP
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=2818%IPID=I%TS=0)
T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=random positive increments
Difficulty=10264 (Worthy challenge)
TCP ISN Seq. Numbers: 5FEFBAE8 5FF0D551 5FF1D081 5FF2EF5E 5FF405B4 5FF577B1
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 10.137 seconds
root@0[knoppix]#
thats a recent nmap on myself. i have found some of these ports very interesting and i did not see these ports open before. the thing is i have found these ports open on my scanning fro poxies that have proxy flooded an irc server. does anyone know anything about the following ports?
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1720/tcp open H.323/Q.931
40019/tcp open unknown
47624/tcp open unknown
box is win2k sp4 with all security patches enabled. running serv u ftp server as well but its not on now. i am also running DU Update to update my dyndns.
-
December 5th, 2003, 01:41 PM
#2
Member
this is an fport on the box:
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
396 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
824 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1026 TCP
588 svchost -> 3002 TCP C:\WINNT\System32\svchost.exe
588 svchost -> 3003 TCP C:\WINNT\System32\svchost.exe
588 svchost -> 3004 TCP C:\WINNT\System32\svchost.exe
552 DUService -> 40019 TCP C:\PROGRA~1\DIRECT~1\DUService.exe
588 svchost -> 53 UDP C:\WINNT\System32\svchost.exe
588 svchost -> 67 UDP C:\WINNT\System32\svchost.exe
588 svchost -> 68 UDP C:\WINNT\System32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
232 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
588 svchost -> 3001 UDP C:\WINNT\System32\svchost.exe
i have now mapped port 40019 to the DU Update service. the thing that is worrying me is that the ports 1002, 1720, 47624 do not show up in the fport. does anyone know off a good tool so that i can check exactly what protocol is running on a port?
-
December 5th, 2003, 02:18 PM
#3
Wassup:
Port 1720: H323 Call Setup:- Used by Netmeeting, video conferencing, CUSeeme uses it. It seems to negotiate a TCP port for H232 protocol, see here
Port 1002: ILS, (Internet Locator Service, the user directory) which is also used by Netmeeting.
Port 47624: Gamevoice?
They all seem to be associated with audio/video stuff. Got netmeeting or anything else going on that box?
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
December 5th, 2003, 02:45 PM
#4
1026 is task scheduler. Perfectly normal.
If you want to see what the generic svchost processes are associated with, install the tool pack from the W2K CD. The tool you want to use is called tlist. Trust me, you'll keep tlist handy once you use it.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
December 5th, 2003, 04:45 PM
#5
Member
thats the funny thing. i dont have any netmeeting or any of that stuff going on. my dad has net2phone running but thats on a box on our internal lan.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
