Question about a scan

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    48

    Question about a scan

    Doing a little "work" this evening, I came across the following:

    Port State Service
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    53/tcp open domain
    80/tcp open http
    135/tcp filtered loc-srv
    139/tcp filtered netbios-ssn
    443/tcp open https
    445/tcp filtered microsoft-ds
    593/tcp filtered http-rpc-epmap
    3306/tcp open mysql
    4444/tcp filtered krb524
    5555/tcp filtered freeciv
    6346/tcp filtered gnutella
    6666/tcp filtered irc-serv
    6699/tcp filtered napster
    8888/tcp filtered sun-answerbook

    This is from an educational institution, and a quick telnet to port 23 does in fact give you a login prompt.

    No big deal there, however the question I have is this:

    Port 6699 is designated as "napster." I haven't seen this one before. Is this because:

    1. It is a napster server?

    2. They know students will use napster, so designate a port for it?

    3. Have no clue, and someone has set up napster to run through the server while the admin(s) are oblivious?

    Any guesses? Has anyone seen this before?

    - aftiel

  2. #2
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Did you telnet to port 6699 and do a banner grab? It could be some other service just running on the same port that Napster normally does. Be forewarned, your ISP may get an email from the University asking why you are scanning them.

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    48
    I telnetted to 6699 but there was no response (i.e. no response to any keypress.)

    Telnet to port 21 however gives the standard USER / PASS requirement, and they are nice enough to have the HELP command working.

    There IS a Guest account active, but I have no interest in guessing or brute force. I'm not out to hack anything.

    I am aware that scanning can result in e-mails, and for the record, I don't hack, have never hacked, and will never hack a computer (outside of the comps on my own network.) But thank you for the reminder.

    I am just curious about napster having a (seemingly) dedicated port active on a school server.

    - aftiel

  4. #4
    Member
    Join Date
    Nov 2003
    Posts
    48
    I should have mentioned the server in question is running FreeBSD.

    - aftiel

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    either you found a newbie trying out their new box or you've discovered a honeypot.

    a fair way to grab banners with NetCat:

    echo quit |nc -vv -n <ipaddy> <ports>

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: Question about a scan

    6699/tcp filtered napster
    From man nmap:
    The result of running nmap is usually a list of interesting ports on
    the machine(s) being scanned (if any). Nmap always gives the port's
    "well known" service name (if any), number, state, and protocol. The
    state is either "open", "filtered", or "unfiltered". Open means that
    the target machine will accept() connections on that port. Filtered
    means that a firewall, filter, or other network obstacle is covering
    the port and preventing nmap from determining whether the port is open.

    Unfiltered means that the port is known by nmap to be closed and no
    firewall/filter seems to be interfering with nmap's attempts to determine
    this. Unfiltered ports are the common case and are only shown
    when most of the scanned ports are in the filtered state.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Member
    Join Date
    Nov 2003
    Posts
    48
    SirDice,

    Thanks for the reply. I understand perfectly well what filtered means, and perhaps I didn't phrase my original question very well.

    I was curious simply because I have never seen napster assigned to a port - open, closed, filtered, or otherwise.

    I recently saw a report where Universities are starting to address the problem of music downloads killing bandwidth. It was an interesting show.

    I wondered if this was a case where the school admin(s) had specifically set that port up for use with napster.

    If someone has seen this before, I'd be curious to know some details.

    Thanks again for all replies - much appreciated.


    - aftiel

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Well, it looks like they may have a default open policy (i.e. everything is allowed) and may have decided to only close the "most dangerous" ports on their firewall.

    The only reason nmap is reporting napster on that port is because it's defined as such in nmap-services (on my fbsd that's located in /usr/local/share/nmap). If you run napster on port 80, nmap will happily report an open 80/tcp http port even though napster is actually running on that port.

    Without the banner grabbing mentioned above you won't know for certain what the actual protocol is that's running on that port. Since port 6699 is filtered you cannot do a banner grab and therefore cannot be certain what's running; for all we know this port is closed (on the machine itself) and blocked by a firewall.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
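
The point made in post #8, as an added example that is not part of the original thread: the service column is a lookup keyed on the port number, and a filtered state says nothing about what, if anything, sits behind the filter. The services excerpt, the function names and the 31999 line are constructed for illustration.

```python
# Constructed lines in the "name port/proto" layout of nmap-services.
SERVICES_SAMPLE = """\
# constructed excerpt, not copied from a real nmap-services file
ftp      21/tcp
http     80/tcp
napster  6699/tcp   # a name attached to a number, nothing more
"""

# The header and first three results are from post #1; the last line is constructed.
SCAN_SAMPLE = """\
Port State Service
21/tcp open ftp
80/tcp open http
6699/tcp filtered napster
31999/tcp open unknown
"""

def load_services(text):
    """Map (port, proto) -> name; extra columns and comments are ignored."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            if port.isdigit():
                table[(int(port), proto)] = fields[0]
    return table

def interpret(scan_text, table):
    """Return (port, state, label, verdict) for each result line."""
    verdicts = {
        "open": "listening; label is a port-number guess until a banner confirms it",
        "filtered": "probe blocked; no evidence that any service runs here",
    }
    rows = []
    for raw in scan_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or "/" not in fields[0]:
            continue  # header or blank line
        port, proto = fields[0].split("/", 1)
        if not port.isdigit():
            continue
        label = table.get((int(port), proto), "unknown")
        rows.append((int(port), fields[1], label,
                     verdicts.get(fields[1], "state not covered by this sketch")))
    return rows

if __name__ == "__main__":
    for row in interpret(SCAN_SAMPLE, load_services(SERVICES_SAMPLE)):
        print("%5d  %-8s  %-8s  %s" % row)
```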
