General techniques for identifying an unknown service

I have a specific sample I’d like feedback on, but my view is an answer about general techniques is more valuable for this site. I’ll leave the details in, in case anyone googling this bumped into the same service.

My questions:

  1. What are general techniques and resources for identifying an unknown service, or something on a non-standard port that isn’t being talkative?

  2. Does the behaviour below ring a bell with anyone? (Are there steps I have missed to further identify the service?)

While on an engagement, we have encountered an open port, 10001.
As you might’ve guessed, as far as I can tell it does not respond to protocols usually used on that port. My search has not been completely exhaustive but I have fuzzed the first three bytes and found a response for the first byte.

Observations on my specific unknown service:

  • Speaks TCP

  • When sent a capital I (I\n), it responds with I213529 (last digits changed for privacy)

  • Messages seem to be null- and newline-terminated; anything other than those after the capital I does not affect the behaviour, but a null before it will impair the response.

  • nmap shows it as scp-config, and once as tcpwrapped

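One way to carry out the first-byte sweep described in the question above, as an added example that is not part of the original post: a small Python prober that opens a fresh connection per payload (so a probe that confuses the service cannot poison the next one), sends each single byte 0x00-0xFF followed by a newline, and records which ones draw a reply. Because the real target is not available offline, the block also starts a constructed mock service that reproduces only what the post reports (a message ending at the first NUL or newline, a reply of I213529 to a message that begins with a capital I, silence otherwise); the mock's address, port and any behaviour beyond that are assumptions, not facts about the real service.

```python
"""Probe an unknown TCP service and map which first bytes draw a response.

Added example, not from the original post. The mock service below is a
constructed stand-in for the behaviour the post describes; the real
service's other responses are unknown.
"""
import socket
import socketserver
import threading


def probe(host, port, payload, timeout=1.0):
    """Open a fresh connection, send one payload, and return whatever comes
    back (b"" on silence until the timeout, or if the peer closes first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


# Probes worth sending before fuzzing: bare line terminators, then a couple
# of protocol openers that talkative services tend to answer.
COMMON_PROBES = [
    b"\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
    b"HELP\r\n",
]


def sweep_first_byte(host, port, terminator=b"\n"):
    """Send every single byte followed by `terminator`, one connection per
    probe, and return {byte: response} for the bytes that got an answer."""
    hits = {}
    for b in range(256):
        resp = probe(host, port, bytes([b]) + terminator)
        if resp:
            hits[b] = resp
    return hits


class _MockHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in: a message ends at the first NUL or newline; a
    message beginning with 'I' is answered with 'I213529', anything else is
    dropped. The digits are arbitrary, as in the post."""
    REPLY = b"I213529\n"

    def handle(self):
        data = self.request.recv(1024)
        end = len(data)
        for t in (b"\x00", b"\n"):          # whichever terminator comes first
            i = data.find(t)
            if i != -1:
                end = min(end, i)
        if data[:end][:1] == b"I":
            self.request.sendall(self.REPLY)
        # returning closes the socket, so a silent probe sees EOF, not a hang


def start_mock_service():
    """Start the mock on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_mock_service()
    try:
        for p in COMMON_PROBES:
            print(p, "->", probe("127.0.0.1", port, p))
        for b, resp in sweep_first_byte("127.0.0.1", port).items():
            print(f"first byte 0x{b:02x} ({chr(b)!r}) -> {resp!r}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real target, replace the mock with the host and port under test and keep the one-connection-per-probe structure; the short timeout is what makes a 256-probe sweep tolerable, and a service that answers some probes only after a delay will need it raised. Once a byte draws a reply, the same loop extended to the second and third positions (fixing the first byte to the hit) is the natural next step.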

Ideal Security Settings to avoid DDoS/Buffer Overflow/SYN Flood attacks [on hold]

I am dealing with security issues, and while my router is on a medium setting for blocking, I would like to be able to game PvP online and/or not have to worry about Denial-of-service attacks on a daily basis. I am on a Mac (10…

How to analyse packets sent by controller in Wireshark?

I want to mimic a replay attack on a PR402 controller. I connected my computer to this controller via a TCP/IP <-> Serial bridge and I would like to analyse the packets sent between the computer and the controller.

First of all, I send a “Disarm the system” command from the software provided by the vendor and capture these packets in Wireshark. What I would like to do is capture this packet, find out how and where this command is located in the packet, and perform a replay attack by sending a generated frame to the controller. I am new to Wireshark and I am not sure how to begin analysing these packets; I focused on the interface that is connected to the controller and have a few commands captured.

To be more specific, these are (to my knowledge) the steps I need to perform:

  • Capture data with Wireshark
  • Analyse them, dump to a file
  • Generate proper packet/frame
  • Transfer it to the controller and achieve disarming system

Could anyone give me a tip or recommendation on what I should do next to achieve the goals listed above? I am not sure how to capture this data to a file and then transfer it to the controller. If it helps to see any more Wireshark screenshots or the connection configuration, just let me know and I will post them.
I have uploaded 2 captures. These are just some packets from running the same command, “Disarm system”. I found that packets 1 to 8 on the first screen and 2 to 9 on the other have the same length, and I think this is where the “Disarm system” command was transmitted. Let me know if this is the right direction of analysis.
[Wireshark capture: Disarm System]

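The four steps listed in the question (capture, analyse and dump, generate the frame, send it to the controller) carried through in Python, as an added example that is not part of the original post and not the PR402's protocol: it reads a classic libpcap file saved from Wireshark, pulls the TCP payloads out of every data-carrying segment, ranks the payloads sent towards the controller by how often they recur (a command issued several times from the vendor software shows up as several identical segments, which is the same-length pattern the poster noticed), and replays the chosen bytes over a fresh connection. The capture embedded at the bottom is constructed so the block runs offline; its addresses, ports and command bytes are made up for illustration.

```python
"""Pull TCP payloads out of a pcap, spot the repeated command, replay it.

Added example, not from the original post. The controller address, port and
the command bytes below are constructed stand-ins, not the PR402's real
protocol, which the post does not show.
"""
import socket
import struct
from collections import Counter


def iter_tcp_payloads(pcap):
    """Yield (src, dst, payload) for each data-carrying TCP segment in a
    little-endian classic pcap file with Ethernet framing (Wireshark's
    'pcap' save format, as opposed to pcapng)."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian classic pcap file")
    if struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24                                   # skip the 24-byte file header
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 + TCP only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        doff = (tcp[12] >> 4) * 4
        payload = tcp[doff:]
        if payload:
            sport, dport = struct.unpack("!HH", tcp[:4])
            yield (f"{socket.inet_ntoa(ip[12:16])}:{sport}",
                   f"{socket.inet_ntoa(ip[16:20])}:{dport}", payload)


def command_candidates(pcap, controller):
    """Payloads sent *to* the controller, most frequent first, as a list of
    (payload, count). Repeating one command N times in the vendor software
    should make it surface with count N."""
    c = Counter(p for _, dst, p in iter_tcp_payloads(pcap) if dst == controller)
    return c.most_common()


def replay(host, port, payload, timeout=2.0):
    """Send the captured bytes over a fresh connection; return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


# --- constructed capture for offline use (checksums left zero; the parser
#     above never checks them) ---
def _frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x01" * 6 + b"\x08\x00" + ip + tcp + payload


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


PC, CTRL = ("192.0.2.10", 40001), ("192.0.2.20", 5000)   # constructed addresses
DISARM = b"\x02\x01D\x03"    # constructed command bytes, not the real protocol
ACK = b"\x02\x01O\x03"
SAMPLE_PCAP = _pcap([
    _frame(*PC, *CTRL, DISARM), _frame(*CTRL, *PC, ACK),
    _frame(*PC, *CTRL, DISARM), _frame(*CTRL, *PC, ACK),
    _frame(*PC, *CTRL, b"\x02\x01S\x03"), _frame(*CTRL, *PC, ACK),
])

if __name__ == "__main__":
    for payload, n in command_candidates(SAMPLE_PCAP, f"{CTRL[0]}:{CTRL[1]}"):
        print(f"seen {n}x towards controller: {payload!r}")
    # against a live controller: replay(CTRL[0], CTRL[1], DISARM)
```

The ranking step is what separates the command from the surrounding traffic: save a capture in which the disarm command was issued several times and nothing else was clicked, and the payload with the highest count towards the controller is the one to replay. Whether the replay actually disarms the system is the test of the protocol itself: if the controller answers with something other than the acknowledgement seen in the capture, the frame likely carries a sequence number, timestamp or checksum that the bridge or controller checks, and that field has to be located by diffing the repeated segments byte by byte.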