[Full-disclosure] Exploiting a Worm

Subject: [Full-disclosure] Exploiting a Worm
Date: Tue, 13 Sep 2005 22:17:37 +0000
Hi list,

I'm pentesting a client's network and I have found a Windows NT4 machine with TCP ports 620 and 621 open.

When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs.

According to what I have found, this behaviour would mean the presence of the Agobot worm.

A full TCP scan revealed the following result:

(The 29960 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
25/tcp    open     smtp
80/tcp    filtered http
113/tcp   open     auth
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
554/tcp   open     rtsp
621/tcp   open     unknown
622/tcp   open     unknown
1028/tcp  open     unknown
1031/tcp  open     iad2
1036/tcp  open     unknown
1720/tcp  filtered H.323/Q.931
1755/tcp  open     wms
4600/tcp  open     unknown
5400/tcp  filtered pcduo-old
5403/tcp  filtered unknown
5554/tcp  filtered unknown
5800/tcp  open     vnc-http
5900/tcp  open     vnc
6999/tcp  filtered unknown
8080/tcp  open     http-proxy
9996/tcp  filtered unknown
10028/tcp filtered unknown
10806/tcp filtered unknown
12278/tcp filtered unknown
14561/tcp filtered unknown
16215/tcp filtered unknown
17076/tcp filtered unknown
18420/tcp filtered unknown
18519/tcp filtered unknown
19464/tcp filtered unknown
20738/tcp filtered unknown
25717/tcp filtered unknown
25950/tcp filtered unknown
28974/tcp filtered unknown

I have checked the open ports and none of them seems to be the worm FTP server or anything useful related to the worm. Some ports allow input but don't reply with anything...

Does anyone know a way to exploit this worm to get access to the system?

Thanks in advance,
Ian


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
