Help me with these two ports!

Post by Lyecdevf »

I have done some port scanning and I came across two sites with some odd ports. Nmap did not know what they are and I also could not connect to them with my web browser.

Code:

10000/udp open          unknown?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port10000-UDP:V=4.76%I=7%D=4/23%Time=49F13401%P=i686-pc-windows-windows
SF:%r(RPCCheck,10,"0\.0\.0\.0:13007:1:")%r(DNSVersionBindReq,10,"0\.0\.0\.
SF:0:13007:1:")%r(DNSStatusRequest,10,"0\.0\.0\.0:13007:1:")%r(SNMPv1publi
SF:c,10,"0\.0\.0\.0:13007:1:")%r(SNMPv3GetRequest,10,"0\.0\.0\.0:13007:1:"
SF:)%r(xdmcp,10,"0\.0\.0\.0:13007:1:")%r(AFSVersionRequest,10,"0\.0\.0\.0:
SF:13007:1:");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: FreeBSD 6.X
OS details: FreeBSD 6.1-RELEASE - 6.2
Network Distance: 7 hops

2222/tcp open  unknown?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port2222-TCP:V=4.76%I=7%D=4/24%Time=49F1394B%P=i686-pc-windows-windows%
SF:r(GetRequest,61,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20https://91\.
SF:185\.193\.144:2222\r\nContent-type:\x20text/html\r\n\r\nuse\x20https\r\
SF:n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|firewall|telecom-misc
Running (JUST GUESSING) : FreeBSD 6.X (96%), OpenBSD 4.X (96%), FON Linux 2.4.X (88%), IPCop Linux 2.4.X (88%), Linux 2.4.X (87%), Avaya Linux 2.6.X (87%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (96%), OpenBSD 4.3 (96%), FON La Fonera WAP running OpenWrt w/Linux kernel 2.4.32 (88%), IPCop firewall 1.4.10 - 1.4.18 (Linux 2.4.31 - 2.4.34) (88%), OpenWrt 7.09 (Linux 2.4.34) (87%), Avaya Communication Manager (Linux 2.6.11) (87%)
No exact OS matches for host (test conditions non-ideal).
IP ID Sequence Generation: Busy server or unknown class

Post by DNR »

It could be a server hosting proprietary services, a PBX, some sort of exchange. The only thing left I would try is to see if you can get a banner or packet. You can run a packet sniffer on your box and try to get a response from the port - the packet can contain info. Also I know you used your web browser, but try a telnet as well.

Scan the IP range, make a network map of all the devices on that network, maybe you'll put the pieces together and the strange server will make more sense then.

DNR

Post by Radar_mX »

Check suck-o port list on home page


Post by bad_brain »

hm, I don't know what scan options you used, but only connect scans provide reliable results...the more stealth you go the less reliable the results (or the more general and therefore useless).

if you want reliable results you should do a connect scan and probe the services with max. intensity:

Code:

nmap -PN -sT -sV --version-all <IP here>

but well, there is also a negative side: such a scan is far away from being stealth. OS detection is not really necessary imo when using the options above, because if there is a service that can be identified it will allow conclusions about the OS...and if there is no service at all an OS detection would be too unreliable anyway.

:wink:
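The fingerprints in the first post already hold the raw replies that version detection collected from each port. As an added example (not code from this thread or from Nmap), the script below unwraps the 2222/tcp fingerprint and decodes the response; the function names are my own, and the escape handling is an assumption that covers the forms visible in this thread plus `\t` and `\0`.

```python
import re

# Fingerprint for 2222/tcp, copied from the first post (Nmap wraps it onto "SF:" lines).
FINGERPRINT = r'''
SF-Port2222-TCP:V=4.76%I=7%D=4/24%Time=49F1394B%P=i686-pc-windows-windows%
SF:r(GetRequest,61,"HTTP/1\.1\x20302\x20Found\r\nLocation:\x20https://91\.
SF:185\.193\.144:2222\r\nContent-type:\x20text/html\r\n\r\nuse\x20https\r\
SF:n");
'''

_SIMPLE = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}
_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.S)
_PROBE = re.compile(r'%r\(([^,]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)', re.S)

def unescape(data):
    """Turn the escaped response text (\\x20, \\r, \\.) back into raw bytes."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3:                      # \xHH
            return chr(int(tok[1:], 16))
        return _SIMPLE.get(tok, tok)           # \r \n \t \0, else the literal char
    return _ESCAPE.sub(repl, data).encode("latin-1")

def parse_fingerprint(text):
    """Unwrap the SF lines and return port, protocol and each probe's response."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("SF")]
    joined = "".join(l[3:] for l in lines)     # drop the "SF-" / "SF:" prefixes
    port, proto = re.match(r"Port(\d+)-(TCP|UDP):", joined).groups()
    probes = {}
    for name, hexlen, raw in _PROBE.findall(joined):
        body = unescape(raw)
        # Field 2 is the response length in hex; a mismatch means a mangled paste.
        probes[name] = {"declared": int(hexlen, 16), "data": body,
                        "complete": len(body) == int(hexlen, 16)}
    return {"port": int(port), "proto": proto, "probes": probes}

def http_redirect(data):
    """Return (status_code, Location) if the response is an HTTP redirect, else None."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status = re.match(r"HTTP/\d\.\d (\d{3})", head)
    location = re.search(r"^Location:\s*(\S+)", head, re.I | re.M)
    if status and location and status.group(1).startswith("3"):
        return int(status.group(1)), location.group(1)
    return None

if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT)
    for name, probe in fp["probes"].items():
        print(fp["port"], fp["proto"], name, probe["complete"], http_redirect(probe["data"]))
```

For the 2222/tcp fingerprint this reports a complete 97-byte reply to the GetRequest probe: an HTTP 302 whose Location header points to https on the same port.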
