[Pauldotcom] Service Fingerprinting

Thu Dec 9 16:26:40 UTC 2010

Netstat -ano will let you tie the listener to a PID.

On Dec 9, 2010, at 10:25 AM, "Kevin Shaw" <kevin.lee.shaw at gmail.com<mailto:kevin.lee.shaw at gmail.com>> wrote:

Perhaps you should run a netstat on the identified host. I would suggest seeing what is running on that system to determine what may be listening.

On Dec 9, 2010 9:01 AM, "Craig Freyman" <<mailto:craigfreyman at gmail.com>craigfreyman at gmail.com<mailto:craigfreyman at gmail.com>> wrote:
> I have not found any details on tcp 8474 anywhere. I've tried all nmap scans
> and didnt have any luck. Just tried amap, still nothing. Thanks for the
> ideas, I'll keep at it.
>
> -C
>
> On Wed, Dec 8, 2010 at 10:59 AM, Kevin Shaw <<mailto:kevin.lee.shaw at gmail.com>kevin.lee.shaw at gmail.com<mailto:kevin.lee.shaw at gmail.com>>wrote:
>
>> Amap has already been pointed out; but I would run an nmap scan a second
>> time and see if it still shows up. The port may have been open and not
>> necessarily a listening service and responded to the SYN packet; try some
>> other TCP flags and see what response you get. You've looked online, at
>> dhsield, etc. already?
>> On Dec 8, 2010 10:17 AM, "Dan King" <<mailto:xxsegfaultxx at gmail.com>xxsegfaultxx at gmail.com<mailto:xxsegfaultxx at gmail.com>> wrote:
>> > Try using amap[1]. It does a pretty good job at throwing data at services
>> to
>> > figure out what is running. It also comes with amapcrap which throws
>> random
>> > data at a service trying to force a response.
>> >
>> > [1] <http://freeworld.thc.org/thc-amap/> http://freeworld.thc.org/thc-amap/
>> >
>> > On Wed, Dec 8, 2010 at 11:56 AM, Craig Freyman <<mailto:craigfreyman at gmail.com>craigfreyman at gmail.com<mailto:craigfreyman at gmail.com>
>> >wrote:
>> >
>> >> I'm trying to identify what service is running on a specific port, tcp
>> >> 8474. Here's what I've tried:
>> >>
>> >> - nmap -sV -p8474 --version-all x.x.x.x
>> >> - telnet to the port - I get nothing
>> >> - browse to it with a web browser - I get nothing
>> >>
>> >> Nmap does tell me that the port is open though.
>> >> 8474/tcp open unknown
>> >>
>> >> The only thing I know about the server is that it is a Windows box.
>> >>
>> >> Is there anything else I can do to identify this service?
>> >>
>> >>
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> <mailto:Pauldotcom at mail.pauldotcom.com> Pauldotcom at mail.pauldotcom.com<mailto:Pauldotcom at mail.pauldotcom.com>
>> >> <http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: <http://pauldotcom.com> http://pauldotcom.com
>> >>
>> >
>> >
>> >
>> > --
>> > I live in a world of cold steel and dungeons and mighty foes...
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> <mailto:Pauldotcom at mail.pauldotcom.com> Pauldotcom at mail.pauldotcom.com<mailto:Pauldotcom at mail.pauldotcom.com>
>> <http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: <http://pauldotcom.com> http://pauldotcom.com
>>
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com<mailto:Pauldotcom at mail.pauldotcom.com>
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: <http://pauldotcom.com> http://pauldotcom.com

******************************************************************************
This email contains confidential and proprietary information and is not to be used or disclosed to anyone other than the named recipient of this email, 
and is to be used only for the intended purpose of this communication.
******************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20101209/d3ba4f77/attachment.htm 