
I have a specific sample I'd like feedback on, but my view is an answer about general techniques is more valuable for this site. I'll leave the details in, in case anyone googling this bumped into the same service.

My questions:

  1. What are general techniques and resources for identifying an unknown service, or something on a non-standard port that isn't being talkative?

  2. Does the behaviour below ring a bell with anyone? (Are there steps I have missed to further identify the service?)

While on an engagement, we have encountered an open port, 10001. As you might've guessed, as far as I can tell it does not respond to protocols usually used on that port. My search has not been completely exhaustive but I have fuzzed the first three bytes and found a response for the first byte.

Observations on my specific unknown service:

  • Speaks TCP

  • When sent a capital I followed by a newline (I\n), it responds with I211568 \x00 \x00

  • Messages seem to be null- and newline-terminated; anything other than those after the capital I does not affect the behaviour, but a null before it will impair the response.

  • nmap shows it as scp-config, once as tcpwrapped

EDIT:

Turns out it was the Remote Port of a Swann DVR

J.A.K.
  • I appreciate that you prefaced your question with "this is general", which helps, but I think you have a "too broad and too narrow" question. At the beginning, you have "how to fuzz any service", which is broad, then your example doesn't leave us with much to work with in terms of a specific help. – schroeder Feb 13 '17 at 07:46
  • Thank you for the feedback, this is a feeling I got as well when typing the question. Do you see a way of rewording it to make it fit better? – J.A.K. Feb 13 '17 at 09:53

1 Answer


I think what you're asking (in hindsight) is Port Independent Protocol Identification (PIPI), a method for detecting a well-known (published as an RFC) application-layer protocol or a dark protocol (such as malware, a covert backdoor, etc.) being served on a non-standard port. Indeed, that's what researchers of protocol obfuscation, malware (and anti-malware) developers and IDS/IPS teams ponder all the time. The goal in part is to identify the application without relying on the layer-4 port numbers. There are two techniques widely used in IDSs:

  1. Statistical analysis of the traffic within a connection
  2. Locating protocol-specific byte patterns in the connection's payload

Do read this white paper for a full explanation.

In your particular case you could:

  1. Customize the nmap-service-probes file to add a new service signature based on the observations from your specific unknown service.
  2. Consider writing a Wireshark dissector once you have gathered enough reliable details about the protocol behaviour, such as packet size, communication pattern, idiosyncrasies in the payload and the like.
  • Thank you for the effort, I appreciate the edits and references you've added. I will definitely look into writing a dissector now I know what it is. – J.A.K. Feb 17 '17 at 09:40
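As an added illustration of the two PIPI techniques named in the answer (byte-pattern matching and per-connection statistics) and of the nmap-service-probes customisation it suggests, the following Python is example code written for this page, not code from the answerer or from the Nmap project. The `I\n` probe, the `I211568 \x00 \x00` response and port 10001 come from the question; the service label `unknown-dvr`, the probe name `DVRStatus` and the HTTP/SSH sample banners are constructed assumptions. The matcher anchors its pattern at the start of the payload, which is why the observation that a leading null breaks the response also shows up as a non-match here.

```python
"""Minimal Port Independent Protocol Identification (PIPI) example.

Technique 1 (statistics) and technique 2 (payload byte patterns) from the
answer, plus a renderer for an nmap-service-probes Probe/match stanza.
Service label, probe name and the HTTP/SSH banners are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str      # service label reported on a match (assumed, not an official nmap name)
    probe: bytes   # bytes sent to elicit a response; b"" means "just read the banner"
    pattern: bytes # regex applied to the response, anchored at the first byte


# Signature table. The I\n probe and its response are the observations from the
# question; the other two entries are constructed well-known banners.
SIGNATURES = [
    Signature("http", b"GET / HTTP/1.0\r\n\r\n", rb"^HTTP/1\.[01] \d{3}"),
    Signature("ssh", b"", rb"^SSH-\d\.\d-"),
    Signature("unknown-dvr", b"I\n", rb"^I\d+ \x00 \x00"),
]


def identify(probe_sent: bytes, response: bytes) -> Optional[str]:
    """Technique 2: locate a protocol-specific byte pattern in the payload.

    The TCP port is deliberately not an input: identification depends only on
    what was sent and what came back, which is the point of PIPI.
    """
    for sig in SIGNATURES:
        if sig.probe == probe_sent and re.match(sig.pattern, response, re.DOTALL):
            return sig.name
    return None


def payload_stats(response: bytes) -> dict:
    """Technique 1: coarse statistical features of one response.

    Useful for triage before a signature exists: text or binary, how the
    messages are terminated, how long they are.
    """
    printable = sum(1 for b in response if 32 <= b < 127)
    return {
        "length": len(response),
        "printable_ratio": round(printable / len(response), 2) if response else 0.0,
        "nul_terminated": response.endswith(b"\x00"),
        "newline_terminated": response.endswith(b"\n"),
    }


def _escape(raw: bytes) -> str:
    """Escape bytes the way nmap-service-probes q|...| strings expect."""
    out = []
    for c in raw:
        if c == 0x0A:
            out.append("\\n")
        elif c == 0x0D:
            out.append("\\r")
        elif 32 <= c < 127 and c != 0x7C:   # printable and not the '|' delimiter
            out.append(chr(c))
        else:
            out.append(f"\\x{c:02x}")
    return "".join(out)


def nmap_probe_entry(sig: Signature, probe_name: str, ports: str) -> str:
    """Render a Signature as a Probe/ports/match stanza in nmap-service-probes
    syntax, ready to append to a customised copy of that file."""
    return "\n".join([
        f"Probe TCP {probe_name} q|{_escape(sig.probe)}|",
        f"ports {ports}",
        f"match {sig.name} m|{sig.pattern.decode('ascii')}|",
    ])


if __name__ == "__main__":
    observed = b"I211568 \x00 \x00"          # response quoted in the question
    print(identify(b"I\n", observed))         # unknown-dvr
    print(payload_stats(observed))
    print(nmap_probe_entry(SIGNATURES[2], "DVRStatus", "10001"))
```

The rendered stanza is the piece you would drop into a local copy of nmap-service-probes so that the next scan of port 10001 reports the custom label instead of scp-config or tcpwrapped; the regex in the `match` line is the same one the matcher used, so the two stay in sync.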