I am trying to get access to one of the machines in my lab. It has 2 TCP ports that I am highly suspecting, which are:

  • port 25 tcp
  • port 111 tcp

For port 25, it is supposed to be running SMTP; however, I think that it is running a service other than SMTP, since nmap and the Metasploit auxiliary SMTP scanner were not able to identify the SMTP service version. I also tried connecting manually using nc -nvv x.x.x.x 25 but got nothing, not even a single response or word!

For port 111, it was identified as

111/tcp open  rpcbind
|  rpcinfo:  
|  100000 2-4     111/udp rpcbind
|  100024 1     57299/udp status
|  100000 2-4     111/tcp rpcbind
|_ 100024 1     46912/tcp status

I searched for public exploits for rpcbind and found nothing other than a "DoS" exploit. I also tried the following command to get a clearer picture, but nothing comes back!

attacker:~# rpcinfo -p x.x.x.x
program vers  proto  port
100000    4   tcp    111  portmapper
100000    3   tcp    111  portmapper
100000    2   tcp    111  portmapper
100000    4   udp    111  portmapper
100000    3   udp    111  portmapper
100000    2   udp    111  portmapper
100024    1   udp  57299  status
100024    1   tcp  46912  status

Any thoughts on how to find a way in? Or a way to identify a service that is running on a non-standard port, like port 25 here?

Ahmed Taher
  • When you connect with netcat, try typing HELO foo. The service may simply be hiding its banner. – John Deters Nov 07 '13 at 19:49
  • Tried already but nothing returns. I even tried GET / HTTP/1.0 and nothing useful either! – Ahmed Taher Nov 07 '13 at 19:54
  • Dang. Looks like you'll have to find the process that's bound to the port, and start taking it apart. Hint: when you find the process, take an MD5 hash of it and google for it. Someone may have already identified it. – John Deters Nov 07 '13 at 19:59
  • Maybe try prefacing a request with a small integer. Many people write protocols that begin with the length of the message to follow. – John Deters Nov 07 '13 at 20:03
  • When you say "nc -nvv x.x.x.x 25 but got nothing", did the remote host close the connection? Some email servers, as a grey-listing rule, impose a long delay between each character sent to an unknown IP; maybe that's the case here? – WhiteWinterWolf Nov 08 '13 at 09:23

1 Answer

Thanks guys for your help! Strangely, I was able to identify what is running on that port just by opening this netcat connection "nc -nvv x.x.x.x 25" and waiting for a while without any interaction with the victim. After doing this, the banner popped up and it was running Sendmail.

It seems that it has been configured to slow the response to prevent automated scanners from identifying what is running on that port.

Ahmed Taher
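Added example, not from the question, the comments or the answer above: a loopback listener that, like an MTA with a greeting pause, sends its 220 banner only after a delay, and a probe that shows why a scanner with a short timeout sees nothing while a connection left open long enough gets the banner. The hostname and version string in the banner are constructed, not captured from the asker's host.

```python
import socket
import threading
import time

# Constructed greeting modelled on a Sendmail banner; not captured from the asker's host.
FAKE_BANNER = b"220 mail.example.test ESMTP Sendmail 8.14.4/8.14.4; Thu, 7 Nov 2013 19:49:00 GMT\r\n"

def start_delayed_banner_server(delay, banner=FAKE_BANNER):
    """Listen on a loopback port and send the banner only after `delay` seconds,
    imitating an MTA greeting pause: a client that gives up earlier sees nothing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def handle(conn):
        with conn:
            time.sleep(delay)
            try:
                conn.sendall(banner)
            except OSError:
                pass  # client already gave up, as an impatient scanner would

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def grab_banner(host, port, timeout):
    """Connect, send nothing, and wait up to `timeout` seconds for the first line.
    Returns (banner, seconds_waited); banner is None if the server stayed silent."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(512)
    except socket.timeout:
        return None, time.monotonic() - start
    return data.decode("ascii", "replace").strip(), time.monotonic() - start

def is_sendmail_banner(banner):
    """True if the SMTP greeting (RFC 5321 '220 <domain> [text]') names Sendmail."""
    return banner is not None and banner.startswith("220") and "sendmail" in banner.lower()

if __name__ == "__main__":
    port = start_delayed_banner_server(delay=2.0)
    quick, t1 = grab_banner("127.0.0.1", port, timeout=0.5)   # scanner-style: gives up early
    patient, t2 = grab_banner("127.0.0.1", port, timeout=10)  # what the asker did with nc
    print(f"0.5 s probe: {quick!r} after {t1:.1f} s")
    print(f"10 s probe : {patient!r} after {t2:.1f} s, sendmail={is_sendmail_banner(patient)}")
```

The same probe with a generous timeout, pointed at your own MTA, is a quick way to confirm that a greeting pause is in effect and how long it is.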