TCP connect instead of Telnet ?

Discussion in 'Trojan Defence Suite' started by Pierre, Apr 24, 2003.

Thread Status:
Not open for further replies.
  1. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    Hi,

    I've tried "tcp connect" with domain name instead of IP...
    It seems to work, am I wrong ?


    I've done this because I haven't been able to use telnet for several months now... Is it possible that an ISP refuses a telnet request ? or maybe I'm just :p or paranoid ?

    I was testing Port explorer possibilities and asked for http://www.diamondcs.com.au/portexplorer/spytest.htm
    with GET /portexplorer/spytest.htm HTTP/1.0
    and had the "whoopsie page" :eek: from
    http://www.wiredcity.com.au

    Where was I wrong ?

    Thanx in advance, friendly regards to all of U !!!
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Pierre,
    welcome here!

    I'm not able to answer all your questions, but some reactions here:

    It works indeed with TCP connect to give the domain name. Easy huh?

    Could be ISPs block telnet, not sure how/why or if it's seen as illegal use.

    Found the test page, i'll ask the DCS guys to help us with this.

    Which windows version are you using?
     
  3. Krustyman

    Krustyman Guest

  4. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    hi krustyman,

    was just trying Telnet www.diamondcs 80, following PE help( Socket Spy: Packet-sniffing with Port Explorer)...
    So I did run TDS TCP connect instead of telnet to follow my PE testing but...it seems I've missed the target ;) .

    Thanx for info about 'Windows 2000 Telnet Client NTLM Authentication' Vulnerability...wonder what isn't vulnerable :(

    The point is that I don't understand why I can't use it now ('cause I know it was possible several months ago...) , just curiosity !!!! :D

    friendly regards...
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    could you make sure you've been tcp-connected to the correct IP? In other words, first resolve www.diamondcs.com.au in TDS and then use that IP in the TCP Connect... thing. ...and also try to access that test page in your web browser replacing the dns name with the IP you got...

    Andreas

    ...just tried the IP-in-browser thing right now and got the whoopsie page too - it could be that DCS's ISP catches all requests that are not request-by-dns's but rather request-by-IP. I know that this is one of the tricks to secure a webserver...
     
  6. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    Bonjour Jooske,

    Glad to read you again...
    I try to manage with my old Windows Me ;)
    The same version that gave me the pleasure to meet,
    in the forum, a good number of you because of famous port 5000
    and ssdpsrv ;) ( when TDS3 was released instead of TDS2...)

    Thanx for confirmation about DNS with TCP connect, I wonder why I'm
    surprised, Diamond's team have always done a good job with their softw... :D
    maybe I'd have a special price on next soft to buy...)

    friendly
     
  7. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    hi Andreas,

    thanx for your answer, I've exactly done what you've tested...
    Note that resolving diamondcs.com.au ,the NS= 203.161.127.131 = wiredcity.com.au where we got the whoopsie page.

    so TCP connect did the same query with DNS and IP...Question: what the browser did differently with IP and DNS ?

    Last and most important : when could I do this PE help test: "Example 1: Capturing a request to retrieve a webpage" just a joke :D

    thanx
     
  8. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    just a suspicion: On the whoopsie page there are mentioned several reasons for accidentally getting there (404 etc). One of them is something like "your browser doesn't support the HOST header. That can happen with some older browsers". Now i would assume if there ever was an "old-browser-behaviour", this is what tcp-connect/telnet expose.
    So you could use PE to monitor the correctly-working browser session and inspect the captured data a bit more closely (look for something with HOST in it)... And i suppose you would then have to formulate your request differently or in two steps (GET after some "HOST"-handshake or something like it).
    Andreas
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm not familiar with telnet at all, so find it hard to try and run into more problems.
    For instance: when i run that telnet www.diamondcs.com.au 80 command i get an empty telnet page, nothing on it, so i am not sure to be anywhere or not. OK, the www dcs is in the titlebar.
    Looking in PE, i don't see the necessary process/socket to open the spy on it.
    Typing that GET /portexplorer/spytest.htm HTTP/1.0 in that empty telnet page gives after the two enters a page running by on high speed which i can't grab to read what's on it and in the end i see something with HOST and the pagename Pierre mentions and a popup telling session disconnected. The only possibility is to click that message, with which the text in the page disappears; if somebody knows a way to catch that page at easy read slow speed i'd be grateful as all the description on the test site doesn't work for me at all.
    As i could not get the socket to spy on i have of course nothing in my spybin.
    Maybe all this is related to running win98se instead of the NT series, but other processes do show up in the PE.
    An alternative should be look in TDS > System Analysis > Process list and hunt there for the telnet process and get its PID there and type that in the PE socketspy; that option should work, but this is still apart from the page we get and which we should get.
    Unfortunately adding the PID manually i don't get any spy packets even though at adding the PID it is asked properly so no typos...... and i have seen the process ID properly in the socket spy but no packets......
    Hmmm so i don't get the test to work for my system in any way. I did make sure the packets were not disabled, but no results. Might work only after a fresh reboot, as it's win98se.............
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Pierre, good to see you back finally! What kept you so long in the hidden?
    Really should see the DCS forums too, with the TDS private registered operators only still hidden while the other parts of the DCS forums are open for public and where the special goodies are announced and available!
    We just finished betatesting the AutostartViewer, a free nice tool certainly worth getting and looking at your system.
     
  11. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    well , Jooske...

    I had no real problems running TDS3 and honestly quite busy at work...
    That's the first reason of this long absence. 2nd reason is that , unfortunately, I'm not an expert ... I just can offer poor help ! and many
    people in forum can offer much more than I'm able to ! But I'm improving my knowledge (my first computer was a TI994A ;) ), slowly but surely... :D

    By the way, thanx for your help with the 'minus sign' in PE socket spy manually...
    bye for now, friendly
    pierre
     
  12. Pierre

    Pierre Registered Member

    Joined:
    Apr 22, 2003
    Posts:
    16
    Andreas,

    PE spying browser gave:

    with "diamondcs.com.au"

    GET/HTTP/1.1..Accept:image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-powerpoint,application/vnd.ms-excel,application/msword,application/x-shockwave-flash,*/*..Accept-Language:fr..Accept-Encoding:gzip,deflate..User-Agent:Mozilla/4.0(compatible;MSIE6.0;Windows98;Win9x4.90;KITV4Wanadoo)..Host:www.diamondcs.com.au..Connection:Keep-Alive..Cookie:bblastvisit=1051177523;PHPSESSID=6861cdf62fbbb3c256e17ffde831c683....


    HTTP/1.1200OK..Date:Fri,25Apr200312:51:07GMT..Server:Apache..X-Powered-By:pHP/4.0.6..Expires:Thu,19Nov198108:52:00GMT..Cache-Control:no-store,no-cache,must-revalidate,post-check=0,pre-check=0..Pragma:no-cache..Keep-Alive:timeout=15,max=100..Connection:Keep-Alive..Transfer-Encoding:chunked..Content-Type:text/html....e89..<html>.<!--Copyright(C)2002,DiamondComputerSystemsPty.Ltd.(http://www.diamondcs.com.au)-->.<head><title>DiamondCS-Leaderinantitrojan,antiwormandothersecurity&detectiontechnologies(TDSTrojanDefenceSuite,Wormguard,PortExplorer,andmore...)</title


    and with the resolved IP:

    GET/HTTP/1.1..Accept:image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,application/vnd.ms-powerpoint,application/vnd.ms-excel,application/msword,application/x-shockwave-flash,*/*..Accept-Language:fr..Accept-Encoding:gzip,deflate..User-Agent:Mozilla/4.0(compatible;MSIE6.0;Windows98;Win9x4.90;KITV4Wanadoo)..Host:203.161.127.141..Connection:Keep-Alive....

    HTTP/1.1200OK..Date:Fri,25Apr200312:46:30GMT..Server:Apache..Last-Modified:Tue,22Oct200206:49:16GMT..ETag:"1bc81-147c-3db4f4ec"..Accept-Ranges:bytes..Content-Length:5244..Keep-Alive:timeout=15,max=100..Connection:Keep-Alive..Content-Type:text/html....<!DOCTYPEHTMLPUBLIC"-//W3C//DTDHTML4.0Transitional//EN">....<html>..<head>..<title>Whoopsie!Page</title>


    Back to TCP connect instead of telnet, I was supposed to telnet diamondcs.com.au 80 and then to use the command line: GET /portexplorer/spytest.htm HTTP/1.0
    In each case (NS or IP) : whoopsie page obtained... just wonder why, because www.diamondcs.com.au/portexplorer/spytest.htm is a correct URL.

    Maybe the command line is wrong, really don't know why it doesn't work... :p
     
  13. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Pierre,
    see the
    ..Host:www.diamondcs.com.au..
    in what you sent?

    You have to put that somehow in your page request. Was the captured session really a display of the /portexplorer/spytest.htm page or just the dcs homepage?
    If it was a capture of the spytest page then i know no further because i don't see where the exact page is requested. If it was just DCS homepage, open the spytest page in your browser and capture that. Then we should see how exactly the browser requests that page (where the relative path has to be entered).

    HTH,
    Andreas
     
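The point Andreas makes above, and what Pierre's two Port Explorer captures show, is name-based virtual hosting: one IP address serves several sites and the web server picks the site from the Host header, so a hand-typed "GET /path HTTP/1.0" with no Host line (or a Host line that is just the IP) lands on the server's default site. The following is an added example to illustrate that behaviour; it is not code from the thread, from DiamondCS or from Port Explorer. It runs a constructed, local stand-in virtual-host server on 127.0.0.1 and sends the three kinds of raw request discussed in the thread exactly as telnet or TDS "TCP Connect" would; the site name www.example-site.test, the page body and the "Whoopsie" default page are all constructed placeholders.

```python
import socket
import socketserver
import threading

# Constructed stand-in for a name-based virtual host: this IP serves one
# named site; anything else (no Host, unknown Host, or a bare IP in Host)
# falls through to the server's default "whoopsie" page.
SITES = {
    "www.example-site.test": {
        "/portexplorer/spytest.htm": "<html>spytest page</html>",
    },
}
DEFAULT_BODY = "<html><head><title>Whoopsie! Page</title></head></html>"


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, path, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def route(raw: bytes) -> str:
    """Choose the response body the way a name-based virtual host does."""
    _method, path, _version, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0]   # drop an optional :port
    site = SITES.get(host)
    if site is None:          # missing Host, unknown name, or a bare IP
        return DEFAULT_BODY
    return site.get(path, "<html>404</html>")


class VHostHandler(socketserver.StreamRequestHandler):
    def handle(self):
        raw = b""
        while b"\r\n\r\n" not in raw:      # read until the blank line ends the head
            line = self.rfile.readline()
            if not line:
                return
            raw += line
        body = route(raw).encode()
        self.wfile.write(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                         b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)
                         + body)


def start_server():
    """Start the constructed virtual-host server on an ephemeral local port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_request(port: int, request: str) -> str:
    """Send a hand-typed request over a plain TCP socket and return the body."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request.encode())
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n\r\n", 1)[1].decode()


def compare_requests():
    """Replay the three request styles from the thread against the local server."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        no_host = "GET /portexplorer/spytest.htm HTTP/1.0\r\n\r\n"
        with_host = ("GET /portexplorer/spytest.htm HTTP/1.1\r\n"
                     "Host: www.example-site.test\r\n\r\n")
        host_is_ip = ("GET /portexplorer/spytest.htm HTTP/1.1\r\n"
                      "Host: 127.0.0.1\r\n\r\n")
        return {
            "no_host": raw_request(port, no_host),
            "with_host": raw_request(port, with_host),
            "host_is_ip": raw_request(port, host_is_ip),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, body in compare_requests().items():
        print(f"{name:11s} -> {body}")
```

Only the request that carries the site name in a Host line reaches the spytest page; the HTTP/1.0 request with no Host and the request with the bare IP both get the default page, which is exactly the difference between the browser capture and the telnet session in the thread. When checking a server by hand, send "GET /path HTTP/1.1", a "Host: name" line and then an empty line, or the server cannot tell which of its sites you mean.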