Pwnd2Pwnr Posted July 6, 2013

I was running ettercap on a client's business network and found these remote hosts... are any of these a great concern? I know that Kerberos encryption is being used... but what about the others? I just found this strange... how about you guys?

Network Information
==================================================
IP address : 18.85.44.59
OrgName: Massachusetts Institute of Technology
OrgId: MIT-2
Address: Room W92-167
Address: 77 Massachusetts Avenue
City: Cambridge
StateProv: MA
PostalCode: 02139-4307
Country: US
RegDate:
Updated: 2012-04-27
Ref: http://whois.arin.net/rest/org/MIT-2
DISTANCE : 17
TYPE : REMOTE host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : UDP 123 | ntp []
NOTES ON CONNECTION: http://www.speedguide.net/ip/18.85.44.59
==================================================
==================================================
IP address : 24.124.0.251
OrgName: WideOpenWest Finance LLC
OrgId: WOPW
Address: 1674 Frontenac Rd
City: Naperville
StateProv: IL
PostalCode: 60563
Country: US
RegDate: 2002-04-10
Updated: 2012-01-12
Ref: http://whois.arin.net/rest/org/WOPW
NOTES ON CONNECTION: http://www.speedguide.net/ip/24.124.0.251 , http://www.bloomberg.com/news/2012-07-12/wideopenwest-sells-1-02-billion-of-debt-to-finance-knology-deal.html
end
start
CustName: Sunflower Broadband
Address: 1 Riverfront Plaza
Address: Suite 301
City: Lawrence
StateProv: KS
PostalCode: 66044
Country: US
RegDate: 2006-03-31
Updated: 2013-03-19
Ref: http://whois.arin.net/rest/customer/C01318887
end
DISTANCE : 12
TYPE : REMOTE host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : UDP 123 | ntp []
==================================================
==================================================
IP address : 155.101.3.114
OrgName: University of Utah
OrgId: UNIVER-15-Z
Address: University of Utah
Address: Netcom
Address: 585 Komas
City: Salt Lake City
StateProv: UT
PostalCode: 84108
Country: US
RegDate: 2010-05-13
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/UNIVER-15-Z
NOTES ON CONNECTION: http://ip.robtex.com/155.101.3.114.html
DISTANCE : 16
TYPE : REMOTE host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : UDP 123 | ntp []
==================================================
==================================================
IP address : 199.7.51.72
Hostname : ocsp.verisign.com
DISTANCE : 16
TYPE : REMOTE host
FINGERPRINT : 1FFE:05B4:FF:WS:0:0:1:0:A:2C
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS : Novell NetWare 3.12 - 5.00
PORT : TCP 80 | http []
==================================================
==================================================
IP address : 199.7.52.72
Hostname : evsecure-ocsp.verisign.com
DISTANCE : 17
TYPE : REMOTE host
FINGERPRINT : 1FFE:05B4:FF:WS:0:0:1:0:A:2C
OPERATING SYSTEM : unknown fingerprint (please submit it)
NEAREST ONE IS : Novell NetWare 3.12 - 5.00
PORT : TCP 80 | http []
==================================================
==================================================
IP address : 208.53.158.34
OrgName: FDCservers.net
OrgId: FDCSE
Address: 141 W Jackson Blvd. #1135
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US
RegDate: 2003-05-20
Updated: 2012-03-28
Ref: http://whois.arin.net/rest/org/FDCSE
DISTANCE : 10
TYPE : REMOTE host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : UDP 123 | ntp []
==================================================
j4k3 Posted July 6, 2013

I really mean no offense by this post, so forgive me if I come across as an asshole. If you have to ask the question you just did, you really shouldn't be jacked into a client's network without supervision by someone with a much better understanding, especially if you're playing with packets. Even those of us who have a good understanding of the workings of what we're playing with bring stuff down from time to time, and I'd question your ability to put something right should you click the wrong button and hijack HSRP or cause a spanning tree loop or some other madness.

Now the bit you were after:

PORT : UDP 123 | ntp []
PORT : TCP 80 | http []

Judging by this, I'd assume those boxes are NTP and HTTP servers. NTP is Network Time Protocol; lots of applications utilize it, so it's not a big deal. HTTP is a standard web server port. Could just be someone browsing the internet. If you have any concerns about these (a lot of botnet C&Cs are HTTP nowadays), then my suggestion would be a proper analysis with Wireshark or something else which will allow you to see the packets.

Hope this helps. :)
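A defender-side triage of a host dump like the one in the first post, added here as an example and not code from the thread: it parses the ettercap-style records, accounts for the connections j4k3 identifies as routine (NTP on UDP 123, and HTTP on TCP 80 to the two OCSP responders in the dump, which is a browser checking certificate revocation), and leaves everything else on a list of hosts worth a Wireshark capture. The baseline of "expected" services and the third record (a made-up host on the TEST-NET-3 address 203.0.113.5) are assumptions, not something the thread states.

```python
"""Triage an ettercap-style remote-host dump (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same layout as the dump quoted in the first post.
# The first two records are copied from that post (trimmed to the fields used
# here); the third is made up and uses a TEST-NET-3 address (RFC 5737) so it
# cannot refer to a real host.
SAMPLE_DUMP = """\
==================================================
IP address : 18.85.44.59
OrgName: Massachusetts Institute of Technology
DISTANCE : 17
TYPE : REMOTE host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : UDP 123 | ntp []
==================================================
==================================================
IP address : 199.7.51.72
Hostname : ocsp.verisign.com
DISTANCE : 16
TYPE : REMOTE host
FINGERPRINT : 1FFE:05B4:FF:WS:0:0:1:0:A:2C
OPERATING SYSTEM : unknown fingerprint (please submit it)
PORT : TCP 80 | http []
==================================================
==================================================
IP address : 203.0.113.5
DISTANCE : 9
TYPE : REMOTE host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : TCP 80 | http []
PORT : TCP 443 | https []
==================================================
"""


@dataclass
class RemoteHost:
    ip: str
    hostname: Optional[str] = None
    org: Optional[str] = None
    # (protocol, port, service name as ettercap labelled it)
    ports: List[Tuple[str, int, str]] = field(default_factory=list)


SEPARATOR = re.compile(r"^=+[ \t]*$", re.M)
IP_RE = re.compile(r"^IP address\s*:\s*(\S+)", re.M)
HOSTNAME_RE = re.compile(r"^Hostname\s*:\s*(\S+)", re.M)
ORG_RE = re.compile(r"^OrgName:[ \t]*(.+?)[ \t]*$", re.M)
PORT_RE = re.compile(r"^PORT\s*:\s*(TCP|UDP)\s+(\d+)\s*\|\s*(\S+)", re.M)


def parse_host_dump(text: str) -> List[RemoteHost]:
    """Split the dump on its '====' separator lines; one RemoteHost per record."""
    hosts: List[RemoteHost] = []
    for block in SEPARATOR.split(text):
        ip = IP_RE.search(block)
        if not ip:
            continue  # the empty gap between two consecutive separator lines
        host = RemoteHost(ip=ip.group(1))
        if (m := HOSTNAME_RE.search(block)):
            host.hostname = m.group(1)
        if (m := ORG_RE.search(block)):
            host.org = m.group(1)
        host.ports = [(p, int(n), svc) for p, n, svc in PORT_RE.findall(block)]
        hosts.append(host)
    return hosts


# Assumed baseline (not the thread's): traffic a workstation is expected to
# generate without further explanation. NTP is routine, as j4k3 notes; HTTP to
# the OCSP responders from the dump is a browser checking certificate status.
EXPECTED_UDP = {(123, "ntp")}
EXPECTED_HTTP_HOSTNAMES = {"ocsp.verisign.com", "evsecure-ocsp.verisign.com"}


def unexplained_ports(host: RemoteHost) -> List[str]:
    """Return the host's connections that the baseline does not account for."""
    leftovers: List[str] = []
    for proto, port, svc in host.ports:
        if proto == "UDP" and (port, svc) in EXPECTED_UDP:
            continue
        if proto == "TCP" and port in (80, 443) and host.hostname in EXPECTED_HTTP_HOSTNAMES:
            continue
        leftovers.append(f"{proto}/{port} {svc}")
    return leftovers


def triage_report(text: str) -> Dict[str, List[str]]:
    """Map each IP with unexplained traffic to its ports: these are the hosts
    worth a packet capture before drawing any conclusion about them."""
    return {h.ip: u for h in parse_host_dump(text) if (u := unexplained_ports(h))}


if __name__ == "__main__":
    for ip, ports in triage_report(SAMPLE_DUMP).items():
        print(f"{ip}: review {', '.join(ports)}")
```

The point of the allow-list is that it is explicit and small: an unnamed host on TCP 80 drops out of the "routine web browsing" bucket precisely because nothing identifies it, which is the case j4k3 says deserves a look at the packets rather than a guess from the port number.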
newbi3 Posted July 6, 2013

Pwnd, I should have asked you yesterday: is this from a client machine, a server, or the whole network?
Pwnd2Pwnr (Author) Posted July 6, 2013

LOL... it has been a forts age since I have been on the server end... so I am kicking off some rust.

j4k3: I have a great understanding of how things work (and I know better than to mess with a switch's spanning tree). I merely watched outgoing traffic. No harm done. I thoroughly research everything before I touch anything. I know you did not mean to come across like a jerk; but I do know my way around a network. I am just asking the community if there would be something that I should be on the lookout for... because only the wise learn from others :). I did not set up the server... but their machine was riddled with rogueware and malware. I am just doing some recon.

Newbi3: This is on a client machine... I got to see what the jack a** did to their server... but it is a mess. It has warning logs backed up for days... errrr....
j4k3 Posted July 7, 2013

Malware don't need Coffee ;) https://www.volatilesystems.com/default/volatility

Should pique your interest; you can do some awesome stuff with it.