[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] TCP ports 1025-1030 and DCOM exploit

To: <full-disclosure@lists.netsys.com>
Subject: [Full-Disclosure] TCP ports 1025-1030 and DCOM exploit
From: "Edward W. Ray" <support@mmicman.com>
Date: Sun, 10 Aug 2003 10:27:47 -0700

I have found that the RPC service in Windows also uses TCP ports 1025-1030
for communication with domain controllers (DCs).  I found this out by
accident by blocking ports in my Windows 2003 domain and observing failed
RPC connectivity using netdiag command on clients.  I also observed attempts
at connection on TCP port 1025.

Once I added TCP port 1025 to my list of allowed ports and ran netdiag, a
connection on the DC port 1025 and the client (higher port number) was
established.

Is this another possible attack vector?  I have not had time to test it
myself, which is why I am asking.

Regards,

Edward W. Ray
SANS GCIA, GCIH

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: +++++SPAM+++++ [Full-Disclosure] TCP ports 1025-1030 and DCOM exploit; false positive
  - From: "Edward W. Ray" <support@mmicman.com>

Prev by Date: Re: [Full-Disclosure] Ankit Fadia bullshit?
Next by Date: RE: +++++SPAM+++++ [Full-Disclosure] TCP ports 1025-1030 and DCOM exploit; false positive
Prev by thread: Re: [Full-Disclosure] Cox is blocking port 135 - off topic
Next by thread: RE: +++++SPAM+++++ [Full-Disclosure] TCP ports 1025-1030 and DCOM exploit; false positive
Index(es):
- Date
- Thread