echo: nthelp
to: Gregg N
from: Rich Gauszka
date: 2004-05-28 13:25:16
subject: Re: Default network ports for Windows XP

From: "Rich Gauszka" 

This may help

http://www.security-forums.com/forum/viewtopic.php?p=81959
NCACN = Network Computing Architecture Connection

NCACN strings are RPC protocol sequences within Windows that are used to issue RPC calls. For example, the following are valid ncacn protocol sequences:

ncacn_ip_udp (RPC over UDP - port 135 (UDP))
ncacn_ip_tcp (RPC over TCP - port 135 (TCP))
ncacn_np (RPC over named pipes, via SMB)
ncacn_http (RPC over HTTP)

Through that port 6001 that you've found, you can issue RPC calls and requests using the ncacn_http protocol sequence. A tool that you should use to work out that's there is Todd Sabin's RPCtools package, available from:

http://razor.bindview.com/tools/desc/rpctools1.0-readme.html


  "Gregg N"  wrote in message news:40b76b8f$1{at}w3.nls.net...
  I am not sure if I am running with the best arguments and switches, but the output of rpcdump and portqry are listed below. It looks like port 1025 is being used by something called NCACN

  RPCDUMP

------------------------------------------------------------------------------

  C:\Program Files\Resource Kit>rpcdump /i /v
  Querying Endpoint Mapper Database...

  9 registered endpoints found.

  Collecting Data....  This may take a while.

            0    10   20   30   40   50   60   70   80   90  100
            |----|----|----|----|----|----|----|----|----|----|
            ...................................................

  ProtSeq:ncacn_ip_tcp
  Endpoint:1025
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncacn_ip_tcp:192.168.50.99[1025]
  UUID:0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncacn_ip_tcp
  Endpoint:1025
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncacn_ip_tcp:192.168.50.99[1025]
  UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncacn_ip_tcp
  Endpoint:1025
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncacn_ip_tcp:192.168.50.99[1025]
  UUID:1ff70682-0a51-30e8-076d-740be8cee98b
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncalrpc
  Endpoint:OLE3
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncalrpc:[OLE3]
  UUID:0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncalrpc
  Endpoint:OLE3
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncalrpc:[OLE3]
  UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncalrpc
  Endpoint:OLE3
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncalrpc:[OLE3]
  UUID:1ff70682-0a51-30e8-076d-740be8cee98b
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncacn_np
  Endpoint:\PIPE\atsvc
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncacn_np:\\\\IONET2A[\\PIPE\\atsvc]
  UUID:378e52b0-c0a9-11cf-822d-00aa0051e40f
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncacn_np
  Endpoint:\PIPE\atsvc
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncacn_np:\\\\IONET2A[\\PIPE\\atsvc]
  UUID:1ff70682-0a51-30e8-076d-740be8cee98b
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  ProtSeq:ncacn_np
  Endpoint:\PIPE\atsvc
  NetOpt:
  Annotation:
  IsListening:YES
  StringBinding:ncacn_np:\\\\IONET2A[\\PIPE\\atsvc]
  UUID:0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
  ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT
  VersMajor 1  VersMinor 0

  rpcdump completed sucessfully after 1 seconds

  PORTQRY

------------------------------------------------------------------------------

  C:\PortQryV2>portqry -n 127.0.0.1 -e 135

  Querying target system called:

   127.0.0.1

  Attempting to resolve IP address to a name...


  IP address resolved to localhost

  querying...

  TCP port 135 (epmap service): LISTENING

  Using ephemeral source port
  Querying Endpoint Mapper Database...
  Server's response:

  UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
  ncacn_np:\\\\IONET2A[\\PIPE\\atsvc]

  UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
  ncalrpc:[OLE3]

  UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
  ncacn_ip_tcp:127.0.0.1[1025]

  UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
  ncacn_np:\\\\IONET2A[\\PIPE\\atsvc]

  UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
  ncalrpc:[OLE3]

  UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
  ncacn_ip_tcp:127.0.0.1[1025]

  UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
  ncacn_np:\\\\IONET2A[\\PIPE\\atsvc]

  UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
  ncalrpc:[OLE3]

  UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
  ncacn_ip_tcp:127.0.0.1[1025]

  Total endpoints found: 9


  ==== End of RPC Endpoint Mapper query response ====


------------------------------------------------------------------------------


  Gregg

  "Rich"  wrote in message news:40b6cfac$1{at}w3.nls.net...
     For RPC there is an endpoint mapper that is queried to find the endpoints supported for the service to which you want to connect if that service is even available.

     I just noticed another tool called portqry or portqryv2 that will give you the RPC endpoint info.  See http://support.microsoft.com/default.aspx?scid=kb;en-us;832919.  I've not tried the v2 but the original will give you the RPC info if you query port 135 which is the end point mapper port.

  Rich

  "Gregg"  wrote in message news:Xns94F7B52ADED9gregginvalidinvalid{at}216.144.1.254...
  "Rich"  wrote in news:40b6c1d4{at}w3.nls.net:

  >    You appear to have still not tried the Microsoft tool to which I
  >    referred you.

  I admit I haven't, probably due to fear of the unfamiliar, but I will try it tomorrow when I get in. I guess I was not sure what I would be looking for when using it, and I thought I would first see what I could find with more familiar tools.

  >    As for being documented, dynamically assigned ports would not be
  >    documented by port number as the allocation is just that, dynamic.
  >    The ranges used, if this is RPC, are well documented.

  I don't understand the concept of listening on dynamically allocated ports. How does a potential client know on which port to connect if the port is not known a priori? Is this information communicated over a separate well-known port?

  Thanks,

  Gregg
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267
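
An added example, not part of the original thread: a small parser for endpoint mapper output in the portqry layout quoted above, which groups interface UUIDs by the endpoint they are registered on and separates remotely reachable transports from local-only ncalrpc. The sample input is constructed from the shape of the quoted output, and the names REMOTE, parse_epmap and remote_exposure are hypothetical.

```python
import re
from collections import defaultdict

# Transports reachable from another host; ncalrpc is local inter-process only.
REMOTE = {"ncacn_ip_tcp": "tcp", "ncacn_np": "smb-pipe", "ncacn_http": "http"}
UUID_RE = re.compile(
    r"^UUID:\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")
BIND_RE = re.compile(r"^(\w+):([^\[]*)\[([^\]]+)\]$")  # protseq:netaddr[endpoint]

# Constructed sample in the layout of the portqry output quoted in the thread;
# the last UUID deliberately has no binding line (truncated capture).
SAMPLE = r"""
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
ncacn_np:\\\\IONET2A[\\PIPE\\atsvc]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncalrpc:[OLE3]

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ncacn_ip_tcp:127.0.0.1[1025]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
ncacn_ip_tcp:127.0.0.1[1025]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f
"""

def parse_epmap(text):
    """Return (uuid, protseq, netaddr, endpoint) tuples; skip UUIDs with no binding."""
    entries, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = UUID_RE.match(line)
        if m:
            pending = m.group(1).lower()
            continue
        b = BIND_RE.match(line)
        if b and pending:
            entries.append((pending, b.group(1), b.group(2), b.group(3)))
        pending = None
    return entries

def remote_exposure(entries):
    """Map each remotely reachable endpoint to the interface UUIDs behind it."""
    exposed = defaultdict(set)
    for uuid, protseq, _addr, endpoint in entries:
        if protseq in REMOTE:
            exposed[(REMOTE[protseq], endpoint)].add(uuid)
    return {key: sorted(uuids) for key, uuids in exposed.items()}

if __name__ == "__main__":
    for (kind, ep), uuids in sorted(remote_exposure(parse_epmap(SAMPLE)).items()):
        print(f"{kind:9} {ep:16} {len(uuids)} interface(s): {', '.join(uuids)}")
```

Grouping by endpoint shows at a glance that several interfaces share the one dynamically allocated TCP port, which is what a firewall rule for that port would cover.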

SOURCE: echomail via fidonet.ozzmosis.com
