Solved

Cannot connect to service on Windows Host

Posted on 2014-03-04
Last Modified: 2014-03-14
I am trying to connect to a service on a Windows 7 host running on port 2210 ("The Dude") as well as UDP 161 (SNMP). Netstat on the Windows machine says it is listening on those ports on all addresses:

C:\Users\VIDEOCAST>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:445            VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:554            VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:2210           VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:2211           VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:2869           VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:5900           VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:5938           VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:7112           VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:10243          VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:30761          VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:49152          VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:49153          VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:49154          VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:49155          VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:49161          VIDEOCAST:0            LISTENING
  TCP    0.0.0.0:49167          VIDEOCAST:0            LISTENING
  TCP    127.0.0.1:5939         VIDEOCAST:0            LISTENING

Similar for the UDP Listeners

But probes from outside find the port closed:

aga@jaga-Desktop:/etc/nagios3/conf.d$ nmap videocast

Starting Nmap 5.21 ( http://nmap.org ) at 2014-03-04 09:12 EST
Nmap scan report for videocast (192.168.0.109)
Host is up (0.0090s latency).
rDNS record for 192.168.0.109: VIDEOCAST.local
Not shown: 987 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  unknown
5900/tcp  open  vnc
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49161/tcp open  unknown
49167/tcp open  unknown

Windows firewall is disabled and I have tried disabling antivirus. Please advise.

-JG
Question by:Jeff swicegood

13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39903837
Is the host you ran nmap from on the same IP subnet as the target host?
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 39903961
Yes, definitely.
 
LVL 57

Expert Comment

by:giltjr
ID: 39904394
I would run Wireshark on both computers you are testing with to make sure the packets are leaving and arriving correctly.

On the linux box (at least it looks like linux) you can just run tcpdump and then copy the file to someplace that has wireshark.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 39904434
You mean the packets from the Dude server + client and the SNMP server + client?
 
LVL 57

Expert Comment

by:giltjr
ID: 39904564
I would start with capturing Dude and Client for now. My guess is if you figure out what is happening with that, it is the same thing as SNMP.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 39910363
Dude started working on its own. As far as SNMP, I don't know enough about SNMP to know if it's working.

Here was the capture I did for SNMP.

jaga@jaga-Desktop:~$ sudo tcpdump udp  port 161 and host 192.168.0.109 -w dudecapture.out

That captured 6 packets with source VIDEOCAST and dst jaga-desktop, each an SNMP "get-next-request".
snmpcapture.dmp
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 39910369
Note: I renamed dudecapture.out -->snmpcapture.dmp
 
LVL 57

Expert Comment

by:giltjr
ID: 39910715
I am assuming your PC was 192.168.0.109; the capture shows that the request is leaving your PC. You need to do a capture on 192.168.0.142 to see if it is getting there.

You do have the SNMP agent running on 192.168.0.142, right?
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 39924404
No, I discovered the SNMP client is actually running on the router, 192.168.0.1, and the agent is on 192.168.0.109. There is also a client running on 109, that's why the packets. The capture was run on 192.168.0.142.

I did a new capture on the router since Router OS does captures, but nothing shows up. There should be lots of SNMP requests coming from the Dude (Dude also has a SNMP client), which runs on the router, to all the hosts on the network, but nothing.

Also, running Wireshark on 192.168.0.109 captures nothing, although it captures lots of activity when I run the SNMP client on 109 as it attempts to find SNMP services on the local network.

Sorry I've been gone. We had an ice storm and the power was out for two days.
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 39924447
So the capture was done on ".142". That shows that the SNMP request is getting to ".142", but it is not responding.

That means that one of the following could be true:

1) There is no SNMP agent running on ".142"
2) There is a firewall running that is blocking inbound UDP 161.
3) If there is an agent running on ".142" it is not configured to support V1 queries.
4) If there is an agent running on ".142" that does support V1 queries, it does not support the community name of "public".
5) The SNMP agent is configured to only support queries from specific hosts and ".109" is not one of them.

I can't remember, is Dude a Linux box? What is its IP address?
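The five causes above all look the same on the wire (the agent simply stays silent), so the check a practitioner wants is to send one SNMPv1 GetNext directly to the agent with the community name actually configured and watch for a GetResponse. The Python 3 probe below is an added example, not code from this thread or from The Dude; it hand-encodes the BER message with only the standard library, and the host and community passed to `probe()` are assumed values you substitute (for this thread, the 192.168.0.109 agent and whatever community was set on it).

```python
import socket
import struct

# Start of the MIB-2 "system" subtree; a GetNext on it returns sysDescr.0 from any agent.
SYSTEM_OID = (1, 3, 6, 1, 2, 1, 1)


def ber_len(n):
    """BER definite length: one byte below 128, otherwise 0x82 followed by a two-byte length."""
    return bytes([n]) if n < 128 else b"\x82" + struct.pack(">H", n)


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 sub-identifiers."""
    body = bytes([40 * oid[0] + oid[1]])
    for sub in oid[2:]:
        chunk = [sub & 0x7F]
        while sub > 0x7F:
            sub >>= 7
            chunk.insert(0, (sub & 0x7F) | 0x80)
        body += bytes(chunk)
    return tlv(0x06, body)


def build_getnext(community, oid, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community, GetNextRequest-PDU (tag 0xA1) }."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")        # value is NULL in a request
    pdu = tlv(0xA1, tlv(0x02, bytes([request_id]))             # request-id (kept to 1..127 here)
               + b"\x02\x01\x00" * 2                            # error-status, error-index = 0
               + tlv(0x30, varbind))
    return tlv(0x30, b"\x02\x01\x00" + tlv(0x04, community.encode()) + pdu)


def is_get_response(data):
    """True if the reply parses as SNMPv1 carrying a GetResponse-PDU (tag 0xA2); short lengths only."""
    if len(data) < 8 or data[0] != 0x30 or data[2:5] != b"\x02\x01\x00" or data[5] != 0x04:
        return False
    pdu_at = 7 + data[6]                                        # skip over the community string
    return pdu_at < len(data) and data[pdu_at] == 0xA2


def probe(host, community="public", timeout=2.0):
    """Send one GetNext to UDP/161 and return the raw reply, or None if the agent stays silent.
    A v1 agent that rejects the community or the source host does not answer at all, so None by
    itself does not separate the five causes; repeat with the configured community and from the
    manager host that is allowed, and check the reply with is_get_response()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_getnext(community, SYSTEM_OID), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return data
```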
 
LVL 1

Author Closing Comment

by:Jeff swicegood
ID: 39928266
It's working. I hadn't configured the community name correctly in Dude. I'm still learning how to use SNMP. Thank you giltjr!

-JG
 
LVL 57

Expert Comment

by:giltjr
ID: 39928281
Thanks and glad you found it.

A small suggestion: "public" is typically the default read community. I would suggest that you do not use it. This prevents somebody who might be interested in learning networking from playing with SNMP and getting info from your devices that you might not want them to see.

I would also not use any write communities unless you really, really need to and then I would use SNMP V3 for security.
 
LVL 1

Author Comment

by:Jeff swicegood
ID: 39928991
Thanks!