Mailing List Archive

Gnutella detection
This is a first & simple version of the script... We should test if
the service answers to the Gnutella protocol.
Gnutella is not really risky, but it should not be encountered on a
business network.
Re: Gnutella detection

incidentally, the bearshare gnutella client runs a web server on that
port (6346) and you could grep for the string "BearShare" to find
those instances. If you want to be a little more robust, look at the
following snort dump:

04/30-15:36:57.385019 10.10.10.31:2702 -> 208.239.76.100:6346
TCP TTL:64 TOS:0x0 ID:23896 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xF8B40406 Ack: 0x88B837EC Win: 0xFAF0 TcpLen: 20
47 4E 55 54 45 4C 4C 41 20 43 4F 4E 4E 45 43 54 GNUTELLA CONNECT
2F 30 2E 34 0A 0A /0.4..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/30-15:36:57.453517 208.239.76.100:6346 -> 10.10.10.31:2702
TCP TTL:111 TOS:0x0 ID:35757 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x88B837EC Ack: 0xF8B4041C Win: 0x409A TcpLen: 20
47 4E 55 54 45 4C 4C 41 20 4F 4B 0A 0A GNUTELLA OK..


So, it seems that sending "GNUTELLA CONNECT/0.4\n\n" to port 6346
should elicit a "GNUTELLA OK" response.

John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be
their own governors, must arm themselves with the power knowledge
gives. A popular government without popular information or the means
of acquiring it, is but a prologue to a farce or a tragedy or perhaps
both."
--James Madison

----- Original Message -----
From: "Michel Arboi" <arboi@noos.fr>
To: <plugins-writers@list.nessus.org>
Sent: Tuesday, April 30, 2002 6:11 PM
Subject: Gnutella detection


> This is a first & simple version of the script... We should test if
> the service answers to the Gnutella protocol.
> Gnutella is not really risky, but it should not be encountered on a
> business network.
>

Re: Gnutella detection
"John Lampe" <j_lampe@bellsouth.net> writes:

> So, it seems that sending "GNUTELLA CONNECT/0.4\n\n" to port 6346
> should elicit a "GNUTELLA OK" response.

yes, that's what the documentation on the Gnutella protocol says. But
I was lazy :)

For some unknown reason, gtk-gnutella or Morpheus sometimes drop the
connection without sending the "GNUTELLA OK", although they answered an
HTTP GET request.

So I now use both methods: Gnutella connection + banner.
Here it is:
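Michel's NASL script itself is not reproduced in this archive. As an added illustration (not the script from the thread, and not Nessus code), the following Python check implements the two methods discussed above: the "GNUTELLA CONNECT/0.4\n\n" handshake taken from John's snort dump, and the HTTP banner grep for "BearShare" as a fallback for clients that drop the connection without answering "GNUTELLA OK". The `Server: BearShare` header in the test data is a constructed sample, not a capture from a real client.

```python
import socket
from typing import Optional

GNUTELLA_PORT = 6346
# Exact bytes seen in the snort dump quoted in the thread.
HANDSHAKE = b"GNUTELLA CONNECT/0.4\n\n"


def classify_response(data: bytes) -> Optional[str]:
    """Classify a raw reply from port 6346.

    'gnutella'  : the peer answered the Gnutella 0.4 handshake
    'bearshare' : an HTTP reply from BearShare's built-in web server
    None        : nothing we recognise (or the peer just dropped us)
    """
    if data.startswith(b"GNUTELLA OK"):
        return "gnutella"
    if data.startswith(b"HTTP/") and b"BearShare" in data:
        return "bearshare"
    return None


def _exchange(host: str, port: int, payload: bytes, timeout: float) -> bytes:
    """Open one TCP connection, send payload, read up to 4 KiB of reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        try:
            while sum(len(c) for c in chunks) < 4096:
                chunk = sock.recv(1024)
                if not chunk:          # peer closed the connection
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
        return b"".join(chunks)


def probe(host: str, port: int = GNUTELLA_PORT, timeout: float = 5.0) -> Optional[str]:
    """Handshake first; if the peer dropped us, retry with an HTTP GET on a
    fresh connection and look for the BearShare banner."""
    result = classify_response(_exchange(host, port, HANDSHAKE, timeout))
    if result is None:
        http_get = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
        result = classify_response(_exchange(host, port, http_get, timeout))
    return result
```

The fallback deliberately uses a second connection, since the thread reports that some clients close the socket after the handshake attempt without replying.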