Discussion:
[Openvas-plugins] Unknown Service Detection
Mark Senior
2018-03-16 23:11:14 UTC
Hello

I have encountered an ID: 1.3.6.1.4.1.25623.1.0.11154 result that I can confirm.

Locally, this information is available:

C:\Windows\system32>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
(...)
  TCP    0.0.0.0:8083           0.0.0.0:0              LISTENING       9648
  TCP    0.0.0.0:9099           0.0.0.0:0              LISTENING       9648

C:\Windows\system32>wmic process get ProcessID,Name,ExecutablePath
ExecutablePath                                                            Name              ProcessId
(...)
C:\Program Files (x86)\Eyelock Corporation\MyrisSDK\bin\MyrisService.exe  MyrisService.exe  9648

The service is related to Iris scanners https://www.eyelock.com/index.php/products/myris

This result was observed on port 8083/TCP:

Method: get_http

0x00: 55 6E 6B 6E 6F 77 6E 20 6D 65 73 73 61 67 65 Unknown message

The same process is also running an unidentified SSL-wrapped service on port 9099. It apparently doesn't use a certificate; only anonymous cipher suites were supported. OID 1.3.6.1.4.1.25623.1.0.900234 reported the following:


No 'Strong' cipher suites accepted by this service via the SSLv3 protocol.

'Medium' cipher suites accepted by this service via the SSLv3 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA

'Weak' cipher suites accepted by this service via the SSLv3 protocol:

TLS_ECDH_anon_WITH_RC4_128_SHA

No 'Null' cipher suites accepted by this service via the SSLv3 protocol.

'Anonymous' cipher suites accepted by this service via the SSLv3 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA

No 'Strong' cipher suites accepted by this service via the TLSv1.0 protocol.

'Medium' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_ECDH_anon_WITH_RC4_128_SHA

No 'Null' cipher suites accepted by this service via the TLSv1.0 protocol.

'Anonymous' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA

No 'Strong' cipher suites accepted by this service via the TLSv1.1 protocol.

'Medium' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_ECDH_anon_WITH_RC4_128_SHA

No 'Null' cipher suites accepted by this service via the TLSv1.1 protocol.

'Anonymous' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA

No 'Strong' cipher suites accepted by this service via the TLSv1.2 protocol.

'Medium' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_ECDH_anon_WITH_RC4_128_SHA

No 'Null' cipher suites accepted by this service via the TLSv1.2 protocol.

'Anonymous' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA

Thank you

Mark Senior
Senior Security Analyst, Information Risk Management
Alberta Health Services (Edmonton)
21st floor, 10004 - 104 Avenue Edmonton AB T5J 0K1
***@albertahealthservices.ca
Phone 780-809-8761
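
Added example, not part of the original messages and not Greenbone's code: the Python below parses a report in the format quoted above, merges the overlapping per-strength lists, and shows why the scan implies that no certificate is in use, since every accepted suite has an anonymous key exchange. The function names and the shortened sample report are assumptions made for illustration.

```python
import re

# Sample input: shortened excerpt of the report quoted in the message above.
REPORT = """\
No 'Strong' cipher suites accepted by this service via the SSLv3 protocol.
'Medium' cipher suites accepted by this service via the SSLv3 protocol:
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
'Weak' cipher suites accepted by this service via the SSLv3 protocol:
TLS_ECDH_anon_WITH_RC4_128_SHA
'Anonymous' cipher suites accepted by this service via the SSLv3 protocol:
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
'Medium' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
"""
HEADER = re.compile(r"^(No )?'\w+' cipher suites accepted .* via the (\S+) protocol[.:]$")
SUITE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")

def parse_report(text):
    """Return {protocol: set of suites}, merging the per-strength lists."""
    accepted, proto = {}, None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:  # a "No ..." header is followed by no suite lines
            proto = None if header.group(1) else header.group(2)
        elif proto and SUITE.match(line):
            accepted.setdefault(proto, set()).add(line)
    return accepted

def triage(accepted):
    """Return sorted (protocol, suite, reasons) for each problematic suite."""
    findings = []
    for proto, suites in accepted.items():
        for suite in suites:
            parts, reasons = SUITE.match(suite), []
            if parts["kx"].endswith("_anon"):
                reasons.append("unauthenticated key exchange")
            if parts["cipher"].startswith(("RC4", "3DES")):
                reasons.append("legacy cipher " + parts["cipher"])
            if proto == "SSLv3":
                reasons.append("SSLv3 offered")
            if reasons:
                findings.append((proto, suite, reasons))
    return sorted(findings)

def certificate_expected(accepted):
    """True if any accepted suite authenticates the server with a certificate."""
    return any(not SUITE.match(s)["kx"].endswith("_anon")
               for suites in accepted.values() for s in suites)
```

With anonymous key exchange the server sends no Certificate message, so `certificate_expected` returning False for the whole report is consistent with the observation that the service does not use a certificate.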


Christian Fischer
2018-03-26 18:24:18 UTC
Hi,

and thanks for providing this information.

A detection for the mentioned service was added to the following NVT:

Service Detection with 'GET' Request
OID: 1.3.6.1.4.1.25623.1.0.17975

Once this NVT has reached the feed in Revision 9208, the service on port
8083/tcp should be detected.

If there wasn't such an "Unknown Service Detection" message for the port
9099/tcp, then there isn't that much we can do from the NVT side, and a
separate bug report for the scanner might be required:

https://github.com/greenbone/openvas-scanner/issues

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner