I have read an interesting topic on another forum...
The guy finds out it is possible in wireless "NETWORK mode" to connect the PSP by FTP via port 21
of course it is password protected...
Maybe Telnet is working too.
I have no Wifi infrastructure at home so i can't confirm it by my own
source: http://forums.kavoo.com/viewtopic.php?p=170384#170384
Connect the PSP via FTP ?
Connect the PSP via FTP ?
Last edited by psp-robot on Thu Feb 10, 2005 3:21 am, edited 1 time in total.
-
Guest
That posting is indeed interesting. Now I thought otthers have done port scans and didn't detect anything useful. He did this in infrastrcture mode, not ad hoc, I wonder if that makes a difference.
Did he really get an ftp server response connecting to the PSP's port 21 ? My french comprehension is not 100% :P
Did he really get an ftp server response connecting to the PSP's port 21 ? My french comprehension is not 100% :P
I think he scanned for security issue on all psp ports, and the software "languard" found something on port 21, If he say that a password is asked, I think the ftp protocol is there, else there would be no response when trying to connect.
(I didn't see anything on firmware update in his post, why do you say that psp-robot ?)
(I didn't see anything on firmware update in his post, why do you say that psp-robot ?)
-
Guest
Possible, but doesn't make sense in this situation. Already the firmware is retrieved by http get I believe. Also, if ftp were to be used, it would be from the PSP as a client, not from the web to the PSP as a server. Port 21 would represent an FTP server functionality on the part of the PSP.Arakon wrote:it's possible that the PSP indeed uses a sort of basic ftp protocol to send the firmware updates to the psp.
Edit: this special 4 sentence message is dedicated to Nik.
I don't fully understand the post, at what point did he scan the PSP? Even though I do not know that, I will be suprised if we found an ftp daemon running on the PSP, no, I will be hitting my head very hard to see if I'm awake.
Me, and I guess thousends (millions?) of other people, has portscanned the PSP with no workable results (I know we can find three open ports at some point tho). It's nice to see more people trying to do anything else then video encoding, but an ftp daemon on the PSP is something we never will see released from Sony.
Me, and I guess thousends (millions?) of other people, has portscanned the PSP with no workable results (I know we can find three open ports at some point tho). It's nice to see more people trying to do anything else then video encoding, but an ftp daemon on the PSP is something we never will see released from Sony.
hi
excuse me for mmy english
it's mi for the post on the french forum
I have scanned my psp with languard
the result is 1 security failure on ftp port 21
after i have test one connexion with flashfxp and the connexion is good but i don't have the password for the connexion...
It's the big pb for my test
for informations
i test in update mode for find the connexion
my setting is a normaly lan connexion (exemple : my psp 192.168.0.3)
After one ping for see my psp i test one connexion
if you have any information for help mi .....
By
excuse me for mmy english
it's mi for the post on the french forum
I have scanned my psp with languard
the result is 1 security failure on ftp port 21
after i have test one connexion with flashfxp and the connexion is good but i don't have the password for the connexion...
It's the big pb for my test
for informations
i test in update mode for find the connexion
my setting is a normaly lan connexion (exemple : my psp 192.168.0.3)
After one ping for see my psp i test one connexion
if you have any information for help mi .....
By
Hi, im new here but ive been lurking since the dead firmware was posted.
Port 21 appears to be open as I can telnet to it, but I immediatly get disconnected.
If I try to connect using flashfxp I do not get prompted for a username or password. I just get could not connect to the site. Leads me to believe its not FTP.
I have tried this in both Firmware update and test connection modes.
Port 21 appears to be open as I can telnet to it, but I immediatly get disconnected.
If I try to connect using flashfxp I do not get prompted for a username or password. I just get could not connect to the site. Leads me to believe its not FTP.
I have tried this in both Firmware update and test connection modes.
As I said in my last post, I really doubt there is an ftp daemon running on the PSP. First off, I don't see the need for it at all. Why would they need an ftp running on the PSP while it's streaming data through http? It could be that it uses some datagram packages when it updates, diden't ooPo or gorim sniff while they did their update? It's still weird that is uses a static port for that, but anything is possible at the moment, just not the ftp thing. :)
As i told on the other Forum...
As Asmodi said, there is a confusion with port 21 which is not necessary associated with an FTP Daemon service.
Spawn, the autor of the original topic in French is not clear enough even when writting is French...
I have asked him to describe step by step how he did it but once again he's explanations are not clear.
Can someone reproduce it ?
Are you prompted to type a password ?
As Asmodi said, there is a confusion with port 21 which is not necessary associated with an FTP Daemon service.
Spawn, the autor of the original topic in French is not clear enough even when writting is French...
I have asked him to describe step by step how he did it but once again he's explanations are not clear.
Can someone reproduce it ?
Are you prompted to type a password ?
I will try to reproduce it tonight, which means within ~8 hours in my timezone. As you said psp-robot, his post is a bit unclear, but I don't believe it's prompting for a password. It's probebly closing the socket if it get's an unknown input, this could be solve with bruteforce. I don't think we should get our hopes to high about this tho.
See my post above. Port would appear to be open, but upon telnetting i get disconnected. I dont even get that far when I attempt to telnet to other ports. So it seems like it could be open. However, port scanning showed 0 open tcp ports, and I gave up while scanning udp as it was taking hours.psp-robot wrote:Can someone reproduce it ?
Are you prompted to type a password ?
Nothing in FlashFXP indicates that it is running a FTP Daemon. No password prompts, or password failures.
hi
it's my last csan result
this scan are make in testing mode after are configured the lan on the psp
for information, the wireless conexion don't stop in this mode
by
it's my last csan result
- <Scan UIScan="" Session="195846671" Profile="Default" CreatedOn="10/02/2005 19:58:48" ReadOnly="0">
<IPsToScan ProcessID="" LogonType="">192.168.0.24</IPsToScan>
- <hosts>
- <host visible="1">
<hostname />
<username />
<mac>00-01-4A-1E-09-6A</mac>
<ip>192.168.0.24</ip>
<snmp>0</snmp>
<smb>0</smb>
<nmb>0</nmb>
<mac_vendor>Sony Corporation</mac_vendor>
<ttl>255</ttl>
<real_ttl>255</real_ttl>
<iswindows>0</iswindows>
<respondedToPing>1</respondedToPing>
<timestamp>1</timestamp>
<os>probably Unix</os>
<domain />
<lanman />
<usage />
<servpack />
<language />
<scanended>1</scanended>
<wmi>1</wmi>
<usb enable="1" />
- <ports>
<port name="21" desc="FTP => File Transfer Protocol" isTrojan="0" />
</ports>
- <alerts>
- <severity level="0">
- <RPC_Alerts>
- <alert>
<name>RPC.ypasswdd service vulnerability</name>
<descr>RPC.ypasswdd service is vulnerable to a remote buffer overflow exploit</descr>
<bugtraq>http://www.securityfocus.com/bid/2763</bugtraq>
<details />
</alert>
</RPC_Alerts>
</severity>
</alerts>
</host>
</hosts>
</Scan>
this scan are make in testing mode after are configured the lan on the psp
for information, the wireless conexion don't stop in this mode
by
Try telnetting. Port 21 seems be behave differently to others. When you connect to others, u get "could not open connection", but to port 21 u get "Press any key..." as it would seem that you connected but immediatly got disconnected.asmodi wrote:Ok, I tested it. Nmap gives no open ports when I try a network update, same with testing of a connection. I know people did find three open ports before, unsure if my nmap is screwd :/
No i tested using both. Although, Ive not been logging anything. Just telnetting.asmodi wrote:I don't get anything different between port 21 and any random port. Get a zero package in the tcp log too, so I'm sure there is nothing going on. When do you try this, as you test the connection or when you are doing a network update? I'm not using a real gw or dns, might be a problem.
EDIT: Im prolly just mistaken. Im sure u know what you are doing more than I do. Im just reporting what I see. My port scan showed 0 tcp ports.
Just blindly suggesting standard connection methods like that is a poor way to go about trying to find out what the port does. Instead, why not whip up a program to try and brute force it by sending bytes of data to it sequentially until you get a response? From there you could use that info as a first step to figuring it out.
Because all you have right now is a port that may or may not be open and that could be anything, or nothing.
Because all you have right now is a port that may or may not be open and that could be anything, or nothing.
ooPo, I was going to do just that, IF the port was open. I can't find anything that indicates that the port is open. Nmap gives no open ports, telnetting to port 21 gives nothing. With nothing I really mean nothing, zero tcp packs in the tcp log, just like any random port.
cj, ssh has nothing to say as it's just an encrypted over protocoll for tcp. Telnet uses a stream socket (I think it tries both datagram and stream socket?), so even if the connection is encrypted, you should get an open connection.
Anyway, I have either done some bad misstakes while portscanning (which I don't believe) or port 21 isen't open what so ever (which we thought, or was led to believe).
cj, ssh has nothing to say as it's just an encrypted over protocoll for tcp. Telnet uses a stream socket (I think it tries both datagram and stream socket?), so even if the connection is encrypted, you should get an open connection.
Anyway, I have either done some bad misstakes while portscanning (which I don't believe) or port 21 isen't open what so ever (which we thought, or was led to believe).
Not working here either.asmodi wrote:ooPo, I was going to do just that, IF the port was open. I can't find anything that indicates that the port is open. Nmap gives no open ports, telnetting to port 21 gives nothing. With nothing I really mean nothing, zero tcp packs in the tcp log, just like any random port.
cj, ssh has nothing to say as it's just an encrypted over protocoll for tcp. Telnet uses a stream socket (I think it tries both datagram and stream socket?), so even if the connection is encrypted, you should get an open connection.
Anyway, I have either done some bad misstakes while portscanning (which I don't believe) or port 21 isen't open what so ever (which we thought, or was led to believe).
Let me show you my experiences. You can interpret them as you wish.
This is the response that I get from port 20 and 22.
This is what I get from Port 21.
In FlashFXP I get the following when I try to connect to port 21.
Connecting to 192.168.0.3
Connected to 192.168.0.3 -> IP=192.168.0.3 PORT=21
Connection failed (Connection lost)
This is the response that I get from port 20 and 22.
This is what I get from Port 21.
In FlashFXP I get the following when I try to connect to port 21.
Connecting to 192.168.0.3
Connected to 192.168.0.3 -> IP=192.168.0.3 PORT=21
Connection failed (Connection lost)
~>nmap -sS -vv mysonypsp.home.net
Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2005-02-12 14:03 CET
Initiating SYN Stealth Scan against 192.168.0.8 [1663 ports] at 14:03
The SYN Stealth Scan took 4.92s to scan 1663 total ports.
Host 192.168.0.8 appears to be up ... good.
All 1663 scanned ports on 192.168.0.8 are: closed
MAC Address: 00:01:4A:39:D0:10 (Sony)
Nmap run completed -- 1 IP address (1 host up) scanned in 6.137 seconds
nuff said
Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2005-02-12 14:03 CET
Initiating SYN Stealth Scan against 192.168.0.8 [1663 ports] at 14:03
The SYN Stealth Scan took 4.92s to scan 1663 total ports.
Host 192.168.0.8 appears to be up ... good.
All 1663 scanned ports on 192.168.0.8 are: closed
MAC Address: 00:01:4A:39:D0:10 (Sony)
Nmap run completed -- 1 IP address (1 host up) scanned in 6.137 seconds
nuff said
segobi wrote:~>nmap -sS -vv mysonypsp.home.net
Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2005-02-12 14:03 CET
Initiating SYN Stealth Scan against 192.168.0.8 [1663 ports] at 14:03
The SYN Stealth Scan took 4.92s to scan 1663 total ports.
Host 192.168.0.8 appears to be up ... good.
All 1663 scanned ports on 192.168.0.8 are: closed
MAC Address: 00:01:4A:39:D0:10 (Sony)
Nmap run completed -- 1 IP address (1 host up) scanned in 6.137 seconds
nuff said
We already confirmed this.
with you soft i have this result
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-02-14 03:31 Paris, M
adrid
Initiating SYN Stealth Scan against 192.168.0.24 [1663 ports] at 03:31
The SYN Stealth Scan took 5.38s to scan 1663 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
Host 192.168.0.24 appears to be up ... good.
All 1663 scanned ports on 192.168.0.24 are: closed
MAC Address: 00:01:4A:1E:09:6A (Sony)
Aggressive OS guesses: Linux 1.0.9 (92%), Linux 1.2.8 - 1.2.13 (92%), SGI IRIX 6
.5 Origin2 (92%), Linux 1.2.13 (92%), Microsoft Windows 3.1 with Trumpet Winsock
2.0 revision B (92%), NetBSD 1.3I through 1.6 (92%), IPAD (Internet Protocol Ad
apter) Model 5000 or V.1.52 (92%), Cisco 1538M HUB running Cisco 1538M EES (1.00
.00) or Assured Access Technology ISAS Switch Release-2.3.0 or Thomson Multimedi
a RCA DCM245 Cable Modem (92%), Telebit NetBlazer router Version 3.05 (92%), Tel
ebit NetBlazer router version 3.0 (91%)
No exact OS matches for host (test conditions non-ideal).