Google-bot sniffing around on strange places :-)

[neusbeer]

I was a bit fooling around with metasploit and was checking some SMB exploit features.

using exploit/windows/smb/smb_relay listening on port 445
SMBRelay exploit
which gives me a listening process for SMB credentials of IP adresses that connects to my IP.
In a time of 30 min I get these connections.

• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:37403
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:64987
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:58744
• Unknown User-Agent Googlebot-Image/1.0 from 66.249.66.211:46322
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:46322
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:63995
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:53170
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:62513
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:49160
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:56062
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:59508
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:60226
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:60199
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:40733
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:41538
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:53025
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.71.138:42433
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:56617
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:43942
• Unknown User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) from 66.249.66.211:38227

why is Google scanning for/connecting to port 445? :-)
now I'm not sure Google is scanning my IP adres or my no-ip.org dns which is linked to the same IP.
But nevertheless is Google bot sniffing around.....

Or maybe it's the way of scanning of Metasploit, which gives me the info
if Google-Bot is scanning port 80.. Just bannergrabbing or something..
Like.. any connection is enough to give me the credentials.

[xzid]

Uhh I'm pretty sure theres nowhere in CIFS/SMB that would accept a HTTP user agent. I also see no reason for google connecting to 445 on your machine. sniff the ip, will give destination port.

Code: [Select]

# tcpdump -i eth0 src 66.249.66.211


[neusbeer]

I know it's not http on 445 ;-)
ehmz.. but I'm not sure metasploit is given me this info by the google-bot connected to my port 80, or that Google is checking all the ports..
When I have the time I'll do a packet scan..
(and it was on my windows machine..)


I do think it's something to do with the smbrelay function of metasploit.
with smbrelay3 I can even transpose a listening port on port 80 for this.