On a recent gig I was hit with hundreds of hosts running a service on TCP port 5405, the NetSupport remote management application. Running a version scan on them with Nmap revealed nothing more than:
5405/tcp open netsupport NetSupport PC remote control (Name: HOSTNAME)
The version scan didn’t reveal anything apart from the hostname. Connecting to the port with Netcat just returned the hostname.
Looking at the known vulnerabilities associated with the service, the most notable was a buffer overflow. Not wanting to risk disrupting hundreds of clients by running the exploit against all of them, I needed to find the version of the software running and also check whether any of the hosts could be taken over without authentication, for the quick win.
A quick search around revealed there weren't many free tools available to perform such checks.