Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: pen testing management and control system
From: <Jason.North () ch2m com>
Date: Fri, 27 Jun 2003 13:46:56 -0600

It looks to me like whatever you are scanning either is, or is behind, a proxy based firewall.  PBF's will answer (on 
behalf of any host behind them) on all kinds of ports, but won't pass the traffic unless they have specific 
configuration to do so (ie an answered port looks blocked). PBF's also have a habit of giving their own info during OS 
Detection.  My guess is a software based firewall running on Win2k (ISA is the first one that comes to mind, but there 
are several others...)

 

 

Jason C. North

Computer Security Engineer

CH2MHill Communications Group

 

(The opinions expressed in this email are not necessarily those of CH2MHill Communication Group)

 

-------------------------------------------

At what point in the scan did you get blocked? It looks like the portscan worked, except that there are a whole lot of 
ports I'd not expect to see on a server like that. Things that stand out are the presence of VNC with Terminal Server 
AND Metaframe, for example. And Metaframe on 2000 Advanced Server seems like a terrible idea as well, from what I know 
of the way it handles foreground/background priority, and how it's optimized for specific types of server apps. Are you 
sure that there isn't some kind of reactive (firewall or IDS) configuration that's meant to throw you some red herrings 
that automatically block you when you connect to them?

-----Original Message-----

From: Ronen Gottlib [mailto:ronen () avnet co il <mailto:ronen () avnet co il> ]

Sent: Friday, June 27, 2003 4:54 AM

To: pen-test () securityfocus com

Subject: pen testing management and control system





Hi All,



I am pen testing a windows 2000 advanced server, with some

kind of management and control software (e.g. Tivoli, 

Netcool). The system has IIS 6.0 running with lockdown enabled.



When I tried to run nessus, my ip was blocked for quite a

long time. same happened with nikto.



Further more, although quite a few ports were found to be

open on the remote machine, the management and control 

application is blocking the most of them while allowing 

access only to the following: 21, 23(ms telnet server), 

25(Microsoft ESMTP MAIL Service, Version: 6.0.2600.1106), 80 

(Microsoft-IIS/6.0), 110 (Microsoft Windows POP3 Service 

Version 2.0), 3389.





The system is also running Hummingbird Exceed.



Does anyone have any idea? I've kind of reached a dead end.

Below is the results of an Nmap, if it helps.



Thank you very much for your help-



Ronen.





Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

53/tcp open domain

80/tcp open http

98/tcp open linuxconf

110/tcp open pop-3

111/tcp open sunrpc

135/tcp open loc-srv

143/tcp open imap2

161/tcp open snmp

443/tcp open https

1080/tcp open socks

1433/tcp open ms-sql-s

1494/tcp open citrix-ica

1720/tcp filtered H.323/Q.931

1723/tcp filtered pptp

3389/tcp open ms-term-serv

4000/tcp filtered remoteanything

5135/tcp open unknown

5631/tcp open pcanywheredata

5632/tcp open pcanywherestat

5900/tcp open vnc

6112/tcp open dtspc

6660/tcp filtered unknown

6661/tcp filtered unknown

6662/tcp filtered unknown

6663/tcp filtered unknown

6664/tcp filtered unknown

6665/tcp filtered unknown

6666/tcp filtered irc-serv

6667/tcp filtered irc

6668/tcp filtered irc

6669/tcp filtered unknown

8875/tcp filtered unknown

28900/tcp filtered unknown





--------------------------------------------------------------

-------------

Latest attack techniques.



You're a pen tester, but is google.com still your R&D team?

Now you can get 

trustworthy commercial-grade exploits and the latest 

techniques from a 

world-class research group.



Visit us at: www.coresecurity.com/promos/sf_ept1

or call 617-399-6980

--------------------------------------------------------------

--------------





 

---------------------------------------------------------------------------

Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 

trustworthy commercial-grade exploits and the latest techniques from a 

world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 

or call 617-399-6980

----------------------------------------------------------------------------

 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]