Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Interesting challenge
From: "Serhan Sevim" <sevims () mezun com>
Date: Fri, 30 Jan 2004 14:50:55 -0500

We are doing a pen test for a client and have run into a 
interesting situation. The client has a server running IIS 
and Exchange we can get to it through a browser but when we 
try to run Nessus or Eeye Retina against it, neither product 
can find the server. The client is not running any IDS system 
has a simple firewall. A port scan revels no open port though 
port 80 is open since the server is serving pages.

How would you know if the client is protected by a "simple firewall"?
It *might* be a similar protection I use. If a host starts to scan the
target machine starting from TCP port 1 and
goes fast up incrementally one by one, up to say, 20th port under a
second. Than the portscanner protector is triggered
at the client host and you're blacklisted for,say, 20 minutes. For 20
minutes firewall chain will drop every packet coming
from the unknown scanning source. Meanwhile, by the time you're trying
to see if the ftp port 21 is open or not, you're already blacklisted.
Dropping every packet destined for a specific port depends on protected
clients' desire. In your case I guess he/she chose not to drop packets
destined for port 80. 
Well, this may or may not be your situation. But this is definitely
something in practice people use.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]