
Security Basics mailing list archives
Re: Interpreting the results of an NMAP scan
From: "Andrew Kuriger" <a.kuriger () liquidphlux com>
Date: Fri, 24 Apr 2009 10:37:08 -0500 (CDT)
Hello Dan,

It looks as if you have OWA (http://en.wikipedia.org/wiki/Outlook_Web_Access) running, and this is the reason for ports 80 and 443 being open. This allows users over the internet to gain access to their e-mail over the internet, or the local intranet if you do not allow Exchange access (the point of running Exchange).

If you ran your NMAP scan from outside the local intranet, all the ports you are seeing open are also available over the internet, which is probably not a good idea. You most definitely do not want outsiders to be able to attempt brute-force/dictionary attacks on your router (being Linksys, it is possible it could be DoS'd fairly easily, and if the password is weak it could very well get owned (all traffic sniffed if the attacker gains access)). Also, since the Linksys device uses HTTP AUTH, any passwords are sent to the device in plain text, a huge no-no if you manage it over the internet and you care about the business.

I would recommend looking into setting up a firewall to lock down some of the ports that are unneeded over the internet (such as port 25, if all it is used to do is deliver and receive e-mail). You may still want to allow OWA but force users to use SSL at all times (port 443). You could also look into NAT routing as a way of security as well, only allowing some ports (that you decide) to a specific machine.

Just a few things to look into.

Andrew Kuriger

On 4/24/2009, "Dan Fauxpoint" <danielfauxpoint () yahoo com> wrote:
Hello,

I am helping a small business owner to evaluate the quality of his IT setup. This company has one server which runs Windows Small Business Server 2003 R2 Premium Edition. This server hosts an Exchange instance which takes care of incoming and outgoing emails.

I ran an nmap scan (nmap -T4 -A -v -PE -PA21,23,80,3389 <IP_address>) from a machine outside of the company network and got the results below. I am wondering why ports 80 and 443 are open since the server does not act as a web server. Also I am wondering if the Linksys router should be visible from the outside world ...

If anybody could comment on this and make suggestions on how to improve the security of that setup, I would appreciate it.

Cheers,
Dan.

Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   open     http         Microsoft IIS
|_ html-title: The page cannot be displayed
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 6.5.7638.1
443/tcp  open     ssl/https?
|_ sslv2: server still supports SSLv2
| html-title: Microsoft Outlook Web Access
|_ Requested resource was https://<...snipped...>
445/tcp  filtered microsoft-ds
993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
1723/tcp open     pptp         Microsoft (Firmware: 3790)
8081/tcp open     http         Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
|_ html-title: 401 Authorization Required

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
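As an added example (not part of the original thread and not code from any of its posters), the script below applies Andrew's reading of the scan to the posted nmap output: it parses the port table, lists what is reachable from the outside, flags the SSLv2 findings on 443 and 993 and the router's HTTP Basic auth on a non-TLS port, and shows why Basic auth over plain HTTP amounts to plain text by decoding a constructed Authorization header. The nmap lines are reproduced from Dan's post with its snipped URL left as posted; the Authorization header and the credentials in it are constructed for the demonstration.

```python
import base64
import re

# Constructed sample: the nmap normal-output port table from the original
# post, reproduced as posted (the snipped URL stays snipped).
NMAP_OUTPUT = """\
Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   open     http         Microsoft IIS
|_ html-title: The page cannot be displayed
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 6.5.7638.1
443/tcp  open     ssl/https?
|_ sslv2: server still supports SSLv2
| html-title: Microsoft Outlook Web Access
|_ Requested resource was https://<...snipped...>
445/tcp  filtered microsoft-ds
993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
1723/tcp open     pptp         Microsoft (Firmware: 3790)
8081/tcp open     http         Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
|_ html-title: 401 Authorization Required
"""

# A port line: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Parse nmap normal output into port dicts; NSE script lines
    (those starting with '|') are attached to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
                "scripts": [],
            })
        elif ports and line.startswith("|"):
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def open_ports(ports):
    """Ports reachable from where the scan was run (here: the internet)."""
    return sorted(p["port"] for p in ports if p["state"] == "open")


def assess(ports):
    """The checks from the thread, applied to the parsed scan:
    - a TLS service that still negotiates SSLv2,
    - HTTP Basic auth on a service without TLS (credentials cross the wire
      base64-encoded, which is plain text for anyone sniffing),
    - a router management interface exposed at all."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        scripts = " ".join(p["scripts"]).lower()
        tls = p["service"].startswith("ssl/")
        if "still supports sslv2" in scripts:
            findings.append((p["port"], "SSLv2 still enabled"))
        if "auth type: basic" in scripts and not tls:
            findings.append((p["port"], "HTTP Basic auth without TLS: credentials in the clear"))
        if "router http config" in p["version"].lower():
            findings.append((p["port"], "router management interface exposed"))
    return findings


def decode_basic_auth(header_value):
    """Recover user and password from a captured 'Authorization: Basic ...'
    value. Base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed header, as a sniffer would see it on port 8081 (hypothetical credentials).
CAPTURED_HEADER = "Basic " + base64.b64encode(b"admin:hunter2").decode()

if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    print("open from outside:", open_ports(parsed))
    for port, msg in assess(parsed):
        print(f"  {port}/tcp: {msg}")
    print("router login recovered from capture:", decode_basic_auth(CAPTURED_HEADER))
```

Feed it real output with `nmap ... -oN scan.txt` and read the file instead of the constant; the checks are string matches on the script output that nmap's `sslv2` and `http-auth` scripts print, so they only fire when those scripts ran, which `-A` does.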
Current thread:
- Interpreting the results of an NMAP scan Dan Fauxpoint (Apr 24)
- RE: Interpreting the results of an NMAP scan Pete.LeMay (Apr 24)
- RE: Interpreting the results of an NMAP scan Andy Belfield (Apr 24)
- Re: Interpreting the results of an NMAP scan Andrew Kuriger (Apr 24)
- Re: Interpreting the results of an NMAP scan Ansgar Wiechers (Apr 24)
- Re: Interpreting the results of an NMAP scan Jon Janego (Apr 24)
- Re: Interpreting the results of an NMAP scan infolookup (Apr 24)
- RE: Interpreting the results of an NMAP scan Pete.LeMay (Apr 24)
- Re: Interpreting the results of an NMAP scan Francesc Vila (Apr 24)