RE: Interpreting the results of an NMAP scan

["Michael C. Maschke" <mmaschke () senseient com>]

Dan,

The Linksys router shouldn't be accessible from the outside world unless
remote administration is enabled, which it appears it is on port 8081.
With the installation of MS Exchange, a web site is created that allows
users to access their e-mail using an  Internet browser. This web site,
called Outlook Web Access, is hosted locally on the server and by
default will run on port 80 or 443, depending on whether or not SSL
authentication is required. These ports can be modified to non-default
ports for security purposes, and can be done so within the IIS
configuration for the Default Web Site. 

Mike


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of bartlettNSF
Sent: Monday, April 27, 2009 1:22 AM
To: francesc.vila () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Interpreting the results of an NMAP scan

Francesc Vila wrote:
> Dan Fauxpoint wrote:
> > Hello,
> >
> > I am helping a small business owner to evaluate the quality of his IT

> > setup. This company has one server which runs Windows Small Business 
> > Server 2003 R2 Premium Edition. This server hosts an Exchange 
> > instance which takes care of incoming and outgoing emails.
> >
> > I ran an namp scan (nmap -T4 -A -v -PE -PA21,23,80,3389 <IP_address>)

> > from a machine outside of the company network and got the results 
> > below. I am wondering why ports 80 and 443 are open since the server 
> > does not act as a web server. Also I am wondering if the Linksys 
> > router should be visible from the outside world ...
> >
> > If anybody could comment on this and make suggestions on how to 
> > improve the security of that setup, I would appreciate it.
> >
> > Cheers,
> > Dan.
> >
> > Not shown: 990 closed ports
> > PORT     STATE    SERVICE      VERSION
> > 25/tcp   filtered smtp
> > 80/tcp   open     http         Microsoft IIS
> > |_ html-title: The page cannot be displayed
> > 135/tcp  filtered msrpc
> > 139/tcp  filtered netbios-ssn
> > 143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 
> > 6.5.7638.1
> > 443/tcp  open     ssl/https?
> > |_ sslv2: server still supports SSLv2
> > |  html-title: Microsoft Outlook Web Access _ Requested resource was 
> > |https://<...snipped...>
> > 445/tcp  filtered microsoft-ds
> > 993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 
> > 6.5.7638.1
> > |_ sslv2: server still supports SSLv2
> > 1723/tcp open     pptp         Microsoft (Firmware: 3790)
> > 8081/tcp open     http         Linksys router http config (device 
> > model BEFSR41/BEFSR11/BEFSRU31)
> > |  http-auth: HTTP Service requires authentication
> > |_   Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
> > |_ html-title: 401 Authorization Required
> >
> >
> >
> >      
> > ---------------------------------------------------------------------
> > --- This list is sponsored by: InfoSec Institute
> >
> > Learn all of the latest penetration testing techniques in InfoSec 
> > Institute's Ethical Hacking class. Totally hands-on course with 
> > evening Capture The Flag (CTF) exercises, Certified Ethical Hacker 
> > and Certified Penetration Tester exams, taught by an expert with 
> > years of real pen testing experience.
> >
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ---------------------------------------------------------------------
> > ---
> >
> >   
> As far as I know, and taking into account the nmap output, 80/443 is 
> the Outlook Web Access. I don't know if it can be disabled from 
> Exchange, but it is part of it. If they don't need to access mail 
> outside the company, maybe it should be filtered.
>
> Regarding the Linksys router... I think that the web configuration 
> interface shouldn't be accessible from outside (let's hope that they 
> didn't leave the default password, because it would be dangerous)
>
> Just my two cents,
>
> F.
>
> ----------------------------------------------------------------------
> -- This list is sponsored by: InfoSec Institute
>
> Learn all of the latest penetration testing techniques in InfoSec 
> Institute's Ethical Hacking class. Totally hands-on course with 
> evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and

> Certified Penetration Tester exams, taught by an expert with years of 
> real pen testing experience.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------
> --
Out of curiosity, did you perform this scan internally or externally to
their network? The reason I ask would have to do with the responses you
got from the NMAP scan. I'm going on the assumption that you scanned
from an external connection, so please forgive me if I misunderstood.

I would recommend disabling the ability to respond to pings and other
such requests from the outside. Unless you truly have a service that
needs it. F is right about the web config interface. It is clearly
responding (8081/tcp open  http Linksys router http config ). That line
alone gives more information then anyone should need. Netbios is
responding as well and should be blocked at the firewall.

I agree. The ports being seen (80/443) are OWA. See this post on
msexchange.org. http://forums.msexchange.org/m_1800457226/tm.htm. I
would only do so if they do not need that access from outside the
physical network or if they prefer to use OWA internally instead of
Outlook. Of course there is always outlook through proxy. I have used
that as well. Another option would be to forward all outside requests on
ports 80 and 443 to be forwarded to the exchange server.

I hope this helps.

--
Stephen Bartlett
B.S. - INFOSEC, SSM, SA, ISSO, ISO, RA
Assistant Systems Administrator
Systems Security Analyst
Child and Family Tennessee



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class. 
Totally hands-on course with evening Capture The Flag (CTF) exercises,
Certified Ethical Hacker and Certified Penetration Tester exams, taught
by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------