Re: Inaccessible Port 80 - Pentest

["ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>]

Arvind,

It is strange that you could find the port 80 open for those IPs if
firewall would have been blocking it. With my personal experience, I
donot think a firewall would block be blocking. As correctly mentioned
by few people, this is more of an application level.

Had the firewall been blocking this request, you would  have *not* got
"Access denied". You would ideally see 'connection timeout' as 'good'
firewall won't respond ! So, I would rule out filtering of this range
on the firewall ! This can be restriction ot an application level.

Could you please share what type of scan was performed ? Did you do a
syn scan ? Also, it would be interesting to check the wireshark output
when accessing the IPs for the response you get (if any from these
IPs).

Thanks,
Aditya Govind Mukadam





On Sun, Aug 10, 2008 at 4:39 AM, Steve Armstrong
<stevearmstrong () logicallysecure com> wrote:
> Arvind,
>
> Several people have mentioned firewalls, but stick to layer thee.  I believe
> the barrier you are facing is a layer 7 one.
>
> A mixture of layer 3 port filtering to restrict you to port 80 would seem to
> be inplace.
>
> This could be open to everyone to allow troubleshooting activities.
>  However, I believe you are also looking at a layer 7 proxy that is
> restricting access to the service behind it based upon source ip.
>
> The multiple ip addresses could be on the same box thus the strange
> presentation you see.
>
> There are several reasons for wanting this type of restriction. It to a
> certain degree priviatizes the website, is transparent to the end user,
> requires no installation on the client, allows traffic behind the FW to be
> monitored without the need for decryption.  And let's not forget permissions
> can be changed by the admin with no cost or implementation lag.
>
> It appears to be hidden in plain sight. Like a VPN without the V and some of
> the P.
>
> As an after thought, were you getting or putting Http data?  Perhaps it was
> a 'collection' server that only allowed clients to post or put Http.  That
> way the clients or agents use common protocols and the layer7 FW restricts
> their http command
>
> HTH
>
> Steve A
>
> ---------------------/
> Logically Secure
>
> On 8 Aug 2008, at 16:59, "arvind doraiswamy" <arvind.doraiswamy () gmail com>
> wrote:
>
> > Hey Guys,
> > Very recently we did a PenTest for a client where we came across a
> > strange(atleast to me) situation. Had an IP block which on scanning
> > revealed only port 80 open which sounded ok. Any kind of requests
> > though from the external world - I tried from multiple IP's and even
> > through TOR were blocked by a firewall which kept displaying its
> > custom "Access denied" page. So obviously there was some kind of IP
> > based restriction in  place which said -- Only these IP's can connect
> > to whatever is running on port 80. No problems till here.
> >
> > My question is: Why would anyone want to  have a live server on the
> > Internet, open one port on it and then block it from public use?
> > Obvious answers that sprung to mind were:
> > a) Maybe its an internal server running a web app to be accessed only
> > internally
> >          ----- So why is it public , in the DMZ then? Shouldnt it be
> > on the internal network?
> > b) Maybe some hosts/apps on the internal network needed to connect to
> > port 80 of a DMZ server before going out?
> >         ------ Then again why is it public. These servers could be
> > placed on an internal segment and the traffic could be NATTEd before
> > it goes out like all other Internet destined traffic. And Secondly I
> > am not able to think of a situation like this --- What traffic apart
> > from a proxy could behave this way --- where I have -- Internal IP
> > -------> DMZIP:80 ---------> Internet ? And mind you this wasnt just 1
> > IP - there were many, so I'm quite sure I've missed something.
> >
> > What are your thoughts?
> >
> > Thnx
> > Arvind
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Top 5 Common Mistakes in
> > Securing Web Applications
> > Get 45 Min Video and PPT Slides
> >
> > www.cenzic.com/landing/securityfocus/hackinar
> > ------------------------------------------------------------------------
>
> The information contained in this e-Mail and any subsequent correspondence
> is private and is intended solely for the intended recipient(s). The
> information in this communication may be confidential and/or legally
> privileged. Nothing in this e-mail is intended to conclude a contract on
> behalf of Logically Secure Ltd or make Logically Secure Ltd subject to any
> other legally binding commitments, unless the e-mail contains an express
> statement to the contrary or incorporates a formal Purchase Order.  For
> persons other than the intended recipient any disclosure, copying,
> distribution, or any action taken or omitted to be taken in reliance on such
> information is prohibited and may be unlawful.
>
> Registered in England and Wales No: 05967368.  Registered Office: 36 Tudor
> Road, Lincoln, LN6 3LL.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes inSecuring Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------