Security Basics mailing list archives
Re: Interpreting the results of an NMAP scan
From: bartlettNSF <bartlettNSF () comcast net>
Date: Mon, 27 Apr 2009 01:22:21 -0400
Francesc Vila wrote:
Out of curiosity, did you perform this scan internally or externally to their network? The reason I ask would have to do with the responses you got from the NMAP scan. I'm going on the assumption that you scanned from an external connection, so please forgive me if I misunderstood.

Dan Fauxpoint wrote:

As far as I know, and taking into account the nmap output, 80/443 is the Outlook Web Access. I don't know if it can be disabled from Exchange, but it is part of it. If they don't need to access mail outside the company, maybe it should be filtered.

Hello,

I am helping a small business owner to evaluate the quality of his IT setup. This company has one server which runs Windows Small Business Server 2003 R2 Premium Edition. This server hosts an Exchange instance which takes care of incoming and outgoing emails.

I ran an nmap scan (nmap -T4 -A -v -PE -PA21,23,80,3389 <IP_address>) from a machine outside of the company network and got the results below. I am wondering why ports 80 and 443 are open since the server does not act as a web server. Also I am wondering if the Linksys router should be visible from the outside world ...

If anybody could comment on this and make suggestions on how to improve the security of that setup, I would appreciate it.

Cheers, Dan.

Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   open     http         Microsoft IIS
|_ html-title: The page cannot be displayed
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 6.5.7638.1
443/tcp  open     ssl/https?
|_ sslv2: server still supports SSLv2
| html-title: Microsoft Outlook Web Access
|_ Requested resource was https://<...snipped...>
445/tcp  filtered microsoft-ds
993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
1723/tcp open     pptp         Microsoft (Firmware: 3790)
8081/tcp open     http         Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
|_ html-title: 401 Authorization Required

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------

Regarding the Linksys router... I think that the web configuration interface shouldn't be accessible from outside (let's hope that they didn't leave the default password, because it would be dangerous).

Just my two cents, F.

I would recommend disabling the ability to respond to pings and other such requests from the outside, unless you truly have a service that needs it. F is right about the web config interface. It is clearly responding (8081/tcp open http Linksys router http config). That line alone gives more information than anyone should need. NetBIOS is responding as well and should be blocked at the firewall.

I agree. The ports being seen (80/443) are OWA. See this post on msexchange.org: http://forums.msexchange.org/m_1800457226/tm.htm. I would only do so if they do not need that access from outside the physical network or if they prefer to use OWA internally instead of Outlook. Of course there is always Outlook through proxy. I have used that as well. Another option would be to have all outside requests on ports 80 and 443 forwarded to the Exchange server.

I hope this helps.

--
Stephen Bartlett
B.S. - INFOSEC, SSM, SA, ISSO, ISO, RA
Assistant Systems Administrator
Systems Security Analyst
Child and Family Tennessee
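
As an added example (not part of the original post or thread): a small Python triage of the port table quoted above, flagging the open-port exposures the replies discuss. The names `parse` and `triage` and the finding wording are assumptions of this example; the sample table is re-typed and trimmed from the quoted scan.

```python
import re

# Port table re-typed and trimmed from the scan quoted in this thread.
SCAN = """\
80/tcp   open     http      Microsoft IIS
139/tcp  filtered netbios-ssn
443/tcp  open     ssl/https?
|_ sslv2: server still supports SSLv2
| html-title: Microsoft Outlook Web Access
993/tcp  open     ssl/imap  Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
8081/tcp open     http      Linksys router http config
|_ Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Parse the port table; '|' script lines attach to the port above them."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m[1]), "state": m[3], "service": m[4],
                          "version": m[5].strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ "))
    return ports

def triage(ports):
    """Return (port, finding) pairs for the exposures raised in the thread."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue  # nmap reports "filtered" when probes got no reply
        notes = " ".join(p["scripts"])
        if "router http config" in p["version"]:
            findings.append((p["port"], "router admin interface reachable from outside"))
        if "Auth type: Basic" in notes and not p["service"].startswith("ssl/"):
            findings.append((p["port"], "Basic auth over cleartext HTTP"))
        if "supports SSLv2" in notes:
            findings.append((p["port"], "SSLv2 enabled"))
        if "Outlook Web Access" in notes:
            findings.append((p["port"], "OWA published; confirm remote mail is needed"))
    return findings

if __name__ == "__main__":
    for port, finding in triage(parse(SCAN)):
        print(f"{port}/tcp: {finding}")
```
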