Re: Interpreting the results of an NMAP scan

[bartlettNSF <bartlettNSF () comcast net>]

Francesc Vila wrote:
> Dan Fauxpoint wrote:
> > Hello,
> >
> > I am helping a small business owner to evaluate the quality of his IT 
> > setup. This company has one server which runs Windows Small Business 
> > Server 2003 R2 Premium Edition. This server hosts an Exchange 
> > instance which takes care of incoming and outgoing emails.
> >
> > I ran an namp scan (nmap -T4 -A -v -PE -PA21,23,80,3389 <IP_address>) 
> > from a machine outside of the company network and got the results 
> > below. I am wondering why ports 80 and 443 are open since the server 
> > does not act as a web server. Also I am wondering if the Linksys 
> > router should be visible from the outside world ...
> >
> > If anybody could comment on this and make suggestions on how to 
> > improve the security of that setup, I would appreciate it.
> >
> > Cheers,
> > Dan.
> >
> > Not shown: 990 closed ports
> > PORT     STATE    SERVICE      VERSION
> > 25/tcp   filtered smtp
> > 80/tcp   open     http         Microsoft IIS
> > |_ html-title: The page cannot be displayed
> > 135/tcp  filtered msrpc
> > 139/tcp  filtered netbios-ssn
> > 143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 
> > 6.5.7638.1
> > 443/tcp  open     ssl/https?
> > |_ sslv2: server still supports SSLv2
> > |  html-title: Microsoft Outlook Web Access
> > |_ Requested resource was https://<...snipped...>
> > 445/tcp  filtered microsoft-ds
> > 993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 
> > 6.5.7638.1
> > |_ sslv2: server still supports SSLv2
> > 1723/tcp open     pptp         Microsoft (Firmware: 3790)
> > 8081/tcp open     http         Linksys router http config (device 
> > model BEFSR41/BEFSR11/BEFSRU31)
> > |  http-auth: HTTP Service requires authentication
> > |_   Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
> > |_ html-title: 401 Authorization Required
> >
> >
> >
> >      
> > ------------------------------------------------------------------------
> > This list is sponsored by: InfoSec Institute
> >
> > Learn all of the latest penetration testing techniques in InfoSec 
> > Institute's Ethical Hacking class. Totally hands-on course with 
> > evening Capture The Flag (CTF) exercises, Certified Ethical Hacker 
> > and Certified Penetration Tester exams, taught by an expert with 
> > years of real pen testing experience.
> >
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ------------------------------------------------------------------------
> >
> >   
> As far as I know, and taking into account the nmap output, 80/443 is 
> the Outlook Web Access. I don't know if it can be disabled from 
> Exchange, but it is part of it. If they don't need to access mail 
> outside the company, maybe it should be filtered.
>
> Regarding the Linksys router... I think that the web configuration 
> interface shouldn't be accessible from outside (let's hope that they 
> didn't leave the default password, because it would be dangerous)
>
> Just my two cents,
>
> F.
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Learn all of the latest penetration testing techniques in InfoSec 
> Institute's Ethical Hacking class. Totally hands-on course with 
> evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and 
> Certified Penetration Tester exams, taught by an expert with years of 
> real pen testing experience.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------
Out of curiosity, did you perform this scan internally or externally to 
their network? The reason I ask would have to do with the responses you 
got from the NMAP scan. I'm going on the assumption that you scanned 
from an external connection, so please forgive me if I misunderstood.

I would recommend disabling the ability to respond to pings and other 
such requests from the outside. Unless you truly have a service that 
needs it. F is right about the web config interface. It is clearly 
responding (8081/tcp open  http Linksys router http config ). That line 
alone gives more information then anyone should need. Netbios is 
responding as well and should be blocked at the firewall.

I agree. The ports being seen (80/443) are OWA. See this post on 
msexchange.org. http://forums.msexchange.org/m_1800457226/tm.htm. I 
would only do so if they do not need that access from outside the 
physical network or if they prefer to use OWA internally instead of 
Outlook. Of course there is always outlook through proxy. I have used 
that as well. Another option would be to forward all outside requests on 
ports 80 and 443 to be forwarded to the exchange server.

I hope this helps.

--
Stephen Bartlett
B.S. - INFOSEC, SSM, SA, ISSO, ISO, RA 
Assistant Systems Administrator
Systems Security Analyst
Child and Family Tennessee



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. 
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------