Penetration Testing mailing list archives
[PEN-TEST] Testing a "rogue site"
From: "Kelly, Mike" <Mike_Kelly () RYDER COM>
Date: Fri, 8 Sep 2000 09:29:16 -0400
Hi folks! I've got an interesting scenario/case study here. Very recently, there was a slight organizational change in our company and two out-of-town sites became added to our "circle of responsibility". Although they were added, company politics prevents us from dictating any IT policy to these new sites. One of the sites has just found itself an ISP. There is no firewall between the site's network and the rest of the Internet. Just an NT PDC server. All of this was done without consulting our IT department, and the politics of the situation has allowed them to do this. Fortunately, they are not tied into our network just yet.

Anyway. I was named Security Manager last year for no other reason than I have a greater interest in network security than most of the people here. (Now you've seen my entire set of credentials.) I've been asked to determine any vulnerability on the server at the new site so a report can be delivered to the CEO regarding what is going on down there.

I've managed to get the IP address of this site and run some port scans. I've found 3 telnet ports (port 23), 1 ftp port (port 21) and 1 port 80. There are 10 addresses responding to pings and I'm guessing that at least one of them is an HP 4000 print server. (That was the FTP port.) Connecting to port 23 doesn't give you any information about the OS or anything. Connecting to the FTP port (anonymously!) lets you see inside the HP 4000 printer server. Port 80 is on the same machine as the FTP port, so I'm comfortable in assuming that it is there for remote administration of the HP 4000. Port 80 is on the printer server as well and it's there for remote administration. I don't think they have set passwords on the print server; I looked at the tab marked security and it looks like it's still waiting to see its first administrative password. (Concluded thusly because the lines for "old password" are grayed out and inactive.) The only real holes I've found are on the printer server.
I haven't really tried doing anything other than connections on the telnet ports. I suspect that someone from the ISP must have "hardened" or at least inspected the PDC a little because the VNC service seems to have been turned off. I also know that the PDC is running NT 4, Service Pack 6. If you were me, which way would you look next? Physical access is impossible as they are probably an 8 hour flight from here. I've had thoughts about arranging for one of the IT guys there to stand by the server on a weekend while I try and Smurf it, but I'm not really excited about doing that if I can help it.

We want to be able to make the case to the Boss that someone should have bought a firewall (we're a CISCO shop and we use PIX here) before getting online. And then we want to make them buy a firewall.

Thanks folks,
Mike Kelly
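The reconnaissance the post describes (connect to the handful of listening ports, note whether the service volunteers a banner, and check whether the FTP listener accepts an anonymous login) can be scripted so the findings come out as a list that drops straight into the report for the CEO. The script below is an added example written for this archive page; it is not code from the original post, from the list, or from HP. It contains no real target: the two listeners it probes are constructed local stand-ins, one that answers USER/PASS like a print server with no password set and one that accepts the connection but says nothing, which is the behaviour the post reports for port 23. The hosts, ports and banner text are assumptions, and as with the post's own scan, run it only against addresses you are responsible for.

```python
"""Minimal TCP reconnaissance: probe ports, record banners, test anonymous FTP.

Added example for this page. The targets below are constructed local
listeners, not the print server or PDC from the post.
"""
import socket
import threading
from ftplib import FTP, error_perm, error_reply


def probe_port(host, port, timeout=1.0):
    """Return (is_open, banner). An open but silent port yields (True, "")."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("latin-1", "replace").strip()
            except socket.timeout:
                banner = ""          # open, but nothing volunteered (telnet-style)
            return True, banner
    except OSError:
        return False, ""             # refused, filtered, or unreachable


def anonymous_ftp_allowed(host, port, timeout=1.0):
    """True if the FTP service lets 'anonymous' in (ftplib's default login)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                  # sends USER anonymous / PASS anonymous@
        return True
    except (OSError, EOFError, error_perm, error_reply):
        return False
    finally:
        ftp.close()


def assess(host, ports, timeout=1.0):
    """Probe each port and return one-line findings suitable for a report."""
    findings = []
    for port in ports:
        is_open, banner = probe_port(host, port, timeout)
        if not is_open:
            continue
        findings.append(f"{port}/tcp open" + (f": {banner}" if banner else " (no banner)"))
        # FTP greets with a 220 line; port 21 is the conventional FTP port.
        if port == 21 or banner.startswith("220"):
            if anonymous_ftp_allowed(host, port, timeout):
                findings.append(f"{port}/tcp accepts anonymous FTP login")
    return findings


def start_fake_service(greeting, ftp_dialogue):
    """Start a constructed localhost listener standing in for a target host.

    greeting: bytes sent on connect (b"" for a silent, telnet-like port).
    ftp_dialogue: if True, answer USER/PASS/QUIT like a server with no password.
    Returns the bound port number.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            if greeting:
                conn.sendall(greeting)
            for line in conn.makefile("rb"):
                if not ftp_dialogue:
                    continue         # swallow input, never answer
                verb = line.split(b" ", 1)[0].strip().upper()
                if verb == b"USER":
                    conn.sendall(b"331 Password required.\r\n")
                elif verb == b"PASS":
                    conn.sendall(b"230 Logged in.\r\n")   # any password accepted
                elif verb == b"QUIT":
                    conn.sendall(b"221 Bye.\r\n")
                    break
                else:
                    conn.sendall(b"502 Not implemented.\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed targets: an unprotected "print server" FTP and a silent port.
    ftp_port = start_fake_service(b"220 constructed print-server FTP ready.\r\n", True)
    silent_port = start_fake_service(b"", False)
    for line in assess("127.0.0.1", [ftp_port, silent_port]):
        print(line)
```

Against real hosts, replace the constructed listeners with the site's addresses and the port list with the ones the scan turned up (21, 23, 80). A silent but open port still shows up as a finding; the absence of a banner is not evidence that nothing is listening, which is the point the post makes about the three telnet ports.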
Current thread:
- [PEN-TEST] Testing a "rogue site" Kelly, Mike (Sep 08)
- Re: [PEN-TEST] Testing a "rogue site" Peter Van Epp (Sep 09)
- Re: [PEN-TEST] Testing a "rogue site" Missy, E (Sep 10)
- <Possible follow-ups>
- Re: [PEN-TEST] Testing a "rogue site" Mitch James (Sep 08)
- Re: [PEN-TEST] Testing a "rogue site" Rich Richenberg (Sep 08)
- Re: [PEN-TEST] Testing a "rogue site" Alexander Sarras (SEA) (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Karyn Pichnarczyk (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Missy, E (Sep 12)
- Re: [PEN-TEST] Testing a "rogue site" Wandering One (Sep 13)
- Re: [PEN-TEST] Testing a "rogue site" Karyn Pichnarczyk (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Peter Van Epp (Sep 09)
- Re: [PEN-TEST] Testing a "rogue site" Meritt, Jim (Sep 11)
- Re: [PEN-TEST] Testing a "rogue site" Alexander Sarras (SEA) (Sep 13)