Penetration Testing mailing list archives
Re: RE: pen testing management and control system
From: lawal () shaw ca
Date: Fri, 27 Jun 2003 15:02:36 -0600
In addition to Jason's comments, it is equally possible that the firewall protecting the device you are scanning may have implemented some form of intrusion prevention. If it is a Linux-based firewall, for example, with portsentry running, the firewall may have detected that an attack was in progress from your IP and then blocked all incoming connections from your attack box. If you can determine the kind of firewall it is, it may give you a better idea as to what the firewall may be doing...

Hope this helps.

Ola

----- Original Message -----
From: Jason.North () ch2m com
Date: Friday, June 27, 2003 1:46 pm
Subject: RE: pen testing management and control system
It looks to me like whatever you are scanning either is, or is behind, a proxy-based firewall. PBFs will answer (on behalf of any host behind them) on all kinds of ports, but won't pass the traffic unless they have specific configuration to do so (i.e. an answered port looks blocked). PBFs also have a habit of giving their own info during OS detection. My guess is a software-based firewall running on Win2k (ISA is the first one that comes to mind, but there are several others...)

Jason C. North
Computer Security Engineer
CH2MHill Communications Group
(The opinions expressed in this email are not necessarily those of CH2MHill Communication Group)

-------------------------------------------
At what point in the scan did you get blocked? It looks like the portscan worked, except that there are a whole lot of ports I'd not expect to see on a server like that. Things that stand out are the presence of VNC with Terminal Server AND Metaframe, for example. And Metaframe on 2000 Advanced Server seems like a terrible idea as well, from what I know of the way it handles foreground/background priority, and how it's optimized for specific types of server apps. Are you sure that there isn't some kind of reactive (firewall or IDS) configuration that's meant to throw you some red herrings that automatically block you when you connect to them?

-----Original Message-----
From: Ronen Gottlib [ronen () avnet co il]
Sent: Friday, June 27, 2003 4:54 AM
To: pen-test () securityfocus com
Subject: pen testing management and control system

Hi All,

I am pen testing a Windows 2000 Advanced Server, with some kind of management and control software (e.g. Tivoli, Netcool). The system has IIS 6.0 running with lockdown enabled. When I tried to run Nessus, my IP was blocked for quite a long time. The same happened with Nikto. Furthermore, although quite a few ports were found to be open on the remote machine, the management and control application is blocking most of them while allowing access only to the following: 21, 23 (MS telnet server), 25 (Microsoft ESMTP MAIL Service, Version: 6.0.2600.1106), 80 (Microsoft-IIS/6.0), 110 (Microsoft Windows POP3 Service Version 2.0), 3389. The system is also running Hummingbird Exceed.

Does anyone have any idea? I've kind of reached a dead end. Below are the results of an Nmap scan, if it helps.

Thank you very much for your help,
Ronen.

Port       State     Service
21/tcp     open      ftp
22/tcp     open      ssh
23/tcp     open      telnet
25/tcp     open      smtp
53/tcp     open      domain
80/tcp     open      http
98/tcp     open      linuxconf
110/tcp    open      pop-3
111/tcp    open      sunrpc
135/tcp    open      loc-srv
143/tcp    open      imap2
161/tcp    open      snmp
443/tcp    open      https
1080/tcp   open      socks
1433/tcp   open      ms-sql-s
1494/tcp   open      citrix-ica
1720/tcp   filtered  H.323/Q.931
1723/tcp   filtered  pptp
3389/tcp   open      ms-term-serv
4000/tcp   filtered  remoteanything
5135/tcp   open      unknown
5631/tcp   open      pcanywheredata
5632/tcp   open      pcanywherestat
5900/tcp   open      vnc
6112/tcp   open      dtspc
6660/tcp   filtered  unknown
6661/tcp   filtered  unknown
6662/tcp   filtered  unknown
6663/tcp   filtered  unknown
6664/tcp   filtered  unknown
6665/tcp   filtered  unknown
6666/tcp   filtered  irc-serv
6667/tcp   filtered  irc
6668/tcp   filtered  irc
6669/tcp   filtered  unknown
8875/tcp   filtered  unknown
28900/tcp  filtered  unknown

---------------------------------------------------------------------------
Latest attack techniques.
You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group.
Visit us at: www.coresecurity.com/promos/sf_ept1 or call 617-399-6980
---------------------------------------------------------------------------
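The reactive blocking that Ola and the earlier reply describe (a firewall or IDS that notices one source touching many ports in a short time and then drops everything further from that source) is easy to model. The following is an added illustration, not code from the thread or from portsentry: it is a simplified sliding-window threshold detector, not portsentry's actual logic. The log format, the IP addresses, the timestamps and the threshold and window values are all constructed for the example; a real deployment would read its own firewall or connection log instead.

```python
"""Sliding-window port-scan detector in the style of reactive IPS blocking.

Added example for illustration; not from the mailing list thread and not
portsentry's real implementation. Log format and values are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log, one line per inbound TCP connection:
#   "<ISO timestamp> <source ip> -> <dst port>/tcp"
# 10.0.0.5      : a normal client hitting two services (should not trip)
# 192.168.1.77  : a fast scan of ten ports in three seconds (should trip)
# 172.16.0.9    : the same ten ports, one every 30 s (too slow for a 10 s window)
SAMPLE_LOG = """\
2003-06-27T04:54:00 10.0.0.5 -> 80/tcp
2003-06-27T04:54:01 10.0.0.5 -> 443/tcp
2003-06-27T04:54:02 10.0.0.5 -> 80/tcp
2003-06-27T04:54:00 192.168.1.77 -> 21/tcp
2003-06-27T04:54:00 192.168.1.77 -> 22/tcp
2003-06-27T04:54:00 192.168.1.77 -> 23/tcp
2003-06-27T04:54:01 192.168.1.77 -> 25/tcp
2003-06-27T04:54:01 192.168.1.77 -> 53/tcp
2003-06-27T04:54:01 192.168.1.77 -> 80/tcp
2003-06-27T04:54:02 192.168.1.77 -> 110/tcp
2003-06-27T04:54:02 192.168.1.77 -> 135/tcp
2003-06-27T04:54:02 192.168.1.77 -> 3389/tcp
2003-06-27T04:54:03 192.168.1.77 -> 5900/tcp
2003-06-27T04:55:00 172.16.0.9 -> 21/tcp
2003-06-27T04:55:30 172.16.0.9 -> 22/tcp
2003-06-27T04:56:00 172.16.0.9 -> 23/tcp
2003-06-27T04:56:30 172.16.0.9 -> 25/tcp
2003-06-27T04:57:00 172.16.0.9 -> 53/tcp
2003-06-27T04:57:30 172.16.0.9 -> 80/tcp
2003-06-27T04:58:00 172.16.0.9 -> 110/tcp
2003-06-27T04:58:30 172.16.0.9 -> 135/tcp
2003-06-27T04:59:00 172.16.0.9 -> 3389/tcp
2003-06-27T04:59:30 172.16.0.9 -> 5900/tcp
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, source_ip, dst_port)."""
    ts_str, src, _arrow, port_proto = line.split()
    port = int(port_proto.split("/")[0])
    return datetime.fromisoformat(ts_str), src, port


def detect_scanners(log_text, threshold=8, window_seconds=10):
    """Return {source_ip: time_of_block} for every source that contacted at
    least `threshold` distinct ports within any `window_seconds` interval.

    Once a source is blocked, later lines from it are ignored, mirroring a
    reactive firewall that drops all further traffic from that address.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)                       # src -> deque[(ts, port)]
    port_counts = defaultdict(lambda: defaultdict(int))  # src -> {port: hits in window}
    blocked = {}

    for ts, src, port in events:
        if src in blocked:
            continue
        q, counts = recent[src], port_counts[src]
        q.append((ts, port))
        counts[port] += 1
        # Expire events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _old_ts, old_port = q.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        if len(counts) >= threshold:
            blocked[src] = ts
    return blocked


if __name__ == "__main__":
    for src, when in detect_scanners(SAMPLE_LOG).items():
        print(f"block {src} (threshold reached at {when.isoformat()})")
```

With the default 8 ports in 10 seconds only the fast scanner is blocked; the slow source that spreads the same ports over several minutes never has more than one port inside the window, which is why a defender tuning such a threshold has to trade false positives from busy clients against blind spots for slow scans. Widening the window to five minutes catches the slow source as well.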
Current thread:
- pen testing management and control system Ronen Gottlib (Jun 27)
- RE: pen testing management and control system Rob Shein (Jun 27)
- Re: pen testing management and control system Mark Wolfgang (Jun 27)
- <Possible follow-ups>
- RE: pen testing management and control system Jason.North (Jun 27)
- Re: RE: pen testing management and control system lawal (Jun 27)
- RE: pen testing management and control system Ronen Gottlib (Jun 27)
- RE: pen testing management and control system Rob Shein (Jun 27)