RE: Exhange 2003

["Zach Forsyth" <Zach.Forsyth () kiandra com>]

Is the PIX smtp fixup protocol enabled?
I have seen some very weird things when investigating network issue and
there is a PIX with smtp fixup somewhere in between.
If it is enabled, then do a couple of tests with it switched off.

Just a thought.

Cheers

Zach 

> -----Original Message-----
> From: John Swope [mailto:johns () akorn net] 
> Sent: Thursday, 4 March 2004 16:09 PM
> To: pen-test () securityfocus com
> Subject: RE: Exhange 2003
>
> All,
>
> I work for an enterprise email security company and saw 
> something rather odd just the other day and this might be related.
>
> I was troubleshooting a customer's mail environment, they 
> were an Exchange shop and our appliance is Unix based.  I was 
> noticing a 5 second delay between when I telnetted to port 25 
> and when the Exchange server actually presented it's 220 banner.
>
> Odd, hosts were connected via 100 Base-T, exchange server was 
> not overloaded. No lost packets.  What gives...
>
> Ran tcpdump -X -s1600 host exchange.customer.com
>
>
> Notice, no restriction on ports or types of traffic just on host...
>
>
> I noticed the Exchange server was performing 3 NBT broadcasts 
> to try to resolve the LMHOST name of my box.  Naturally it 
> did not work because I'm a Unix box not running Samba.
>
> So, could the exchange server in your case be doing the same? 
>  Would it explain the results?  Is the PIX allowing all 
> traffic from Exchange to external network?  I realize that I 
> was seeing broadcast traffic and one of the posts in the 
> thread mentioned the boxes are separated by a PIX, just 
> throwing this in as something worth checking...
>
> HTH,
> BJ
>
> At 05:45 AM 03/03/04, Deniz CEVIK wrote:
>
> >         Hi all,
> >
> > This host is behind the cisco pix firewall. I have scanned this host 
> > using several portscan tools. These tools show that only two 
> ports are 
> > open. (SMTP and POP3). Strange think is, if you don't 
> establish the TCP 
> > connection to one of these open ports, before run the 
> "nbtstat" command, you get nothing.
> > But if you open a tcp connection and after that run nbtstat command, 
> > you can see the details of netbios information of machine.
> >
> > Nbtstat command is sending packets to udp 137 port of 
> destination. As 
> > far as I see, firewall is accepting udp packets, if there is an 
> > established tcp connection from same source to same 
> destination as in 
> > udp connection request. I think there is a configuration 
> problem in the customer firewall.
> > For further analysis I requested firewall configuration and logs.
> >
> > Thanks for your helps.
> >
> > PS: HADXM is the hostname of the machine. I have modified some 
> > information in outputs before I posted the message.
> >
> > BR.
> >
> >
> > -----Original Message-----
> > From: jamesworld () intelligencia com 
> > [mailto:jamesworld () intelligencia com]
> > Sent: Wednesday, March 03, 2004 4:17 AM
> > To: Deniz CEVIK
> > Cc: pen-test () securityfocus com
> > Subject: Re: Exhange 2003
> >
> > Did you try
> >
> > netstat -an
> >
> > And see what ports were listening?
> >
> > Is there a local IP filtering policy active? You mentioned 
> only 2 ports 
> > as being active 25 and 100.  Perhaps there is a local IP policy only 
> > allowing those ports.  Perhaps the port 100 was supposed to 
> be port 110 
> > for POP3 mail access and they typod the entry.  Good of you to find 
> > their misconfiguration for them :-)
> >
> > Did you run fport (foundstone)?  If you've never used fport, 
> you should 
> > add it to your arsenal.
> >
> > Hopefully HADXM is the username that you are using.  If not, 
> look into 
> > the host being compromised.
> >
> > If you have more, post it to us.
> >
> > Cheers,
> > -James
> >
> > At 08:29 03/02/2004, Deniz CEVIK wrote:
> > > Hi All,
> > >
> > > While we are testing our customer network, we faced with 
> strange problem.
> > We
> > > are testing exchange 2003 server externally. When we 
> controlled open 
> > > services with port scan, I saw that only two ports (25 and 
> 100) are 
> > > shown
> > as
> > > open. Before I run the portscan, I have controlled the server with
> > "nbtstat"
> > > command of windows. It returned error messages as below.
> > >
> > > nbtstat -A EXCH_IP
> > >
> > > Local Area Connection:
> > > Node IpAddress: [MY_MACHINE] Scope Id: []
> > >
> > >     Host not found.
> > >
> > > After the port scan is finished, in order to see the banner 
> > > information of mail server, I opened the connection to 
> port 25 using 
> > > telnet command
> > (telnet
> > > EXCH_IP 25). Same time when I run "nbtstat -A" command 
> from another 
> > > window by mistake and I saw that below output.
> > >
> > > nbtstat -A EXCH_IP
> > >
> > > Local Area Connection:
> > > Node IpAddress: [MY_MACHINE] Scope Id: []
> > >
> > >            NetBIOS Remote Machine Name Table
> > >
> > >        Name               Type         Status
> > >     ---------------------------------------------
> > >     HADXM           <1F>  UNIQUE      Registered
> > >     HADXM           <00>  UNIQUE      Registered
> > >     HADXM           <20>  UNIQUE      Registered
> > >     EXCHANGE        <00>  GROUP       Registered
> > >     EXCHANGE        <1C>  GROUP       Registered
> > >     EXCHANGE        <1B>  UNIQUE      Registered
> > >     EXCHANGE        <1E>  GROUP       Registered
> > >     HADXM           <03>  UNIQUE      Registered
> > >     ADMINISTRATOR   <03>  UNIQUE      Registered
> > >     EXCHANGE        <1D>  UNIQUE      Registered
> > >     ..__MSBROWSE__. <01>  GROUP       Registered
> > >     HADXM           <6A>  UNIQUE      Registered
> > >     HADXM           <87>  UNIQUE      Registered
> > >
> > >     MAC Address = MAC_ADDRESS_OF_EXCHANGE
> > >
> > > If there isn't any connection to open port of the server you can't 
> > > see this nbtstat outputs.
> > >
> > > Has any body faced with same situations before?
> > >
> > > BR
> >
> > ---------------------------------------------------------------------
> > > ------ Free 30-day trial: firewall with virus/spam protection, URL 
> > > filtering, VPN, wireless security
> > >
> > > Protect your network against hackers, viruses, spam and 
> other risks 
> > > with Astaro Security Linux, the comprehensive security 
> solution that 
> > > combines six applications in one software solution for ease of use 
> > > and lower total cost
> > of
> > > ownership.
> > >
> > > Download your free trial at
> > > http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
> >
> > ---------------------------------------------------------------------
> > > ------
> > -
> >
> >
> > -------------------------------------------------------------
> ----------
> > ---- Ethical Hacking at the InfoSec Institute. Mention this 
> ad and get 
> > $545 off any course! All of our class sizes are guaranteed to be 10 
> > students or less to facilitate one-on-one interaction with 
> one of our 
> > expert instructors.
> > Attend a course taught by an expert instructor with years of 
> > in-the-field pen testing experience in our state of the art hacking 
> > lab. Master the skills of an Ethical Hacker to better assess 
> the security of your organization.
> > Visit us at:
> > http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040303
> > -------------------------------------------------------------
> ----------
> > -----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------