Penetration Testing mailing list archives
RE: Exhange 2003
From: "Zach Forsyth" <Zach.Forsyth () kiandra com>
Date: Fri, 5 Mar 2004 09:04:07 +1100
Is the PIX smtp fixup protocol enabled? I have seen some very weird things when investigating network issues and there is a PIX with smtp fixup somewhere in between. If it is enabled, then do a couple of tests with it switched off.

Just a thought.

Cheers
Zach
-----Original Message-----
From: John Swope [mailto:johns () akorn net]
Sent: Thursday, 4 March 2004 16:09 PM
To: pen-test () securityfocus com
Subject: RE: Exhange 2003

All,

I work for an enterprise email security company and saw something rather odd just the other day, and this might be related. I was troubleshooting a customer's mail environment; they were an Exchange shop and our appliance is Unix based. I was noticing a 5 second delay between when I telnetted to port 25 and when the Exchange server actually presented its 220 banner. Odd: hosts were connected via 100 Base-T, the Exchange server was not overloaded, no lost packets. What gives...

Ran

    tcpdump -X -s1600 host exchange.customer.com

Notice, no restriction on ports or types of traffic, just on host... I noticed the Exchange server was performing 3 NBT broadcasts to try to resolve the LMHOST name of my box. Naturally it did not work because I'm a Unix box not running Samba.

So, could the Exchange server in your case be doing the same? Would it explain the results? Is the PIX allowing all traffic from Exchange to the external network? I realize that I was seeing broadcast traffic and one of the posts in the thread mentioned the boxes are separated by a PIX; just throwing this in as something worth checking...

HTH,
BJ

At 05:45 AM 03/03/04, Deniz CEVIK wrote:

Hi all,

This host is behind the Cisco PIX firewall. I have scanned this host using several portscan tools. These tools show that only two ports are open (SMTP and POP3). The strange thing is, if you don't establish the TCP connection to one of these open ports before running the "nbtstat" command, you get nothing. But if you open a TCP connection and after that run the nbtstat command, you can see the details of the NetBIOS information of the machine. The nbtstat command is sending packets to UDP port 137 of the destination. As far as I see, the firewall is accepting UDP packets if there is an established TCP connection from the same source to the same destination as in the UDP connection request.

I think there is a configuration problem in the customer firewall. For further analysis I requested the firewall configuration and logs.

Thanks for your help.

PS: HADXM is the hostname of the machine. I have modified some information in the outputs before I posted the message.

BR.

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Wednesday, March 03, 2004 4:17 AM
To: Deniz CEVIK
Cc: pen-test () securityfocus com
Subject: Re: Exhange 2003

Did you try netstat -an and see what ports were listening? Is there a local IP filtering policy active? You mentioned only 2 ports as being active, 25 and 100. Perhaps there is a local IP policy only allowing those ports. Perhaps the port 100 was supposed to be port 110 for POP3 mail access and they typo'd the entry. Good of you to find their misconfiguration for them :-)

Did you run fport (Foundstone)? If you've never used fport, you should add it to your arsenal.

Hopefully HADXM is the username that you are using. If not, look into the host being compromised.

If you have more, post it to us.

Cheers,
-James

At 08:29 03/02/2004, Deniz CEVIK wrote:

Hi All,

While we were testing our customer network, we faced a strange problem. We are testing an Exchange 2003 server externally. When we controlled open services with a port scan, I saw that only two ports (25 and 100) are shown as open. Before I ran the portscan, I had controlled the server with the "nbtstat" command of Windows. It returned error messages as below.

    nbtstat -A EXCH_IP

    Local Area Connection:
    Node IpAddress: [MY_MACHINE] Scope Id: []

        Host not found.

After the port scan finished, in order to see the banner information of the mail server, I opened the connection to port 25 using the telnet command (telnet EXCH_IP 25). At the same time I ran the "nbtstat -A" command from another window by mistake and I saw the output below.

    nbtstat -A EXCH_IP

    Local Area Connection:
    Node IpAddress: [MY_MACHINE] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        HADXM          <1F>  UNIQUE      Registered
        HADXM          <00>  UNIQUE      Registered
        HADXM          <20>  UNIQUE      Registered
        EXCHANGE       <00>  GROUP       Registered
        EXCHANGE       <1C>  GROUP       Registered
        EXCHANGE       <1B>  UNIQUE      Registered
        EXCHANGE       <1E>  GROUP       Registered
        HADXM          <03>  UNIQUE      Registered
        ADMINISTRATOR  <03>  UNIQUE      Registered
        EXCHANGE       <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered
        HADXM          <6A>  UNIQUE      Registered
        HADXM          <87>  UNIQUE      Registered

        MAC Address = MAC_ADDRESS_OF_EXCHANGE

If there isn't any connection to an open port of the server you can't see this nbtstat output. Has anybody faced the same situation before?

BR
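The name table nbtstat -A prints comes back in a single UDP/137 NODE STATUS RESPONSE (RFC 1002, section 4.2.18): one 18-byte entry per name (15-char name, suffix byte, NAME_FLAGS) followed by a statistics block whose first six bytes are the MAC. The Python below is an added example, not code from anyone in this thread; it builds a constructed response in that layout and parses it back into the name, suffix, UNIQUE/GROUP and Registered fields seen above, which is useful when checking what a firewall exposure like the one described here actually hands out. The hostnames, suffixes and MAC in the sample are constructed values.

```python
import struct

# NAME_FLAGS bits from the NODE STATUS RESPONSE (RFC 1002, section 4.2.18)
G_FLAG, DRG_FLAG, CNF_FLAG, ACT_FLAG = 0x8000, 0x1000, 0x0800, 0x0400
NBSTAT_TYPE, IN_CLASS = 0x0021, 0x0001
# First-level encoding (RFC 1001, 14.1) of the "*" wildcard name nbtstat -A queries:
# 0x2A -> nibbles 2,A -> "CK"; each of the 15 NUL pad bytes -> "AA"; length 32, zero terminator
WILDCARD_NAME = b"\x20" + b"CK" + b"AA" * 15 + b"\x00"


def build_node_status_response(trn_id, names, mac):
    """Constructed response; names is a list of (name, suffix, name_flags)."""
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)  # response bit set, ANCOUNT=1
    rr = WILDCARD_NAME + struct.pack(">HHI", NBSTAT_TYPE, IN_CLASS, 0)  # NBSTAT, IN, TTL 0
    rdata = bytes([len(names)])  # NUM_NAMES
    for name, suffix, flags in names:  # each NODE_NAME entry is 18 bytes
        rdata += name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + bytes(40)  # STATISTICS: UNIT_ID (the MAC) then 40 bytes of counters
    return header + rr + struct.pack(">H", len(rdata)) + rdata


def parse_node_status_response(data):
    """Decode the packet into the fields nbtstat prints as its name table."""
    trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    pos = 12
    while data[pos]:  # skip RR_NAME: length-prefixed labels ending in a zero byte
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE or rdlen < 1 + 18 * data[pos] + 6:
        raise ValueError("malformed or non-NBSTAT answer")
    count, pos = data[pos], pos + 1
    names = []
    for _ in range(count):
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        nflags = struct.unpack(">H", data[pos + 16:pos + 18])[0]
        pos += 18
        status = ("Conflict" if nflags & CNF_FLAG else "Deregistering" if nflags & DRG_FLAG
                  else "Registered" if nflags & ACT_FLAG else "Unknown")
        names.append({"name": raw.rstrip(b" ").decode("ascii", "replace"), "suffix": suffix,
                      "type": "GROUP" if nflags & G_FLAG else "UNIQUE", "status": status})
    mac = ":".join(f"{b:02X}" for b in data[pos:pos + 6])
    return {"transaction_id": trn_id, "names": names, "mac": mac}


# Constructed sample: a hostname and domain like those in the thread, with a made-up MAC
SAMPLE_NAMES = [("HADXM", 0x20, ACT_FLAG), ("EXCHANGE", 0x1C, G_FLAG | ACT_FLAG),
                ("HADXM", 0x00, ACT_FLAG), ("EXCHANGE", 0x1B, ACT_FLAG)]
SAMPLE_PACKET = build_node_status_response(0x1234, SAMPLE_NAMES, bytes.fromhex("001122334455"))
SAMPLE = parse_node_status_response(SAMPLE_PACKET)
```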
Current thread:
- Exhange 2003 Deniz CEVIK (Mar 02)
- Re: Exhange 2003 jamesworld (Mar 03)
- RE: Exhange 2003 Deniz CEVIK (Mar 03)
- RE: Exhange 2003 John Swope (Mar 04)
- RE: Exhange 2003 joey (Mar 05)
- Re[2]: Exhange 2003 Marius Huse Jacobsen (Mar 15)
- RE: Exhange 2003 Deniz CEVIK (Mar 03)
- Re: Exhange 2003 jamesworld (Mar 03)
- <Possible follow-ups>
- RE: Exhange 2003 Meidinger Chris (Mar 03)
- RE: Exhange 2003 Zach Forsyth (Mar 05)
- RE: Exhange 2003 Bowden, Sean (Mar 07)
- RE: Exhange 2003 Blurred Vision (Mar 08)