Re: Interpreting the results of an NMAP scan

[Jon Janego <jonjanego () gmail com>]

Dan,

The machine may not "supposed" to act as a webserver, but IIS is
running a web server on 80 and 443.  Reconfigure IIS to not run this
service (or disable IIS entirely, if it's only hosting Exchange).

It's normal for the Linksys is visible from the outside world, but you
should probably reconfigure the router (via its config page) to only
allow users on a local IP address (NAT-ted, not from the Internet,
i.e. 192.168.0.X) to login to the config page.

Jon

On Wed, Apr 22, 2009 at 8:57 PM, Dan Fauxpoint
<danielfauxpoint () yahoo com> wrote:
> Hello,
>
> I am helping a small business owner to evaluate the quality of his IT setup. This company has one server which runs 
> Windows Small Business Server 2003 R2 Premium Edition. This server hosts an Exchange instance which takes care of 
> incoming and outgoing emails.
>
> I ran an namp scan (nmap -T4 -A -v -PE -PA21,23,80,3389 <IP_address>) from a machine outside of the company network 
> and got the results below. I am wondering why ports 80 and 443 are open since the server does not act as a web 
> server. Also I am wondering if the Linksys router should be visible from the outside world ...
>
> If anybody could comment on this and make suggestions on how to improve the security of that setup, I would 
> appreciate it.
>
> Cheers,
> Dan.
>
> Not shown: 990 closed ports
> PORT     STATE    SERVICE      VERSION
> 25/tcp   filtered smtp
> 80/tcp   open     http         Microsoft IIS
> |_ html-title: The page cannot be displayed
> 135/tcp  filtered msrpc
> 139/tcp  filtered netbios-ssn
> 143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 6.5.7638.1
> 443/tcp  open     ssl/https?
> |_ sslv2: server still supports SSLv2
> |  html-title: Microsoft Outlook Web Access
> |_ Requested resource was https://<...snipped...>
> 445/tcp  filtered microsoft-ds
> 993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 6.5.7638.1
> |_ sslv2: server still supports SSLv2
> 1723/tcp open     pptp         Microsoft (Firmware: 3790)
> 8081/tcp open     http         Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
> |  http-auth: HTTP Service requires authentication
> |_   Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
> |_ html-title: 401 Authorization Required
>
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
> Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
> Penetration Tester exams, taught by an expert with years of real pen testing experience.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------