Security Basics mailing list archives

Re: Interpreting the results of an NMAP scan


From: Dan Fauxpoint <danielfauxpoint () yahoo com>
Date: Mon, 27 Apr 2009 13:18:33 -0700 (PDT)


I wanted to thank all the people who took the time to reply to my question. I am not a system admin by trade, and I do 
not have plans to become one in the near future :-). This server was setup by an IT professional services company which 
I suspect might not have taken the time to cross all the t's and dot all the i's ... 

I am trying to help my friend understand what potential issues might exist with his current setup, help fix anything 
that is an emergency, and then help him select a new IT services provider.

I would like to recap what I understand from the various answers I got, and ask a few follow-up questions. I apologize 
for the length of this post ...

1 - Ports 80 and 443 are open because Outlook Web Access is enabled. The thing is, none of the employees of the 
business use OWA. People do need to have email access remotely, but they do so using the regular Outlook client over 
VPN, as well as through iphones and blackberries. I think I will recommend that these 2 ports be closed to the outside 
world since I can't see a real need for them to be open. The firm doesn't use Sharepoint or remote workplace or any of 
the other MS stuff that's bundled w/ Windows SBS 2003.

The server also has a Dell application called Open Manage Server Administrator. I can't recall what port this is 
available on, probably the default one (1311). From what I gathered this app has its own web server (i.e. it's not 
served by IIS), can anybody confirm that?

2 - There is an Exchange server running on the server to accept incoming email and send outgoing email. I'm confused 
about the nmap scan reporting port 25 as 'filtered'. If I understand what the nmap doc says, this means that nothing 
can connect to that port from the outside world. I tried to telnet on port 25 and indeed got a 'connection failed' 
message. But if that is the case, how can external mail servers connect to the Exchange server to relay incoming emails?

Also I don't know how the Outlook clients are configured to access the Exchange server: they probably don't use smtp 
either, more likely MAPI or IMAP.

4 - I believe the rationale for the VPN setup (and therefore the 1723 port for pptp) is because users need to access 
data located on shares on the server when working from home or from a hotel room. Since VPN is required, I'm not sure 
why ports 143 and 993 should be visible from the outside world either: these ports should be accessible for users on 
the company LAN only, shouldn't they? Or maybe the intent was to provide a means to access emails remotely without 
having to establish a VPN connection first if the user did not need to access data on the drive shares.

The only reason for leaving imap ports visible from the internet might be for the iphones and blackberry clients. If 
that is the case, I would imagine we would want to expose only 993 to force imap over SSL?

5 - For the linksys router, the admin password has been changed. I'm not sure what the role of that piece of hardware 
is exactly. I don't think it should be visible from the outside world and some of you agreed.

I do not know if ISA is being used either like some of the responders suggested. There are also a few Trend Micro 
products installed:

  * Trend Micro Client/Server/Messaging Security for SMB Version 7.6
  * Trend Micro End User Quarantine Version 1.2
  * Trend Micro ScanMail for Exchange Version 7.5

Between Trend, ISA and the Linksys router I'm not sure what is used for which security needs. And there is also a 
netgear wireless router on the network to provide wireless access. And zero documentation provided by the guys who 
installed all that stuff ...

Again, a big thank you for your patience and feedback!
Dan.

---- Scan results from my original post for reference

Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   open     http         Microsoft IIS
|_ html-title: The page cannot be displayed
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 6.5.7638.1
443/tcp  open     ssl/https?
|_ sslv2: server still supports SSLv2
|  html-title: Microsoft Outlook Web Access
|_ Requested resource was https://<...snipped...>
445/tcp  filtered microsoft-ds
993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
1723/tcp open     pptp         Microsoft (Firmware: 3790)
8081/tcp open     http         Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
|  http-auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
|_ html-title: 401 Authorization Required
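The post asks two practical things: what nmap's 'filtered' state means, and which of the open ports actually need to be reachable from the internet. As an added example (not part of the original thread or the poster's own work), the Python script below parses the nmap table quoted above and reviews each open port against a small allowlist constructed from the poster's own description (PPTP is required for remote users; IMAP over SSL may be needed for the phones). The allowlist, the rejoined sample text and the function names are assumptions made for the example. One point the lead-in can state plainly: nmap reports 'filtered' when its probe got no reply or an ICMP unreachable from the scanning host's vantage point, so the state reflects the path from the scanner, not necessarily what a remote mail server sees.

```python
"""Review an nmap normal-output port table against an expected-exposure list.
Added example; the policy below is an assumption based on the poster's description."""
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's scan results, with wrapped version
# strings rejoined onto one line and the host name snipped as in the post.
SAMPLE_SCAN = """\
Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   open     http         Microsoft IIS
|_ html-title: The page cannot be displayed
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 6.5.7638.1
443/tcp  open     ssl/https?
|_ sslv2: server still supports SSLv2
|  html-title: Microsoft Outlook Web Access
|_ Requested resource was https://<...snipped...>
445/tcp  filtered microsoft-ds
993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
1723/tcp open     pptp         Microsoft (Firmware: 3790)
8081/tcp open     http         Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
|  http-auth: HTTP Service requires authentication
|_   Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
|_ html-title: 401 Authorization Required
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""
    script_output: list = field(default_factory=list)  # NSE lines starting with '|'


def parse_nmap_normal(text):
    """Return one PortEntry per port line; '|' lines attach to the preceding port."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
        elif line.startswith("|") and entries:
            entries[-1].script_output.append(line.lstrip("|_ ").strip())
    return entries


# Assumed policy (hypothetical, derived from the post): VPN is required, and
# IMAP over SSL may be needed for the phones. Anything else open is a finding.
EXPECTED_EXPOSED = {1723: "pptp for remote users", 993: "imaps for phones"}


def review(entries, expected=EXPECTED_EXPOSED):
    """List open ports outside the policy plus weak settings seen in script output."""
    findings = []
    for e in entries:
        if e.state != "open":
            # 'filtered' = no reply reached the scanner; nothing is reachable to review.
            continue
        if e.port not in expected:
            findings.append(f"{e.port}/{e.proto} ({e.service}) is open but not in the expected list")
        for out in e.script_output:
            if "SSLv2" in out:
                findings.append(f"{e.port}/{e.proto} still accepts SSLv2; disable it")
            if "Auth type: Basic" in out:
                findings.append(f"{e.port}/{e.proto} uses HTTP Basic auth on a management interface")
    return findings


if __name__ == "__main__":
    for finding in review(parse_nmap_normal(SAMPLE_SCAN)):
        print(finding)
```

Run on the sample, the review flags 80, 143, 443 and 8081 as open without a stated need, SSLv2 on both 443 and 993, and Basic auth on the router's management port, while 1723 passes and the filtered ports are skipped. Editing EXPECTED_EXPOSED is the whole policy: if the phones turn out to use OWA rather than IMAP, move 443 in and 993 out and rerun.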
