RE: pen testing management and control system

["Rob Shein" <shoten () starpower net>]

At what point in the scan did you get blocked?  It looks like the portscan
worked, except that there are a whole lot of ports I'd not expect to see on
a server like that.  Things that stand out are the presence of VNC with
Terminal Server AND Metaframe, for example.  And Metaframe on 2000 Advanced
Server seems like a terrible idea as well, from what I know of the way it
handles foreground/background priority, and how it's optimized for specific
types of server apps.  Are you sure that there isn't some kind of reactive
(firewall or IDS) configuration that's meant to throw you some red herrings
that automatically block you when you connect to them?

> -----Original Message-----
> From: Ronen Gottlib [mailto:ronen () avnet co il] 
> Sent: Friday, June 27, 2003 4:54 AM
> To: pen-test () securityfocus com
> Subject: pen testing management and control system
>
>
> Hi All,
>
> I am pen testing a windows 2000 advanced server, with some 
> kind of management and control software (e.g. Tivoli, 
> Netcool). The system has IIS 6.0 running with lockdown enabled.
>
> When I tried to run nessus, my ip was blocked for quite a 
> long time. same happened with nikto.
>
> Further more, although quite a few ports were found to be 
> open on the remote machine, the management and control 
> application is blocking the most of them while allowing 
> access only to the following: 21, 23(ms telnet server), 
> 25(Microsoft ESMTP MAIL Service, Version: 6.0.2600.1106), 80 
> (Microsoft-IIS/6.0), 110 (Microsoft Windows POP3 Service 
> Version 2.0), 3389.
>
>
> The system is also running Hummingbird Exceed.
>
> Does anyone have any idea? I've kind of reached a dead end. 
> Below is the results of an Nmap, if it helps.
>
> Thank you very much for your help-
>
> Ronen.
>
>
> Port State Service
> 21/tcp open   ftp
> 22/tcp open   ssh
> 23/tcp open   telnet
> 25/tcp open           smtp
> 53/tcp open           domain
> 80/tcp open   http
> 98/tcp open   linuxconf
> 110/tcp open  pop-3
> 111/tcp open  sunrpc
> 135/tcp open  loc-srv
> 143/tcp open  imap2
> 161/tcp open          snmp
> 443/tcp open  https
> 1080/tcp open         socks
> 1433/tcp open         ms-sql-s
> 1494/tcp open         citrix-ica
> 1720/tcp filtered H.323/Q.931
> 1723/tcp filtered pptp
> 3389/tcp open         ms-term-serv
> 4000/tcp filtered remoteanything
> 5135/tcp open         unknown
> 5631/tcp open         pcanywheredata
> 5632/tcp open         pcanywherestat
> 5900/tcp open         vnc
> 6112/tcp open         dtspc
> 6660/tcp filtered unknown
> 6661/tcp filtered unknown
> 6662/tcp filtered unknown
> 6663/tcp filtered unknown
> 6664/tcp filtered unknown
> 6665/tcp filtered unknown
> 6666/tcp filtered irc-serv
> 6667/tcp filtered irc
> 6668/tcp filtered irc
> 6669/tcp filtered unknown
> 8875/tcp filtered unknown
> 28900/tcp filtered unknown
>
>
> --------------------------------------------------------------
> -------------
> Latest attack techniques.
>
> You're a pen tester, but is google.com still your R&D team? 
> Now you can get 
> trustworthy commercial-grade exploits and the latest 
> techniques from a 
> world-class research group.
>
> Visit us at: www.coresecurity.com/promos/sf_ept1 
> or call 617-399-6980
> --------------------------------------------------------------
> --------------


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------