Penetration Testing mailing list archives
Re: pen testing management and control system
From: Mark Wolfgang <moonpie () moonpie org>
Date: Fri, 27 Jun 2003 15:48:23 -0400
Yeah, a reactionary firewall such as portsentry binds the ports it wants to monitor, then when one attempts to connect to any of the monitored ports, it either blocks or records the offending IP. Running a server with VNC, Terminal Services, PC Anywhere, and Citrix seems a bit improbable. As does running telnet and ssh. Then again, I have seen some odd stuff... Good luck.

On Fri, Jun 27, 2003 at 03:28:49PM -0400 or thereabouts, Rob Shein wrote:
At what point in the scan did you get blocked? It looks like the portscan worked, except that there are a whole lot of ports I'd not expect to see on a server like that. Things that stand out are the presence of VNC with Terminal Server AND Metaframe, for example. And Metaframe on 2000 Advanced Server seems like a terrible idea as well, from what I know of the way it handles foreground/background priority, and how it's optimized for specific types of server apps. Are you sure that there isn't some kind of reactive (firewall or IDS) configuration that's meant to throw you some red herrings that automatically block you when you connect to them?

-----Original Message-----
From: Ronen Gottlib [mailto:ronen () avnet co il]
Sent: Friday, June 27, 2003 4:54 AM
To: pen-test () securityfocus com
Subject: pen testing management and control system

Hi All,
I am pen testing a Windows 2000 Advanced Server, with some kind of management and control software (e.g. Tivoli, Netcool). The system has IIS 6.0 running with lockdown enabled. When I tried to run Nessus, my IP was blocked for quite a long time. The same happened with Nikto. Furthermore, although quite a few ports were found to be open on the remote machine, the management and control application is blocking most of them while allowing access only to the following: 21, 23 (MS telnet server), 25 (Microsoft ESMTP MAIL Service, Version: 6.0.2600.1106), 80 (Microsoft-IIS/6.0), 110 (Microsoft Windows POP3 Service Version 2.0), 3389. The system is also running Hummingbird Exceed. Does anyone have any idea? I've kind of reached a dead end. Below are the results of an Nmap scan, if it helps.
Thank you very much for your help- Ronen.
Port       State     Service
21/tcp     open      ftp
22/tcp     open      ssh
23/tcp     open      telnet
25/tcp     open      smtp
53/tcp     open      domain
80/tcp     open      http
98/tcp     open      linuxconf
110/tcp    open      pop-3
111/tcp    open      sunrpc
135/tcp    open      loc-srv
143/tcp    open      imap2
161/tcp    open      snmp
443/tcp    open      https
1080/tcp   open      socks
1433/tcp   open      ms-sql-s
1494/tcp   open      citrix-ica
1720/tcp   filtered  H.323/Q.931
1723/tcp   filtered  pptp
3389/tcp   open      ms-term-serv
4000/tcp   filtered  remoteanything
5135/tcp   open      unknown
5631/tcp   open      pcanywheredata
5632/tcp   open      pcanywherestat
5900/tcp   open      vnc
6112/tcp   open      dtspc
6660/tcp   filtered  unknown
6661/tcp   filtered  unknown
6662/tcp   filtered  unknown
6663/tcp   filtered  unknown
6664/tcp   filtered  unknown
6665/tcp   filtered  unknown
6666/tcp   filtered  irc-serv
6667/tcp   filtered  irc
6668/tcp   filtered  irc
6669/tcp   filtered  unknown
8875/tcp   filtered  unknown
28900/tcp  filtered  unknown

---------------------------------------------------------------------------
Latest attack techniques. You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. Visit us at: www.coresecurity.com/promos/sf_ept1 or call 617-399-6980
---------------------------------------------------------------------------
--
Risk accepted by one is imposed on all
http://moonpie.org
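The mechanism Mark describes (a listener that binds decoy ports, records any source that connects, and blocks it) is easy to see in miniature. The Python below is an added illustration written for this archive page; it is not portsentry's code and not anything from the thread. It binds a few decoy TCP ports on loopback (port 0 lets the OS choose free ports, so the numbers are constructed, not the thread's), logs every connecting source with the port it touched, and adds the source to an in-memory deny list once it reaches a hit threshold. A real deployment would replace that set with a firewall rule; the threshold, the `touch()` probe helper and all addresses are assumptions for the demonstration.

```python
"""Minimal portsentry-style tripwire (added example, not portsentry itself).

Decoy ports are bound and never answer; any connection is hostile by
definition, so the source is recorded and, after `threshold` hits, blocked.
The deny list is an in-memory set standing in for a firewall rule.
"""
import socket
import threading
import time
from collections import defaultdict


class Tripwire:
    """Listens on decoy ports and records/blocks whoever connects."""

    def __init__(self, ports, host="127.0.0.1", threshold=1):
        self.host = host
        self.threshold = threshold          # hits before a source is blocked
        self.hits = defaultdict(list)       # source ip -> [(timestamp, port), ...]
        self.blocked = set()                # simulated firewall deny list
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._threads = []
        self.listeners = []
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))            # port 0 => OS picks a free port
            s.listen(16)
            s.settimeout(0.2)               # lets the accept loop notice stop()
            self.listeners.append(s)
        self.ports = [s.getsockname()[1] for s in self.listeners]

    def record(self, ip, port):
        """Log one hit; block the source once it reaches the threshold.
        Returns True when the source is (now) blocked."""
        with self._lock:
            self.hits[ip].append((time.time(), port))
            if len(self.hits[ip]) >= self.threshold:
                self.blocked.add(ip)
            return ip in self.blocked

    def is_blocked(self, ip):
        with self._lock:
            return ip in self.blocked

    def _serve(self, sock):
        port = sock.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (ip, _) = sock.accept()
            except socket.timeout:
                continue
            self.record(ip, port)
            conn.close()                    # decoys never talk back; they only trip

    def start(self):
        for s in self.listeners:
            t = threading.Thread(target=self._serve, args=(s,), daemon=True)
            t.start()
            self._threads.append(t)
        return self

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for s in self.listeners:
            s.close()

    def wait_for_hits(self, ip, count, timeout=2.0):
        """Wait until `ip` has at least `count` recorded hits; False on timeout."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.hits[ip]) >= count:
                    return True
            time.sleep(0.01)
        return False


def touch(host, port):
    """Stand-in for a scanner probe: a plain TCP connect, closed at once."""
    with socket.create_connection((host, port), timeout=1):
        pass


if __name__ == "__main__":
    tw = Tripwire([0, 0, 0], threshold=2).start()   # three decoy ports
    for p in tw.ports[:2]:
        touch("127.0.0.1", p)
    tw.wait_for_hits("127.0.0.1", 2)
    print("decoy ports:", tw.ports)
    print("blocked:", sorted(tw.blocked))
    tw.stop()
```

Because the kernel completes the TCP handshake before the listener ever calls `accept()`, a scanner sees every decoy port as open, which is exactly why a result like the one in the thread (VNC, Terminal Services, PC Anywhere, Citrix, telnet and ssh all on one Windows host) reads as a set of red herrings rather than real services.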
Current thread:
- pen testing management and control system Ronen Gottlib (Jun 27)
- RE: pen testing management and control system Rob Shein (Jun 27)
- Re: pen testing management and control system Mark Wolfgang (Jun 27)
- <Possible follow-ups>
- RE: pen testing management and control system Jason.North (Jun 27)
- Re: RE: pen testing management and control system lawal (Jun 27)
- RE: pen testing management and control system Ronen Gottlib (Jun 27)
- RE: pen testing management and control system Rob Shein (Jun 27)