Penetration Testing mailing list archives

Re: pen testing management and control system


From: Mark Wolfgang <moonpie () moonpie org>
Date: Fri, 27 Jun 2003 15:48:23 -0400

Yeah, a reactionary firewall such as portsentry binds the ports it
wants to monitor, then when one attempts to connect to any of the
monitor ports, it either blocks or records the offending IP.  

Running a server with VNC, Terminal Services, PC Anywhere, and Citrix
seems a bit improbable.  As does running telnet and ssh.  

Then again, I have seen some odd stuff...

Good luck.

On Fri, Jun 27, 2003 at 03:28:49PM -0400 or thereabouts, Rob Shein wrote:
At what point in the scan did you get blocked?  It looks like the portscan
worked, except that there are a whole lot of ports I'd not expect to see on
a server like that.  Things that stand out are the presence of VNC with
Terminal Server AND Metaframe, for example.  And Metaframe on 2000 Advanced
Server seems like a terrible idea as well, from what I know of the way it
handles foreground/background priority, and how it's optimized for specific
types of server apps.  Are you sure that there isn't some kind of reactive
(firewall or IDS) configuration that's meant to throw you some red herrings
that automatically block you when you connect to them?

-----Original Message-----
From: Ronen Gottlib [mailto:ronen () avnet co il] 
Sent: Friday, June 27, 2003 4:54 AM
To: pen-test () securityfocus com
Subject: pen testing management and control system


Hi All,

I am pen testing a windows 2000 advanced server, with some 
kind of management and control software (e.g. Tivoli, 
Netcool). The system has IIS 6.0 running with lockdown enabled.

When I tried to run nessus, my IP was blocked for quite a 
long time. Same happened with nikto.

Furthermore, although quite a few ports were found to be 
open on the remote machine, the management and control 
application is blocking most of them while allowing 
access only to the following: 21, 23 (MS telnet server), 
25 (Microsoft ESMTP MAIL Service, Version: 6.0.2600.1106), 80 
(Microsoft-IIS/6.0), 110 (Microsoft Windows POP3 Service 
Version 2.0), 3389.


The system is also running Hummingbird Exceed.

Does anyone have any idea? I've kind of reached a dead end. 
Below are the results of an Nmap scan, if it helps.

Thank you very much for your help-

Ronen.


Port State Service
21/tcp open         ftp
22/tcp open         ssh
23/tcp open         telnet
25/tcp open         smtp
53/tcp open         domain
80/tcp open         http
98/tcp open         linuxconf
110/tcp open        pop-3
111/tcp open        sunrpc
135/tcp open        loc-srv
143/tcp open        imap2
161/tcp open        snmp
443/tcp open        https
1080/tcp open       socks
1433/tcp open       ms-sql-s
1494/tcp open       citrix-ica
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
3389/tcp open       ms-term-serv
4000/tcp filtered remoteanything
5135/tcp open       unknown
5631/tcp open       pcanywheredata
5632/tcp open       pcanywherestat
5900/tcp open       vnc
6112/tcp open       dtspc
6660/tcp filtered unknown
6661/tcp filtered unknown
6662/tcp filtered unknown
6663/tcp filtered unknown
6664/tcp filtered unknown
6665/tcp filtered unknown
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered unknown
8875/tcp filtered unknown
28900/tcp filtered unknown


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------


-- 
Risk accepted by one is imposed on all
http://moonpie.org
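Rob's point above is that the port list itself looks wrong for a single Windows 2000 Advanced Server (Unix-only daemons such as linuxconf, sunrpc and dtspc, plus four competing remote-control products), which is what a decoy-port or reactive-blocking setup tends to look like from the outside. The following script is an added example, not code from anyone in this thread: it parses the old-style Nmap "Port State Service" table Ronen pasted and flags the implausible entries against an assumed baseline of services that belong on such a host. The baseline sets and the decoy heuristic are assumptions for illustration; a scan triage script in a real engagement would carry the organisation's own baseline.

```python
"""Triage an Nmap port table against a baseline for a Windows 2000 host.

Added example (not from the thread). The service sets below are assumed
for illustration and are not an authoritative baseline.
"""
import re
from dataclasses import dataclass

# Subset of the table quoted in the thread, constructed here so the
# script runs offline without a scan.
NMAP_OUTPUT = """\
Port State Service
21/tcp open         ftp
22/tcp open         ssh
23/tcp open         telnet
80/tcp open         http
98/tcp open         linuxconf
111/tcp open        sunrpc
1494/tcp open       citrix-ica
1720/tcp filtered H.323/Q.931
3389/tcp open       ms-term-serv
5135/tcp open       unknown
5631/tcp open       pcanywheredata
5900/tcp open       vnc
6112/tcp open       dtspc
6667/tcp filtered irc
"""

# One row of Nmap's classic table: "<port>/<proto> <state> <service>"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)$")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_table(text):
    """Return PortEntry objects for every row that matches the table format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


# Assumed baseline: services the original poster says the box really runs
# (IIS, MS telnet, ESMTP, POP3, Terminal Services) plus common Windows ports.
EXPECTED_ON_WIN2K = {
    "ftp", "telnet", "smtp", "http", "https", "pop-3", "imap2", "domain",
    "loc-srv", "snmp", "ms-sql-s", "ms-term-serv",
}
# Assumed: daemons that essentially never run on a 2003-era Windows server.
UNIX_ONLY = {"linuxconf", "sunrpc", "dtspc", "ssh"}
# Assumed: more than two of these on one host is itself a warning sign.
REMOTE_CONTROL = {"ms-term-serv", "citrix-ica", "vnc", "pcanywheredata", "pcanywherestat"}


def assess(entries):
    """Flag open services that do not fit the assumed Windows 2000 baseline.

    'suspect_decoys' is a heuristic: Unix-only services on Windows, or three
    or more competing remote-control products, point at decoy listeners or a
    reactive firewall rather than real services.
    """
    open_services = {e.service for e in entries if e.state == "open"}
    unix_only = sorted(open_services & UNIX_ONLY)
    remote_control = sorted(open_services & REMOTE_CONTROL)
    unexpected = sorted(open_services - EXPECTED_ON_WIN2K - UNIX_ONLY - REMOTE_CONTROL)
    return {
        "unix_only_on_windows": unix_only,
        "remote_control_overlap": remote_control,
        "unexpected": unexpected,
        "suspect_decoys": bool(unix_only) or len(remote_control) >= 3,
    }


if __name__ == "__main__":
    for key, value in assess(parse_nmap_table(NMAP_OUTPUT)).items():
        print(f"{key}: {value}")
```

Run as-is it reports four Unix-only services, four overlapping remote-control products and one unidentified open port, and marks the host as a decoy suspect; the practical use is deciding whether the "open" ports are worth any further attention before a scanner trips the blocker again.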
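Mark describes the mechanism of a reactive tool such as portsentry: bind decoy ports nobody should legitimately touch, and when a connection arrives, record and optionally block the source address. The listener below is an added example to make that mechanism concrete; it is not portsentry's code and not anything from this thread. It binds decoy ports on loopback, records each connection as an event, and calls an assumed `block_hook` callback once per new source IP (a real deployment would invoke the host packet filter there; here the hook only records the call so the demo is self-contained). Port numbers of 0 are used so the operating system picks free ports for the demonstration.

```python
"""Minimal portsentry-style reactive listener (added example, not portsentry).

Decoy ports are bound; any connection to them is logged and the source IP
is handed to an assumed block_hook the first time it is seen.
"""
import socket
import threading
import time


class ReactiveListener:
    def __init__(self, decoy_ports, block_hook=None, host="127.0.0.1"):
        self.host = host
        self.decoy_ports = list(decoy_ports)
        self.block_hook = block_hook or (lambda ip, port: None)  # assumed hook
        self.blocked = set()        # source IPs already handed to the hook
        self.events = []            # (timestamp, ip, decoy port) records
        self.bound_ports = []       # actual ports after bind (0 -> ephemeral)
        self._socks, self._threads = [], []
        self._stop = threading.Event()
        self._lock = threading.Lock()

    def start(self):
        """Bind every decoy port and serve each one from its own thread."""
        for port in self.decoy_ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((self.host, port))
            s.listen(5)
            s.settimeout(0.2)       # lets the accept loop notice stop()
            self._socks.append(s)
            self.bound_ports.append(s.getsockname()[1])
            t = threading.Thread(target=self._serve, args=(s,), daemon=True)
            t.start()
            self._threads.append(t)

    def _serve(self, s):
        port = s.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (ip, _) = s.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()            # nothing is ever served on a decoy port
            self._handle(ip, port)

    def _handle(self, ip, port):
        """Record the contact; block (via the hook) only the first time."""
        with self._lock:
            self.events.append((time.time(), ip, port))
            first_contact = ip not in self.blocked
            if first_contact:
                self.blocked.add(ip)
        if first_contact:
            self.block_hook(ip, port)

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        for s in self._socks:
            s.close()


def run_demo(decoy_count=2, timeout=3.0):
    """Start decoy listeners, touch each one from loopback, report the outcome."""
    hook_calls = []
    listener = ReactiveListener([0] * decoy_count,
                                block_hook=lambda ip, port: hook_calls.append((ip, port)))
    listener.start()
    try:
        for port in listener.bound_ports:
            socket.create_connection(("127.0.0.1", port), timeout=2).close()
        deadline = time.time() + timeout
        while len(listener.events) < decoy_count and time.time() < deadline:
            time.sleep(0.05)
    finally:
        listener.stop()
    return {"blocked": sorted(listener.blocked),
            "events": len(listener.events),
            "hook_calls": len(hook_calls)}


if __name__ == "__main__":
    print(run_demo())
```

Two things from the demo match what Ronen saw: a single contact is enough to trip the block, and every subsequent connection from the same address is still logged but blocked without further action, so a scanner that touches one decoy loses the rest of its run.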
