Penetration Testing mailing list archives

RE: pen testing management and control system


From: "Ronen Gottlib" <ronen () avnet co il>
Date: Sat, 28 Jun 2003 01:27:38 +0200

Thank you for your help and answers guys and thousands of apologies.

I guess I was rather incomplete in describing the network that I am
testing.

According to the network's administrator, there is no firewall (not
even a personal one) or IDS that is filtering the traffic towards my
target.

It was approved that the application that is filtering my connections to
the seemingly open ports is the management and control application
(I have a rough guess that it's some kind of IBM Tivoli app.).

I can port scan the target, but I can't run any scanner to build a rough
image of the security status of the system.

I have been getting my hands dirty for the last week, but to no avail.

Does anyone have any idea about methods to bypass management apps (maybe
I need to try and DoS it)?


Thanks again, 
Ronen.


-----Original Message-----
From: Ronen Gottlib [mailto:ronen () avnet co il] 
Sent: Friday, June 27, 2003 10:54 AM
To: pen-test () securityfocus com
Subject: pen testing management and control system


Hi All,

I am pen testing a Windows 2000 Advanced Server, with some kind of
management and control software (e.g. Tivoli, Netcool). The system has
IIS 6.0 running with lockdown enabled.

When I tried to run Nessus, my IP was blocked for quite a long time.
The same happened with Nikto.

Furthermore, although quite a few ports were found to be open on the
remote machine, the management and control application is blocking
most of them while allowing access only to the following: 21, 23 (MS
telnet server), 25 (Microsoft ESMTP MAIL Service, Version:
6.0.2600.1106), 80 (Microsoft-IIS/6.0), 110 (Microsoft Windows POP3
Service Version 2.0), 3389.


The system is also running Hummingbird Exceed.

Does anyone have any idea? I've kind of reached a dead end.
Below are the results of an Nmap scan, if it helps.

Thank you very much for your help-

Ronen.


Port       State     Service
21/tcp     open      ftp
22/tcp     open      ssh
23/tcp     open      telnet
25/tcp     open      smtp
53/tcp     open      domain
80/tcp     open      http
98/tcp     open      linuxconf
110/tcp    open      pop-3
111/tcp    open      sunrpc
135/tcp    open      loc-srv
143/tcp    open      imap2
161/tcp    open      snmp
443/tcp    open      https
1080/tcp   open      socks
1433/tcp   open      ms-sql-s
1494/tcp   open      citrix-ica
1720/tcp   filtered  H.323/Q.931
1723/tcp   filtered  pptp
3389/tcp   open      ms-term-serv
4000/tcp   filtered  remoteanything
5135/tcp   open      unknown
5631/tcp   open      pcanywheredata
5632/tcp   open      pcanywherestat
5900/tcp   open      vnc
6112/tcp   open      dtspc
6660/tcp   filtered  unknown
6661/tcp   filtered  unknown
6662/tcp   filtered  unknown
6663/tcp   filtered  unknown
6664/tcp   filtered  unknown
6665/tcp   filtered  unknown
6666/tcp   filtered  irc-serv
6667/tcp   filtered  irc
6668/tcp   filtered  irc
6669/tcp   filtered  unknown
8875/tcp   filtered  unknown
28900/tcp  filtered  unknown
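The blocking behaviour the thread describes (a host-side management agent dropping a source address once it has probed many ports, as happened to the Nessus and Nikto runs) can be modelled as a sliding-window scan detector. This is an added defender-side example, not code from the thread or from any Tivoli/Netcool product; the log format, the 60-second window, the five-port threshold and the 30-minute block are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # sliding window (assumed value)
THRESHOLD = 5                       # distinct dst ports per window before blocking
BLOCK_FOR = timedelta(minutes=30)   # how long a source stays blocked (assumed)

# Constructed sample connection log: "<ISO time> <src_ip> <dst_port>".
# 10.0.0.9 walks several ports within a minute (scanner-like);
# 10.0.0.5 only repeats ordinary web hits.
SAMPLE_LOG = """\
2003-06-27T10:50:00 10.0.0.5 80
2003-06-27T10:50:05 10.0.0.5 443
2003-06-27T10:50:09 10.0.0.5 80
2003-06-27T10:53:00 10.0.0.9 21
2003-06-27T10:53:01 10.0.0.9 22
2003-06-27T10:53:01 10.0.0.9 23
2003-06-27T10:53:02 10.0.0.9 25
2003-06-27T10:53:03 10.0.0.9 80
2003-06-27T10:53:04 10.0.0.9 110
2003-06-27T10:55:00 10.0.0.9 3389
2003-06-27T11:30:00 10.0.0.9 80
"""

def parse_line(line):
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

class ScanDetector:
    def __init__(self, window=WINDOW, threshold=THRESHOLD, block_for=BLOCK_FOR):
        self.window, self.threshold, self.block_for = window, threshold, block_for
        self.recent = defaultdict(deque)   # src -> deque of (time, port)
        self.blocked_until = {}            # src -> time the block expires

    def is_blocked(self, src, now):
        return src in self.blocked_until and now < self.blocked_until[src]

    def observe(self, now, src, port):
        """Feed one connection attempt; return True if it would be dropped."""
        if self.is_blocked(src, now):
            return True
        q = self.recent[src]
        q.append((now, port))
        while q and now - q[0][0] > self.window:   # expire old attempts
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            self.blocked_until[src] = now + self.block_for
            q.clear()
            return True
        return False

def run(log_text):
    """Replay a log; return ({src: [(time, port) dropped, ...]}, detector)."""
    det, dropped = ScanDetector(), defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        now, src, port = parse_line(line)
        if det.observe(now, src, port):
            dropped[src].append((now, port))
    return dict(dropped), det
```

Once a source trips the threshold every further attempt is dropped until the block expires, which is why a legitimate scan from a single address stalls even though the ports are genuinely open.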


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
----------------------------------------------------------------------------
