Penetration Testing mailing list archives

RE: Interesting challenge


From: "Serhan Sevim" <sevims () mezun com>
Date: Fri, 30 Jan 2004 14:50:55 -0500



We are doing a pen test for a client and have run into an
interesting situation. The client has a server running IIS
and Exchange. We can get to it through a browser, but when we
try to run Nessus or eEye Retina against it, neither product
can find the server. The client is not running any IDS system,
only a simple firewall. A port scan reveals no open port, though
port 80 is open since the server is serving pages.

How would you know if the client is protected by a "simple firewall"?
It *might* be a similar protection to the one I use. If a host starts to
scan the target machine from TCP port 1 and goes up incrementally, one
port at a time, reaching, say, the 20th port in under a second, then the
portscanner protector is triggered at the client host and you're
blacklisted for, say, 20 minutes. For 20 minutes the firewall chain will
drop every packet coming from the unknown scanning source. Meanwhile, by
the time you're trying to see if the ftp port 21 is open or not, you're
already blacklisted. Dropping every packet destined for a specific port
depends on the protected client's desire. In your case I guess he/she
chose not to drop packets destined for port 80.
Well, this may or may not be your situation. But this is definitely
something people use in practice.
Serhan.
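The blacklisting firewall Serhan describes, modelled as an added example (this is not code from the thread or from any real firewall; it is a simulation of the policy he outlines). The thresholds, 20 ports within one second triggering a 20-minute block with port 80 exempt, are the "say" values from the post; the source addresses, the 20 ms probe spacing, the fixed (non-refreshing) block expiry and the event timeline are constructed assumptions. It shows why a fast sweep makes the whole host vanish for the scanner while a browser still reaches port 80, and why a slow sweep never trips the threshold.

```python
"""Simulation of a port-scan blacklisting firewall.

Added example, not code from the original mailing-list post. Thresholds
follow the post's "say" values; all addresses and timings are constructed.
"""
from collections import defaultdict, deque

SCAN_PORTS = 20          # this many distinct ports from one source ...
SCAN_WINDOW = 1.0        # ... within this many seconds triggers the block
BLOCK_SECONDS = 20 * 60  # blacklist duration (20 minutes, from the post)
ALWAYS_OPEN = {80}       # ports the client chose never to drop (assumption: 80 only)


class ScanProtector:
    """Track SYN attempts per source and drop traffic from blacklisted sources."""

    def __init__(self, scan_ports=SCAN_PORTS, scan_window=SCAN_WINDOW,
                 block_seconds=BLOCK_SECONDS, always_open=ALWAYS_OPEN):
        self.scan_ports = scan_ports
        self.scan_window = scan_window
        self.block_seconds = block_seconds
        self.always_open = set(always_open)
        self.recent = defaultdict(deque)   # src -> deque of (timestamp, port)
        self.blocked_until = {}            # src -> absolute expiry time

    def _is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[src]    # block has lapsed; source starts clean
            return False
        return True

    def _note_probe(self, src, port, now):
        """Record a probe and blacklist the source if it swept too many ports."""
        q = self.recent[src]
        q.append((now, port))
        while q and now - q[0][0] > self.scan_window:
            q.popleft()                    # forget probes older than the window
        if len({p for _, p in q}) >= self.scan_ports:
            self.blocked_until[src] = now + self.block_seconds
            q.clear()

    def handle(self, src, port, now):
        """Return 'ACCEPT' or 'DROP' for a SYN from src to port at time now."""
        if not self._is_blocked(src, now):
            self._note_probe(src, port, now)
        if self._is_blocked(src, now):
            # A blacklisted source gets nothing back (not even a RST), so every
            # port looks filtered to the scanner; exempt ports still answer.
            return "ACCEPT" if port in self.always_open else "DROP"
        return "ACCEPT"


def simulate(events, protector=None):
    """Run (time, src, port) SYNs through a protector; return (time, src, port, verdict)."""
    fw = protector or ScanProtector()
    return [(t, src, port, fw.handle(src, port, t)) for t, src, port in events]


def fast_scan(src="10.0.0.5", start=0.0, ports=range(1, 26), step=0.02):
    """Constructed scanner: ports 1..25 in order, 20 ms apart (half a second total)."""
    return [(start + i * step, src, p) for i, p in enumerate(ports)]


def demo():
    """Fast sweep gets blacklisted; slow sweep from another host never does."""
    events = fast_scan() + [
        (30.0, "10.0.0.5", 80),            # browser hit on the exempt port
        (30.5, "10.0.0.5", 21),            # ftp probe while still blacklisted
        (0.5 + 21 * 60, "10.0.0.5", 21),   # 21 minutes later the block has lapsed
    ]
    fast = simulate(events)
    # One port every two seconds: the 1-second window never holds 20 ports.
    slow = simulate([(i * 2.0, "10.0.0.6", p) for i, p in enumerate(range(1, 26))])
    return fast, slow


if __name__ == "__main__":
    fast, slow = demo()
    for t, src, port, verdict in fast:
        print(f"t={t:8.2f} {src} -> port {port:3d}: {verdict}")
    print("slow sweep dropped:", sum(v == "DROP" for *_, v in slow))
```

In the fast run, ports 1 through 19 are answered normally, the probe to port 20 crosses the threshold and is dropped along with everything after it, the later browser request to port 80 still gets through, and the ftp check at port 21 only succeeds once the 20-minute block has expired. The slow sweep from the second host is never blocked at all, which is the practical takeaway for a tester facing this kind of "simple firewall": spread the probes out, or test from a source that is not already blacklisted.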

