Penetration Testing mailing list archives

RE: Exhange 2003


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Wed, 3 Mar 2004 11:11:00 +0100

nbtstat is outputting the remote name table. That will always be present,
assuming there is network connectivity and at least one connection has been
made in the last few minutes. At the minimum 0x20 (self name) and 0x1[a | b | c
| d ] (domain/workgroup name and master browser name) should be present.
Check around TechNet for the meanings of all NetBIOS codes.

I think you were trying to run netstat -a (or netstat -an) to see what
sockets are listening, established, waiting, whatever.

The output looks like this:

Administrator@flytrap / $ netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4750           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4751           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4752           0.0.0.0:0              LISTENING
  TCP    10.53.2.69:135         10.53.2.69:1033        ESTABLISHED
  TCP    10.53.2.69:139         0.0.0.0:0              LISTENING
  TCP    10.53.2.69:1033        10.53.2.69:135         ESTABLISHED

[... snip ...]

  UDP    10.53.2.69:138         *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1280         *:*
  UDP    127.0.0.1:2644         *:*

Administrator@flytrap / $

The output of nbtstat should be interpreted to see what other machines your
target knows about.

Administrator@flytrap / $ nbtstat -A 10.53.2.69

Local Area Connection:
Node IpAddress: [10.53.2.69] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FLYTRAP        <00>  UNIQUE      Registered
    HONEYNET       <00>  GROUP       Registered
    FLYTRAP        <20>  UNIQUE      Registered
    HONEYNET       <1E>  GROUP       Registered
    HONEYNET       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    FLYTRAP        <01>  UNIQUE      Registered

    MAC Address = 00-04-75-AF-93-7B


Local Area Connection 2:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

So, what this means is that the host (named flytrap) knows itself (0x00,
NetBIOS host entry from the workstation service) and its workgroup honeynet
(also 0x00).
According to
http://www.microsoft.com/technet/prodtechnol/winntas/plan/capacityplanning/a05_reg.mspx
and http://www.microsoft.com/technet/prodtechnol/winntas/plan/winswp.mspx, the
0x20 means that the server service registered itself. 0x1d and 0x1e are the
domain name and group. The msbrowse 0x01 relates to the browser hierarchy in
the subnet, in this case 10.53.2.0/24.

Any more questions, feel free to mail.

Cheers,

Chris

-----Original Message-----
From: deniz () edizayn com tr [mailto:deniz () edizayn com tr] 
Sent: Tuesday, March 02, 2004 3:30 PM
To: pen-test () securityfocus com
Subject: Exhange 2003

Hi All,

While we were testing our customer's network, we faced a strange problem. We
are testing an Exchange 2003 server externally. When we checked the open
services with a port scan, I saw that only two ports (25 and 100) are shown as
open. Before I ran the port scan, I had checked the server with the "nbtstat"
command of Windows. It returned the error messages below.

nbtstat -A EXCH_IP

Local Area Connection:
Node IpAddress: [MY_MACHINE] Scope Id: []

    Host not found.

After the port scan finished, in order to see the banner information of the
mail server, I opened a connection to port 25 using the telnet command (telnet
EXCH_IP 25). At the same time I ran the "nbtstat -A" command from another window
by mistake, and I saw the output below.

nbtstat -A EXCH_IP

Local Area Connection:
Node IpAddress: [MY_MACHINE] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HADXM           <1F>  UNIQUE      Registered
    HADXM           <00>  UNIQUE      Registered
    HADXM           <20>  UNIQUE      Registered
    EXCHANGE        <00>  GROUP       Registered
    EXCHANGE        <1C>  GROUP       Registered
    EXCHANGE        <1B>  UNIQUE      Registered
    EXCHANGE        <1E>  GROUP       Registered
    HADXM           <03>  UNIQUE      Registered
    ADMINISTRATOR   <03>  UNIQUE      Registered
    EXCHANGE        <1D>  UNIQUE      Registered
    ..__MSBROWSE__. <01>  GROUP       Registered
    HADXM           <6A>  UNIQUE      Registered
    HADXM           <87>  UNIQUE      Registered

    MAC Address = MAC_ADDRESS_OF_EXCHANGE

If there isn't any connection to an open port of the server, you can't see this
nbtstat output.

Has anybody faced the same situation before?

BR


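The two remote name tables quoted in this thread are the raw material; what Chris's reply does by hand (map each <xx> suffix to a service and read off the host, workgroup and browser roles) is easy to script. The following is an added example, not code posted by either author. It parses the `nbtstat -A` table exactly as Windows prints it (both with and without a space before `<01>` on the __MSBROWSE__ row, as the two postings differ), maps each (suffix, type) pair to its meaning, and reduces the table to the facts a tester wants: host name, domain, whether the box is a domain controller, domain master browser or subnet master browser, which users are logged on, and which Exchange services registered names. The suffix meanings are taken from Microsoft KB 163409 ("NetBIOS Suffixes"), which is this example's assumption, not a reference the thread cites. A bare "Host not found." reply (the questioner's first attempt) parses to None, so a scan loop can distinguish "no answer on UDP 137" from an empty table.

```python
# Added example for this thread, not code posted by either author. Suffix
# meanings follow Microsoft KB 163409; the sample table is the questioner's.
import re
from dataclasses import dataclass
from typing import List, Optional

# (suffix, type) -> meaning, per KB 163409. Anything else is "unlisted".
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("01", "UNIQUE"): "Messenger Service",
    ("01", "GROUP"):  "Master Browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger Service (computer or logged-on user)",
    ("1B", "UNIQUE"): "Domain Master Browser (runs on the PDC)",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser for this subnet",
    ("1E", "GROUP"):  "Browser Service Elections",
    ("1F", "UNIQUE"): "NetDDE Service",
    ("20", "UNIQUE"): "File Server Service (SMB shares offered)",
    ("6A", "UNIQUE"): "Microsoft Exchange IMC",
    ("87", "UNIQUE"): "Microsoft Exchange MTA",
}

# One row of the remote name table, e.g. "HADXM  <1C>  GROUP  Registered".
ENTRY_RE = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)\s*$")

@dataclass
class NameEntry:
    name: str
    suffix: str
    ntype: str
    status: str

    def meaning(self) -> str:
        return SUFFIXES.get((self.suffix, self.ntype), "unlisted suffix")

def parse_nbtstat(text: str) -> Optional[List[NameEntry]]:
    """Parse one `nbtstat -A` reply. Returns None when no table came back
    (the plain "Host not found." of the questioner's first attempt)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        # nbtstat prints ..__MSBROWSE__. because the registered name is
        # \x01\x02__MSBROWSE__\x02 and those bytes are unprintable.
        if "__MSBROWSE__" in name:
            name = "__MSBROWSE__"
        entries.append(NameEntry(name, m.group("suffix").upper(),
                                 m.group("type"), m.group("status")))
    return entries or None

def summarize(entries: List[NameEntry]) -> dict:
    """Reduce the table to what a tester wants to know about the target."""
    def names(suffix: str, ntype: str) -> List[str]:
        return [e.name for e in entries
                if e.suffix == suffix and e.ntype == ntype]
    host = next(iter(names("00", "UNIQUE")), None)
    domain = next(iter(names("00", "GROUP")), None)
    return {
        "host": host,
        "domain": domain,
        "file_server": host in names("20", "UNIQUE"),
        "domain_controller": domain in names("1C", "GROUP"),
        "domain_master_browser": domain in names("1B", "UNIQUE"),
        "master_browser": domain in names("1D", "UNIQUE"),
        # <03> UNIQUE names other than the host itself are logged-on users.
        "logged_on_users": [n for n in names("03", "UNIQUE") if n != host],
        "exchange_services": [e.meaning() for e in entries
                              if e.suffix in ("6A", "87")],
    }

# The table the questioner posted, copied as posted.
EXCHANGE_OUTPUT = """\
    HADXM           <1F>  UNIQUE      Registered
    HADXM           <00>  UNIQUE      Registered
    HADXM           <20>  UNIQUE      Registered
    EXCHANGE        <00>  GROUP       Registered
    EXCHANGE        <1C>  GROUP       Registered
    EXCHANGE        <1B>  UNIQUE      Registered
    EXCHANGE        <1E>  GROUP       Registered
    HADXM           <03>  UNIQUE      Registered
    ADMINISTRATOR   <03>  UNIQUE      Registered
    EXCHANGE        <1D>  UNIQUE      Registered
    ..__MSBROWSE__. <01>  GROUP       Registered
    HADXM           <6A>  UNIQUE      Registered
    HADXM           <87>  UNIQUE      Registered
"""

if __name__ == "__main__":
    table = parse_nbtstat(EXCHANGE_OUTPUT)
    for e in table:
        print(f"{e.name:<14} <{e.suffix}> {e.ntype:<6} {e.meaning()}")
    print(summarize(table))
```

Run against the questioner's table, the summary says the target HADXM offers SMB shares, is a domain controller and domain master browser for EXCHANGE, has ADMINISTRATOR logged on, and runs the Exchange IMC and MTA; that is a lot more than the two open TCP ports the scan reported, which is why a node status query over UDP 137 is worth trying whenever it answers at all.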
---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with
Astaro Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost
of ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
----------------------------------------------------------------------------
