Penetration Testing mailing list archives

RE: Exhange 2003

From: deniz () edizayn com tr (Deniz CEVIK)
Date: Wed, 3 Mar 2004 12:45:16 +0200

        Hi all,

This host is behind the cisco pix firewall. I have scanned this host using
several portscan tools. These tools show that only two ports are open. (SMTP
and POP3). Strange think is, if you don't establish the TCP connection to
one of these open ports, before run the "nbtstat" command, you get nothing.
But if you open a tcp connection and after that run nbtstat command, you can
see the details of netbios information of machine.

Nbtstat command is sending packets to udp 137 port of destination. As far as
I see, firewall is accepting udp packets, if there is an established tcp
connection from same source to same destination as in udp connection
request. I think there is a configuration problem in the customer firewall.
For further analysis I requested firewall configuration and logs.

Thanks for your helps.

PS: HADXM is the hostname of the machine. I have modified some information
in outputs before I posted the message.

BR.


-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Wednesday, March 03, 2004 4:17 AM
To: Deniz CEVIK
Cc: pen-test () securityfocus com
Subject: Re: Exhange 2003

Did you try

netstat -an

And see what ports were listening?

Is there a local IP filtering policy active? You mentioned only 2 ports as
being active 25 and 100.  Perhaps there is a local IP policy only allowing
those ports.  Perhaps the port 100 was supposed to be port 110 for POP3
mail access and they typod the entry.  Good of you to find their
misconfiguration for them :-)

Did you run fport (foundstone)?  If you've never used fport, you should add
it to your arsenal.

Hopefully HADXM is the username that you are using.  If not, look into the
host being compromised.

If you have more, post it to us.

Cheers,
-James

At 08:29 03/02/2004, Deniz CEVIK wrote:

Hi All,

While we are testing our customer network, we faced with strange problem.

We

are testing exchange 2003 server externally. When we controlled open
services with port scan, I saw that only two ports (25 and 100) are shown

as

open. Before I run the portscan, I have controlled the server with

"nbtstat"

command of windows. It returned error messages as below.

nbtstat -A EXCH_IP

Local Area Connection:
Node IpAddress: [MY_MACHINE] Scope Id: []

    Host not found.

After the port scan is finished, in order to see the banner information of
mail server, I opened the connection to port 25 using telnet command

(telnet

EXCH_IP 25). Same time when I run "nbtstat -A" command from another window
by mistake and I saw that below output.

nbtstat -A EXCH_IP

Local Area Connection:
Node IpAddress: [MY_MACHINE] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HADXM           <1F>  UNIQUE      Registered
    HADXM           <00>  UNIQUE      Registered
    HADXM           <20>  UNIQUE      Registered
    EXCHANGE        <00>  GROUP       Registered
    EXCHANGE        <1C>  GROUP       Registered
    EXCHANGE        <1B>  UNIQUE      Registered
    EXCHANGE        <1E>  GROUP       Registered
    HADXM           <03>  UNIQUE      Registered
    ADMINISTRATOR   <03>  UNIQUE      Registered
    EXCHANGE        <1D>  UNIQUE      Registered
    ..__MSBROWSE__. <01>  GROUP       Registered
    HADXM           <6A>  UNIQUE      Registered
    HADXM           <87>  UNIQUE      Registered

    MAC Address = MAC_ADDRESS_OF_EXCHANGE

If there isn't any connection to open port of the server you can't see this
nbtstat outputs.

Has any body faced with same situations before?

BR


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with
Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost

of

ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
---------------------------------------------------------------------------

-


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040303
----------------------------------------------------------------------------

Current thread:

Exhange 2003 Deniz CEVIK (Mar 02)
- Re: Exhange 2003 jamesworld (Mar 03)
  - RE: Exhange 2003 Deniz CEVIK (Mar 03)
    - RE: Exhange 2003 John Swope (Mar 04)
    - RE: Exhange 2003 joey (Mar 05)
    - Re[2]: Exhange 2003 Marius Huse Jacobsen (Mar 15)
- <Possible follow-ups>
- RE: Exhange 2003 Meidinger Chris (Mar 03)
- RE: Exhange 2003 Zach Forsyth (Mar 05)
- RE: Exhange 2003 Bowden, Sean (Mar 07)
- RE: Exhange 2003 Blurred Vision (Mar 08)