Penetration Testing mailing list archives
RE: Exchange 2003
From: "Ward, Jon" <jonward () bellsouth net>
Date: Thu, 4 Mar 2004 16:59:04 -0500
Did someone say there was a firewall in the middle somewhere? This behavior seems plausible if there's a stateful firewall in the middle that's at first doing what it's supposed to do by not allowing any packets to the Windows box excepting TCP/25 and TCP/100. That being the case, then clearly, you won't get anything back from an nbtstat, because that's the firewall's job. If this is truly the case that the firewall isn't supposed to allow NBT traffic, then the question is "Why does it allow it after there's a connection?". If there's a firewall, it sounds like a problem in the stateful inspection part of the firewall. The firewall would disallow at first, then allow a legitimate connection, then allow an illegitimate connection because a state already exists.

This is just brainstorming, of course, but is there a firewall in the middle? I think I missed that part of the discussion.

Jon

-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger () badenit de]
Sent: Thursday, March 04, 2004 06:24
To: xterrabart () comcast net; pen-test () securityfocus com; deniz () edizayn com tr
Subject: RE: Exchange 2003

Hi all,

if this is a production server, the symptom is almost unimaginable. I have been unable to reproduce the behavior except by shutting down the network cards, doing an nbtstat, then restarting them and doing it again.

If I disable netbios over tcp/ip, then I get the following excerpt:*

(* I am preceding the cmd.exe output with #, for clarity. Also, all of these tests are being done on win2k3 enterprise server, without exchange 2003 on it. It is entirely possible that the results would look different on an exchange server, however, I doubt it)

# Administrator@flytrap / $ nbtstat -A 10.53.2.69
#
# Local Area Connection:
# Node IpAddress: [10.53.2.69] Scope Id: []
#
# Host Not Found
#
# Local Area Connection 2:
# Node IpAddress: [0.0.0.0] Scope Id: []
#
# Host Not Found

No matter how many connections I build, I cannot get any names in that table. (Which makes sense, seeing as nbt is disabled)

Assuming that NetBios is not disabled, then the 'Remote Machine Name Table' (nbtstat -c / nbtstat -A ${IP_ADDR} will show it) always includes at least the following entries:

# Administrator@flytrap / $ nbtstat -A 10.53.2.69
#
# Local Area Connection:
# Node IpAddress: [10.53.2.69] Scope Id: []
#
#            NetBIOS Remote Machine Name Table
#
#        Name               Type         Status
#     ---------------------------------------------
#     FLYTRAP        <00>  UNIQUE      Registered
#     FLYTRAP        <20>  UNIQUE      Registered
#     HONEYNET       <00>  GROUP       Registered
#     HONEYNET       <1E>  GROUP       Registered
#     HONEYNET       <1D>  UNIQUE      Registered
#     ..__MSBROWSE__.<01>  GROUP       Registered
#
#     MAC Address = 00-04-75-AF-93-7B
#
#
# Local Area Connection 2:
# Node IpAddress: [0.0.0.0] Scope Id: []
#
# Host not found.

As I mentioned yesterday, the 0x00 and 0x20 entries are from the workstation and server services. The 0x1e and 0x1d are the domain/workgroup. (In an NT Domain these can include 0x1b and 0x1c as well and I think even 0x1a. Don't be alarmed if your 0x1* entries are different.)

I am not aware of any windows hardening technique (I am NOT a windows super-guru, so it is entirely possible that such techniques exist, or are even common practice) which shuts off the workstation AND server services, while leaving netbios itself active. Even if exchange is in a DMZ somewhere, and cannot talk to any other windows system, it MUST have its own workgroup (in BR's case EXCHANGE, as evidenced by the 0x1b, 0x1c and 0x1e entries) because it's wintendo, so that will also not explain why the entries are missing.

Where is this all leading? I think that

1) the exchange server may have serious problems if its nbtcache doesn't even know its own name
2) I need to see the results of nbtstat -c, nbtstat -S, nbtstat -n and nbtstat -r to have an idea of what's b0rked
3) if this is some hardening technique I would be grateful to anyone who can provide a link or an explanation of what's happening to this guy
4) if this host is multihomed (say like 3 NICs) I could imagine that you are pulling nbtstat -A on the wrong one.

Remember: nbtstat -A is designed to see REMOTE name tables. The c, S, n and r switches are for local stuff. It IS possible that the exchange server is somehow unwilling to give that information out to just anyone without a connection. I am also not sure how nbtstat behaves when called by an unprivileged user. Another interesting question would be to know what user you are using, if it is the true administrator (uid 500) or if it is someone else.

So, to you BR, can you provide more information? I had been assuming that you were local (with telnet) on the exchange, and had been running nbtstat that way. If your last post should be interpreted to mean that you were running nbtstat -A through the firewall, then more ports must be open. You can't run netbios commands over smtp or pop3. I suspect your analysis is right that a session with one port was opening the firewall completely between those two hosts.

Questions:

1 Are you local on the box?
2 Can you give us the output of the above mentioned netbios commands, before and after you build a telnet connection*?
3 What is the firewall config telling you, are you hitting the exchange through the firewall, or are you local?

*By 'telnet connection' do you mean a connection to the telnet service, or a connection using telnet to the listeners on sockets 25 and 110?

4 Do you have any idea how exotically this exchange is configured?
5 What is the output of nbtstat -A ${FW_IP} ?

Maybe you are hitting static port forwarding or something like that, and it just looks like you're getting to the exchange. (Because you modified the output, I cannot be 100% sure based on your nbtstat output what I'm seeing)

Ok guys, I never meant to write a book here, so I'll stop now,

Cheers,
Chris

-----Original Message-----
From: xterrabart () comcast net [mailto:xterrabart () comcast net]
Sent: Wednesday, March 03, 2004 4:50 PM
To: pen-test () securityfocus com
Subject: Exchange 2003

Here is my interpretation of BR's original post since there seems to be some confusion on what the scenario is...

I believe they are explaining that they attempted to run an NBTSTAT against one of their Exchange servers and received a Host Not Found error, but ran it again after making a telnet connection to the Exchange server on 25/tcp, and received the correct information. The question was if anyone else has experienced this?

I hope this better explains their question... That is if I am correct in my understanding of it.
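Added example, not part of this thread: a small Python parser for the nbtstat -A output format quoted above, which decodes the <xx> suffixes Chris walks through (workstation <00>, server <20>, workgroup/browser entries) and reports which baseline entries an interface's table lacks, so a "Host not found" or half-empty table can be classified as filtered, NBT-disabled, or queried on the wrong NIC. The SUFFIX_MEANING table, the record layout and the sample text are this example's own constructions.

```python
import re

# Common NetBIOS suffixes (the <xx> column); role-dependent 0x1* entries not listed are "unknown".
SUFFIX_MEANING = {("UNIQUE", 0x00): "Workstation service", ("GROUP", 0x00): "Workgroup/domain",
                  ("UNIQUE", 0x20): "Server service", ("UNIQUE", 0x1B): "Domain master browser",
                  ("GROUP", 0x1C): "Domain controllers", ("UNIQUE", 0x1D): "Master browser",
                  ("GROUP", 0x1E): "Browser elections", ("GROUP", 0x01): "__MSBROWSE__"}
IFACE_RE = re.compile(r"^(.+):$")                       # e.g. "Local Area Connection:"
NODE_RE = re.compile(r"Node IpAddress: \[([\d.]+)\]")
ROW_RE = re.compile(r"^(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\w+$")
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f-]{17})")

def parse_nbtstat(output):
    """One record per local interface; a 'Host not found' interface keeps names == []."""
    records, cur = [], None
    for line in (raw.strip() for raw in output.splitlines()):
        if m := IFACE_RE.match(line):
            cur = {"interface": m.group(1), "node_ip": None, "names": [], "mac": None}
            records.append(cur)
        elif cur is None:
            continue                                    # text before the first interface header
        elif m := NODE_RE.search(line):
            cur["node_ip"] = m.group(1)
        elif m := ROW_RE.match(line):
            name, suffix, kind = m.group(1), int(m.group(2), 16), m.group(3)
            cur["names"].append({"name": name, "suffix": suffix, "type": kind,
                                 "meaning": SUFFIX_MEANING.get((kind, suffix), "unknown")})
        elif m := MAC_RE.search(line):
            cur["mac"] = m.group(1)
    return records

def missing_baseline(record):
    """Baseline entries a live NBT-enabled host registers that this table lacks (all missing: filtered, NBT off, or wrong NIC)."""
    have = {(n["type"], n["suffix"]) for n in record["names"]}
    baseline = {("UNIQUE", 0x00): "workstation <00>", ("UNIQUE", 0x20): "server <20>",
                ("GROUP", 0x00): "workgroup <00>"}
    return [label for key, label in baseline.items() if key not in have]
# Constructed sample modelled on the nbtstat -A excerpt quoted in the thread (not real output).
SAMPLE = """\
Local Area Connection:
Node IpAddress: [10.53.2.69] Scope Id: []
    FLYTRAP        <00>  UNIQUE      Registered
    FLYTRAP        <20>  UNIQUE      Registered
    HONEYNET       <00>  GROUP       Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    MAC Address = 00-04-75-AF-93-7B
Local Area Connection 2:
Node IpAddress: [0.0.0.0] Scope Id: []
    Host not found.
"""
```

Run missing_baseline over each record from parse_nbtstat(SAMPLE): the first interface reports nothing missing, the second reports all three baseline entries missing, which is the pattern the thread is trying to explain.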