Penetration Testing mailing list archives

RE: Exhange 2003

From: "Blurred Vision" <really_blurred_vision () hotmail com>
Date: Mon, 08 Mar 2004 17:59:52 +1100

This is standard for Exchange. When you connect to it, it will talk to port139 on your system. Exchange tries to log your friendly windows hostname inthe system logs. This in turn populates the netbios table on your systemwith it's info, hence the nbtstat response (coming from your cache). if youwant to test this, perform these steps:

Look at the cached netbios table to show it's empty (you may need to purgeit...)

c:\> nbtstat -c

telnet to the remote mail server:
c:\>telnet exchange.mycompany.com 25

then look at the cached netbios table again:
c:\> nbtstat -c

TCPDUMP it, and you will see the traffic.

Worth mentioning in thepentest report as an information leak.

hope this helps.

Blurr.

-----Original Message-----
From: Deniz CEVIK [mailto:deniz () edizayn com tr]
Sent: Wednesday, 3 March 2004 1:30 AM
To: pen-test () securityfocus com
Subject: Exhange 2003


Hi All,

While we are testing our customer network, we faced with strange problem. We
are testing exchange 2003 server externally. When we controlled open
services with port scan, I saw that only two ports (25 and 100) are shown as
open. Before I run the portscan, I have controlled the server with "nbtstat"
command of windows. It returned error messages as below.

nbtstat -A EXCH_IP

Local Area Connection:
Node IpAddress: [MY_MACHINE] Scope Id: []

   Host not found.

After the port scan is finished, in order to see the banner information of
mail server, I opened the connection to port 25 using telnet command (telnet
EXCH_IP 25). Same time when I run "nbtstat -A" command from another window
by mistake and I saw that below output.

nbtstat -A EXCH_IP

Local Area Connection:
Node IpAddress: [MY_MACHINE] Scope Id: []

          NetBIOS Remote Machine Name Table

      Name               Type         Status
   ---------------------------------------------
   HADXM           <1F>  UNIQUE      Registered
   HADXM           <00>  UNIQUE      Registered
   HADXM           <20>  UNIQUE      Registered
   EXCHANGE        <00>  GROUP       Registered
   EXCHANGE        <1C>  GROUP       Registered
   EXCHANGE        <1B>  UNIQUE      Registered
   EXCHANGE        <1E>  GROUP       Registered
   HADXM           <03>  UNIQUE      Registered
   ADMINISTRATOR   <03>  UNIQUE      Registered
   EXCHANGE        <1D>  UNIQUE      Registered
   ..__MSBROWSE__. <01>  GROUP       Registered
   HADXM           <6A>  UNIQUE      Registered
   HADXM           <87>  UNIQUE      Registered

   MAC Address = MAC_ADDRESS_OF_EXCHANGE

If there isn't any connection to open port of the server you can't see this
nbtstat outputs.

Has any body faced with same situations before?

BR


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks withAstaro

Security Linux, the comprehensive security solution that combines six

applications in one software solution for ease of use and lower total costof

ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
----------------------------------------------------------------------------

_________________________________________________________________

Personalise your phone with chart ringtones and polyphonics. Go tohttp://ringtones.com.au/ninemsn/control?page=/ninemsn/main.jsp



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

Exhange 2003 Deniz CEVIK (Mar 02)
- Re: Exhange 2003 jamesworld (Mar 03)
  - RE: Exhange 2003 Deniz CEVIK (Mar 03)
    - RE: Exhange 2003 John Swope (Mar 04)
    - RE: Exhange 2003 joey (Mar 05)
    - Re[2]: Exhange 2003 Marius Huse Jacobsen (Mar 15)
- <Possible follow-ups>
- RE: Exhange 2003 Meidinger Chris (Mar 03)
- RE: Exhange 2003 Zach Forsyth (Mar 05)
- RE: Exhange 2003 Bowden, Sean (Mar 07)
- RE: Exhange 2003 Blurred Vision (Mar 08)