Penetration Testing mailing list archives

Re: Inaccessible Port 80 - Pentest


From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Sat, 9 Aug 2008 12:11:51 +0530

Derrick suggested a honeypot. One machine, probably, but 10 IPs all 403-denied in the
same way? Not so sure.

Jerry: Not the admin port, because I get 403'd straight away, and again it's not
just one IP.

@Everyone else: Thanks... various ways to help clients access the setup
is what I got. True. But IF I find out who their clients are and get
those IPs as well, time permitting, how long is it going to take to
bypass the IP restrictions? Not the best way IMO.

Hey Kevin,
My replies inline...

On Sat, Aug 9, 2008 at 7:11 AM, kevin horvath <kevin.horvath () gmail com> wrote:
Hi Arvind,

You said the port was open so if it was a firewall filtering it by
source address then your scan would have shown a result of filtered or
closed depending on how the firewall was configured or if it was a
router acl.  Regardless if it shows open and you are being denied then
you should try looking at it using a proxy such as Burp, paros, or
webscarab.  When you make a GET request then you can see what error
code you get in response such as failed due to NTLM/Basic
authentication, directory listing denied, etc as most likely the
webserver or app is blocking you not a network firewall.

An ISA firewall blocked it. There were around 10 IPs which behaved
the exact same way. The ISA changed the IP in the error message each
time I tried a new IP address. The error was 403 Forbidden through a
browser, through telnet to port 80 (GET) and through Burp as well. So
I'm guessing I cannot access what there is on that site.

It may even be a web app whose root directory is not at your typical
"/" but somewhere else, with no redirects set up for anyone requesting
the default root directory. Basically you're most likely not being
blocked by a firewall but at the app layer by whatever web server is
running. So do as I listed above and then also fingerprint the device
through various methods (telnet to the port, nc to the port, use
httprint, etc.). Once you have done this, put your results back up
here so we can give you a more educated answer.

I thought of that too. But if I keep getting a 403 on the root dir
itself, there's no hope of me trying to do a directory enumeration to
find out the actual app directory, which might be:
http://2.4.5.6/APPLICATION ----------- instead of http://2.4.5.6
I even tried using DirBuster, which predictably failed to go past the
root directory because it got the 403 first up. I did try telnetting,
not netcat, but got a 403 there too.

One question though: when you said below "So obviously there was some
kind of IP based restriction in place which said -- Only these IP's can
connect to whatever is running on port 80", did it actually display
"only these IPs x.x.x.x-x.x.x.x can connect", or are you just making an
educated guess?

Yeah it did. Kept changing the IP on screen. I checked every IP
manually as well.

As for why a company would want to do this, there are many different
reasons. Until you know the basics, such as what web platform (Apache,
IIS, etc.) it is, at this point you're just shooting in the dark. If
only port 80 is open then I hope for this company's sake it's nothing
sensitive.

That's what I want to know. A lot of guys here have responded by saying
there could be setups which certain clients want to be able to access
over the Internet/app thick clients/VPNs etc. and not the whole
Internet. Is that the only reason possible? Or is there anything else?
I don't know what's running apart from guesses made by scanners.
Scanners are guessing Windows systems with IIS/Apache, but that's about
it.

Lastly what else could I have tried anyway? Apart from running
Nikto/Nessus/XYZ vuln scanner.

