Penetration Testing mailing list archives

Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?


From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 13 Mar 2009 12:05:17 +0100 (ora solare Europa occidentale)

On Thu, 12 Mar 2009, Richard Miles wrote:

Hi Marco,

Nice to see your reply.

;)

Yes, it says OPEN|FILTERED as all other ports at this host.

Weird. What I meant in my previous email is that you should try something along the lines of:

root@shaolin:~# nmap -n --packet-trace --reason 10.0.0.220 -p 440-445

Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-13 11:46 CET
SENT (0.0780s) ARP who-has 10.0.0.220 tell 10.0.0.144
RCVD (0.0790s) ARP reply 10.0.0.220 is-at 00:0C:29:19:94:EF
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:443 S ttl=41 id=4691 iplen=44 seq=2996612997 win=2048 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:441 S ttl=39 id=33943 iplen=44 seq=2996612997 win=4096 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:445 S ttl=38 id=25659 iplen=44 seq=2996612997 win=3072 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:442 S ttl=56 id=2974 iplen=44 seq=2996612997 win=1024 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:440 S ttl=57 id=4341 iplen=44 seq=2996612997 win=2048 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:444 S ttl=55 id=57289 iplen=44 seq=2996612997 win=4096 <mss 1460>
RCVD (0.1070s) TCP 10.0.0.220:443 > 10.0.0.144:53535 SA ttl=128 id=44500 iplen=44 seq=4269415853 win=64240 ack=2996612998 <mss 1460>
RCVD (0.1070s) TCP 10.0.0.220:441 > 10.0.0.144:53535 RA ttl=128 id=44501 iplen=40 seq=0 win=0 ack=2996612998
RCVD (0.1070s) TCP 10.0.0.220:445 > 10.0.0.144:53535 SA ttl=128 id=44502 iplen=44 seq=3878712938 win=64240 ack=2996612998 <mss 1460>
RCVD (0.1080s) TCP 10.0.0.220:442 > 10.0.0.144:53535 RA ttl=128 id=44503 iplen=40 seq=0 win=0 ack=2996612998
RCVD (0.1080s) TCP 10.0.0.220:440 > 10.0.0.144:53535 RA ttl=128 id=44504 iplen=40 seq=0 win=0 ack=2996612998
RCVD (0.1080s) TCP 10.0.0.220:444 > 10.0.0.144:53535 RA ttl=128 id=44505 iplen=40 seq=0 win=0 ack=2996612998
Interesting ports on 10.0.0.220:
PORT    STATE  SERVICE       REASON
440/tcp closed sgcp          reset
441/tcp closed decvms-sysmgt reset
442/tcp closed cvc_hostd     reset
443/tcp open   https         syn-ack
444/tcp closed snpp          reset
445/tcp open   microsoft-ds  syn-ack
MAC Address: 00:0C:29:19:94:EF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

The "REASON" field and the packet trace should give you the information you need to understand why Nmap reports open|filtered on all TCP ports?!

--
Marco Ivaldi, OPST
Lead Security Analyst     Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
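An added example, not part of the thread above: a small parser for the SENT/RCVD lines that `--packet-trace` prints, reproducing the STATE/REASON pairing of the `--reason` column so the reader can see exactly which reply (or absence of one) leads to open, closed, filtered, or the ambiguous open|filtered. The trace lines, IPs and port 446 in the sample are constructed in the shape of the output above.

```python
import re

# Constructed sample in the shape of Nmap's --packet-trace output (not the
# original post's trace): three SYN probes, two of which get answers.
# Port 446 is included here to show the no-response case.
SAMPLE_TRACE = """\
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:443 S ttl=41 id=4691 iplen=44 seq=2996612997 win=2048 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:441 S ttl=39 id=33943 iplen=44 seq=2996612997 win=4096 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:446 S ttl=38 id=25660 iplen=44 seq=2996612997 win=3072 <mss 1460>
RCVD (0.1070s) TCP 10.0.0.220:443 > 10.0.0.144:53535 SA ttl=128 id=44500 iplen=44 seq=4269415853 win=64240 ack=2996612998 <mss 1460>
RCVD (0.1070s) TCP 10.0.0.220:441 > 10.0.0.144:53535 RA ttl=128 id=44501 iplen=40 seq=0 win=0 ack=2996612998
"""
# One SENT/RCVD line of a TCP probe: direction, endpoints and the TCP flags.
LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \(\S+\) TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+) "
)
def classify_probes(trace: str) -> dict:
    """Reproduce the STATE/REASON pairing Nmap prints with --reason, from the
    raw trace: SYN/ACK back -> open (syn-ack), RST back -> closed (reset),
    nothing back -> filtered (no-response) for a SYN probe. For FIN/Xmas
    probes an open port stays silent, so silence there is the ambiguous
    open|filtered that the thread is asking about."""
    probes = {}   # target port -> flags of the probe we sent
    replies = {}  # target port -> flags of the reply, if any
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dir"] == "SENT":
            probes[int(m["dport"])] = m["flags"]
        else:  # reply travels from the target's port back to our source port
            replies[int(m["sport"])] = m["flags"]
    result = {}
    for port, sent_flags in probes.items():
        got = replies.get(port)
        if got is not None and "R" in got:
            result[port] = ("closed", "reset")
        elif got == "SA":
            result[port] = ("open", "syn-ack")
        elif sent_flags == "S":
            result[port] = ("filtered", "no-response")
        else:
            result[port] = ("open|filtered", "no-response")
    return result

if __name__ == "__main__":
    for port, (state, reason) in sorted(classify_probes(SAMPLE_TRACE).items()):
        print(f"{port}/tcp {state:<14} {reason}")
```

If every port in your own trace comes back with no-response, the reason column is telling you the probes never got an answer at all, which points at a firewall or the scan type rather than at the VPN concentrator's services.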
