Hi list,

Recently I came across a weird network infrastructure. Can you help me identify the types of devices used? I have this:

    [Internet] ---------- [An unknown device] ---------- [Box 1-Webserver]
                                             \---------- [Box 2-Mailserver]

I was able to compromise the mailserver using web exploits. Port scans of each device from either the internet or the mailserver yield different results, as shown above.

------------------
From the internet:
------------------

Unknown device:
  Open ports: 21,23,25,53,80,109,110,442
  Closed ports: 49400,54320,61439,61440,61441,65301
  Filtered: Everything else
  Replies to echo requests: No
  Nmap tcp fingerprint: FreeBSD 2.2.1 - 4.1, FreeBSD 4.1.1 - 4.3 (X86)

Webserver:
  Open ports: 21,80,3306
  Closed ports: 49400,54320,61439,61440,61441,65401
  Filtered: Everything else
  Replies to echo requests: No
  Nmap tcp fingerprint: FreeBSD 2.2.1 - 4.1, FreeBSD 4.1.1 - 4.3 (X86)

Mailserver:
  Open ports: 80,110
  Closed ports: None
  Filtered: Everything else
  Replies to echo requests: No
  Nmap tcp fingerprint: spcheck reports SP6 b1381

---------------------
From the mailserver:
---------------------

Unknown device:
  Open ports: 21,23,25,43,53,80,81,86,109,110,113,119,137,138,139,210,443,808,2000,3306,6668,8080
  Closed ports: None
  Filtered: Everything else
  Replies to echo requests: No
  Nmap tcp fingerprint: N/A *

Webserver:
  Open ports: 21,23,25,43,80,81,86,109,110,113,119,137,138,139,210,443,808,2000,3306,6668,8080
  Closed ports: None
  Filtered: Everything else
  Replies to echo requests: No
  Nmap tcp fingerprint: N/A *

Mailserver:
  Open ports: N/A
  Closed ports: N/A
  Filtered: N/A
  Replies to echo requests: N/A
  Nmap tcp fingerprint: N/A *

* I couldn't properly install winpcap to have it identify tcp fingerprints, since it would require a reboot and I have no physical access to the system.

So here are some things we can identify:

1) The presence of the cvc_hostd (442) port on the two interfaces of the unknown device... could anyone comment?

2) All ICMP traffic that goes through the unknown device is blocked.

3) Some ACLs are used to restrict traffic to both some ports of the unknown device and the two boxes.

4) The majority of the ports open on the unknown device are forwards to open ports on the Webserver EXCEPT port 53. I tried nslookup -class=chaos -type=txt version.bind [the device] and it returns an unknown domain, so I judge the chances of it being BIND fairly low.

5) The telnet port on the internal interface of the device seems to be broken: no daemon listens on it even though the port is open.

Does anyone see any telltale signs of a particular OS/device here? In my opinion it could be a Cisco or maybe a FreeBSD box, but I'm really unsure. Some help/comments would be appreciated.

--TB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
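The set comparison behind points 3 and 4 of the post, written out as an added example (this is not code from TB's post; it only reuses the port lists quoted there, and the host labels and category names are my own). It is the same check a firewall administrator would run to confirm that an ACL and port-forwarding policy looks the way it is supposed to from both sides of the device.

```python
# Added example: compare the port lists TB reported from the two vantage
# points to separate ACL filtering from port forwarding.  The port sets are
# copied from the post; the category names are assumptions made here.

INTERNET = {  # what an outside scanner saw
    "device": {21, 23, 25, 53, 80, 109, 110, 442},
    "webserver": {21, 80, 3306},
}
INTERNAL = {  # what the compromised mailserver saw
    "device": {21, 23, 25, 43, 53, 80, 81, 86, 109, 110, 113, 119, 137,
               138, 139, 210, 443, 808, 2000, 3306, 6668, 8080},
    "webserver": {21, 23, 25, 43, 80, 81, 86, 109, 110, 113, 119, 137,
                  138, 139, 210, 443, 808, 2000, 3306, 6668, 8080},
}


def classify(host, external=INTERNET, internal=INTERNAL):
    """Split one host's ports by where they are reachable from."""
    ext, inside = external[host], internal[host]
    return {
        # reachable from both sides: the policy deliberately exposes these
        "reachable_both": sorted(ext & inside),
        # open inside but filtered from the Internet: ACL is doing its job
        "blocked_from_internet": sorted(inside - ext),
        # visible only from outside: a listener bound to the external
        # interface only (or a NAT rule), worth explaining individually
        "only_from_internet": sorted(ext - inside),
    }


def forwarded_candidates(external=INTERNET, internal=INTERNAL):
    """Externally open device ports that the webserver also serves
    internally: consistent with the device forwarding them (point 4)."""
    return sorted(external["device"] & internal["webserver"])


def device_native_ports(internal=INTERNAL):
    """Ports the device offers internally that the webserver does not:
    services the device runs itself rather than forwards."""
    return sorted(internal["device"] - internal["webserver"])


if __name__ == "__main__":
    for host in ("device", "webserver"):
        print(host, classify(host))
    print("forwarded candidates:", forwarded_candidates())
    print("device-native ports:", device_native_ports())
```

Note that the comparison reports 442 as visible only from the Internet side of the device, which is the same anomaly raised in point 1.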
This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 13:19:27 PDT