Re: pen testing management and control system

From: Mark Wolfgang (moonpieat_private)
Date: Fri Jun 27 2003 - 12:48:23 PDT


    Yeah, a reactionary firewall such as portsentry binds the ports it
    wants to monitor, then when one attempts to connect to any of the
    monitor ports, it either blocks or records the offending IP.  
    
    Running a server with VNC, Terminal Services, PC Anywhere, and citrix
    seems a bit improbable.  As does running telnet and ssh.  
    
    Then again, I have seen some odd stuff...
    
    Good luck.
    
    On Fri, Jun 27, 2003 at 03:28:49PM -0400 or thereabouts, Rob Shein wrote:
    > At what point in the scan did you get blocked?  It looks like the portscan
    > worked, except that there are a whole lot of ports I'd not expect to see on
    > a server like that.  Things that stand out are the presence of VNC with
    > Terminal Server AND Metaframe, for example.  And Metaframe on 2000 Advanced
    > Server seems like a terrible idea as well, from what I know of the way it
    > handles foreground/background priority, and how it's optimized for specific
    > types of server apps.  Are you sure that there isn't some kind of reactive
    > (firewall or IDS) configuration that's meant to throw you some red herrings
    > that automatically block you when you connect to them?
    > 
    > > -----Original Message-----
    > > From: Ronen Gottlib [mailto:ronenat_private] 
    > > Sent: Friday, June 27, 2003 4:54 AM
    > > To: pen-testat_private
    > > Subject: pen testing management and control system
    > > 
    > > 
    > > Hi All,
    > > 
    > > I am pen testing a windows 2000 advanced server, with some 
    > > kind of management and control software (e.g. Tivoli, 
    > > Netcool). The system has IIS 6.0 running with lockdown enabled.
    > > 
    > > When I tried to run Nessus, my IP was blocked for quite a long
    > > time. The same happened with Nikto.
    > > 
    > > Furthermore, although quite a few ports were found to be
    > > open on the remote machine, the management and control
    > > application is blocking most of them while allowing
    > > access only to the following: 21, 23 (ms telnet server),
    > > 25 (Microsoft ESMTP MAIL Service, Version: 6.0.2600.1106), 80
    > > (Microsoft-IIS/6.0), 110 (Microsoft Windows POP3 Service
    > > Version 2.0), 3389.
    > > 
    > > 
    > > The system is also running Hummingbird Exceed.
    > > 
    > > Does anyone have any idea? I've kind of reached a dead end.
    > > Below are the results of an Nmap scan, if it helps.
    > > 
    > > Thank you very much for your help-
    > > 
    > > Ronen.
    > > 
    > > 
    > > Port       State     Service
    > > 21/tcp     open      ftp
    > > 22/tcp     open      ssh
    > > 23/tcp     open      telnet
    > > 25/tcp     open      smtp
    > > 53/tcp     open      domain
    > > 80/tcp     open      http
    > > 98/tcp     open      linuxconf
    > > 110/tcp    open      pop-3
    > > 111/tcp    open      sunrpc
    > > 135/tcp    open      loc-srv
    > > 143/tcp    open      imap2
    > > 161/tcp    open      snmp
    > > 443/tcp    open      https
    > > 1080/tcp   open      socks
    > > 1433/tcp   open      ms-sql-s
    > > 1494/tcp   open      citrix-ica
    > > 1720/tcp   filtered  H.323/Q.931
    > > 1723/tcp   filtered  pptp
    > > 3389/tcp   open      ms-term-serv
    > > 4000/tcp   filtered  remoteanything
    > > 5135/tcp   open      unknown
    > > 5631/tcp   open      pcanywheredata
    > > 5632/tcp   open      pcanywherestat
    > > 5900/tcp   open      vnc
    > > 6112/tcp   open      dtspc
    > > 6660/tcp   filtered  unknown
    > > 6661/tcp   filtered  unknown
    > > 6662/tcp   filtered  unknown
    > > 6663/tcp   filtered  unknown
    > > 6664/tcp   filtered  unknown
    > > 6665/tcp   filtered  unknown
    > > 6666/tcp   filtered  irc-serv
    > > 6667/tcp   filtered  irc
    > > 6668/tcp   filtered  irc
    > > 6669/tcp   filtered  unknown
    > > 8875/tcp   filtered  unknown
    > > 28900/tcp  filtered  unknown
    > > 
    > > 
    > > --------------------------------------------------------------
    > > -------------
    > > Latest attack techniques.
    > > 
    > > You're a pen tester, but is google.com still your R&D team? 
    > > Now you can get 
    > > trustworthy commercial-grade exploits and the latest 
    > > techniques from a 
    > > world-class research group.
    > > 
    > > Visit us at: www.coresecurity.com/promos/sf_ept1 
    > > or call 617-399-6980
    > > --------------------------------------------------------------
    > > --------------
    > > 
    > > 
    > 
    > 
    > 
    
    -- 
    Risk accepted by one is imposed on all
    http://moonpie.org
    
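Mark's description of a reactive listener, and Rob's question about which point in the scan caused the block, as an added example that is not part of the original thread: a portsentry-style tripwire simulated on loopback, beside the port-by-port probe that pins down which port tripped it. The host, the port numbers, the banner and the scan order are all constructed for the demo and have nothing to do with the original poster's target.

```python
import socket
import threading

# Constructed loopback simulation of a portsentry-style reactive listener.
# Host, ports and banner are assumptions for this demo, not the original
# poster's target.
HOST = "127.0.0.1"
BANNER = b"220 service ready\r\n"


class ReactiveHost:
    """Binds real service ports and decoy (tripwire) ports. The first
    connection a source address makes to any decoy puts it on a blocklist,
    after which every listener, real or decoy, accepts and drops silently."""

    def __init__(self, real_ports, decoy_ports):
        self.blocked = set()
        self.lock = threading.Lock()
        self.servers, self.threads = [], []
        self.stop = threading.Event()
        for port in real_ports:
            self._listen(port, decoy=False)
        for port in decoy_ports:
            self._listen(port, decoy=True)

    def _listen(self, port, decoy):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((HOST, port))
        srv.listen(5)
        srv.settimeout(0.2)  # so the accept loop can notice stop()
        self.servers.append(srv)
        t = threading.Thread(target=self._serve, args=(srv, decoy), daemon=True)
        t.start()
        self.threads.append(t)

    def _serve(self, srv, decoy):
        while not self.stop.is_set():
            try:
                conn, (ip, _) = srv.accept()
            except socket.timeout:
                continue
            with conn:
                with self.lock:
                    if decoy:
                        self.blocked.add(ip)  # tripwire hit: record and block the source
                    drop = ip in self.blocked
                if not drop:
                    conn.sendall(BANNER)  # legitimate service answers normally

    def close(self):
        self.stop.set()
        for t in self.threads:
            t.join()
        for s in self.servers:
            s.close()


def probe(port, timeout=0.5):
    """Classify one port: 'open' (banner read), 'silent' (connection accepted,
    then closed or reset with no data), 'filtered' (connect timed out, what a
    firewall DROP looks like) or 'closed' (refused)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((HOST, port))
        except socket.timeout:
            return "filtered"
        except OSError:
            return "closed"
        try:
            data = s.recv(64)
        except OSError:
            return "silent"
        return "open" if data else "silent"
    finally:
        s.close()


def find_tripwire(ports, canary):
    """Probe ports one at a time and re-check a known-good canary port after
    each. Returns (results, trigger): trigger is the first port whose probe
    made the canary stop answering, or None if nothing tripped."""
    if probe(canary) != "open":
        raise RuntimeError("canary port is not answering before the scan starts")
    results = {}
    for port in ports:
        results[port] = probe(port)
        if probe(canary) != "open":
            return results, port
    return results, None


def demo():
    # Constructed layout: two real services, two decoys, scanned in numeric order.
    host = ReactiveHost(real_ports=[18021, 18080], decoy_ports=[19631, 19900])
    try:
        return find_tripwire([18021, 18080, 19631, 19900], canary=18080)
    finally:
        host.close()


if __name__ == "__main__":
    results, trigger = demo()
    print(results, "tripped by", trigger)
```

The point of the canary re-check is that a parallel scanner such as nmap has already hit the decoy before the answers for the real ports come back, so everything after the tripwire shows as filtered and the scan output alone does not say which port did it; probing sequentially and re-testing a port known to answer after each one does. Against a real host the block is usually a firewall rule or a null route rather than an accept-and-drop, so the canary would come back as "filtered" (timeout) instead of "silent", which is why find_tripwire only asks whether the canary is still "open". The simulated decoys also behave like the ports in the original scan that appeared open but never answered: an accept followed by an immediate close, with nothing bound behind it.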
    



    This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 13:17:44 PDT