RE: Exhange 2003

From: Deniz CEVIK (deniz_at_edizayn.com.tr)
Date: 03/03/04

  • Next message: xterrabart_at_comcast.net: "Exchange 2003"
    To: <jamesworld@intelligencia.com>, "Deniz CEVIK" <deniz@edizayn.com.tr>
    Date: Wed, 3 Mar 2004 12:45:16 +0200
    
    

            Hi all,

    This host is behind the cisco pix firewall. I have scanned this host using
    several portscan tools. These tools show that only two ports are open. (SMTP
    and POP3). Strange think is, if you don't establish the TCP connection to
    one of these open ports, before run the "nbtstat" command, you get nothing.
    But if you open a tcp connection and after that run nbtstat command, you can
    see the details of netbios information of machine.

    Nbtstat command is sending packets to udp 137 port of destination. As far as
    I see, firewall is accepting udp packets, if there is an established tcp
    connection from same source to same destination as in udp connection
    request. I think there is a configuration problem in the customer firewall.
    For further analysis I requested firewall configuration and logs.

    Thanks for your helps.

    PS: HADXM is the hostname of the machine. I have modified some information
    in outputs before I posted the message.

    BR.

    -----Original Message-----
    From: jamesworld@intelligencia.com [mailto:jamesworld@intelligencia.com]
    Sent: Wednesday, March 03, 2004 4:17 AM
    To: Deniz CEVIK
    Cc: pen-test@securityfocus.com
    Subject: Re: Exhange 2003

    Did you try

    netstat -an

    And see what ports were listening?

    Is there a local IP filtering policy active? You mentioned only 2 ports as
    being active 25 and 100. Perhaps there is a local IP policy only allowing
    those ports. Perhaps the port 100 was supposed to be port 110 for POP3
    mail access and they typod the entry. Good of you to find their
    misconfiguration for them :-)

    Did you run fport (foundstone)? If you've never used fport, you should add
    it to your arsenal.

    Hopefully HADXM is the username that you are using. If not, look into the
    host being compromised.

    If you have more, post it to us.

    Cheers,
    -James

    At 08:29 03/02/2004, Deniz CEVIK wrote:
    >Hi All,
    >
    >While we are testing our customer network, we faced with strange problem.
    We
    >are testing exchange 2003 server externally. When we controlled open
    >services with port scan, I saw that only two ports (25 and 100) are shown
    as
    >open. Before I run the portscan, I have controlled the server with
    "nbtstat"
    >command of windows. It returned error messages as below.
    >
    >nbtstat -A EXCH_IP
    >
    >Local Area Connection:
    >Node IpAddress: [MY_MACHINE] Scope Id: []
    >
    > Host not found.
    >
    >After the port scan is finished, in order to see the banner information of
    >mail server, I opened the connection to port 25 using telnet command
    (telnet
    >EXCH_IP 25). Same time when I run "nbtstat -A" command from another window
    >by mistake and I saw that below output.
    >
    >nbtstat -A EXCH_IP
    >
    >Local Area Connection:
    >Node IpAddress: [MY_MACHINE] Scope Id: []
    >
    > NetBIOS Remote Machine Name Table
    >
    > Name Type Status
    > ---------------------------------------------
    > HADXM <1F> UNIQUE Registered
    > HADXM <00> UNIQUE Registered
    > HADXM <20> UNIQUE Registered
    > EXCHANGE <00> GROUP Registered
    > EXCHANGE <1C> GROUP Registered
    > EXCHANGE <1B> UNIQUE Registered
    > EXCHANGE <1E> GROUP Registered
    > HADXM <03> UNIQUE Registered
    > ADMINISTRATOR <03> UNIQUE Registered
    > EXCHANGE <1D> UNIQUE Registered
    > ..__MSBROWSE__. <01> GROUP Registered
    > HADXM <6A> UNIQUE Registered
    > HADXM <87> UNIQUE Registered
    >
    > MAC Address = MAC_ADDRESS_OF_EXCHANGE
    >
    >If there isn't any connection to open port of the server you can't see this
    >nbtstat outputs.
    >
    >Has any body faced with same situations before?
    >
    >BR
    >
    >
    >---------------------------------------------------------------------------
    >Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    >wireless security
    >
    >Protect your network against hackers, viruses, spam and other risks with
    >Astaro
    >Security Linux, the comprehensive security solution that combines six
    >applications in one software solution for ease of use and lower total cost
    of
    >ownership.
    >
    >Download your free trial at
    >http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
    >---------------------------------------------------------------------------
    -

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040303
    ----------------------------------------------------------------------------


  • Next message: xterrabart_at_comcast.net: "Exchange 2003"

    Relevant Pages

    • Re: AS4.2/WM5/OUTLOOK2K3 suddenly not syncing, please help
      ... there is a connection EXIST between the device because I ... connection on port 26675 but on the PPC the port number keeps ... Outlook, countless times of reinstalling Activesync, removing Windows ... Firewall set to NO). ...
      (microsoft.public.pocketpc.activesync)
    • Re: printer
      ... firewall on your router, and the machines you want to connect to are on ... it appears port 631 is listening on all ... Do you get a "Could not open connection to the host" error? ...
      (Ubuntu)
    • RE: FTP Window of opportunity?
      ... target on the line when in reality it was just a firewall lying to them. ... The connection connects and then immediately ... Subject: FTP Window of opportunity? ... the FTP port shows up. ...
      (Pen-Test)
    • Re: Adding Rules for Blackberry ES to ISA 2000 - SOLVED
      ... I found that their connection actually initiated a connection on port ... any lan machine to any outside host:: allow host to ... Note that in order to get outbound bes to work on an isa server (when ...
      (microsoft.public.isaserver)
    • Re: Adding Rules for Blackberry ES to ISA 2000 - SOLVED
      ... I found that their connection actually initiated a connection on port ... any lan machine to any outside host:: allow host to ... Note that in order to get outbound bes to work on an isa server (when ...
      (microsoft.public.isaserver)