RE: Exhange 2003

From: Blurred Vision (really_blurred_vision_at_hotmail.com)
Date: 03/08/04

  • Next message: Irvin Temp: "RE: setting up security research lab" 
    To: deniz@edizayn.com.tr
Date: Mon, 08 Mar 2004 17:59:52 +1100

    This is standard for Exchange. When you connect to it, it will talk to port
    139 on your system. Exchange tries to log your friendly windows hostname in
    the system logs. This in turn populates the netbios table on your system
    with it's info, hence the nbtstat response (coming from your cache). if you
    want to test this, perform these steps:

    Look at the cached netbios table to show it's empty (you may need to purge
    it...)
    c:\> nbtstat -c

    telnet to the remote mail server:
    c:\>telnet exchange.mycompany.com 25

    then look at the cached netbios table again:
    c:\> nbtstat -c

    TCPDUMP it, and you will see the traffic.

    Worth mentioning in thepentest report as an information leak.

    hope this helps.

    Blurr.

    -----Original Message-----
    From: Deniz CEVIK [mailto:deniz@edizayn.com.tr]
    Sent: Wednesday, 3 March 2004 1:30 AM
    To: pen-test@securityfocus.com
    Subject: Exhange 2003

    Hi All,

    While we are testing our customer network, we faced with strange problem. We
    are testing exchange 2003 server externally. When we controlled open
    services with port scan, I saw that only two ports (25 and 100) are shown as
    open. Before I run the portscan, I have controlled the server with "nbtstat"
    command of windows. It returned error messages as below.

    nbtstat -A EXCH_IP

    Local Area Connection:
    Node IpAddress: [MY_MACHINE] Scope Id: []

        Host not found.

    After the port scan is finished, in order to see the banner information of
    mail server, I opened the connection to port 25 using telnet command (telnet
    EXCH_IP 25). Same time when I run "nbtstat -A" command from another window
    by mistake and I saw that below output.

    nbtstat -A EXCH_IP

    Local Area Connection:
    Node IpAddress: [MY_MACHINE] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name Type Status
        ---------------------------------------------
        HADXM <1F> UNIQUE Registered
        HADXM <00> UNIQUE Registered
        HADXM <20> UNIQUE Registered
        EXCHANGE <00> GROUP Registered
        EXCHANGE <1C> GROUP Registered
        EXCHANGE <1B> UNIQUE Registered
        EXCHANGE <1E> GROUP Registered
        HADXM <03> UNIQUE Registered
        ADMINISTRATOR <03> UNIQUE Registered
        EXCHANGE <1D> UNIQUE Registered
        ..__MSBROWSE__. <01> GROUP Registered
        HADXM <6A> UNIQUE Registered
        HADXM <87> UNIQUE Registered

        MAC Address = MAC_ADDRESS_OF_EXCHANGE

    If there isn't any connection to open port of the server you can't see this
    nbtstat outputs.

    Has any body faced with same situations before?

    BR

    ---------------------------------------------------------------------------
    Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
    wireless security

    Protect your network against hackers, viruses, spam and other risks with
    Astaro
    Security Linux, the comprehensive security solution that combines six
    applications in one software solution for ease of use and lower total cost
    of
    ownership.

    Download your free trial at
    http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
    ----------------------------------------------------------------------------

    _________________________________________________________________
    Personalise your phone with chart ringtones and polyphonics. Go to
    http://ringtones.com.au/ninemsn/control?page=/ninemsn/main.jsp

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

  • Next message: Irvin Temp: "RE: setting up security research lab"

    Relevant Pages

    • Re: How to Maintain an IIS Server?
      ... > server running on a Windows 2000 server. ... before a firewall and antivirus have been installed]. ... open ports; however, this will not identify which program is using the port. ...
      (microsoft.public.inetserver.iis.security)
    • LPD/LPR printing or alternative
      ... Configuring LPD for Microsoft Windows XP or Windows 2003 Server ... LPR port. ... protocol address of the HP Jetdirect print server. ...
      (comp.os.os2.misc)
    • RE: xp pro sharing printer
      ... How to troubleshoot network printing problems in Windows XP ... SMB-connected print server ... Incompatible print driver ... and then redirect the port to the network server. ...
      (microsoft.public.windowsxp.security_admin)
    • Re: How to Maintain an IIS Server?
      ... >> server running on a Windows 2000 server. ... > before a firewall and antivirus have been installed]. ... > program or executable using that port. ...
      (microsoft.public.inetserver.iis.security)
    • RE: Printing from Win9x clients stops
      ... since this issue only occurs on all Windows 9x ... Open Server Management Console, ... Verify basic network connectivity. ... >> Create a local printer and in the Ports section, ...
      (microsoft.public.windows.server.sbs)