RE: Inaccessible Port 80 - Pentest



- Maybe that's the administrative port on their firewall and they're not
doing an adequate job blocking access.
- Maybe it's not really a web site and you aren't doing the appropriate
handshake

Have you tried connecting using Netcat or something like that....maybe
it's giving you more than you think.

Does it drop you RIGHT AWAY or does it only drop you after some amount
of time, some amount/type of input?

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of arvind doraiswamy
Sent: Thursday, August 07, 2008 11:45 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Inaccessible Port 80 - Pentest

Hey Guys,
Very recently we did a PenTest for a client where we came across a
strange(atleast to me) situation. Had an IP block which on scanning
revealed only port 80 open which sounded ok. Any kind of requests
though from the external world - I tried from multiple IP's and even
through TOR were blocked by a firewall which kept displaying its
custom "Access denied" page. So obviously there was some kind of IP
based restriction in place which said -- Only these IP's can connect
to whatever is running on port 80. No problems till here.

My question is: Why would anyone want to have a live server on the
Internet, open one port on it and then block it from public use?
Obvious answers that sprung to mind were:
a) Maybe its an internal server running a web app to be accessed only
internally
----- So why is it public , in the DMZ then? Shouldnt it be
on the internal network?
b) Maybe some hosts/apps on the internal network needed to connect to
port 80 of a DMZ server before going out?
------ Then again why is it public. These servers could be
placed on an internal segment and the traffic could be NATTEd before
it goes out like all other Internet destined traffic. And Secondly I
am not able to think of a situation like this --- What traffic apart
from a proxy could behave this way --- where I have -- Internal IP
-------> DMZIP:80 ---------> Internet ? And mind you this wasnt just 1
IP - there were many, so I'm quite sure I've missed something.

What are your thoughts?

Thnx
Arvind

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------



Relevant Pages

  • Re: [Firewalls] Checkpoint FW-1 - Static NAT
    ... These services perform port mapping. ... destination port and IP address of a connection can be changed. ... After installing the new policy on the target Firewall Module, ... One to the internet, and the other to ...
    (comp.security.firewalls)
  • Re: Inaccessible Port 80 - Pentest
    ... donot think a firewall would block be blocking. ... A mixture of layer 3 port filtering to restrict you to port 80 would seem to ... Internet, open one port on it and then block it from public use? ...
    (Pen-Test)
  • Re: I have too much firewall activity
    ... It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. ... Standard Internet behaviour requires port connection attempts to be answered with a success or refusal response. ... it is good that you have a firewall. ...
    (microsoft.public.windowsxp.general)
  • Re: I have too much firewall activity
    ... It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. ... Standard Internet behaviour requires port connection attempts to be answered with a success or refusal response. ... it is good that you have a firewall. ...
    (microsoft.public.windowsxp.basics)
  • Re: I have too much firewall activity
    ... It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. ... Standard Internet behaviour requires port connection attempts to be answered with a success or refusal response. ... it is good that you have a firewall. ...
    (microsoft.public.security.virus)