Re: Inaccessible Port 80 - Pentest



Derrick suggested a honeypot. One machine..probably but 10 IP's in the
same way all 403 denied? Not so sure.

Jerry: Not the admin port coz I get 403'd straight away and its not
just one IP again.

@Everyone else: Thanks...various ways to help clients access the setup
is what I got. True. But IF I find out who their clients are and get
those IP's as well, time permitting how long is it going to take to
bypass the IP restrictions? Not the best way IMO.

Hey Kevin,
My replies inline...

On Sat, Aug 9, 2008 at 7:11 AM, kevin horvath <kevin.horvath@xxxxxxxxx> wrote:
Hi Arvind,

You said the port was open so if it was a firewall filtering it by
source address then your scan would have shown a result of filtered or
closed depending on how the firewall was configured or if it was a
router acl. Regardless if it shows open and you are being denied then
you should try looking at it using a proxy such as Burp, paros, or
webscarab. When you make a GET request then you can see what error
code you get in response such as failed due to NTLM/Basic
authentication, directory listing denied, etc as most likely the
webserver or app is blocking you not a network firewall.

An ISA firewall blocked it. There were around 10 IP's which behaved
the exact same way. The ISA changed the IP each time in the error
message , each time I tried a new IP address. Error was 403 forbidden
through a browser and also through telnet to port 80(GET) and through
Burp as well. So I'm guessing I cannot access what there is on that
site.

It may even
be a web app thats root directory is not at your typical "/" but
somewhere else and there are no redirects setup for anyone requesting
the default root directory. Basically your most likely not being
blocked by a firewall but at the app layer by whatever web server is
running. So do I as I listed above and then also fingerprint the
device through various methods (telnet to port, nc to port, use
HTTPprint, etc). Once you have done this then put your results back
up here so we can give you a more educated answer.

I thought of that too. But if I keep getting a 403 on the root dir
itself, there's no hope of me trying to do a directory enumeration to
find out the actual app directory which might be:
http://2.4.5.6/APPLICATION ----------- instead of http://2.4.5.6
I even tried using DirBuster which predictably failed to go past the
root directory because it got the 403 first up. I did try telnetting,
not Netcat but got a 403 there too.

One question
though when you said below "So obviously there was some kind of IP
based restriction in place which said -- Only these IP's can connect
to whatever is running on port 80." did it actually display only these IP's x.x.x.x-x.x.x.x can connect or are you just making an educated guess?

Yeah it did. Kept changing the IP on screen. I checked every IP
manually as well.

As for why a company would want to do this there are many different
reasons. Until you know the basics such as what web platform (apache,
iis, etc) it is then at this point your just shooting in the dark. If
only port 80 is open then I hope for this companies sake its nothing
sensitive.

Thats what I want to know. A lot of guys here have responded by saying
there could be setups which certain clients want to be able to access
over the Internet/App thick clients/VPN's etc and not the whole
Internet. Is that the only reason possible? Or is there anything else.
I dont know whats running apart from guesses made by scanners.
Scanners are guessing Windows systems with IIS/Apache but thats about
it.

Lastly what else could I have tried anyway? Apart from running
Nikto/Nessus/XYZ vuln scanner.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------



Relevant Pages

  • Re: keeping ports open
    ... If a port is open, it means that 1) a software or service is running on your ... and 2) you're not using a firewall or your firewall isn't ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ...
    (microsoft.public.security)
  • Re: How to Maintain an IIS Server?
    ... > server running on a Windows 2000 server. ... before a firewall and antivirus have been installed]. ... open ports; however, this will not identify which program is using the port. ...
    (microsoft.public.inetserver.iis.security)
  • Re: CEICW fails at firewall config
    ... ISA Server prevents connection to a remote desktop when you connect through ... Remote Web Workplace on a Windows Small Business Server 2003-based computer ... Acceleration Server as a firewall. ... connection uses TCP port 4125. ...
    (microsoft.public.windows.server.sbs)
  • Re: How to Maintain an IIS Server?
    ... >> server running on a Windows 2000 server. ... > before a firewall and antivirus have been installed]. ... > program or executable using that port. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Is secedit.exe left by a hacker?
    ... > tested on port 445. ... > I have a Linksys router that I use as a firewall to my ... Secedit.exe is the name of a legitimate Windows file, ... investigate the files on your computer - antivirus with the latest updates ...
    (microsoft.public.win2000.security)