RE: Interesting challenge

["Pete Herzog" <pete () isecom org>]

Hi,

> We are doing a pen test for a client and have run into a interesting
> situation. The client has a server running IIS and Exchange we
> can get to it
> through a browser but when we try to run Nessus or Eeye Retina against it,
> neither product can find the server. The client is not running any IDS
> system has a simple firewall. A port scan revels no open port
> though port 80
> is open since the server is serving pages.

This is hard to answer because I'm not there.  While I may try a few things
while sitting there until it's figured out, I won't list them all here
because I won't think of them all right now.

1. Are you connecting to the domain or the IP?  Make sure the scope is
right. Are you testing from behind a firewall yourself or using an ADSL
connection that may be proxying port 80?  Check your own network first.
Avoid NATing your own attack server for best results.  And are your tools
returning nothing because it's scan on ping and the system isn't pingable?
In strange situations, consider your network and your tool configurations
first.

2. NMAP is good for this but verify the returned packets with either TCPDUMP
or the --packet_trace flag to verify what, if anything, is being returned.
Do this for port 80 but also about 10 other possible, likely ports
(21,22,23,25,80,110....) to see if anything comes back.  What are you
getting back?

3. What about HTTPS?  Can you connect to 443 and get served HTTPS pages?
STUNNEL and netcat may show you something.  Or you can point nessus and eeye
at 443 instead and see what jumps out.

3. Where nc is netcat and webaddress is not the IP address and IP is, watch
tcpdump for responses (mostly resets) as well and try:

echo -e "GET / HTTP/1.1\n HOST: webaddress \n\n" | nc webaddress 80
echo -e "GET / HTTP/1.1\n HOST: 127.0.0.1 \n\n" | nc webaddress 80
echo -e "GET / HTTP/1.1\n HOST: IP \n\n" | nc webaddress 80
echo -e "GET / HTTP/1.1\n HOST: webaddress \n\n" | nc IP 80
echo -e "GET / HTTP/1.1\n HOST: 127.0.0.1 \n\n" | nc IP 80
echo -e "GET / HTTP/1.1\n HOST: IP \n\n" | nc IP 80

Which responded and how?  Nothing? Something?  Repeat with OPTIONS / and
HEAD / depending on level of info returned to see what you're dealing with
and if you're being cut off on purpose.  May also want to try HTTPS with
stunnel running.

4. Try Nikto.  If there really is no active NIDS, it should start the scan
and continue.  An active NIDS may either send resets or just cut you off
shortly before the 5th directory attempted.

5. If you are only checking port 80 and no other ports, you could be seeing
a blocking of non-browser, or more likely, non IE connections.  You may
consider that when you connect with netcat, mimic the full IE send headers
and see what you get.  Like:

nc www.domain.com 80
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.4322)
Host: www.domain.com
Proxy-Connection: Keep-Alive
\n\n

Finally, it's also possible you will be going the manual route.  Load up
your favorite HTTP Proxy spy and manipulator and hold your nose because it's
time to get in and get wet.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org


---------------------------------------------------------------------------
----------------------------------------------------------------------------