Penetration Testing mailing list archives
RE: Interesting challenge
From: "Pete Herzog" <pete () isecom org>
Date: Sat, 31 Jan 2004 00:58:22 +0100
Hi,
We are doing a pen test for a client and have run into an interesting situation. The client has a server running IIS and Exchange. We can get to it through a browser, but when we try to run Nessus or eEye Retina against it, neither product can find the server. The client is not running any IDS system and has a simple firewall. A port scan reveals no open port, though port 80 is open since the server is serving pages.
This is hard to answer because I'm not there. While I may try a few things while sitting there until it's figured out, I won't list them all here because I won't think of them all right now.

1. Are you connecting to the domain or the IP? Make sure the scope is right. Are you testing from behind a firewall yourself, or using an ADSL connection that may be proxying port 80? Check your own network first. Avoid NATing your own attack server for best results. And are your tools returning nothing because they scan on ping and the system isn't pingable? In strange situations, consider your network and your tool configurations first.

2. NMAP is good for this, but verify the returned packets with either TCPDUMP or the --packet_trace flag to verify what, if anything, is being returned. Do this for port 80 but also about 10 other possible, likely ports (21, 22, 23, 25, 80, 110, ...) to see if anything comes back. What are you getting back?

3. What about HTTPS? Can you connect to 443 and get served HTTPS pages? STUNNEL and netcat may show you something. Or you can point Nessus and eEye at 443 instead and see what jumps out.

4. Where nc is netcat, webaddress is the host name (not the IP address) and IP is the IP address, watch tcpdump for responses (mostly resets) as well and try:

   echo -e "GET / HTTP/1.1\r\nHost: webaddress\r\n\r\n" | nc webaddress 80
   echo -e "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n" | nc webaddress 80
   echo -e "GET / HTTP/1.1\r\nHost: IP\r\n\r\n" | nc webaddress 80
   echo -e "GET / HTTP/1.1\r\nHost: webaddress\r\n\r\n" | nc IP 80
   echo -e "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n" | nc IP 80
   echo -e "GET / HTTP/1.1\r\nHost: IP\r\n\r\n" | nc IP 80

   Which responded, and how? Nothing? Something? Repeat with OPTIONS / and HEAD /, depending on the level of info returned, to see what you're dealing with and if you're being cut off on purpose. You may also want to try HTTPS with stunnel running.

5. Try Nikto. If there really is no active NIDS, it should start the scan and continue. An active NIDS may either send resets or just cut you off shortly before the 5th directory attempted.

6. If you are only checking port 80 and no other ports, you could be seeing a blocking of non-browser, or more likely, non-IE connections. You may consider that when you connect with netcat, you mimic the full IE send headers and see what you get. Like:

   nc www.domain.com 80
   GET / HTTP/1.1
   Accept: image/gif, image/x-xbitmap, image/jpeg, */*
   Accept-Language: en-us
   Accept-Encoding: gzip, deflate
   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
   Host: www.domain.com
   Proxy-Connection: Keep-Alive
   (then an empty line to end the headers)

Finally, it's also possible you will be going the manual route. Load up your favorite HTTP proxy spy and manipulator and hold your nose because it's time to get in and get wet.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
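An added example, not part of Pete's post or any ISECOM tool, that automates the Host and User-Agent variations from points 4 and 6 above and records what each one gets back. The target is a constructed stand-in server on loopback that answers only a browser-looking User-Agent on the expected Host and silently closes everything else, so the script runs offline; EXPECTED_HOST and the port are placeholders. Telling a real status line apart from a bare close, a reset or a timeout is what separates "the box filters non-browser traffic" from "the box is unreachable".

```python
import socket
import threading

EXPECTED_HOST = "www.example.test"  # constructed vhost name, a placeholder
BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

def build_request(host, user_agent=None, method="GET"):
    """Minimal HTTP/1.1 request: CRLF line endings, no leading spaces on headers."""
    lines = [f"{method} / HTTP/1.1", f"Host: {host}", "Connection: close"]
    if user_agent:
        lines.insert(2, f"User-Agent: {user_agent}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
def probe(addr, host, user_agent=None):
    """Send one request; report the status line, a silent close, a reset or a timeout."""
    with socket.create_connection(addr, timeout=3) as s:
        s.sendall(build_request(host, user_agent))
        data = b""
        try:
            while chunk := s.recv(4096):
                data += chunk
        except (ConnectionResetError, socket.timeout) as e:
            return type(e).__name__   # RST from an inline filter, or silently dropped
    # FIN with no bytes: the peer accepted the connection but never answered
    return data.split(b"\r\n", 1)[0].decode(errors="replace") if data else "closed-without-reply"
def _filtering_server(srv):
    """Constructed stand-in: only a browser-looking UA on the expected Host gets an answer."""
    while True:
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(4096).decode(errors="replace")
            hdrs = dict((k.strip().lower(), v.strip()) for k, v in
                        (l.split(":", 1) for l in req.split("\r\n")[1:] if ":" in l))
            if hdrs.get("host") == EXPECTED_HOST and "MSIE" in hdrs.get("user-agent", ""):
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
def start_server():
    """Listen on an ephemeral loopback port and serve in a daemon thread; returns (ip, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    threading.Thread(target=_filtering_server, args=(srv,), daemon=True).start()
    return srv.getsockname()
def run_matrix(addr):
    """The Host x User-Agent matrix from the post, run against one target."""
    return {"vhost+browser": probe(addr, EXPECTED_HOST, BROWSER_UA),
            "vhost+bare": probe(addr, EXPECTED_HOST),
            "ip+browser": probe(addr, addr[0], BROWSER_UA)}

if __name__ == "__main__":
    for case, result in run_matrix(start_server()).items():
        print(f"{case:14} -> {result}")
```

Against a real host, replace start_server() with the target's (host, port) and compare the rows with what tcpdump shows on the wire.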