RE: Exhange 2003

["Bowden, Sean" <sean.bowden () cendian com>]

We have Exchange 2003 in our dmz and had to disable the fixup for smtp and ils.
 
no fixup protocol ils
no fixup protocol smtp
 
 

________________________________

From: Zach Forsyth [mailto:Zach.Forsyth () kiandra com]
Sent: Thu 3/4/2004 5:04 PM
To: pen-test () securityfocus com
Subject: RE: Exhange 2003



Is the PIX smtp fixup protocol enabled?
I have seen some very weird things when investigating network issue and
there is a PIX with smtp fixup somewhere in between.
If it is enabled, then do a couple of tests with it switched off.

Just a thought.

Cheers

Zach

> -----Original Message-----
> From: John Swope [mailto:johns () akorn net]
> Sent: Thursday, 4 March 2004 16:09 PM
> To: pen-test () securityfocus com
> Subject: RE: Exhange 2003
>
> All,
>
> I work for an enterprise email security company and saw
> something rather odd just the other day and this might be related.
>
> I was troubleshooting a customer's mail environment, they
> were an Exchange shop and our appliance is Unix based.  I was
> noticing a 5 second delay between when I telnetted to port 25
> and when the Exchange server actually presented it's 220 banner.
>
> Odd, hosts were connected via 100 Base-T, exchange server was
> not overloaded. No lost packets.  What gives...
>
> Ran tcpdump -X -s1600 host exchange.customer.com
>
>
> Notice, no restriction on ports or types of traffic just on host...
>
>
> I noticed the Exchange server was performing 3 NBT broadcasts
> to try to resolve the LMHOST name of my box.  Naturally it
> did not work because I'm a Unix box not running Samba.
>
> So, could the exchange server in your case be doing the same?
>  Would it explain the results?  Is the PIX allowing all
> traffic from Exchange to external network?  I realize that I
> was seeing broadcast traffic and one of the posts in the
> thread mentioned the boxes are separated by a PIX, just
> throwing this in as something worth checking...
>
> HTH,
> BJ
>
> At 05:45 AM 03/03/04, Deniz CEVIK wrote:
>
> >         Hi all,
> >
> > This host is behind the cisco pix firewall. I have scanned this host
> > using several portscan tools. These tools show that only two
> ports are
> > open. (SMTP and POP3). Strange think is, if you don't
> establish the TCP
> > connection to one of these open ports, before run the
> "nbtstat" command, you get nothing.
> > But if you open a tcp connection and after that run nbtstat command,
> > you can see the details of netbios information of machine.
> >
> > Nbtstat command is sending packets to udp 137 port of
> destination. As
> > far as I see, firewall is accepting udp packets, if there is an
> > established tcp connection from same source to same
> destination as in
> > udp connection request. I think there is a configuration
> problem in the customer firewall.
> > For further analysis I requested firewall configuration and logs.
> >
> > Thanks for your helps.
> >
> > PS: HADXM is the hostname of the machine. I have modified some
> > information in outputs before I posted the message.
> >
> > BR.
> >
> >
> > -----Original Message-----
> > From: jamesworld () intelligencia com
> > [mailto:jamesworld () intelligencia com]
> > Sent: Wednesday, March 03, 2004 4:17 AM
> > To: Deniz CEVIK
> > Cc: pen-test () securityfocus com
> > Subject: Re: Exhange 2003
> >
> > Did you try
> >
> > netstat -an
> >
> > And see what ports were listening?
> >
> > Is there a local IP filtering policy active? You mentioned
> only 2 ports
> > as being active 25 and 100.  Perhaps there is a local IP policy only
> > allowing those ports.  Perhaps the port 100 was supposed to
> be port 110
> > for POP3 mail access and they typod the entry.  Good of you to find
> > their misconfiguration for them :-)
> >
> > Did you run fport (foundstone)?  If you've never used fport,
> you should
> > add it to your arsenal.
> >
> > Hopefully HADXM is the username that you are using.  If not,
> look into
> > the host being compromised.
> >
> > If you have more, post it to us.
> >
> > Cheers,
> > -James
> >
> > At 08:29 03/02/2004, Deniz CEVIK wrote:
> > > Hi All,
> > >
> > > While we are testing our customer network, we faced with
> strange problem.
> > We
> > > are testing exchange 2003 server externally. When we
> controlled open
> > > services with port scan, I saw that only two ports (25 and
> 100) are
> > > shown
> > as
> > > open. Before I run the portscan, I have controlled the server with
> > "nbtstat"
> > > command of windows. It returned error messages as below.
> > >
> > > nbtstat -A EXCH_IP
> > >
> > > Local Area Connection:
> > > Node IpAddress: [MY_MACHINE] Scope Id: []
> > >
> > >     Host not found.
> > >
> > > After the port scan is finished, in order to see the banner
> > > information of mail server, I opened the connection to
> port 25 using
> > > telnet command
> > (telnet
> > > EXCH_IP 25). Same time when I run "nbtstat -A" command
> from another
> > > window by mistake and I saw that below output.
> > >
> > > nbtstat -A EXCH_IP
> > >
> > > Local Area Connection:
> > > Node IpAddress: [MY_MACHINE] Scope Id: []
> > >
> > >            NetBIOS Remote Machine Name Table
> > >
> > >        Name               Type         Status
> > >     ---------------------------------------------
> > >     HADXM           <1F>  UNIQUE      Registered
> > >     HADXM           <00>  UNIQUE      Registered
> > >     HADXM           <20>  UNIQUE      Registered
> > >     EXCHANGE        <00>  GROUP       Registered
> > >     EXCHANGE        <1C>  GROUP       Registered
> > >     EXCHANGE        <1B>  UNIQUE      Registered
> > >     EXCHANGE        <1E>  GROUP       Registered
> > >     HADXM           <03>  UNIQUE      Registered
> > >     ADMINISTRATOR   <03>  UNIQUE      Registered
> > >     EXCHANGE        <1D>  UNIQUE      Registered
> > >     ..__MSBROWSE__. <01>  GROUP       Registered
> > >     HADXM           <6A>  UNIQUE      Registered
> > >     HADXM           <87>  UNIQUE      Registered
> > >
> > >     MAC Address = MAC_ADDRESS_OF_EXCHANGE
> > >
> > > If there isn't any connection to open port of the server you can't
> > > see this nbtstat outputs.
> > >
> > > Has any body faced with same situations before?
> > >
> > > BR
> >
> > ---------------------------------------------------------------------
> > > ------ Free 30-day trial: firewall with virus/spam protection, URL
> > > filtering, VPN, wireless security
> > >
> > > Protect your network against hackers, viruses, spam and
> other risks
> > > with Astaro Security Linux, the comprehensive security
> solution that
> > > combines six applications in one software solution for ease of use
> > > and lower total cost
> > of
> > > ownership.
> > >
> > > Download your free trial at
> > > http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
> >
> > ---------------------------------------------------------------------
> > > ------
> > -
> >
> >
> > -------------------------------------------------------------
> ----------
> > ---- Ethical Hacking at the InfoSec Institute. Mention this
> ad and get
> > $545 off any course! All of our class sizes are guaranteed to be 10
> > students or less to facilitate one-on-one interaction with
> one of our
> > expert instructors.
> > Attend a course taught by an expert instructor with years of
> > in-the-field pen testing experience in our state of the art hacking
> > lab. Master the skills of an Ethical Hacker to better assess
> the security of your organization.
> > Visit us at:
> > http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040303
> > -------------------------------------------------------------
> ----------
> > -----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------