Re: Inaccessible Port 80 - Pentest

["kevin horvath" <kevin.horvath () gmail com>]

Hi Arvind,

You said the port was open so if it was a firewall filtering it by
source address then your scan would have shown a result of filtered or
closed depending on how the firewall was configured or if it was a
router acl.  Regardless if it shows open and you are being denied then
you should try looking at it using a proxy such as Burp, paros, or
webscarab.  When you make a GET request then you can see what error
code you get in response such as failed due to NTLM/Basic
authentication, directory listing denied, etc as most likely the
webserver or app is blocking you not a network firewall.  It may even
be a web app thats root directory is not at your typical "/" but
somewhere else and there are no redirects setup for anyone requesting
the default root directory.  Basically your most likely not being
blocked by a firewall but at the app layer by whatever web server is
running.  So do I as I listed above and then also fingerprint the
device through various methods (telnet to port, nc to port, use
HTTPprint, etc).  Once you have done this then put your results back
up here so we can give you a more educated answer.  One question
though when you said below "So obviously there was some kind of IP
> based restriction in  place which said -- Only these IP's can connect
> to whatever is running on port 80." did it actually display only these IP's x.x.x.x-x.x.x.x can connect or are you 
> just making an educated guess?

As for why a company would want to do this there are many different
reasons.  Until you know the basics such as what web platform (apache,
iis, etc) it is then at this point your just shooting in the dark.  If
only port 80 is open then I hope for this companies sake its nothing
sensitive.

On Thu, Aug 7, 2008 at 11:45 PM, arvind doraiswamy
<arvind.doraiswamy () gmail com> wrote:
> Hey Guys,
> Very recently we did a PenTest for a client where we came across a
> strange(atleast to me) situation. Had an IP block which on scanning
> revealed only port 80 open which sounded ok. Any kind of requests
> though from the external world - I tried from multiple IP's and even
> through TOR were blocked by a firewall which kept displaying its
> custom "Access denied" page. So obviously there was some kind of IP
> based restriction in  place which said -- Only these IP's can connect
> to whatever is running on port 80. No problems till here.
>
> My question is: Why would anyone want to  have a live server on the
> Internet, open one port on it and then block it from public use?
> Obvious answers that sprung to mind were:
> a) Maybe its an internal server running a web app to be accessed only internally
>           ----- So why is it public , in the DMZ then? Shouldnt it be
> on the internal network?
> b) Maybe some hosts/apps on the internal network needed to connect to
> port 80 of a DMZ server before going out?
>          ------ Then again why is it public. These servers could be
> placed on an internal segment and the traffic could be NATTEd before
> it goes out like all other Internet destined traffic. And Secondly I
> am not able to think of a situation like this --- What traffic apart
> from a proxy could behave this way --- where I have -- Internal IP
> -------> DMZIP:80 ---------> Internet ? And mind you this wasnt just 1
> IP - there were many, so I'm quite sure I've missed something.
>
> What are your thoughts?
>
> Thnx
> Arvind
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------