From: Ronen Gottlib (ronen@avnet.co.il)
Date: Fri Jun 27 2003 - 04:54:26 EDT
Hi All,
I am pen testing a windows 2000 advanced server, with some kind of
management and control software (e.g. Tivoli, Netcool). The system has
IIS 6.0 running with lockdown enabled.
When I tried to run nessus, my ip was blocked for quite a long time.
same happened with nikto.
Further more, although quite a few ports were found to be open on the
remote machine, the management and control application is blocking the
most of them while allowing access only to the following: 21, 23(ms
telnet server), 25(Microsoft ESMTP MAIL Service, Version:
6.0.2600.1106), 80 (Microsoft-IIS/6.0), 110 (Microsoft Windows POP3
Service Version 2.0), 3389.
The system is also running Hummingbird Exceed.
Does anyone have any idea? I've kind of reached a dead end.
Below is the results of an Nmap, if it helps.
Thank you very much for your help-
Ronen.
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
98/tcp open linuxconf
110/tcp open pop-3
111/tcp open sunrpc
135/tcp open loc-srv
143/tcp open imap2
161/tcp open snmp
443/tcp open https
1080/tcp open socks
1433/tcp open ms-sql-s
1494/tcp open citrix-ica
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
3389/tcp open ms-term-serv
4000/tcp filtered remoteanything
5135/tcp open unknown
5631/tcp open pcanywheredata
5632/tcp open pcanywherestat
5900/tcp open vnc
6112/tcp open dtspc
6660/tcp filtered unknown
6661/tcp filtered unknown
6662/tcp filtered unknown
6663/tcp filtered unknown
6664/tcp filtered unknown
6665/tcp filtered unknown
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered unknown
8875/tcp filtered unknown
28900/tcp filtered unknown
---------------------------------------------------------------------------
Latest attack techniques.
You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.
Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT