From: Ward, Jon (jonward@bellsouth.net)
Date: Thu Mar 04 2004 - 16:59:04 EST
Did someone say there was a firewall in the middle somewhere?
This behavior seems plausible if there's a stateful firewall in the
middle that's at first doing what it's supposed to do by not allowing
any packets to the Windows box excepting TCP/25 and TCP/100. That being
the case, then clearly, you won't get anything back from an nbtstat,
because that's the firewall's job. If this is truly the case that the
firewall isn't supposed to allow NBT traffic, then the question is "Why
does it allow it after there's a connection?". If there's a firewall,
it sounds like a problem in the stateful inspection part of the
firewall. The firewall would disallow at first, then allow a legitimate
connection, then allow an illegitimate connection because a state
already exists.
This is just brainstorming, of course, but is there a firewall in the
middle? I think I missed that part of the discussion.
Jon
-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger@badenit.de]
Sent: Thursday, March 04, 2004 06:24
To: xterrabart@comcast.net; pen-test@securityfocus.com;
deniz@edizayn.com.tr
Subject: RE: Exchange 2003
Hi all,
if this is a production server, the symptom is almost unimaginable. I
have been unable to reproduce the behavior except by shutting down the
network cards, doing an nbtstat, then restarting them and doing it
again. If I disable netbios over tcp/ip, then I get the following
excerpt:*
(* I am preceding the cmd.exe output with #, for clarity.
also, all of these tests are being done on win2k3 enterprise
server, without exchange 2003 on it. It is entirely possible
that the results would look different on an exchange server,
however, I doubt it)
# Administrator@flytrap / $ nbtstat -A 10.53.2.69
#
# Local Area Connection:
# Node IpAddress: [10.53.2.69] Scope Id: []
#
# Host Not Found
#
# Local Area Connection 2:
# Node IpAddress: [0.0.0.0] Scope Id: []
#
# Host Not Found
No matter how many connections I build, I cannot get any names in that
table. (Which makes sense, seeing as nbt is disabled)
Assuming that NetBios is not disabled, then the 'Remote Machine Name
Table' (nbtstat -c / nbtstat -A ${IP_ADDR} will show it) always includes
at least the following entries:
# Administrator@flytrap / $ nbtstat -A 10.53.2.69
#
# Local Area Connection:
# Node IpAddress: [10.53.2.69] Scope Id: []
#
# NetBIOS Remote Machine Name Table
#
# Name Type Status
# ---------------------------------------------
# FLYTRAP <00> UNIQUE Registered
# FLYTRAP <20> UNIQUE Registered
# HONEYNET <00> GROUP Registered
# HONEYNET <1E> GROUP Registered
# HONEYNET <1D> UNIQUE Registered
# ..__MSBROWSE__.<01> GROUP Registered
#
# MAC Address = 00-04-75-AF-93-7B
#
#
# Local Area Connection 2:
# Node IpAddress: [0.0.0.0] Scope Id: []
#
# Host not found.
As I mentioned yesterday, the 0x00 and 0x20 entries are from the
workstation and server services. The 0x1e and 0x1d are the
domain/workgroup. (In an NT Domain these can include 0x1b and 0x1c as
well and I think even 0x1a. Don't be alarmed if your 0x1* entries are
different.) I am not aware of any windows hardening technique (I am NOT
a windows super-guru, so it is entirely possible that such techniques
exist, or are even common practice) which shuts off the workstation AND
server services, while leaving netbios itself active.
Even if exchange is in a DMZ somewhere, and cannot talk to any other
windows system, it MUST have its own workgroup (in BR's case EXCHANGE,
as evidenced by the 0x1b, 0x1c and 0x1e entries) because it's wintendo,
so that will also not explain why the entries are missing.
Where is this all leading? I think that
1) the exchange server may have serious problems if its nbtcache
doesn't even know its own name
2) I need to see the results of nbtstat -c, nbtstat -S, nbtstat
-n and nbtstat -r to have an idea of what's b0rked
3) if this is some hardening technique I would be grateful to
anyone who can provide a link or an explanation of what's happening to
this guy
4) if this host is multihomed (say like 3 NIC's) I could imagine
that you are pulling nbtstat -A on the wrong one. Remember: nbtstat -A
is designed to see REMOTE name tables. The c, S, n and r switches are
for local stuff. It IS possible that the exchange server is somehow
unwilling to give that information out to just anyone without a
connection. I am also not sure how nbtstat behaves when called by an
unprivledged user. Another interesting question would be to know what
user you are using, if it is the true administrator (uid 500) or if it
is someone else.
So, to you BR, can you provide more information? I had been assuming
that you were local (with telnet) on the exchange, and had been running
nbtstat that way. If your last post should be interpreted to mean that
you were running nbtstat -A through the firewall, then more ports must
be open. You can't run netbios commands over smtp or pop3. I suspect
your analysis is right that a session with one port was opening the
firewall completely between those two hosts.
Questions:
1 Are you local on the box?
2 Can you give us the output of the above mentioned netbios commands,
before and after you build a telnet connection*?
3 What is the firewall config telling you, are you hitting the exchange
through the firewall, or are you local? *By 'telnet connection' do you
mean a connection to the telnet service, or a connection using telnet to
the listeners on sockets 25 and 110? 4 Do you have any idea how
exotically this exchange is configured? 5 What is the output of nbtstat
-A ${FW_IP} ?
Maybe you are hitting static port forwarding or something like that, and
it just looks like you're getting to the exchange. (Because you modified
the output, I cannot be 100% sure based on your nbtstat output what I'm
seeing)
Ok guys, I never meant to write a book here, so I'll stop now,
Cheers,
Chris
-----Original Message-----
From: xterrabart@comcast.net [mailto:xterrabart@comcast.net]
Sent: Wednesday, March 03, 2004 4:50 PM
To: pen-test@securityfocus.com
Subject: Exchange 2003
Here is my interpretation of BR's original post since there seems to be
some confusion on what the scenario is...
I believe they are explaining that they attempted to run an NBTSTAT
against one of their Exchange servers and received a Host Not Found
error, but ran it again after making a telnet connection to the Exchange
server on 25/tcp, and received the correct information. The question
was if anyone else has experienced this?
I hope this better explains their question...That is if I am correct in
my understanding of it.
------------------------------------------------------------------------
--- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040303 ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ----
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:49 EDT