
Thread: Now I'm curious.... And I need your help....

  1. #31
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Your reply kind of looks like what I see.... The ports being scanned _tend_ to be "common" ports to scan for vulnerabilities.... I need to spend more time looking at the dumps but I get the impression they are using a port list to speed up the scan, (makes them look good, (quick scan), finds the huge holes, thus makes them money)
    Well given that the scans are Nessus and Nmap standard scans I'm not surprised that they are common ports. This isn't a unique scanning tool. Heck, GRC has more of a unique signature in his scans than these guys do. Also, their FAQ identifies that the Basic scan does 1500 ports and takes about 10 minutes (load of crap -- took a good hour on my setup).

    I suspect that if the tcpdump logs I posted were analyzed they'd probably match one or both of those tools in patterns. To me, it strikes me as a scam to take advantage of those that don't understand and to further "FUD" with those that truly don't understand. Although I have to admit as to wonder which is worse: taking advantage of those who don't understand or being one of those unwilling to investigate and not understand.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #32
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey


    3. HT: Trustix? What is it? Is it possible it shows as a WinX box? Were you in the DMZ? It never found your apache server on 31337 but it reported one on 80? Do you have Domino on that box..... Did it crash? They said "It _was_ possible".... That implies they tried it and it worked.... maybe I'm missing something but how can you determine that a box can be exploited without actually trying it, (other than version info etc. which they seem not to be able to provide).

    Trustix = Secure Linux Server Solution. I was demoing it for some servers I maintain, but as they also need to be working shells, and trustix has too much removed I determined it wasn't effective for my purpose, but as a stand alone server it takes the cake.. http://www.trustix.net

    As for showing as a Windows box, it shouldn't have. It's a Linux Distro. As for the DMZ, yes the box is on the DMZ, so Ports 12345 and 31337 should have directed to Trustix and everything else should have gone to WinXP. I suppose for that reason the fingerprint is accurate. Yet it still shocks me that it didn't find apache on port 31337. I don't have Domino on the box, so they didn't crash it.

    Here are the results of an nmap scan against the box:
    The service scan took 81 seconds to scan 4 services on 1 host.
    Interesting ports on Toronto-HSE-pppXXXXXXXX.sympatico.ca (6X.95.XX.XX):
    (The 1648 ports scanned but not shown below are in state: filtered)
    PORT STATE SERVICE VERSION
    80/tcp open http?
    113/tcp closed auth
    135/tcp closed msrpc
    137/tcp closed netbios-ns
    138/tcp closed netbios-dgm
    139/tcp closed netbios-ssn
    445/tcp closed microsoft-ds
    593/tcp closed http-rpc-epmap
    5000/tcp open upnp Microsoft Windows UPnP
    12345/tcp open ssh OpenSSH 3.8p1 (protocol 2.0)
    31337/tcp open http Apache httpd
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port80-TCP:V=3.50%D=4/19%Time=40845DFA%P=i686-pc-linux-gnu%r(GetRequest
    SF:,40,"HTTP/1\.0\x20404\x20Not\x20Found\r\nConnection:\x20close\r\nX-Junk
    SF::\x20xxxxxxxxx\r\n\r\n")%r(Help,E,"\xc9y\)t>\xc8\x01f\xc0m\xa2\0G/")%r(
    SF:LPDString,E,"%\x94\xe5\xae\xf9\xd3C\x98C\xa1\+\x9fW\xdd");
    I'm honestly not real sure what is running on port 80. I'll have to check it out when I get home (currently I'm at work) -- (as well as disable UPnP which I thought I had done...)... I'm also not sure why they are open, I have ZoneAlarm blocking them, maybe it's time to stop letting the gf play with my PC hehe... Anyways... I'll check out what's running on port 80 when I get home.

    Peace,
    HT
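
    The fingerprint block nmap printed in HT's post above is machine-readable, and decoding it shows exactly why nmap gave up on port 80: the GetRequest probe got a well-formed HTTP 404, but the other probes got short runs of bytes that look nothing like HTTP. The decoder below is an added example written for this thread, not code from the post or from nmap. It takes the `SF-PortNN-PROTO:` / `SF:` continuation lines, reassembles them, and unescapes each `%r(probe,hexlen,"data")` entry. The escaping rules it applies (`\xHH` is a raw byte, `\r \n \t \0` are controls, any other backslashed character such as `\.` `\+` `\)` is that character literally) are my reading of nmap's fingerprint format and are an assumption here, as is treating the length field as hexadecimal; the decoded lengths matching the declared ones (0x40 = 64 and 0xE = 14) is the check that the assumption holds for this sample.

```python
import re

# Added example, not code from the post: a decoder for the service fingerprint
# that Nmap prints when a probe returns data it cannot match. The sample below is
# the fingerprint HT pasted above; the host name and the X-Junk value were masked
# by the poster, not by this script.
SAMPLE_FP = r"""
SF-Port80-TCP:V=3.50%D=4/19%Time=40845DFA%P=i686-pc-linux-gnu%r(GetRequest
SF:,40,"HTTP/1\.0\x20404\x20Not\x20Found\r\nConnection:\x20close\r\nX-Junk
SF::\x20xxxxxxxxx\r\n\r\n")%r(Help,E,"\xc9y\)t>\xc8\x01f\xc0m\xa2\0G/")%r(
SF:LPDString,E,"%\x94\xe5\xae\xf9\xd3C\x98C\xa1\+\x9fW\xdd");
"""

# Escaping rules as I understand Nmap's fingerprint format (assumption, not taken
# from the post): \xHH is a raw byte, \r \n \t \0 are the usual controls, and any
# other backslashed character (regex metacharacters such as \. \+ \) and \") is
# that character literally.
_ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)', re.S)
_CTRL = {'r': b'\r', 'n': b'\n', 't': b'\t', '0': b'\0'}
_RESP_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)', re.S)


def unescape(s: str) -> bytes:
    """Turn one escaped probe-response string back into the bytes on the wire."""
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(s):
        out += s[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            ch = m.group(2)
            out += _CTRL.get(ch, ch.encode('latin-1'))
        pos = m.end()
    out += s[pos:].encode('latin-1')
    return bytes(out)


def parse_fingerprint(text: str) -> dict:
    """Join the SF-/SF: lines and split out header fields and probe responses.

    The length field of each %r(...) entry is hexadecimal; a mismatch with the
    decoded payload means the paste was damaged or the escaping was misread.
    """
    joined, port, proto = '', None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r'SF-Port(\d+)-(TCP|UDP):(.*)', line)
        if m:
            port, proto, joined = int(m.group(1)), m.group(2), m.group(3)
        elif line.startswith('SF:'):
            joined += line[3:]
        else:
            raise ValueError(f'not a fingerprint line: {line!r}')
    if port is None:
        raise ValueError('no SF-Port header found')
    head, _, rest = joined.rstrip(';').partition('%r(')
    header = dict(kv.split('=', 1) for kv in head.split('%') if kv)
    responses = {}
    for name, hexlen, payload in _RESP_RE.findall('%r(' + rest):
        data = unescape(payload)
        if len(data) != int(hexlen, 16):
            raise ValueError(f'{name}: declared {int(hexlen, 16)} bytes, got {len(data)}')
        responses[name] = data
    return {'port': port, 'proto': proto, 'header': header, 'responses': responses}


def explain(fp: dict) -> list:
    """One line per probe: what came back, and whether it looks like HTTP."""
    lines = []
    for name, data in fp['responses'].items():
        kind = 'HTTP status line' if data.startswith(b'HTTP/') else 'non-HTTP bytes'
        lines.append(f'{name:<10} {len(data):>3} bytes  {kind}: {data[:40]!r}')
    return lines


if __name__ == '__main__':
    fp = parse_fingerprint(SAMPLE_FP)
    print(f"port {fp['port']}/{fp['proto']}, nmap {fp['header']['V']}, scanned {fp['header']['D']}")
    print('\n'.join(explain(fp)))
```

    Run against the pasted fingerprint it reports one 64-byte HTTP 404 and two 14-byte responses of what looks like random binary, which is the pattern of a service speaking HTTP only on a real request and answering everything else in its own protocol. HT's later post identifies it as Skype falling back to port 80; nmap's `http?` was the honest answer given those three responses.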

  3. #33
    Senior Member
    Join Date
    Feb 2004
    Posts
    373
    Hello,

    A manual review of your audit results has been conducted
    by SecuritySpace staff. As indicated by the current
    report on-line, we were not able to find any High or
    Medium Risk problems during the course of the audit.

    Congratulations! We have marked the report as fully
    viewable.

    We hope you found this service useful. If you have any
    recommendations on how we can improve it, or have any
    questions, please feel free to contact us by any of
    the following means:

    Email: general@securityspace.com
    Telephone: 1-800-799-4831 (North America)
    (905) 331-2260

    --
    SecuritySpace Support

    I guess I am good to go, no major problems.

  4. #34
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    Here's the last update, port 80 is open on my PC, it's being used by Skype to accept connections. One of the options is use port 60000 and some, but since I have that blocked it's using the alternative which is port 80. That's probably why they couldn't determine what it was.


    As a side note, I highly recommend Skype to people.. it's VoIP software and it's quite nice and works really well (http://www.skype.net).
    Peace,
    HT

  5. #35
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    4. Jinx: It missed 3 open ports, 7224-7226..... You sure they respond to any old connection attempt?
    Can't give you an answer to that as I don't know.

    As MsM said

    just a little lame NetGear router that seems to be less lame now)
    Although mine is firewalled. Rule is set to allow incoming connections always, service name BitTorrent. So is the router intelligent enough to know that the connection attempt isn't BitTorrent??

  6. #36
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok, you have a software firewall, you have BitTorrent set to other than the default ports and the firewall set to accept connections to the process from the internet. That being the case the firewall should be recognizing the open ports as being managed by BitTorrent and allowing them in.

    Thus, the implication is, the scan didn't include your ports..... Therefore the scan is incomplete proving again that the scan is incomplete..... I suspect they do this for speed to be honest.... When they hit a firewall it seems to take about 8 times as long as it does on an open box. That's fair I suppose.... If we all went and presented them with a firewalled box at the same time we could end up DoSing them....

    Thanks.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #37
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Okay..... I took my entire logs for the day and time that the original scan was done against my Mailserver because that's the most complete set of logs in a format that I am Ohhhh so familiar with.....

    To recap the box itself:

    1. It's a standard Win2k server, SP2, all patches
    2. It is only allowed to accept connections from anywhere on ports 21, 25, 80 and 3389 due to the IP filtering I have in place.
    3. The firewall blocks all but 21 and 25 to that box from the public network.
    4. Port 80 is closed on that box at present.
    5. Port 3389 can only be accessed from a short list of machines on the trusted network, (this box is in the DMZ).
    6. Port 25 is managed by Microsoft's SMTP server under IIS 5. No effort has been made to hide this.
    7. Port 21 is managed by a proprietary FTP server, fully patched, no attempt made to obfuscate the system, (but apparently I did after further tests against a default install of the FTP server....)

    I have attached just the Snort portions of the logs available to me so that you can see what they "threw" at me. The Snort box is outside the firewall so what it reports is the unfiltered "attacks"/areas of concern. I really don't want to post the entire log for the period since it shows only too well almost the entire security stance of the gateway itself which would be a cracker's dream..... It would take me too long to properly clean it up and I'd probably still miss some important things so you'll just have to trust me....

    Points I noted with the benefit of the input got from you good folks, Ms. M's dump and my logs:

    1. The scan is far from thorough. It missed a web server on HT's box on port 31337. Funnily enough it didn't scan 31337 or 1337 on my box either. I dunno, but you would have to think that these ports should be included if only for the "joke factor", (read: skiddie). It missed Jinxy's ports 7224-7226 too. It didn't scan those on my box either. Snort's portscan preprocessor reported a total of 3753 ports scanned in three separate scanning attempts. Generously allowing for duplicates let's say it scanned 3500 unique ports - we are looking at around 5% of the total portspace... It's hardly surprising they miss some.....

    2. Mox's NTP server isn't a "real" server. When I ran the scan against my XP box with no firewall, (Mox, you were in the DMZ you said so you are unfirewalled), it also found an NTP server.... I think the box is just responding with a request for its system time and they report that as a server - Comments anyone.

    3. They threw a lot of stuff at the box as the snort log shows. What doesn't show is a lot of the other stuff that snort doesn't pick up but that other systems did. Those systems mitigated the threat automatically in different ways that show up in my complete log. Interestingly enough some of the things that were mitigated they reported as having been successful. (Note: I take the phrase "It was possible to" to mean they succeeded). Attempted buffer overflows were clearly stripped out before reaching the server on several occasions but they reported it successful...... Hmmm.....

    4. They reported a non-existent DNS server on Ms. M's box. If Ms. M. tells me there's no DNS server running I'll trust her. She speculates that the D-Link that she used may be proxying the requests. I have used D-Link and Linksys and have found that they operate in a similar fashion. I ran a test against my Linksys to determine if it will proxy the DNS requests from the public network... It timed out even when asked for its own IP address. I have to guess that the D-Link would do the same, (Ms. M: Try sending some DNS queries at it if you like - it probably won't respond).

    5. When they "hit" on something they aren't too bad at IDing it _if_ nothing has been done to hide it, (journy's Sendmail server), but it only takes a small deviation from the "norm" to have them befuddled..... Heck, I still can't think what I could possibly have done to the IIS Mail server that would leave them not being able to ID it unless they rely too heavily on the OS fingerprint which would cancel out the possibility of it being IIS, (they thought it was a linux box.... I'm not sure how but it does scan that way now when I ran a test).

    6. If you look through the Snort log you will see several instances where Snort reports attacks in the DoS category.... I specifically said on all the tests I ran "No DoS". Snort IDed Stacheldraht, Trin00: Master to Daemon (default pass detected!), Teardrop and ath amongst some others. It would have come as something of a shock to lose my network..... When I say don't do something to my network I really do mean don't!!!!

    7. Their reporting is a tad too "sensationalized" for my liking, but, to be fair, they are trying to make money.... They will be broke if they tell everyone "we found nothing of any importance so you have nothing to worry about"..... Personally, I could give a rats xxx whether you can tracert me or resolve my FQDN. That's going to happen. The sensationalising comes from the fact that they assume that since they can connect to a service and "it was possible to" exploit it, (when they have no proof that the exploit was successful - heck, in many cases the service was still available after buffer overflow attempts and DoS attempts just milliseconds later thus implying that they had failed to exploit it).

    /me trying to be fair.... but having a hard time doing it....

    We have done a fairly comprehensive look at their product and, compared to some others I have seen in the past which do little more than a basic portscan against the well known ports, this "audit" is more thorough. OTOH, I would not consider this to be a useful security audit under any circumstances. Too little of the portspace is scanned - I could have a hundred instances of Sub-7 running on custom ports and still have a reasonable chance of going undetected. It certainly does its best job against firewalled computers that have no ingress allowed - but then again it bloody well ought to be able to report that accurately. I really hate the fact that they attempted some DoS attacks even though they were asked not to... I consider that irresponsible - they probably figure that the small print you agree to when you start the audit covers their rear. IMO, it would be arguable in a court of law if they trashed my "mission critical" systems at a cost to me of $500,000 when I distinctly told them "no DoS" but the logs clearly show their DoS attempts.

    I am still waiting for TheHorse13 to scan this same box using any non-destructive tools he likes to determine the available services etc. on this same box. I don't expect any startling news but it will be interesting to see if he is more accurate than SecuritySpace was. I'll post any alarming differences when I get them.

    To conclude:

    I find myself being unable to recommend this service to anyone. Not even for a "quick and dirty" look at a system. There are too many holes, too many false positives and a tad too much hype thrown in with a healthy dose of irresponsibility. The only thing anyone would come away with is a false sense of security should they be given a clean bill of health. It brings home 3 good points:-

    1. You get what you pay for. A full blown security audit is in the thousands of dollars and takes a week or more. That doesn't include any "capture the flag" games - it's just a thorough scan. This service costs $49.... The difference is clear.

    2. While it might fool the home user and many of the poor people that find themselves thrust into the position of "Network Administrator" because they know how to ping someone from a command prompt, it isn't going to work with genuine admins who are knowledgeable about the field..... The danger there is obvious.

    3. Lastly, and most importantly as far as I am concerned, I think we can all see that trusting someone else with your security may well be a very bad thing. There is no substitute where your security is concerned for doing it yourself - learning the tools, the threats and the mitigation techniques and applying them yourself. Yes, industry best practice says that independent security audits should take place on a regular basis but they should be used as confirmation of your own security rather than a determination of it.
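
    Tiger Shark's point 1 above (roughly 3,500 unique ports out of 65,535, and the services on 31337, 12345 and 7224-7226 that the scan never touched) is something any owner of a scanned box can verify from their own perimeter logs rather than from the vendor's report. The script below is an added example written for this thread, not code from the post, from Snort or from SecuritySpace. It reads connection-attempt lines, counts which destination ports the scanner actually hit on the target, and compares that against the ports the owner knows are listening. The log lines are constructed for the example in a generic "time src:sport -> dst:dport flags" shape using RFC 5737 documentation addresses, and the list of known-open ports is likewise constructed; substitute your own sensor's format and your own inventory.

```python
import re
from collections import Counter

# Added example, not from the thread: check a third-party scan's port coverage
# against what you know is listening. The log lines are constructed for this
# example in a generic "<time> <src>:<sport> -> <dst>:<dport> <flags>" shape,
# using RFC 5737 documentation addresses; they are not real sensor output.
# Two passes against the target plus one stray probe at a neighbouring host.
SAMPLE_LOG = """\
Apr 19 13:02:11 203.0.113.7:34011 -> 198.51.100.20:21 SYN ******S*
Apr 19 13:02:11 203.0.113.7:34012 -> 198.51.100.20:25 SYN ******S*
Apr 19 13:02:11 203.0.113.7:34013 -> 198.51.100.20:80 SYN ******S*
Apr 19 13:02:12 203.0.113.7:34014 -> 198.51.100.20:113 SYN ******S*
Apr 19 13:02:12 203.0.113.7:34015 -> 198.51.100.20:139 SYN ******S*
Apr 19 13:02:12 203.0.113.7:34016 -> 198.51.100.20:445 SYN ******S*
Apr 19 13:02:13 203.0.113.7:34017 -> 198.51.100.20:1080 SYN ******S*
Apr 19 13:02:13 203.0.113.7:34018 -> 198.51.100.20:3389 SYN ******S*
Apr 19 13:02:13 203.0.113.7:34019 -> 198.51.100.20:5000 SYN ******S*
Apr 19 13:02:14 203.0.113.7:34020 -> 198.51.100.20:8080 SYN ******S*
Apr 19 13:02:14 203.0.113.7:34021 -> 198.51.100.20:12345 SYN ******S*
Apr 19 13:41:09 203.0.113.7:35002 -> 198.51.100.20:21 SYN ******S*
Apr 19 13:41:09 203.0.113.7:35003 -> 198.51.100.20:25 SYN ******S*
Apr 19 13:41:10 203.0.113.7:35004 -> 198.51.100.20:80 SYN ******S*
Apr 19 13:41:10 203.0.113.7:35005 -> 198.51.100.21:80 SYN ******S*
"""

# Constructed ground truth for the target: what the owner knows is listening,
# including services on unusual ports like the ones discussed in this thread.
KNOWN_OPEN = {21, 25, 80, 12345, 31337, 7224, 7225, 7226}

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>.*)$')


def probed_ports(log: str, scanner: str, target: str) -> Counter:
    """Destination ports the scanner hit on the target, with how often each was hit."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m['src'] != scanner or m['dst'] != target:
            continue  # other hosts or malformed lines are not part of this scan
        hits[int(m['dport'])] += 1
    return hits


def coverage(probed: Counter, known_open: set) -> dict:
    """What the scan could not have seen, and how much of the port space it touched."""
    unique = set(probed)
    return {
        'unique_probed': len(unique),
        'total_attempts': sum(probed.values()),
        'fraction_of_space': len(unique) / 65535,
        'never_probed_but_open': sorted(known_open - unique),
        'probed_and_open': sorted(known_open & unique),
    }


def main():
    probed = probed_ports(SAMPLE_LOG, scanner='203.0.113.7', target='198.51.100.20')
    cov = coverage(probed, KNOWN_OPEN)
    print(f"{cov['total_attempts']} probes, {cov['unique_probed']} unique ports "
          f"({cov['fraction_of_space']:.3%} of 1-65535)")
    print('open and probed      :', cov['probed_and_open'])
    print('open but NEVER probed:', cov['never_probed_but_open'])
    # Anything in the last list is a gap in the audit, not a clean bill of health.


if __name__ == '__main__':
    main()
```

    On the constructed sample this reports 14 probes covering 11 unique ports and lists 7224-7226 and 31337 as open but never probed, which is the situation described for Jinx's and HT's boxes: a "no problems found" verdict says nothing about a port the scanner never sent a packet to. Counting unique ports rather than raw probes matters because repeated passes (three, in Tiger Shark's logs) inflate the attempt count without widening coverage.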

  8. #38
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    2. Mox's NTP server isn't a "real" server. When I ran the scan against my XP box with no firewall, (Mox, you were in the DMZ you said so you are unfirewalled), it also found an NTP server.... I think the box is just responding with a request for it's system time and they report that as a server - Comments anyone.
    Nope....I was on a stand alone system, on dial up and using Kerio firewall.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  9. #39
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by HTRegz
    Hey Hey,

    I got my results back.... I had 1 high, 1 medium, 6 low and 6 other.




    I find it quite humorous because they stated earlier that port 12345 was ssh and now in my port scan results they are saying that port 12345 is Netbus. I also find it odd that they never found port 31337 which is TCP and is open running an apache web server. I'm trying to think right now if my XP box is in a DMZ and that's why it found it as the OS, but last time I checked I didn't have anything on the DMZ. Also it found SSH (and should have found Apache) both running on Trustix, that should at least make it slightly more interesting. If I hear any more from them when they do the high level security risks I'll let y'all know..

    Peace,
    HT
    That scan looks REALLY familiar. Remember when I scanned your box the other night?
    I did a custom port/vuln scan and added 12345 and 31337 because I knew they were there.

    Compare the scan results you got from them to what I put in your webroot directory...

    You'll find that that they are almost EXACTLY alike...

    Which is what tiger is saying. They're using a custom nessus scan. Which is what I did.

    I can't believe that they are charging $50 for that crap... HT: you owe me $50.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
