-
November 21st, 2003, 02:54 AM
#11
Member
If we make the assumption that the server is in fact "behind" a firewall (assuming a HW firewall here), then how did a fast scan provide so much information?
i.e. does it appear the firewall is set up correctly? Or is the rule set simply too loose?
opinions?
.: Aftiel
-
November 21st, 2003, 03:02 AM
#12
Good info there Maestr0.
-
November 21st, 2003, 03:22 AM
#13
Member
Excellent reply Maestro!
I have not ( and will not) explore this particular site any further than this simple scan.
However, my guess is that the filtered ports are in fact accessible from their intranet. Those ports simply dropped my outside (and unrecognized) attempts, but would probably allow internal trusted hosts access.
For example, on my personal network, ports that allow access only to my intranet (i.e. 172.16.1.) get reported by nmap as filtered. Outside attempts to scan them are promptly dropped. So you are dead on correct on that.
It appears they allow students to turn in homework, as well as running remote admin. The OS guess reflects some possible holes as well.
If my guess proved to be correct, then hijacking a student account, or simply getting to a terminal on campus would allow many possibilities.
My guess also is that IIS may be patched, but probably not to the current level.
The remote Admin possibilities certainly look interesting as well.
.: Aftiel
-
November 21st, 2003, 05:23 PM
#14
Member
I think one of the most vulnerable ports would be 139, the open netbios-ssn port. Anyone with their printer/file sharing enabled makes themselves an easy target for would-be hackers. Well, here is the dance for Microsoft. http://www.ebaumsworld.com/microsoftdance.html
"They have the internet on computers now?"
-
November 21st, 2003, 08:50 PM
#15
Member
I will take a stab at this.
First, NMAP is now on version 3.48, so running this older version could impact the OS detection. Version 3.00 has a datestamp of July 28, 2002. So, right there, I do not trust the nmap-os-fingerprints file used in the scan. Old data is not as reliable as newer data.
Ports 135, 139, 445 and 1433 are all running. Only 1 is filtered, the rest are just plain open. This really says to me this is a Windows machine, probably a Windows Server, due to the port 1433, which is the MS SQL Server port. So, I am already guessing NT4/Win2K/Win2k3.
With port 80 and 443 running, it has a web server. I would connect to this server on port 80 (through an anonymous proxy server) and look at the web server header info to see if it is IIS running the web page (probably, with the port 1027 being open). If it is IIS, you will get the exact Windows OS version. IIS 4.0 is NT4; IIS 5.0 is Win2K; IIS 5.1 is XP; IIS 6.0 is Win2k3. Instead of IIS, it could be Apache running as the web server, but I just doubt it. Call it a gut instinct.
Yes, you could connect to the FTP service it is running and see similar results as the web server headers, if the FTP headers have not been turned off (difficult to do in IIS though without the IISLockdown tool).
I do not see port 389 or the port Windows Active Directory uses for the Global Catalogue (I forget what port that is right now), so this is probably NOT a Win2k/Win2k3 AD server. Don't laugh. I have seen AD servers in port scans come up before!
So, a stand-alone server (or it could be an NT4 PDC/BDC, but I feel that is of a lower chance; gotta look at the web server header info) or a domain member server.
2000/tcp open callbook
2001/tcp open dc
From what I found, those might be trojan programs running on those open ports. So, this server could very well be compromised. With the NetBIOS ports open, I wouldn't doubt this. And yes, I see that Netbus is running filtered. Hmmm.
This is probably a warez server by this time, or a zombie, or both most likely. Whoever owns it should take it offline and see if it has been 0wned!
As for the remaining ports, I would guess that at least some are coming from the firewall that is in front of the web server. I really think it is being screened by a firewall. Another gut feeling. It is just not screened very well!
Just my thoughts.
Thanks for the quiz.
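The point running through posts #11 and #15 is that the open/filtered state of the Windows service ports (135, 139, 445, 1433) tells you whether the perimeter firewall rule set is too loose. The script below is an added example, not from any poster in this thread: it parses nmap "normal" output port lines and splits the intranet-only services into those the firewall let through and those it dropped, so an admin reviewing their own external scan can see exactly which rules need tightening. The scan text is constructed for the example, not the scan quoted in the thread.

```python
import re

# Constructed sample in nmap "normal" output format, echoing the ports the thread discusses.
SAMPLE_SCAN = """\
Port       State       Service
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    filtered    microsoft-ds
1433/tcp   open        ms-sql-s
2000/tcp   open        callbook
12345/tcp  filtered    NetBus
"""

# Services that belong on the intranet only; a perimeter firewall should drop external probes.
INTERNAL_ONLY = {
    135: "MS RPC endpoint mapper",
    139: "NetBIOS session (file/print sharing)",
    445: "SMB over TCP",
    1433: "MS SQL Server",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)")

def parse_ports(text):
    """Return (port, proto, state, service) tuples from nmap normal-output port lines."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results

def review_exposure(text):
    """Split internal-only TCP ports into exposed (open from outside) and dropped (filtered)."""
    findings = {"exposed": [], "dropped": []}
    for port, proto, state, _service in parse_ports(text):
        if proto != "tcp" or port not in INTERNAL_ONLY:
            continue
        if state == "open":
            findings["exposed"].append((port, INTERNAL_ONLY[port]))
        elif state == "filtered":
            findings["dropped"].append((port, INTERNAL_ONLY[port]))
    return findings

if __name__ == "__main__":
    for port, desc in review_exposure(SAMPLE_SCAN)["exposed"]:
        print(f"RULE GAP: {port}/tcp ({desc}) reachable from outside; deny it at the firewall")
```

Run it against your own saved nmap output of a host you administer; every "RULE GAP" line is a service the firewall is passing through that should only answer internal hosts.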