RE: Interesting challenge

From: Stephen de Vries (stephen@twisteddelight.org)
Date: Sat Jan 31 2004 - 11:54:08 EST


You mentioned that they were using a "simple" firewall. Perhaps the
scanning tools are initiating too many connections too quickly, flooding
the state tables of the firewall, or if it's a proxying firewall, perhaps
launching too many proxy processes. Since the firewall is so busy dealing
with all these requests on filtered ports, perhaps it can't service
requests to open ports? You could try slowing down the scanning tools;
if you're using nmap, try the paranoid timing option (and watch a good film
while you're waiting for it to complete ;) )

Stephen

> Almost everyone who replied pointed towards ICMP. We have tried running the
> test with ICMP disabled. We still do not get a reply on those ports.
>
> -SKP
>
> -----Original Message-----
> From: Clement Dupuis [mailto:cdupuis@cccure.org]
> Sent: Friday, January 30, 2004 3:06 PM
> To: 'Sanjay K. Patel'
> Subject: RE: Interesting challenge
>
> Have you carefully looked at some of the buried-down settings under your
> scanners? It might simply be that it is expecting a reply from a ping
> request before doing the scanning.
>
> Clement
>
>
>>> -----Original Message-----
>>> From: Sanjay K. Patel [mailto:sanjay.patel@rexwire.com]
>>> Sent: Friday, January 30, 2004 11:43 AM
>>> To: pen-test@securityfocus.com
>>> Subject: Interesting challenge
>>>
>>>
>>>
>>>
>>> We are doing a pen test for a client and have run into an interesting
>>> situation. The client has a server running IIS and Exchange. We can get to
>>> it through a browser, but when we try to run Nessus or eEye Retina against
>>> it, neither product can find the server. The client is not running any IDS
>>> system and has a simple firewall. A port scan reveals no open port, though
>>> port 80 is open since the server is serving pages.
>>>
>>>
>>> SKP



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:47 EDT