RE: Exhange 2003

From: Zach Forsyth (Zach.Forsyth@kiandra.com)
Date: Thu Mar 04 2004 - 17:04:07 EST


Is the PIX smtp fixup protocol enabled?
I have seen some very weird things when investigating network issues and
there is a PIX with smtp fixup somewhere in between.
If it is enabled, then do a couple of tests with it switched off.

Just a thought.

Cheers

Zach

> -----Original Message-----
> From: John Swope [mailto:johns@akorn.net]
> Sent: Thursday, 4 March 2004 16:09 PM
> To: pen-test@securityfocus.com
> Subject: RE: Exhange 2003
>
> All,
>
> I work for an enterprise email security company and saw
> something rather odd just the other day and this might be related.
>
> I was troubleshooting a customer's mail environment; they
> were an Exchange shop and our appliance is Unix based. I was
> noticing a 5 second delay between when I telnetted to port 25
> and when the Exchange server actually presented its 220 banner.
>
> Odd, hosts were connected via 100 Base-T, exchange server was
> not overloaded. No lost packets. What gives...
>
> Ran tcpdump -X -s1600 host exchange.customer.com
>
>
> Notice, no restriction on ports or types of traffic just on host...
>
>
> I noticed the Exchange server was performing 3 NBT broadcasts
> to try to resolve the LMHOST name of my box. Naturally it
> did not work because I'm a Unix box not running Samba.
>
> So, could the exchange server in your case be doing the same?
> Would it explain the results? Is the PIX allowing all
> traffic from Exchange to external network? I realize that I
> was seeing broadcast traffic and one of the posts in the
> thread mentioned the boxes are separated by a PIX, just
> throwing this in as something worth checking...
>
> HTH,
> BJ
>
> At 05:45 AM 03/03/04, Deniz CEVIK wrote:
>
> > Hi all,
> >
> >This host is behind the cisco pix firewall. I have scanned this host
> >using several portscan tools. These tools show that only two ports are
> >open (SMTP and POP3). Strange thing is, if you don't establish the TCP
> >connection to one of these open ports before running the "nbtstat"
> >command, you get nothing. But if you open a tcp connection and after
> >that run the nbtstat command, you can see the details of the netbios
> >information of the machine.
> >
> >The nbtstat command is sending packets to udp port 137 of the
> >destination. As far as I see, the firewall is accepting udp packets if
> >there is an established tcp connection from the same source to the same
> >destination as in the udp connection request. I think there is a
> >configuration problem in the customer firewall.
> >For further analysis I requested the firewall configuration and logs.
> >
> >Thanks for your help.
> >
> >PS: HADXM is the hostname of the machine. I have modified some
> >information in outputs before I posted the message.
> >
> >BR.
> >
> >
> >-----Original Message-----
> >From: jamesworld@intelligencia.com
> >[mailto:jamesworld@intelligencia.com]
> >Sent: Wednesday, March 03, 2004 4:17 AM
> >To: Deniz CEVIK
> >Cc: pen-test@securityfocus.com
> >Subject: Re: Exhange 2003
> >
> >Did you try
> >
> >netstat -an
> >
> >And see what ports were listening?
> >
> >Is there a local IP filtering policy active? You mentioned only 2 ports
> >as being active, 25 and 100. Perhaps there is a local IP policy only
> >allowing those ports. Perhaps the port 100 was supposed to be port 110
> >for POP3 mail access and they typoed the entry. Good of you to find
> >their misconfiguration for them :-)
> >
> >Did you run fport (foundstone)? If you've never used fport, you should
> >add it to your arsenal.
> >
> >Hopefully HADXM is the username that you are using. If not, look into
> >the host being compromised.
> >
> >If you have more, post it to us.
> >
> >Cheers,
> >-James
> >
> >At 08:29 03/02/2004, Deniz CEVIK wrote:
> > >Hi All,
> > >
> > >While we were testing our customer network, we faced a strange
> > >problem. We are testing an exchange 2003 server externally. When we
> > >controlled open services with a port scan, I saw that only two ports
> > >(25 and 100) are shown as open. Before I ran the portscan, I had
> > >controlled the server with the "nbtstat" command of windows. It
> > >returned error messages as below.
> > >
> > >nbtstat -A EXCH_IP
> > >
> > >Local Area Connection:
> > >Node IpAddress: [MY_MACHINE] Scope Id: []
> > >
> > > Host not found.
> > >
> > >After the port scan finished, in order to see the banner
> > >information of the mail server, I opened a connection to port 25
> > >using the telnet command (telnet EXCH_IP 25). At the same time I ran
> > >the "nbtstat -A" command from another window by mistake and I saw the
> > >output below.
> > >
> > >nbtstat -A EXCH_IP
> > >
> > >Local Area Connection:
> > >Node IpAddress: [MY_MACHINE] Scope Id: []
> > >
> > > NetBIOS Remote Machine Name Table
> > >
> > > Name Type Status
> > > ---------------------------------------------
> > > HADXM <1F> UNIQUE Registered
> > > HADXM <00> UNIQUE Registered
> > > HADXM <20> UNIQUE Registered
> > > EXCHANGE <00> GROUP Registered
> > > EXCHANGE <1C> GROUP Registered
> > > EXCHANGE <1B> UNIQUE Registered
> > > EXCHANGE <1E> GROUP Registered
> > > HADXM <03> UNIQUE Registered
> > > ADMINISTRATOR <03> UNIQUE Registered
> > > EXCHANGE <1D> UNIQUE Registered
> > > ..__MSBROWSE__. <01> GROUP Registered
> > > HADXM <6A> UNIQUE Registered
> > > HADXM <87> UNIQUE Registered
> > >
> > > MAC Address = MAC_ADDRESS_OF_EXCHANGE
> > >
> > >If there isn't any connection to an open port of the server you can't
> > >see this nbtstat output.
> > >
> > >Has anybody faced the same situation before?
> > >
> > >BR
> > >
> > >
> >
>
>
>
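The name table Deniz posted leaks more than a hostname. As an added example (not code from anyone in the thread), the parser below turns `nbtstat -A` output into structured records and reports what an outsider learns from it: computer name, domain, whether the host advertises itself as a domain controller, logged-on user names and the Exchange services. The sample input is constructed from the names in the thread with a documentation MAC address; the suffix meanings follow Microsoft's published NetBIOS suffix table.

```python
import re

# NetBIOS suffix meanings from Microsoft's documented suffix table (assumption: only the
# suffixes that occur in the thread's output are listed; anything else reports as unknown).
SUFFIX_ROLES = {
    ("00", "UNIQUE"): "workstation service (computer name)", ("00", "GROUP"): "domain or workgroup name",
    ("01", "GROUP"): "master browser (__MSBROWSE__)",        ("03", "UNIQUE"): "messenger service (host or user)",
    ("1B", "UNIQUE"): "domain master browser",               ("1C", "GROUP"): "domain controllers",
    ("1D", "UNIQUE"): "master browser",                      ("1E", "GROUP"): "browser service elections",
    ("1F", "UNIQUE"): "NetDDE service",                      ("20", "UNIQUE"): "file server service",
    ("6A", "UNIQUE"): "Exchange IMC",                        ("87", "UNIQUE"): "Exchange MTA",
}
ROW = re.compile(r"^\s*([^\s<]+)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\w+\s*$", re.M)
MAC = re.compile(r"MAC Address\s*=\s*(\S+)")

# Constructed sample: the names from the thread's nbtstat -A output, documentation MAC.
SAMPLE = """\
    HADXM          <1F>  UNIQUE      Registered
    HADXM          <00>  UNIQUE      Registered
    HADXM          <20>  UNIQUE      Registered
    EXCHANGE       <00>  GROUP       Registered
    EXCHANGE       <1C>  GROUP       Registered
    EXCHANGE       <1B>  UNIQUE      Registered
    EXCHANGE       <1E>  GROUP       Registered
    HADXM          <03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    EXCHANGE       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    HADXM          <6A>  UNIQUE      Registered
    HADXM          <87>  UNIQUE      Registered
    MAC Address = 00-00-5E-00-53-01
"""

def parse_nbtstat(text):
    """Return {'names': [(name, suffix, type), ...], 'mac': str or None} from nbtstat -A output."""
    names = [(n.upper(), s.upper(), t) for n, s, t in ROW.findall(text)]
    m = MAC.search(text)
    return {"names": names, "mac": m.group(1) if m else None}

def assess_exposure(text):
    """Summarise what a leaked name table tells an outsider about the host."""
    p = parse_nbtstat(text)
    host = next((n for n, s, t in p["names"] if (s, t) == ("00", "UNIQUE")), None)
    domain = next((n for n, s, t in p["names"] if (s, t) == ("00", "GROUP")), None)
    users = sorted({n for n, s, t in p["names"] if (s, t) == ("03", "UNIQUE") and n != host})
    dc = any((s, t) == ("1C", "GROUP") for _, s, t in p["names"])
    roles = sorted({SUFFIX_ROLES.get((s, t), "unknown <%s>" % s) for _, s, t in p["names"]})
    return {"host": host, "domain": domain, "mac": p["mac"], "domain_controller": dc,
            "logged_on_users": users, "roles": roles}
```

Feeding the thread's output through `assess_exposure` shows the firewall gap exposing the computer name, the domain, the DC role, the Exchange MTA/IMC services and an `ADMINISTRATOR` session, which is what a UDP/137 block on the PIX should be hiding.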

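John's symptom, a long pause before the 220 greeting while the mailer tries to resolve the client's NetBIOS name, is easy to measure. As an added example (not code from anyone in the thread), the script below times the SMTP banner and flags slow greetings; it includes a constructed stub server that delays its banner so the check runs offline against 127.0.0.1 (the hostname in the banner and the threshold are assumptions).

```python
import socket
import threading
import time

def measure_banner_delay(host, port, timeout=10.0):
    """Connect to an SMTP listener; return (seconds until the greeting arrived, banner line)."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        line = sock.makefile("rb").readline()   # the 220 greeting, or b"" if the peer closed
    return time.monotonic() - start, line.decode("ascii", "replace").rstrip("\r\n")

def classify_delay(seconds, threshold=2.0):
    """A healthy MTA greets immediately; anything over `threshold` seconds is worth a capture."""
    return "slow-banner" if seconds >= threshold else "ok"

def start_stub_smtp(delay):
    """Constructed stand-in for the Exchange server: accept one client, sleep `delay`
    seconds (the name-lookup stall), then send a 220 banner. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            time.sleep(delay)
            conn.sendall(b"220 exchange.example.test Microsoft ESMTP MAIL Service ready\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_stub_smtp(5.0)   # reproduce the 5 second stall described in the thread
    secs, banner = measure_banner_delay("127.0.0.1", port)
    print("%.2fs until banner (%s): %s" % (secs, classify_delay(secs), banner))
```

Against a real server, pair a slow-banner result with a packet capture on the mail host to confirm whether the wait is spent on NBT name queries or reverse DNS.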
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:49 EDT