From: Marco Ivaldi (raptor mediaservice.net)
Date: Fri Mar 13 2009 - 06:05:17 CDT
On Thu, 12 Mar 2009, Richard Miles wrote:
> Hi Marco,
>
> Nice to see your reply.
;)
> Yes, it says OPEN|FILTERED as all other ports at this host.
Weird. What I meant in my previous email is that you should try something
along the lines of:
root@shaolin:~# nmap -n --packet-trace --reason 10.0.0.220 -p 440-445
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-13 11:46 CET
SENT (0.0780s) ARP who-has 10.0.0.220 tell 10.0.0.144
RCVD (0.0790s) ARP reply 10.0.0.220 is-at 00:0C:29:19:94:EF
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:443 S ttl=41 id=4691 iplen=44 seq=2996612997 win=2048 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:441 S ttl=39 id=33943 iplen=44 seq=2996612997 win=4096 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:445 S ttl=38 id=25659 iplen=44 seq=2996612997 win=3072 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:442 S ttl=56 id=2974 iplen=44 seq=2996612997 win=1024 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:440 S ttl=57 id=4341 iplen=44 seq=2996612997 win=2048 <mss 1460>
SENT (0.1070s) TCP 10.0.0.144:53535 > 10.0.0.220:444 S ttl=55 id=57289 iplen=44 seq=2996612997 win=4096 <mss 1460>
RCVD (0.1070s) TCP 10.0.0.220:443 > 10.0.0.144:53535 SA ttl=128 id=44500 iplen=44 seq=4269415853 win=64240 ack=2996612998 <mss 1460>
RCVD (0.1070s) TCP 10.0.0.220:441 > 10.0.0.144:53535 RA ttl=128 id=44501 iplen=40 seq=0 win=0 ack=2996612998
RCVD (0.1070s) TCP 10.0.0.220:445 > 10.0.0.144:53535 SA ttl=128 id=44502 iplen=44 seq=3878712938 win=64240 ack=2996612998 <mss 1460>
RCVD (0.1080s) TCP 10.0.0.220:442 > 10.0.0.144:53535 RA ttl=128 id=44503 iplen=40 seq=0 win=0 ack=2996612998
RCVD (0.1080s) TCP 10.0.0.220:440 > 10.0.0.144:53535 RA ttl=128 id=44504 iplen=40 seq=0 win=0 ack=2996612998
RCVD (0.1080s) TCP 10.0.0.220:444 > 10.0.0.144:53535 RA ttl=128 id=44505 iplen=40 seq=0 win=0 ack=2996612998
Interesting ports on 10.0.0.220:
PORT    STATE  SERVICE       REASON
440/tcp closed sgcp          reset
441/tcp closed decvms-sysmgt reset
442/tcp closed cvc_hostd     reset
443/tcp open   https         syn-ack
444/tcp closed snpp          reset
445/tcp open   microsoft-ds  syn-ack
MAC Address: 00:0C:29:19:94:EF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
The "REASON" field and the packet trace should give you the information
you need to understand why Nmap reports open|filtered on all TCP ports?!
--
Marco Ivaldi, OPST
Lead Security Analyst Data Security Division
Mediaservice.net Srl http://mediaservice.net/