LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-21-2004, 02:49 PM   #1
Erik Thorsson
Member
 
Is this site secure (nmap output)?


I did an nmap -sS on my employer's site, and this is what got returned. Seems like there's a lot of things open on there that shouldn't be. Should dhcpserver be visible from the Internet (even if it's 'filtered')?

>>> BEGIN PASTE <<<

# nmap -sS ############.###

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-20 08:56 EST
Interesting ports on ###.###.###.###:
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
67/tcp filtered dhcpserver
80/tcp open http
99/tcp open metagram
111/tcp open rpcbind
112/tcp open mcidas
443/tcp open https
5432/tcp open postgres

Nmap run completed -- 1 IP address (1 host up) scanned in 119.151 seconds

>>> END PASTE <<<

Any takers?

-E
 
Old 10-21-2004, 04:49 PM   #2
anacOndazz
LQ Newbie
 
Cool nmap

Hya there,


#1.. Suppose I'm your employer: why in the world would you do a scan on MY network, and, if not authorized, why in the world would you post it in public... hmm... never mind... I don't really care, you must have had your reasons I reckon... lolz

#2.. What makes you think dhcpd runs behind port 68? Do ya know the layout of your employer's network? It can be a decoy as well. The fact that you see port 68 filtered doesn't necessarily mean that a DHCP server sits behind it. In fact all of them can be decoys. Even worse than that.


Have phun.
 
Old 10-21-2004, 05:52 PM   #3
Erik Thorsson
Member
 
Original Poster
Ah, I get it. I look like I'm trying to hack them.

Okay.

Nevermind then.

My employer undervalues me, so I'm trying to be more valuable. I would like to be proactive regarding security for their site, which is administered by someone who knows even less than I do, unfortunately.

I didn't release the business's name or IP, so it's not like posting the port scan publicly could do any harm. Right?

But, thank you for the information regarding open ports and what may or may not be running behind them.

-E
 
Old 10-21-2004, 06:37 PM   #4
sh1ft
Member
 
Erm.. Firstly, I have no idea what you mean by 'decoys'. Perhaps you mean tarpits.. I've never heard of nmap being tricked like that; nmap doesn't just look at the port number, it examines the actual service. Second, who cares if he posted an nmap output? It's not like he named the company, gave the IP address or anything; what he is doing is completely legit.

If the port is filtered, that means the firewall is blocking all connections, so you have nothing to worry about. The ports marked closed are less secure than those which are marked filtered, FYI. As for whether or not it should be visible on the Internet: all ports are visible on the Internet; the ones you don't see, nmap didn't bother putting down because they are closed, so it makes it more readable. Maybe you mean 'stealthing', in which ICMP pings are dropped so it appears the host is down. But even that is useless anyway, because nmap has an option to discard the drops and persistently scan (-P0).
 
Old 10-21-2004, 07:02 PM   #5
Capt_Caveman
Senior Member
 
Considering that your employer's site is probably port scanned on a regular basis, I wouldn't worry about it too much. Though normally, if you plan on doing security auditing or pen testing, you should get permission first.

In most cases, services are usually run on default port numbers. So if a port scan shows port 22 open, it's usually going to be sshd. If you wish to be rigorous, use the version detection option (see the nmap man page under -sV or -A).

Based on the above port scan results:
1. Running telnet at all is stupid. Some places will still run it because MS includes a default telnet client but not an ssh client. I can see that argument, but it still doesn't make it any less stupid to transmit passwords in plain text.
2. rpcbind. If you have NFS shares, then you'll need this, but this should be filtered to only allow traffic with required systems, not wide open to the public.
3. PostgreSQL. In most circumstances this should be on the backend and not openly accessible to the general internet. It wasn't designed to be a security-hardened service and it does have a security history, so having this open is playing with fire.
4. It's interesting that port 67 is filtered while the other 1650 ports are in the "closed" state. This could mean a number of things though...
 
Old 10-21-2004, 08:34 PM   #6
chort
Senior Member
 
1.) Don't ever do this (without permission, anyway). You are much more likely to get fired than thanked.

2.) It matters a lot whether this was scanned from inside the network, or outside. It seems from your comments that this scan was done from outside, in which case there are some significant problems.

21/tcp open ftp
Is it necessary to open this up to the world? Kiddies often exploit FTP servers and use them to store illegal content. If file transfers with clients are required, they should be done over VPN, or at least configure the firewall to only allow known business partners to connect.

23/tcp open telnet
Pointless, unless of course they're trying to give away all their passwords.

67/tcp filtered dhcpserver
At least it's filtered.

80/tcp open http
I guess this is for the corporate website? Hopefully it's been hardened against cross-site scripting, SQL injection, authentication bypasses, etc... Given the rest of the configuration, I doubt it.

99/tcp open metagram
No idea. I couldn't find any information about it on Google, which means it's probably not a common service. That raises the possibility that it's a trojan backdoor.

111/tcp open rpcbind
RPC should never, never be allowed from the Internet. Whether it's SunRPC or MS-RPC, it doesn't matter. Neither of them were designed for use on hostile networks.

112/tcp open mcidas
Seems to be some kind of meteorological data exchange protocol? If information is being shared between sites, the firewall should restrict access to only those sites and filter out the Internet at large.

443/tcp open https
Hopefully the SSL libraries are up to date, because there have been several devastating vulnerabilities in both IIS SSL and OpenSSL.

5432/tcp open postgres
Database protocols should never be open to the Internet. This is how the SQL Slammer worm nuked so many sites and it was very avoidable. Databases shouldn't be directly linked across the Internet, ever.
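The per-port triage that Capt_Caveman and chort do by hand above can be scripted so the same judgement is applied consistently to every listing. The following is an added example, not code from this thread or from the nmap project: it parses an nmap normal-output port listing (the sample is the sanitized scan from the first post, embedded here as constructed input), records what each SYN-scan state means on the wire, and grades each open service against an Internet-exposure policy distilled from the advice in this thread. The policy table, severity labels and function names are this example's own assumptions.

```python
"""Triage an nmap normal-output port listing from a defender's viewpoint (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the sanitized listing pasted in the first post of this thread
SAMPLE_NMAP_OUTPUT = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-20 08:56 EST
Interesting ports on ###.###.###.###:
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
67/tcp filtered dhcpserver
80/tcp open http
99/tcp open metagram
111/tcp open rpcbind
112/tcp open mcidas
443/tcp open https
5432/tcp open postgres

Nmap run completed -- 1 IP address (1 host up) scanned in 119.151 seconds
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered|unfiltered)\s+(?P<service>\S+)"
)
NOT_SHOWN = re.compile(
    r"\(The (?P<count>\d+) ports scanned but not shown below are in state: (?P<state>\w+)\)"
)

# What each SYN-scan state means on the wire
STATE_MEANING = {
    "open": "SYN/ACK came back: something is listening",
    "closed": "RST came back: host reachable, nothing listening, no filter in the way",
    "filtered": "no answer (or ICMP unreachable): a filter is dropping the probe",
}

# Exposure policy distilled from this thread's advice (the example's own table, not nmap's)
EXPOSURE_POLICY = {
    "telnet": ("high", "cleartext logins; disable and use ssh"),
    "rpcbind": ("high", "portmapper lets anyone enumerate RPC programs; restrict to required hosts"),
    "postgres": ("high", "database listener belongs on the backend, not on the Internet"),
    "ftp": ("medium", "restrict to known peers or a VPN; drop anonymous access if unused"),
}


@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    state: str
    service: str
    severity: str  # high, medium, review or info
    note: str


def parse_port_lines(text):
    """Return (port, proto, state, service) tuples for every port line in the listing."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return rows


def not_shown_summary(text):
    """Count and state of the ports nmap folded into its 'not shown' line."""
    m = NOT_SHOWN.search(text)
    return (int(m["count"]), m["state"]) if m else (0, "unknown")


def classify(state, service):
    """Severity and note for one port; only open ports are graded against the policy."""
    if state != "open":
        return "info", STATE_MEANING.get(state, "see the nmap manual for this state")
    if service in EXPOSURE_POLICY:
        return EXPOSURE_POLICY[service]
    return "review", "not in policy; confirm with version detection (nmap -sV) and ask whether it is needed"


def triage(text):
    """Findings for the listing, worst severity first, then by port number."""
    rank = {"high": 0, "medium": 1, "review": 2, "info": 3}
    findings = [Finding(port, proto, state, service, *classify(state, service))
                for port, proto, state, service in parse_port_lines(text)]
    return sorted(findings, key=lambda f: (rank[f.severity], f.port))


def severity_counts(findings):
    """How many findings fall in each severity bucket."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT):
        print(f"{f.severity:6} {f.port:>5}/{f.proto} {f.state:8} {f.service:12} {f.note}")
    count, state = not_shown_summary(SAMPLE_NMAP_OUTPUT)
    print(f"{count} other ports {state}")
```

The "review" bucket is deliberate: metagram and mcidas are not in the policy table, and the honest answer for an unrecognised service name is to run version detection before deciding anything, exactly as Capt_Caveman suggests.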
 
Old 10-21-2004, 09:07 PM   #7
Erik Thorsson
Member
 
Original Poster
Thank you, chort. That's exactly what I wanted to know.

I could tell that it was a bad scene, but couldn't find specific references to define why on the 'net. I knew telnet was no good, for obvious reasons. They're running anonymous ftp, too, and as far as I can tell they don't use it. If that's the case, then that needs to be eliminated as well.

Can anyone point me to a place where I can learn about rpcbind? The man pages are too specific for me to grasp the 'function' rpcbind fulfills.
 
Old 10-22-2004, 05:54 AM   #8
anacOndazz
LQ Newbie
 
Cool nmap

Hya there,


For the sake of clarity, i should post one more reply.
Sh1ft... I meant honeypots. We've successfully managed, not long ago, to achieve solutions involving redirecting connections from dedicated & targeted ports to a cluster of honeypots mimicking all "obvious" open ports (services).
Now, it depends of course on the value/budget/purpose whether such x-treme solutions will be applied. My point is that it can be done. With ease. Some honeypots, such as Honeyd, can not only emulate services, but emulate actual operating systems. In other words, Honeydaemon can appear to the attacker to be a Cisco router, WinXP webserver, or even (haha) a dhcpserver. Honeynets are, in addition to that, an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. However, no matter how good the emulation is, a skilled attacker can eventually detect their presence. On the other hand, some sophisticated honeypots take this emulation one step farther (as Honeyd does). Not only do they emulate at the service level, but at the IP stack level. If someone uses active fingerprinting measures to determine the OS type of your honeypot, most honeypots respond with the IP stack of whatever OS the honeypot is installed on. Honeyd spoofs the replies, making not only the emulated services, but the emulated IP stacks, behave as the operating systems would. The level of emulation and sophistication depends on what honeypot technology you choose to use.
Now, once again, this all depends on the value of a certain target, but if so needed, it can throw even a sophisticated port scanner such as nmap into deception, at least in my experience.
One more thing would be... given the fact that nmap can indeed manage to identify services, how would nmap be able to identify a service behind a filtered port, given the fact that it needs some feedback from that port? It's true that nmap uses TCP-stack fingerprinting to point out OSes (that can be faked as well), but I never heard of nmap being able to identify services behind ports which drop everything, because this is in fact a filtered port, isn't it?

nice 2 debate,
have phun,
 
Old 10-22-2004, 05:59 AM   #9
anacOndazz
LQ Newbie
 
Cool rpcbind

Hya there,


Try this :

http://www.cs.cf.ac.uk/Dave/C/node33.html


Have phun,
 
Old 10-22-2004, 07:59 AM   #10
SciYro
Senior Member
 
chort: all Google will show is a bunch of port database sites saying "metagram relay"...... but no info on what the service does, or where to get it... but it is common enough to get on pretty much every list

http://www.iana.org/assignments/port-numbers

still.... it's a shame to see so many sites know of it, but none say what it does.... so the question is why would that be running on their network? (well... seeing as they're running meteor... something, then who knows what else they could have?) (or maybe it's for distributing files.... (to put it nicely)... or Scrabble words?)

anyways, since it appears they are running a Linux OS, it would appear their firewall is non-existent (and if you can find a way to tell your boss without getting fired (like asking to scan the network, going to eat a donut, and coming back with all the answers), then perhaps you can be the new sysadmin)

also nmap isn't really good at saying what is running on the ports... it declared port 631 of my machine "ipp"... don't know why, when it's the port CUPS uses for configure stuff... it also says it doesn't know what OS I use when I do an OS scan, but in its output it says "i386-pc-linux-gnu" (that's not the whole line...).... point: don't rely on nmap because it appears to be easily tricked
 
Old 10-22-2004, 12:44 PM   #11
Capt_Caveman
Senior Member
 
CUPS uses the Internet Printing Protocol (IPP) along with several other protocols, so nmap is probably correct. It also looked like it guessed your OS as well (you are running Linux, correct?). And the default kernel installed is usually an i386 version. I'm not arguing that nmap is 100% accurate, but it is reasonably accurate unless you are intentionally disguising the system with something like IPPersonality or have your firewall configured to prevent info leakage (i.e. if you drop all unsolicited packets, no TCP stack/OS fingerprinting can be done).
 
Old 10-23-2004, 11:27 AM   #12
Erik Thorsson
Member
 
Original Poster
Actually, believe it or not, they are running the whole site off of some Windows ME boxes. Four boxes. Two main (http and ftp) and a backup machine for each one of those. The guy said he tried Windows XP, but that "there were too many hackers after it." His solution was to go back to Windows ME so they wouldn't be such a target. Hahahaha.

-E
 
Old 10-23-2004, 04:59 PM   #13
Krugger
Member
 
But they have another box in front of it that is running iptables to forward the traffic, right?

If you want to be more proactive, do a version-grabbing scan so you know what applications are running and their versions; then you can cross-reference it with Bugtraq or some other vulnerability database and get a much clearer picture of the security situation.

If they are running an IDS they will see all your activity. So just drop a casual question about it to be on the safe side.

Remember that if you get caught it is your own fault.
 
Old 10-24-2004, 12:52 AM   #14
chort
Senior Member
 
Holy crap, WinME? That is widely regarded as the worst OS ever! Microsoft yanked it from the market so quickly you could have blinked and missed it. WinME suffers from most of the same vulnerabilities as Win98 and a lot of the vulnerabilities from WinXP; worse yet, it hardly has any attention paid to security patches since there are so few boxes out there actually running WinME. You might as well set the Telnet and FTP banners to "hack me, I'm vulnerable".

At least WinXP (Pro) has a lot of enterprise level tools to lock down the configuration. WinME is a desktop OS that was never designed as a server or for hostile environments. Running Win2K would even be better than running WinME, because it gets a lot of attention for patches by Microsoft since it's very widely deployed.

By the way, if you're using a recent version of NMAP you can use the -V option to get a more accurate reading on what services are actually running (nmap -sSV).
 
Old 10-24-2004, 02:44 PM   #15
jev-bird
Member
 
I just glanced at your output and you need to pass nmap with more options than that if you want a full analysis for that site. For one rpcbind should be filtered or anyone can map the program numbers with rpcinfo over the net. And telnet should be disabled as well, use ssh instead. You should look into the other services as well that are open and see if they actually need them.
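jev-bird's closing advice, to look at each open service and ask whether it is actually needed, is easiest to act on from the host itself rather than from a scan. The following is an added example, not code from this thread: it parses the listener table printed by `ss -tlnp` (iproute2 format) and reports every socket bound to a non-loopback address whose port is not on an explicit allowlist, so a database or portmapper bound to 0.0.0.0 stands out while the same service bound to 127.0.0.1 does not. The sample `ss` output is constructed for the example, and the allowlist, severity of the findings and function names are assumptions.

```python
"""Find listening sockets reachable from outside the host (added example, not from the thread)."""
import re
from ipaddress import ip_address

# Constructed sample of `ss -tlnp` output; not captured from any real system
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1300,fd=5))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=590,fd=4))
LISTEN  0       511     [::]:80              [::]:*             users:(("nginx",pid=901,fd=6))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=600,fd=5))
LISTEN  0       128     [::1]:6379           [::]:*             users:(("redis-server",pid=702,fd=6))
"""

PROCESS_NAME = re.compile(r'"([^"]+)"')

# Ports this host is meant to serve to the outside world (example allowlist)
DEFAULT_ALLOWED_PORTS = frozenset({22, 80, 443})


def split_local(local):
    """Split ss's Local Address:Port column; IPv6 literals arrive bracketed."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and odd strings count as reachable."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False  # e.g. "*" from older ss versions: bound to every interface


def parse_listeners(text):
    """One dict per LISTEN row: bound address, port and owning process name."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        m = PROCESS_NAME.search(line)
        listeners.append({"addr": addr, "port": port,
                          "process": m.group(1) if m else "?"})
    return listeners


def exposed_listeners(text, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Listeners bound beyond loopback on ports not explicitly allowed."""
    return [l for l in parse_listeners(text)
            if not is_loopback(l["addr"]) and l["port"] not in allowed_ports]


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {l['port']:>5} bound to {l['addr']:<10} by {l['process']}: "
              "not on the allowlist, needed?")
```

Run as root on the host, `ss -tlnp` supplies the real table; feeding it to `exposed_listeners` gives a short list to justify service by service, which is the question jev-bird is asking. Anything on that list that is needed should go onto the allowlist deliberately, and anything that is not should be bound to loopback or turned off.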
 
  

