APD Toronto
asked on
Server Vulnerability
Hello Experts,
My client hired an IT auditor, and just by knowing the domain name he was able to state that the server is quite exposed.
How can I run such a test?
Here are the results that he sent me:
Initiating OS detection (try #1) against cp10-100.hostingmetro.com (12.34.567.100)
Nmap scan report for cp10-100.hostingmetro.com (12.34.567.100)
Host is up (0.072s latency).
Not shown: 981 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp filtered smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
990/tcp open ftps
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
Device type: general purpose
Running: Microsoft Windows 2003|XP
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_xp::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft Windows XP SP2 or Windows Server 2003 SP1 or SP2
Network Distance: 9 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
ASKER
Is there a non-download web util?
Basically, he used a port scanner (nmap), as the provided result shows. The result lists the ports which are open and therefore the running services related to each port. He then used this information to identify which version of the related application is installed, in order to exploit related vulnerabilities. This is standard practice when a client asks for black box penetration testing.
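To turn a scan like the one quoted above into a defender's checklist, here is an added example (not from the question or any answer) that parses nmap's normal output and sorts each open port into "fine to expose", "restrict to trusted source IPs", or "cleartext protocol". The port categories and the short excerpt of the scan are constructed assumptions for the demonstration.

```python
import re

# Ports a public web host normally needs reachable from anywhere (assumed policy).
PUBLIC_OK = {80, 443}
# Services that belong behind an allow-list of known source addresses:
# database, RDP, Windows RPC/SMB.
INTERNAL_ONLY = {135, 139, 445, 1433, 3306, 3389}
# Protocols that carry credentials in cleartext.
CLEARTEXT = {21, 23, 110, 143}

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed excerpt in the same format as the scan quoted in the question.
SAMPLE = """\
PORT STATE SERVICE
23/tcp open telnet
25/tcp filtered smtp
80/tcp open http
443/tcp open https
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
"""

def parse_nmap(text):
    """Return (port, state, service) tuples from nmap's normal output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(3), m.group(4)))
    return rows

def classify(text):
    """Map each open port to a verdict a defender can act on."""
    findings = {}
    for port, state, service in parse_nmap(text):
        if state != "open":
            continue  # filtered/closed: already unreachable, nothing to do
        if port in INTERNAL_ONLY:
            findings[port] = "restrict to trusted source IPs"
        elif port in CLEARTEXT:
            findings[port] = "cleartext protocol; disable or require TLS"
        elif port in PUBLIC_OK:
            findings[port] = "expected public service"
        else:
            findings[port] = "review: unexpected open port"
    return findings

if __name__ == "__main__":
    for port, verdict in sorted(classify(SAMPLE).items()):
        print(f"{port:>5}  {verdict}")
```

Paste the full PORT/STATE/SERVICE section of your own scan into SAMPLE to get the same verdicts for your server.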
ASKER
I got nmap and ran the test for my site and others, like workopolis.ca. I also did some research and know that certain ports are needed for certain services, like 1433 for MSSQL and 3306 for MySQL.
When you do an nmap scan for workopolis.ca, you only see 443 and 80, both of which I believe are HTTP ports. However, workopolis.ca is a big job site, and no doubt they have some type of database. We see neither 1433 nor 3306.
Am I correct to assume that in workopolis.ca's case they only expose the mandatory ports, while the ports for the database are only exposed to the IPs that need them? For example, if you have a separate web server and a separate database server, port 1433 on both servers is seen only by the server itself and by each other.
Is my understanding correct?
If yes, I understand how this is more secure, but if needed ports are exposed widely (like my initial post above), is it very dangerous?
Thank you
You can search for "free vulnerability scanner" on Google to get links to a number of free tools used for assessment, such as Nessus:
http://sectools.org/tag/vuln-scanners/