Penetration Test Results (Interpreting Results): Open-Filtered Ports
Recently we had a penetration test done. I am not going to mention company names here; I'll write just about the results.
I asked them to check out our public IPs and all services which face the Internet. I also asked them to check our WiFi and finally our internal office Windows domain.
I knew there were many problems and potentially many holes. I have inherited this network and I don't think things were set up with security in mind. But something also important to note is: if a company is not willing to participate and embrace security, there is very little which can be done; directors and all managers at the top need to accept security as an important step. Security is not for preventing anyone from working, but for giving companies a degree of digital/online stability. Knowing where the holes are is surely better than not knowing; at least you won't be caught by surprise.
The test took around three days and literally the only information I provided was the public IP addresses.
Port 445 Open-Filtered

One thing in specific I want to talk about is this: our office firewall was diagnosed with port 445 (SMB) Open-Filtered.
I asked the security team which did the pen test and they said: "if the port is filtered, it does mean it is open. Maybe nothing is listening, but the port is definitely open".
This is a serious discovery and it needs a full investigation. My boss and Operations pushed me to dig this out and get it sorted.
Action Plan

Review the firewall configuration thoroughly and check any references to port 445.
I disabled all unnecessary rules and checked the open ports once again with nmap. This time I could verify it myself, and the result was once again Port 445 Open-Filtered. I could not believe it.
I could not find anywhere in the firewall a rule which explicitly opened, forwarded, or NATed port 445.
I downloaded a program called Nipper (see: https://www.titania-security.com/), exported the configuration from the firewall, parsed the config, and did not find any indication that port 445 was actually open.
Block Port 445

I decided to explicitly create a rule to block port 445. With the rule in place, I once again used nmap to check for open ports and, once again to my surprise, nmap showed port 445 Open-Filtered.
There is no way port 445 was open! I decided to Google it, and I vaguely remembered something to do with ISPs filtering port 445.
In 2004 there was an outbreak of a virus which propagated itself by exploiting port 445 (SMB). This is the port Microsoft Windows machines use to communicate with each other on a network and access shares.
Because of this outbreak, firewall vendors decided it was a good approach to just filter this port instead of blocking it, because blocking it makes the firewall use more CPU and memory.
So finally I got to the bottom of it and I understand the real result. Port 445 was actually being filtered at a higher level by our ISP, which is good.
So if you come across ports being Open-Filtered, I would recommend the following:

1. Review your firewall configuration
2. Check with your ISP
3. Get in touch with your firewall vendor and ask them to clarify it for you
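Nmap reports a port as "open|filtered" when its probe gets no response at all, so it cannot tell a listening service from a device silently dropping the packet; that is exactly the ambiguity resolved above by asking the ISP. As an added example (not from the original post, and not a tool the pen test team used), the Python script below parses nmap's XML output (nmap -oX) and sorts each port into the state a defender has to treat differently, flagging the "filtered" and "open|filtered" ones for the firewall and ISP checks listed above. The XML sample is constructed for this example; 203.0.113.10 is a documentation address, not a real host.

```python
"""Triage nmap XML results by port state (added example, not from the post)."""
import xml.etree.ElementTree as ET

# Constructed sample resembling `nmap -oX -` output. Reason strings mirror the
# ones nmap emits (syn-ack, no-response, reset); the host address is from the
# 203.0.113.0/24 documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:443,445,3389,U:445 203.0.113.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/><service name="https"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/><service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="closed" reason="reset"/><service name="ms-wbt-server"/>
      </port>
      <port protocol="udp" portid="445">
        <state state="open|filtered" reason="no-response"/><service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# What each nmap state means for your own perimeter and what to do about it.
TRIAGE = {
    "open": "A service answered. Confirm it is meant to be exposed; otherwise close it.",
    "closed": "The host answered (RST or ICMP unreachable): reachable, nothing listening. "
              "Consider filtering it anyway.",
    "filtered": "Probe got no answer or an ICMP admin-prohibited. Something drops the "
                "traffic: your firewall or an upstream device.",
    "open|filtered": "No response, so nmap cannot tell open from filtered. Check the "
                     "firewall rulebase, then ask the ISP whether they filter it.",
}


def parse_nmap_xml(xml_text):
    """Return one dict per scanned port: host, proto, port, state, reason."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            findings.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
            })
    return findings


def triage(findings):
    """Attach the recommended action for each finding's state."""
    return [dict(f, action=TRIAGE.get(f["state"], "Unknown state; inspect manually."))
            for f in findings]


def ambiguous_ports(findings):
    """Ports needing the firewall/ISP investigation described in the post."""
    return [f for f in findings if f["state"] in ("filtered", "open|filtered")]


def summarize(findings):
    """Count ports per nmap state."""
    counts = {}
    for f in findings:
        counts[f["state"]] = counts.get(f["state"], 0) + 1
    return counts


if __name__ == "__main__":
    results = parse_nmap_xml(SAMPLE_NMAP_XML)
    for f in triage(results):
        print(f"{f['host']} {f['proto']}/{f['port']:<5} {f['state']:<14} "
              f"({f['reason']}) -> {f['action']}")
    print("Needs firewall/ISP investigation:",
          [f"{f['proto']}/{f['port']}" for f in ambiguous_ports(results)])
```

Run the same parser against scans taken from inside the firewall and from the Internet: a port that is "filtered" from outside but "closed" from inside is being dropped somewhere between the two vantage points, which is how an upstream ISP filter like the one above shows up in the data.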
Some links for you to research
By Renato Oliveira