Is It Unsafe for a Government Website to Have IIS 6.5 ?

It's hard to say. You can run some vulnerability scans against it and find out.

Anyway, the ports are probably closed.

There must be either port 80 or 443 open for you to access the site, so some ports are open.

Random thought: About 121 exploits for IE6. Last one found was 2 weeks ago with 9.3 out of 10 in not goodness.

We just had a guy with a similar post about his port 80 from india. Some light digging found he was being port forwarded to some random high ports above 1000 by his ISP. (Don't ask me how I know.)

Like he said run a scan against it if you would like to be certain.

What kind of scanners should we be using?

Nikto, Nmap, Burp?

There are many web application scanners. nmap won't help. It's used to determine the ports, OS and services that are running.

Nikto or Wikto are both good and free. There are many commercial web app vulnerability scanners that will give you a free trial license like Qualys, Acunetix, Nexpose and many others. Usually these free trials are full featured and good for 7-30 days.

This is my Nikto scan result : (Fast scan)

Server: Microsoft-IIS/6.0
Retrieved x-powered-by header: ASP.NET
robots.txt contains 3 entries which should be manually viewed.
Microsoft-IIS/6.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k, current is at least 7.5)
OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://xxx.xx.xx.x/images/ ".
ETag header found on server, fields: 0x80e131193d6fcd1:5776

VM-HoneyPot

eth1 Link encap:Ethernet HWaddr 00:0D:60:xx:xx:xx
inet addr:xxx.xx.xx.x Bcast:xxx.xx.xx.xxx Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2679782 errors:0 dropped:0 overruns:0 frame:0
TX packets:46733 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:497213909 (474.1 Mb) TX bytes:2991455 (2.8 Mb)
Interrupt:17

wut

Exactly..

BTW that is from a public recon run against the pot. Always follow the right path and do recon on the target before you scan anything.

Brilliant demonstration.

i see, it's a trap...

How did you figure out it was a honeypot?

yup. care to explain how you figured it was a honeypot ? Thx

Greetings, allow me to explain. The nikito scan hinted, well screamed at my conclusion.

The target IP was not scanned or visited once during this process.

Protocol dictates that actionable Intel is needed before any force of action is taken. You don't close your eyes then pull out a gun and fire wildly, do you?

Total Time: About 3 mins
Scripts : 0
Technique: GOOGLE DORK

0.5 First clue was out of date Gov website. : They have checklists for any and all devices to be set up to SPEC.

His Nikto scan 1 line screamed VM-HoneyPot. (Orig edited out now.)

ARIN LOOKUP

The IP range the target : is a special range not used by .GOV anything.
Arin search against target confirms #2 "Net Type IANA Special Use - Registration Date 1994-03-15" http://whois.arin.net/can't show the rest

3.1 clue maybe http://datatracker.ietf.org/doc/rfc1918/

3.5 Domain Records shows something like a game site or Data Center?? ~NOT A GOV SITE as we thought! WTF is it???

Let's Dork it!

Google Dork of target IP: Shows public record trail leading to pot.

4.05 "ADMIN: Mxxxx Szxxxx"
TITLE: Systems Admin/Engineer
DEPT: Enterprise Web Services
COMPANY: Cxxxx TECHxxxxxx
ADDRESS: Level xx, xxxx Ann Street, BRISBANE QLD 4000
PHONE: +61 x xxxx 7151"

4.1 Dork results also gave network topology,IP's in use, Ports, iwconfig tails and hostnames.
*Far too much EASY info for legit server found. Yeah right!*

5.0 Admin made various forum posts about pot ARP poison issue.
5.1 Other INTEL supports 2 other pots reside on the same network
5.2 Hostnames LVS:a & LVS:b - (L)INUX (V)IRTUAL (S)ERVER

WHT TIME LINE :

Nikito scan results posted.
I replied "VM-Honeypot" minutes after.
*Thought about it then moved to Passive DORKing to confirm.
5 mins later I replied with iwconfig from target box obtained from dorking.
He replies "wut"
Antagonize mode starts and I reply: "Exactly" because he is obviously in the wrong end of the pool.
WHT Admins edit the IP's out of posts. Probably thinking WTF is that about??

I retort with "BTW that is from a public recon run against the pot. Always follow the right path and do recon on the target before you scan anything."

crickets
<End Transmiss0n>

P.S. Really annoying I had to re write this 3 times because the st00pid editor keeps giving me ajax error........

Excellent work, CyberHitchiker!

Now, this is information gathering! Amazing!

21 Responses

Share Your Thoughts