SecSite - 302 Mystery

[Okeymaker]

Target: A website that offers security services. I know from a source that one of the persons who works there is a real hacker with who once hacked a gov site so maybe they are proffessional.

STORY: When I was using Havij to find the admin page to a website, it gave me 302 responses on every try. Ofc they were all false and when I tried them in a browser I got 402 as pageresult. I wonder how this could be?

CLUES: I know that they uses MysQl on port 3306 - That is the only clue I have. They dont have any ports open except 21 an 80. But they do use 443 for https. Nmap aggressive OS guesses that they use OpenBSD 4."X" and says that 996 ports are filtered. I dont know how to interpret that?

[LoGiCaL__]

It's unclear to me what your end game is here. Without jumping the gun, if you're asking for help to hack a website then you should know no one here will be able to help you out. About your nmap question. The filtered ports are probably behind a firewall and that's why nmap is showing them as filtered.

[limdis]

Right, kinda vague. Just going to take a stab in the dark here cause yes not really sure if you want someone to figure this out or explain it. Being you are getting both 302 and 402 it is possible that you have found what you want to find, but their .htaccess file only allows their specific range of IPs, thus resulting in those errors. Just my thoughts given your description.

[Okeymaker]

I dont wanna hack the page, I just wanna know wehere they put admin page.

Right, kinda vague. Just going to take a stab in the dark here cause yes not really sure if you want someone to figure this out or explain it. Being you are getting both 302 and 402 it is possible that you have found what you want to find, but their .htaccess file only allows their specific range of IPs, thus resulting in those errors. Just my thoughts given your description.

Impossible. The reason why I posted this here its because its so strange. Havij simply test all common logon adresses. It got over 50 matches. But they result in 402 error when browsing them. So I thought that maybe the sceurity site is supermega awesome skilled and can fool programs like that just to mess with the hackers. But how? Maybe through letting ASP tell MySql when ha bot/program strikes and generate lots of fake pages? I dunno.

LOGICAL: Zenmap use to say WHICH ports are filtered, but it didnt in this case. A bit strange, because what website uses exactly 1000 ports?

[tremor77]

First you say " Nmap aggressive OS guesses that they use OpenBSD 4."X" and says that 996 ports are filtered. I dont know how to interpret that?"

And then you mention ASP.

So my guess is that you are dealing with an IIS website running a .NET CMS, perhaps Umbraco or Sitefinity. These are pretty strong systems. It's likely the site responds to any page request... have you been able to actual get a real 404? The Nmap result is probably returning the OS of a hardware firewall... perhaps a Watchguard Firebox Edge series - I believe they run OpenBSD but don't quote me on that. If you ask wtfpancake? Why would someone be running an IIS Server behind a Firebox? Reason - it may be also an Exchange or AD server. Or even more likely - it's a nice big HoneyPot and you're being trolled.

[Okeymaker]

trempr77: That was the best reply I ever got on this site. Thanx!
I will do a closer check on it. Someday. And again: Im not so stupid that Im gonna attack this site. I dont know how to hack something so dont worry.

[wzrd1985]

I may not be an expert, but have you taken into consideration ModSecurity? It has the ability to differentiate between requests, act as a honeypot, and provide header and OS disimulations as you said, even disimulate the platform.