Hi again guys.

I'm doing a pentest (for edu purposes) on a single company server, and I'm stuck...
After doing my research using nmap, amap, nessus, nikto2 etc i've found this:

OS: Windows Server 2003

22: SSH(2) Not sure which sshd.
25: SMTP (xxxx.domain.local)
53: DNS
80: HTTP (IIS6-SP1, SSL2, Not hosting any websites that i know of)
113(Closed): IDENT  
389: LDAP (Nothing found mining...)
443: HTTPS (SSL from digicert.com)
444: SNPP (Found Fortinet/Fortigate firewall)
3389: MS-TERM (v4)

Internal IP found: 10.10.147.11

I found no exploits for the services (Im sure they exist...).  The only thing i can think of atm is bruteforcing or fuzzing the SSH server.

Trojans, on-site (wlan), socialEng etc is out of the question.  Just direct targeting remotely.  Any thoughts on how to proceed, except bruteforcing which is kinda loud...

ps: All testing is done with "safe-checks" as they wouldnt be so happy if any services went down...

Thx guys.

Yeah, i usually setup VMware environments, but then i know everything about it. The reason im doing this "live" is because i don't have any knowledge about the system.  And yes, im allowed to test on this server.  They have multiple servers, but im restricted to this IP only. Which kinda sux a little bit because there is no proper FTP or WEB service running on this one. =)

If the services is down i can restart them (i have remote access, logmein), but its still a live server so im guessing its not that popular anyways... 

I'd appreciate some concrete "actions" here instead of doubting my intensions =)

might try telneting to the ports and seeing if you get any banner information from them. Might help in finding out what programs are running the open services.

This might be a dumb question, but are you testing this internally or externally?  I am assuming externally since you said you found an internal IP address.

Thx for the feedback everybody.. I'll look at it ASAP.   Dengar13, externally.  If i wasnt at school (in another country) i would jump in the car cracking the wep encryption they are still using, and then its pretty straight forward =)

I found the internal IP due to a flaw in .asp.  Make that misconf...

Yeah.  Just noticed. SSH port OS guess was 97% Fortigate100-A...  (Which i know is true...) Seems like I'm hitting the firewall..  

Edit: Bamed: That SMTP enumeration, will it fuck anything up?  Looking at the python script it looks like regular string input, but now, im not an expert.

For starters, you state go to school but your pentesting a server for a company in another country. So how would you even know what type of wireless encryption they're using? Sounds pretty fishy if you ask me. Hey if you can get the work more power to you but I can't think of a reputable company that would allow a student to fiddle with production servers.

Secondly, your writing leads me to believe you're very inexperienced. A pentest - remotely - is usually an indication of a grey hat / black hat test most likely a blackhat since you have no idea what you're targeting (is it Windows or is it Fortinet).

With that said, a blackhat is a blackhat is a blackhat. Brute forcing would be optimal way to go on THAT machine. There are alternative mechanisms to allow for non-noisy brute forcing with timing variables. Chances are (I would hope), whomever configured the Fortinet, configured it to solely allow trusted sites to SSH in so unless you can even ATTEMPT ONCE to log in, your SOL.

In that case I would... Not go further into telling you what I would do because as stated, some things in your initial post just don't add up.

Me, I believe you jonas.

But if you start reading the other threads, you will see that many newcomers are trying to get help on how to do bad stuff and no one here wants to be part of that...

That being said, have fun and brute force these services!