Penetration Testing mailing list archives
Re: [PEN-TEST] PIX Firewall Question
From: Eduardo_Campos.CREDOMATIC () CREDOMATIC COM
Date: Mon, 4 Dec 2000 08:44:02 -0600
I guess you were scanning the outside interface so telnet should not be open. Or maybe it was another address so telnet was open ? The policy on the PIX config is that all is denied except by the explicit open sentences of static/conduits which enable the open ports. So, the admin could have open all those ports. Weird ports to be open anyway. The PIX (by default) randoms the sequence number, as nmap described, so it could give you a good guess. Although, I know many FW do the same. Greetings Anubis The Godfather of Soul To: PEN-TEST () SECURITYFOCUS COM <chrome () VELVET NET cc: > Subject: Re: [PEN-TEST] PIX Firewall Question Sent by: Penetration Testers <PEN-TEST@SECURITY FOCUS.COM> 01-12-00 10:27 AM Please respond to Penetration Testers On Thu, 30 Nov 2000, Jon Vandiveer wrote:
PixOS was "acquired" by Cisco. It is becoming more IOS'ish (PixOS 5.2),
but
is a proprietary OS.
Hrm, ok thank you. {learning more by the day here}
I will scan our firewall and let you know if there are any "proprietary" ports open, but as Dom said it is pretty dependant on the config. I would think nMap could profile it.
Yeah, we're basically looking for some king of "standard" footprint this little guy might leave so we'll know we've actually located it. The IP we were curious about was this one: Interesting ports on (xx.xx.xxx.xxx): (The 65526 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 68/tcp filtered bootpc 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 2129/tcp open unknown 4129/tcp open unknown 6129/tcp open unknown 9129/tcp open unknown TCP Sequence Prediction: Class=random positive increments Difficulty=2911 (Medium) Sequence numbers: 36E54D70 36E94F06 36ED6C69 36F18A5F 36F5AA62 36F9C64F Remote operating system guess: Cisco IOS 11.3 - 12.0(11) ---- As you can see nmap shows it as IOS.. Feedback I've recieved so far says that this probably isn't the PIX. Opinions?
Current thread:
- [PEN-TEST] PIX Firewall Question Anubis The Godfather of Soul (Dec 01)
- Re: [PEN-TEST] PIX Firewall Question Dom De Vitto (Dec 01)
- Re: [PEN-TEST] PIX Firewall Question Jon Vandiveer (Dec 01)
- Re: [PEN-TEST] PIX Firewall Question Anubis The Godfather of Soul (Dec 02)
- Re: [PEN-TEST] PIX Firewall Question Jon Vandiveer (Dec 01)
- Re: [PEN-TEST] PIX Firewall Question Bill Bradd (Dec 02)
- Re: [PEN-TEST] PIX Firewall Question NetW3.COM Consulting (Dec 02)
- <Possible follow-ups>
- Re: [PEN-TEST] PIX Firewall Question Christopher Reining (Dec 02)
- Re: [PEN-TEST] PIX Firewall Question Randall, Mark (ISSCalifornia) (Dec 04)
- Re: [PEN-TEST] PIX Firewall Question Eduardo_Campos . CREDOMATIC (Dec 05)
- Re: [PEN-TEST] PIX Firewall Question Dom De Vitto (Dec 01)