Penetration Testing mailing list archives
Re: [PEN-TEST] PIX Firewall Question
From: Eduardo_Campos.CREDOMATIC () CREDOMATIC COM
Date: Mon, 4 Dec 2000 08:44:02 -0600
I guess you were scanning the outside interface, so telnet should not be
open. Or maybe it was another address, so telnet was open?
The policy on the PIX config is that all is denied except by the explicit
open sentences of static/conduits which enable the open ports. So, the
admin could have opened all those ports. Weird ports to be open anyway.
The PIX (by default) randomizes the sequence number, as nmap described, so it
could give you a good guess. Although, I know many FWs do the same.
Greetings
Anubis The Godfather of Soul <chrome () VELVET NET>
Sent by: Penetration Testers <PEN-TEST@SECURITYFOCUS.COM>
01-12-00 10:27 AM
Please respond to Penetration Testers
To: PEN-TEST () SECURITYFOCUS COM
cc:
Subject: Re: [PEN-TEST] PIX Firewall Question
On Thu, 30 Nov 2000, Jon Vandiveer wrote:
> PixOS was "acquired" by Cisco. It is becoming more IOS'ish (PixOS 5.2), but
> is a proprietary OS.
Hrm, ok thank you. {learning more by the day here}
> I will scan our firewall and let you know if there are any "proprietary" ports open, but as Dom said it is pretty dependent on the config. I would think nMap could profile it.
Yeah, we're basically looking for some kind of "standard" footprint this
little guy might leave so we'll know we've actually located it.
The IP we were curious about was this one:
Interesting ports on (xx.xx.xxx.xxx):
(The 65526 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
68/tcp filtered bootpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
2129/tcp open unknown
4129/tcp open unknown
6129/tcp open unknown
9129/tcp open unknown
TCP Sequence Prediction: Class=random positive increments
Difficulty=2911 (Medium)
Sequence numbers: 36E54D70 36E94F06 36ED6C69 36F18A5F 36F5AA62 36F9C64F
Remote operating system guess: Cisco IOS 11.3 - 12.0(11)
----
As you can see nmap shows it as IOS..
Feedback I've received so far says that this probably isn't the PIX.
Opinions?
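The Difficulty=2911 figure in the scan output above can be reproduced from the six sequence numbers it lists. The Python below is an added example, not part of the original messages or of nmap's source; the function names are hypothetical, and it assumes the index is the standard deviation of the successive ISN increments after dividing out their GCD, which matches the quoted value for this sample.

```python
import math
from functools import reduce

# Copied from the nmap output quoted in the message above.
NMAP_LINE = "Sequence numbers: 36E54D70 36E94F06 36ED6C69 36F18A5F 36F5AA62 36F9C64F"
# Constructed contrast case: a stack that adds a fixed 64000 per connection.
FIXED_STEP_LINE = "Sequence numbers: 00000000 0000FA00 0001F400 0002EE00"


def parse_isns(line):
    """Return the hex ISN samples from a 'Sequence numbers:' line as ints."""
    label, sep, values = line.partition(":")
    if not sep or label.strip() != "Sequence numbers":
        raise ValueError("not a 'Sequence numbers:' line")
    return [int(tok, 16) for tok in values.split()]


def signed_deltas(isns):
    """Consecutive differences as signed 32-bit values, so a counter that
    wraps past 0xFFFFFFFF still shows up as a small positive step."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % 2**32
        out.append(d - 2**32 if d >= 2**31 else d)
    return out


def summarize(line):
    """GCD, mean and spread of the ISN increments (assumed index formula)."""
    deltas = signed_deltas(parse_isns(line))
    if not deltas:
        raise ValueError("need at least two samples")
    sizes = [abs(d) for d in deltas]
    gcd = reduce(math.gcd, sizes) or 1          # all-zero deltas: constant ISN
    scaled = [s // gcd for s in sizes]
    mean = int(0.5 + sum(scaled) / len(scaled))
    variance = sum((s - mean) ** 2 for s in scaled) / len(scaled)
    return {
        "deltas": deltas,
        "all_positive": all(d > 0 for d in deltas),
        "gcd": gcd,
        "mean_increment": mean,
        "index": int(0.5 + math.sqrt(variance)),
    }


if __name__ == "__main__":
    for name, line in (("quoted scan", NMAP_LINE), ("fixed step", FIXED_STEP_LINE)):
        print(name, summarize(line))
```

For the quoted scan every increment is positive and close to 268333, with a spread of 2911. The constructed fixed-step sample collapses to an index of 0 with a GCD of 64000.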
