Penetration Testing mailing list archives
Looks like a Borderware firewall (was Re: Device fingerprinting)
From: Javier Fernández-Sanguino Peña <jfernandez () germinus com>
Date: Wed, 21 Aug 2002 12:58:13 +0200
> 1) The presence of the cvc_hostd (442) port on the two interfaces of the unknown device... could anyone comment?
Searching Google I find this: http://216.239.39.100/search?q=cache:NX2-uzZSPmkC:www.cert.lu/cert-web/security/Firewall/FW_Mail/970415_BW_1+port+442+firewall&hl=es&ie=UTF-8 and this: http://216.239.39.100/search?q=cache:YzQ-AMVyzFEC:www.macroint.com/nsg/border/4-1keys.pdf+port+442+firewall+borderware&hl=es&ie=UTF-8

Maybe you have a Borderware firewall there (BTW, it's pretty uncommon). It seems to be an application-level (proxy) firewall, so it fits with some of the things you have found. More info at http://www.borderware.com/products/fw/fwserver.html

It seems that it runs on a hardened OS (based on BSD 4.4) on Intel, so it does fit your fingerprinting. You might want to read the Security Target; it's certified EAL4 and EAL5, so it might be a tough one :) http://www.cesg.gov.uk/assurance/iacs/itsec/cpl/media/sectarg/borderware6_5.pdf
> 4) The majority of the ports open on the unknown device are forwards to open ports on the Webserver EXCEPT port 53. I tried to nslookup -class=chaos -type=txt version.bind [the device] and it returns unknown domain, so I evaluate that the chances for it to be bind are fairly low.
Borderware provides a name server, which adds greater confidence to my guess :) Also, it doesn't seem to be ISC's bind. Also, due to proxying I'd gather that the OS fingerprinting done on the webserver and mailserver are in fact results related to the firewall.
> 5) The telnet port on the internal interface of the device seems to be broken; no daemon listens on it even if the port is open.
Probably because it's a proxy (transparent?) and will not work. Try to do *outbound* connections.
> Does anyone see any telltale signs of a particular OS/device here? In my opinion it could be a Cisco or maybe a FreeBSD box, but I'm really unsure. Some help/comments would be appreciated.
My guess (after some Google research): you have a Borderware firewall. It does not matter much, since you pierced the perimeter and now (since you are running stuff in the webserver) you can make it completely transparent. Try testing the firewall in order to determine which rules are allowed for outbound (from the webserver or mailserver) connections.

BTW, you did not say so, but my guess is that the mailserver is an Outlook Web Access. Am I right? Unicode or ISAPI?

Regards

Javi
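The version.bind check discussed above (item 4 of the quoted post) is a CHAOS-class TXT query; what nslookup hides is the wire exchange and why "unknown domain" versus a REFUSED or empty answer matters for the guess. The following is an added example, not code from the original thread, from Borderware or from ISC: it builds the query with only the Python standard library, parses the answer, and exercises the parser against two constructed responses (a disclosed version string and a refusal), so it runs offline. The version string, transaction id and the `query_live` host are assumptions; `query_live` is only useful for checking whether a name server you operate discloses its version.

```python
import socket
import struct

# Added illustration of the CHAOS TXT version.bind exchange; not the
# original poster's, Borderware's or ISC's code.
QCLASS_CH = 3   # CHAOS class, used for server metadata names
QTYPE_TXT = 16
TXID = 0x1234   # assumed transaction id


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, zero-terminated."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid: int = TXID) -> bytes:
    """Standard query with one question: version.bind CH TXT (flags: RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    return header + question


def skip_name(data: bytes, offset: int) -> int:
    """Advance past a possibly compressed name; return the offset after it."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer is 2 bytes and ends the name
            return offset + 2
        offset += 1 + length


def parse_version_response(data: bytes, txid: int = TXID):
    """Return the TXT strings from the answer section, or None when the server
    refused, reported an error, or returned no answer (version not disclosed)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return None
    rcode = flags & 0x000F
    if rcode != 0 or an == 0:
        return None
    offset = 12
    for _ in range(qd):                 # skip the echoed question(s)
        offset = skip_name(data, offset) + 4
    strings = []
    for _ in range(an):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            pos = 0
            while pos < len(rdata):     # TXT rdata is a sequence of length-prefixed strings
                slen = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
    return strings


def constructed_disclosing_response(txid: int = TXID,
                                    version: str = "9.x (constructed)") -> bytes:
    """Constructed reply: QR+RD+RA, RCODE 0, one TXT answer naming a version."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    txt = struct.pack("B", len(version)) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return header + question + answer


def constructed_refused_response(txid: int = TXID) -> bytes:
    """Constructed reply with RCODE 5 (REFUSED) and no answers."""
    header = struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def query_live(server: str, timeout: float = 2.0):
    """Send the query over UDP/53 to a server you operate and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_response(data)


if __name__ == "__main__":
    print("disclosing:", parse_version_response(constructed_disclosing_response()))
    print("refused:", parse_version_response(constructed_refused_response()))
```

The refused case is the one a hardened server (or a proxying firewall that answers DNS itself) produces: the parser returns None rather than a string, which is the signal that the version is not being disclosed, not evidence about which software is running.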