Penetration Testing mailing list archives

Raptor Firewall 6.5 Config


From: Josh <josh () sway org>
Date: 8 Jan 2002 02:37:37 -0000



Hello,

I am conducting a blind penetration test for a client 
and have identified the firewall to be Raptor 6.5. It 
appears to be loosely configured as the Raptor HTTP 
proxy server vulnerability
(http://www.securityfocus.com/bid/2517) exists, and I 
can reach internal addresses, etc.

The port scan on the network revealed that many 
TCP ports were open on the firewall and on the hosts 
behind it. What seems strange to me is that the 
results of the nmap scan show the same ports open 
for every "active" host identified behind the Raptor.

Is it possible that Raptor is talking to nmap and 
opening ports based on a single ruleset for any host 
behind the firewall? I can confirm that the hosts are 
separate machines using other techniques. For 
example, I don't see why the Raptor has port 
1433/TCP open for the Solaris machine I can see in 
addition to several NT 4.0 hosts that might be running 
MS SQL Server.

The nmap scan shows the following ports open for 
ANY host that I can ping or confirm as being alive and 
behind the Raptor:

Port       State       Service (RPC)
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp  
70/tcp     open        gopher
80/tcp     open        http 
110/tcp    open        pop-3   
119/tcp    open        nntp   
139/tcp    open        netbios-ssn   
443/tcp    open        https  
444/tcp    open        snpp
445/tcp    open        microsoft-ds
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
554/tcp    open        rtsp
1433/tcp   open        ms-sql-s
1720/tcp   open        unknown
5631/tcp   open        pcanywheredata
7070/tcp   open        unknown
8080/tcp   open        http-proxy
8181/tcp   open        unknown

Can anyone with Raptor 6.5 experience speak to 
this? Does this match up to some default 
configuration for 6.5?

It seems to me that the firewall is misconfigured. For 
example, a developer could put a vanilla install of IIS 4 
on one of my client's NT machines and unknowingly 
open up the whole network to attack since port 80 is 
opened by Raptor for the host even though it isn't 
currently running an HTTP service.

Josh <josh () sway org>
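
The symptom described in the post, the same open-port list appearing on every live host behind the firewall, is something a tester can check for mechanically rather than by eye. The following is an added example and is not part of Josh's post or the Raptor product: a Python script that parses nmap grepable (-oG) output, groups hosts by their exact set of open ports, and flags port sets shared by several hosts. The scan output embedded below is constructed for the example (documentation-range addresses, a made-up nmap header line), and the parser assumes the empty "owner" field that nmap emits unless ident scanning is used.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output. It mirrors the pattern in the
# post: three unrelated hosts report an identical port list, one host does not.
# Addresses are from the 192.0.2.0/24 documentation range; nothing here is a
# real scan result.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (1500)
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (1500)
Host: 192.0.2.12 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (1500)
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1502)
# Nmap done (constructed sample)
"""

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
# Only the first five fields are used; owner is normally empty.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: {(port, proto): service}} for ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, proto, _owner, service in PORT_RE.findall(field):
                if state == "open":
                    hosts[host][(int(port), proto)] = service
    return hosts


def group_by_port_set(hosts):
    """Group hosts by their exact set of open (port, proto) pairs."""
    groups = defaultdict(list)
    for host, ports in hosts.items():
        if ports:
            groups[frozenset(ports)].append(host)
    return {ports: sorted(members) for ports, members in groups.items()}


def suspicious_groups(hosts, min_hosts=3):
    """Return (sorted_port_numbers, hosts) for every port set shared by at least
    min_hosts hosts, largest group first.  A broad, identical port set on
    machines of different OS is the pattern worth re-testing (banner grabbing,
    OS-inconsistent services) before reporting it as per-host exposure."""
    result = []
    for ports, members in group_by_port_set(hosts).items():
        if len(members) >= min_hosts:
            result.append((sorted(p for p, _ in ports), members))
    return sorted(result, key=lambda g: -len(g[1]))


def strip_shared(hosts, shared_ports):
    """Remove a uniform port set from every host so what remains is the
    per-host difference.  shared_ports is an iterable of port numbers."""
    shared = set(shared_ports)
    return {
        host: {pp: svc for pp, svc in ports.items() if pp[0] not in shared}
        for host, ports in hosts.items()
    }


if __name__ == "__main__":
    scanned = parse_gnmap(SAMPLE_GNMAP)
    for port_list, members in suspicious_groups(scanned):
        print(f"{len(members)} hosts share open ports {port_list}: {', '.join(members)}")
        remaining = strip_shared(scanned, port_list)
        for host in members:
            print(f"  {host}: per-host leftovers {sorted(remaining[host])}")
```

Run against real -oG output (nmap -oG scan.gnmap ...) by replacing SAMPLE_GNMAP with the file contents. A group that spans most of the live hosts, especially when it includes services that cannot all be real on those platforms, is a cue to verify each port individually, for example by comparing the banner returned through the firewall with what the named service would send.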


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

