Penetration Testing mailing list archives
RE: Raptor firewall 6.1 port 80
From: "Darren Webb" <spyder007 () charter net>
Date: Mon, 5 Jul 2004 22:10:06 -0500
Good evening, The Raptor (Symantec Enterprise) firewall, by default, runs several standard proxies (FTP, Telnet, HTTP, NNTP, SMTP, DNS, etc) that will return an open state to a scanner (these can be disabled by the admin but usually aren't). Add user defined GSP's to the mix and you can have hundreds of "open" ports. The trick is unless a rule has been setup to allow you to utilize the port/proxy to reach a server behind the firewall or in the DMZ, you really can't do much of anything with it. There have been a couple of DDoS attacks against the telnet and DNS proxies that I know of that have been patched. The SEF (Raptor) has two common ways of administration. The RCU (only on UNIX and depreciated in versions 7 and 8) and the RMC (from a Microsoft plug-in). Both can connect remotely via port 418 and both are encrypted. Rempass must also be run to enable these communications. The firewall admin will need to specify a FQDN or IP address and a passphrase specific to each workstation that they wish to be able to connect from. If your going to try to attack the servers behind the firewall, be sure to make everything RFC compliant as the Raptor is very strict when it comes to this (unless the admin selected "Disable application data scanning" when he created the rule). Darren -----Original Message----- From: Jerry Shenk [mailto:jshenk () decommunications com] Sent: Sunday, July 04, 2004 7:02 PM To: pen-test () securityfocus com Subject: RE: Raptor firewall 6.1 port 80 One feature with a Raptor firewall is that they seems to respond affirmatively to tons of stuff. For example, a portscan on pen-tests that I've done have shown lots of ports being open that really weren't. I haven't seen specifically what you're talking about with an admin login 'cuz I haven't gotten a login on any of them but I get ports showing up as open that I have verified are not actually open. -----Original Message----- From: Martin S [mailto:shurbanm () vuser vu union edu] Sent: Thursday, July 01, 2004 12:04 PM To: pen-test () securityfocus com Subject: Raptor firewall 6.1 port 80 I am testing a couple of Raptor firewalls (6.1 apparently). And I ran Brutus on port 80 just to see what's going to happen using Forms authentication. It does pick up 2 successful authentications using (admin and backup as logins). However, this cannot be right as first of all it picks up different passwords (like aaa or academia on different runs) and secondly a web browser session on port 80 comes back with: " Service Unavailable The proxy is currently unable to handle the request due to a (possibly) temporary error. Extended error information is: If this situation persists, please contact your firewall administrator. " Any ideas?
Current thread:
- Raptor firewall 6.1 port 80 Martin S (Jul 04)
- RE: Raptor firewall 6.1 port 80 Jerry Shenk (Jul 05)
- RE: Raptor firewall 6.1 port 80 Darren Webb (Jul 06)
- Re: Raptor firewall 6.1 port 80 Oliver () greyhat de (Jul 22)
- Re: Raptor firewall 6.1 port 80 Michael Richardson (Jul 07)
- RE: Raptor firewall 6.1 port 80 Darren Webb (Jul 06)
- Re: Raptor firewall 6.1 port 80 Kroma Pierre (Jul 17)
- RE: Raptor firewall 6.1 port 80 Jerry Shenk (Jul 05)