Penetration Testing mailing list archives
Re: Raptor firewall 6.1 port 80
From: "Oliver () greyhat de" <Oliver () greyhat de>
Date: Thu, 22 Jul 2004 12:15:02 +0200
Darren Webb wrote:
> Good evening,
>
> The Raptor (Symantec Enterprise) firewall, by default, runs several standard proxies (FTP, Telnet, HTTP, NNTP, SMTP, DNS, etc.) that will return an open state to a scanner (these can be disabled by the admin but usually aren't).

You can disable the proxy services, but most are in use by your firewall rules (like DNS, http, ftp, mail). If you want these ports to be shown only to certain IP addresses, you have to set a filter on the interface.
> Add user defined GSP's to the mix and you can have hundreds of "open" ports. The trick is unless a rule has been setup to allow you to utilize the port/proxy to reach a server behind the firewall or in the DMZ, you really can't do much of anything with it. There have been a couple of DDoS attacks against the telnet and DNS proxies that I know of that have been patched.

yupp.... if you have no rules applied, you can't connect (3-way handshake) to the "open" ports, but portscan will show state open. If you have a rule applied, even if the destination does not exist, you can fully connect to the port.
> The SEF (Raptor) has two common ways of administration. The RCU (only on UNIX and deprecated in versions 7 and 8) and the RMC (from a Microsoft plug-in). Both can connect remotely via port 418 and both are encrypted. Rempass must also be run to enable these communications. The firewall admin will need to specify a FQDN or IP address and a passphrase specific to each workstation that they wish to be able to connect from.

SEF 8 and the Symantec appliance SGS 2 have a Java-based web interface, running on port 2456/tcp. In addition you can brute force some passwords via the Out-Of-Band-Daemon, which is running on port 888/tcp by default. The worst thing is that by default the admin interface is available on each interface :(
> If you're going to try to attack the servers behind the firewall, be sure to make everything RFC compliant as the Raptor is very strict when it comes to this (unless the admin selected "Disable application data scanning" when he created the rule).

That's really true..... and they don't tell you what RFC compliance for the SEF really means ;)
/Oliver
> Darren
>
> -----Original Message-----
> From: Jerry Shenk [mailto:jshenk () decommunications com]
> Sent: Sunday, July 04, 2004 7:02 PM
> To: pen-test () securityfocus com
> Subject: RE: Raptor firewall 6.1 port 80
>
> One feature with a Raptor firewall is that they seem to respond affirmatively to tons of stuff. For example, a portscan on pen-tests that I've done have shown lots of ports being open that really weren't. I haven't seen specifically what you're talking about with an admin login 'cuz I haven't gotten a login on any of them but I get ports showing up as open that I have verified are not actually open.
>
> -----Original Message-----
> From: Martin S [mailto:shurbanm () vuser vu union edu]
> Sent: Thursday, July 01, 2004 12:04 PM
> To: pen-test () securityfocus com
> Subject: Raptor firewall 6.1 port 80
>
> I am testing a couple of Raptor firewalls (6.1 apparently). And I ran Brutus on port 80 just to see what's going to happen using Forms authentication. It does pick up 2 successful authentications using (admin and backup as logins). However, this cannot be right as first of all it picks up different passwords (like aaa or academia on different runs) and secondly a web browser session on port 80 comes back with:
>
> "Service Unavailable The proxy is currently unable to handle the request due to a (possibly) temporary error. Extended error information is: If this situation persists, please contact your firewall administrator."
>
> Any ideas?
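The remark above that the admin interface is reachable on every interface by default can be checked from the firewall host's own listener table. This is an added example, not code from the thread or from Symantec: it parses `netstat -an`-style output and flags listeners on the management ports named in the message (418, 888, 2456) that are bound to the wildcard address or outside a management network. The function name, the sample lines and the 10.0.0.0/24 management network are assumptions.

```python
import ipaddress

# Management ports named in the message above (roles as described there).
MGMT_PORTS = {
    418: "RCU/RMC remote administration",
    888: "Out-Of-Band daemon",
    2456: "Java-based web interface (SEF 8 / SGS 2)",
}

# Constructed sample in `netstat -an` style; not captured from a real firewall.
SAMPLE = """\
tcp  0  0  0.0.0.0:2456   0.0.0.0:*        LISTEN
tcp  0  0  192.0.2.1:888  0.0.0.0:*        LISTEN
tcp  0  0  10.0.0.1:418   0.0.0.0:*        LISTEN
tcp  0  0  0.0.0.0:80     0.0.0.0:*        LISTEN
tcp  0  0  10.0.0.1:2456  10.0.0.50:51514  ESTABLISHED
"""


def exposed_mgmt_listeners(netstat_text, allowed_nets):
    """Return sorted (port, bind_addr, role) tuples for management listeners
    bound to the wildcard address or to an address outside allowed_nets."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP sockets in LISTEN state matter; skip everything else.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in MGMT_PORTS:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # unparseable local address; ignore the line
        # A wildcard bind covers every interface, including the external one.
        if ip.is_unspecified or not any(ip in net for net in allowed):
            findings.append((int(port), addr, MGMT_PORTS[int(port)]))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed management network: 10.0.0.0/24.
    for port, addr, role in exposed_mgmt_listeners(SAMPLE, ["10.0.0.0/24"]):
        print(f"{addr}:{port}  {role}: restrict to the management interface")
```

The check looks only at bind addresses; an interface filter in front of the listener, as mentioned earlier in the message, is not visible in this output and has to be verified separately.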