Penetration Testing mailing list archives
Re: PacketShaper
From: Stephen Bernard <sbernard () gmu edu>
Date: Tue, 04 May 2004 14:35:13 -0400
GRUPOHEMAC.- juan davila wrote:
Upgrade the software to version 6 and configure only access on interfaces inbound for management .Hemac Teleinformatica Ing. Juan Carlos Davila Ortiz Ingenieria Chapultepec # 710 Col. Moderna 3616-3824 Guadalajara, Jal. jdavila () grupohemac com mx ---------- Original Message ----------- From: "Brewis, Mark" <mark.brewis () eds com> To: "'Filipe A.'" <incognito () patria ath cx>, pen-test () securityfocus comSent: Mon, 3 May 2004 20:56:11 +0100 Subject: RE: PacketShaperFilipe, I had a look at one of these about three years ago; I sent out a similar request and didn't get anything back. I didn't find anything in itsdeployed state, although you appear to have more ports available than I remember seeing. What is it using echo for?Obviously, a lot of things have moved on in that time with regard toapplication testing. Can you get anything out of the webserver at all? Is it an apache, tomcat or lynx derivative, or is it proprietary? If you haven't already, try using attacks against those as a starting place if it is proprietary, and then fuzz on those. It may be one of those things that you feel ought to break,but never does. No idea about the algorithm, I'm afraid. Good luck, Mark Mark Brewis Security Consultant EDS UK Information Assurance Group Wavendon Tower Milton Keynes Buckinghamshire MK17 8LX. Tel: +44 (0)1908 28 4013 Mbl: +44 (0)7989 291 648 Fax: +44 (0)1908 28 4393 E@: mark.brewis () eds com This email is confidential and intended solely for the use of theindividual(s) to whom it is addressed. Any views or opinions presented are solely those of the author. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this mail is strictly prohibited.Precautions have been taken to minimise the risk of transmitting softwareviruses, but you must carry out your own virus checks on any attachment to this message. No liability can be accepted for any loss or damage caused by software viruses.-----Original Message----- From: Filipe A. [mailto:incognito () patria ath cx] Sent: 28 April 2004 10:48 To: pen-test () securityfocus com Subject: PacketShaper Hello. I'm in the middle of a pentest. On my client's network sits a PacketShaper (v5.3.0) from Packeteer [1]. This seems to be a commom device for traffic shaping yet I can't find any published vulnerabilities for it. Open ports are 7, 21, 23 and 80. Both web and telnet interfaces require only a password for authentication, no username needed. Default pwds were no good. I can code a brute forcer but was wondering if anyone here has audited one of these boxes and can share some info. SNMP read community is also available but I don't find any sensitiveinformation there, apart from traffic statistics. One last fact, I found this quote in Packeteer's site regarding password recovery: "[...] contact Customer Support. After you provide them with your serial number, they will generate a default password you can use to access yourunit via the command-line or browser interface." If I understand correctly there's an algorithm somewhere that will generate a default pwd for each box according to it's serial number. Any ideas? (social engeneering is out of scope for this audit) Thanks in advance. [1] http://www.packeteer.com/prod-sol/products/packetshaper_topologies.cfm -------------------------------------------------------------- ----------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------- -----------------------------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at:http://www.infosecinstitute.com/courses/ethical_hacking_training.html------------------------------------------------------------------------------- ------- End of Original Message ------- ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
I have managed PacketShapers for several years. The boxes run a modified FreeBSD codebase and act as transparent bridges, with the exception of the management interface. There have been a several vulnerabilities resulting from issues with OpenSSH, OpenSSL, Apache, etc. but nothing that I would blame on Packeteer. Depending on how the box is configured and implemented, it is possible to circumvent some of its control capabilities, and also to DoS the box. If you could root the box there are obviously a lot of "fun" things that could be done to the traffic passing through it. Crashing the box could be fruitful/interesting as they fail open, but obviously without any bandwidth/traffic controls running. This is also the case if power to the device is disrupted.
Steve ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- RE: PacketShaper Brewis, Mark (May 03)
- RE: PacketShaper GRUPOHEMAC.- juan davila (May 04)
- Re: PacketShaper Stephen Bernard (May 04)
- RE: PacketShaper Filipe A. (May 04)
- <Possible follow-ups>
- RE: PacketShaper Steve Goldsby (ICS) (May 04)
- RE: PacketShaper GRUPOHEMAC.- juan davila (May 04)