RE: PacketShaper

["Brewis, Mark" <mark.brewis () eds com>]

Filipe,

I had a look at one of these about three years ago; I sent out a similar
request and didn't get anything back.  I didn't find anything in its
deployed state, although you appear to have more ports available than I
remember seeing.  What is it using echo for?  

Obviously, a lot of things have moved on in that time with regard to
application testing.  Can you get anything out of the webserver at all?  Is
it an apache, tomcat or lynx derivative, or is it proprietary?  If you
haven't already, try using attacks against those as a starting place if it
is proprietary, and then fuzz on those.  It may be one of those things that
you feel ought to break, but never does.

No idea about the algorithm, I'm afraid.

Good luck,

Mark

Mark Brewis

Security Consultant
EDS
UK Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.

Tel:    +44 (0)1908 28 4013
Mbl:  +44 (0)7989 291 648
Fax:    +44 (0)1908 28 4393
E@:     mark.brewis () eds com

This email is confidential and intended solely for the use of the
individual(s) to whom it is addressed. Any views or opinions presented are
solely those of the author.  If you are not the intended recipient, be
advised that you have received this email in error and that any use,
dissemination, forwarding, printing, or copying of this mail is strictly
prohibited.

Precautions have been taken to minimise the risk of transmitting software
viruses, but you must carry out your own virus checks on any attachment to
this message. No liability can be accepted for any loss or damage caused by
software viruses.
 

> > -----Original Message-----
> > From: Filipe A. [mailto:incognito () patria ath cx]
> > Sent: 28 April 2004 10:48
> > To: pen-test () securityfocus com
> > Subject: PacketShaper
> >
> >
> >
> >  Hello. I'm in the middle of a pentest. On my client's network sits
> > a PacketShaper (v5.3.0) from Packeteer [1]. This seems to be a
> > commom device for traffic shaping yet I can't find any published
> > vulnerabilities for it. Open ports are 7, 21, 23 and 80. Both web and
> > telnet interfaces require only a password for authentication, no
> > username needed. Default pwds were no good. I can code a brute
> > forcer but was wondering if anyone here has audited one of these boxes
> > and can share some info.
> > SNMP read community is also available but I don't find any sensitive
> > information there, apart from traffic statistics. One last 
> > fact, I found
> > this quote in Packeteer's site regarding password recovery: 
> > "[...] contact Customer Support. After you provide them with 
> > your serial
> > number, they will generate a default password you can use to 
> > access your
> > unit via the command-line or browser interface." If I understand
> > correctly there's an algorithm somewhere that will generate a default
> > pwd for each box according to it's serial number. Any ideas? (social
> > engeneering is out of scope for this audit)
> >
> > Thanks in advance.
> >
> >
> > [1]
> > http://www.packeteer.com/prod-sol/products/packetshaper_topologies.cfm
> >
> >
> >
> >
> > --------------------------------------------------------------
> > ----------------
> > Ethical Hacking at the InfoSec Institute. Mention this ad and 
> > get $545 off
> > any course! All of our class sizes are guaranteed to be 10 
> > students or less
> > to facilitate one-on-one interaction with one of our expert 
> > instructors.
> > Attend a course taught by an expert instructor with years of 
> > in-the-field
> > pen testing experience in our state of the art hacking lab. 
> > Master the skills
> > of an Ethical Hacker to better assess the security of your 
> > organization.
> > Visit us at:
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > --------------------------------------------------------------
> > -----------------

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------