Penetration Testing mailing list archives
Pentesting Old unsupported Firewall Appliances
From: Harold Castro <b0ydaem0n () yahoo com>
Date: Mon, 11 Jun 2007 01:56:00 -0700 (PDT)
Hi,

I'm new to pen testing. Recently, I came across this firewall appliance running Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7 during an external pentest.

The nmap output on OS fingerprinting and service detection looks like:

    Running (JUST GUESSING) : Nokia IPSO (98%), Checkpoint IPSO (90%)
    OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
    Aggressive OS guesses: Nokia IP650 firewall appliance (runs IPSO 4.0 and CheckPoint Firewall-1/VPN-1 software) (98%), Nokia IPSO 4.1Build19 firewall (94%), Checkpoint VPN-1 running IPSO 4.1 (90%)

According to the nessus and nikto scans, the apache and mod_ssl running on this particular host have several high risk vulnerabilities.

Now the next thing on my mind is to find out if those applications are really exploitable. The problem is, I'm not sure how to go about it. Here's what's on my mind.

1. First, find out what the firmware version of that machine is.
2. Then find out if the apache version on that particular firmware really had security issues confirmed by the manufacturer, and if there were any patches provided to address such issues. For this, I have to obtain the CHANGES logs, patch documentation etc. But the problem is this is not like an open source thing where you have access to everything.

This creates a problem. How do you go about it? Should I just mention in the report that "this particular host contains several high risk vulnerabilities and poses a significant risk. However, if you have applied the patches or did a firmware upgrade then you don't have to worry anymore."?

And one more thing: if their appliance is no longer supported by the manufacturer, do you give a replacement suggestion in your report?

Since I'm doing an external black box pentest, I have to rely on some tools for OS fingerprinting. Nmap guesses it to be either Nokia IPSO 4.0 or 4.1Build19. Now I tried googling for that particular appliance (IP650) and I found out that the appliance is too old, as its existence dates back as early as 1999. I'm having a hard time trying to find anything that can be useful for this.

If all else fails, do you tell the customer that it is safe to ignore those warnings and vulnerabilities because you, from a hacker's perspective, were not able to penetrate the network by making use of those vulnerabilities found, and that a hacker might have a hard time as well and eventually opt for another target?

That's all for now. Thanks.
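As an added example that is not part of Harold's post or of any tool it names: a small Python triage helper that parses a Server banner like the one quoted above into component/version pairs and compares each against a caller-supplied "first fixed version" table. The FIXED_IN table is a constructed placeholder, not real advisory data, and every match is emitted as an unconfirmed candidate, because an appliance banner shows the advertised version but not whether the vendor shipped a backported fix.

```python
"""Triage helper for banner-derived findings (added example, not from the post).

Parses a Server banner into component/version pairs and compares each against
a 'first fixed version' table supplied by the tester. Matches are reported as
candidates with confirmed=False: appliance firmware and vendor backports often
leave the banner unchanged after patching, so a banner alone is not proof.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the banner quoted in the post.
BANNER = "Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7"

# Placeholder table (constructed, not real advisory data):
# component -> version in which the tester's reference advisory says the
# issue was fixed. Replace with values taken from the actual advisories.
FIXED_IN = {"Apache": "1.3.99", "mod_ssl": "2.8.99", "OpenSSL": "0.9.7z"}

_TOKEN = re.compile(r"([A-Za-z_][\w-]*)/([\w.]+)")
_PART = re.compile(r"\d+|[A-Za-z]+")


def parse_banner(banner: str) -> Dict[str, str]:
    """Return {component: version} for every 'name/version' token.
    Tokens without a version (e.g. 'mod_dtcl') and parenthesised
    platform notes such as '(Unix)' are ignored."""
    return {name: ver for name, ver in _TOKEN.findall(banner)}


def version_key(version: str) -> Tuple:
    """Split '0.9.7z' or '4.1Build19' into a comparable tuple.
    Numeric runs compare numerically, letter runs lexically, and a bare
    version sorts before the same version with a suffix (0.9.7 < 0.9.7z)."""
    parts = []
    for p in _PART.findall(version):
        parts.append((0, int(p), "") if p.isdigit() else (1, 0, p.lower()))
    return tuple(parts)


def candidate_findings(banner: str, fixed_in: Dict[str, str]) -> List[dict]:
    """List components whose advertised version predates fixed_in.
    Each entry is marked confirmed=False until verified by other means."""
    out = []
    for comp, ver in parse_banner(banner).items():
        fixed = fixed_in.get(comp)
        if fixed and version_key(ver) < version_key(fixed):
            out.append({"component": comp, "advertised": ver,
                        "first_fixed": fixed, "confirmed": False})
    return out


if __name__ == "__main__":
    for finding in candidate_findings(BANNER, FIXED_IN):
        print(finding)
```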
Current thread:
- Pentesting Old unsupported Firewall Appliances Harold Castro (Jun 11)
- Re: Pentesting Old unsupported Firewall Appliances Jamie Riden (Jun 15)
- RE: Pentesting Old unsupported Firewall Appliances Clemens, Dan (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances Tiago Batista (Jun 15)
- Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances mOses (Jun 15)
- Re: Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances Michael Painter (Jun 21)
- Firewall Leak Testing Was Re: Pentesting Old unsupported Firewall Appliances mOses (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances Security Guy (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances vtlists (Jun 15)
- <Possible follow-ups>
- RE: Pentesting Old unsupported Firewall Appliances Michael Scheidell (Jun 15)
- Re: Pentesting Old unsupported Firewall Appliances Jamie Riden (Jun 15)