Penetration Testing mailing list archives

Pentesting Old unsupported Firewall Appliances


From: Harold Castro <b0ydaem0n () yahoo com>
Date: Mon, 11 Jun 2007 01:56:00 -0700 (PDT)

Hi,

I'm new to pen testing.
Recently, I came across this firewall appliance running Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7 during an external pentest.

The nmap output on OS fingerprinting and service detection looks like:

Running (JUST GUESSING) : Nokia IPSO (98%), Checkpoint IPSO (90%)
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Nokia IP650 firewall appliance (runs IPSO 4.0 and CheckPoint Firewall-1/VPN-1 software) (98%), Nokia IPSO 4.1Build19 firewall (94%), Checkpoint VPN-1 running IPSO 4.1 (90%)

According to nessus and nikto scans, the apache and mod_ssl running on this particular host have several high risk vulnerabilities.

Now the next thing on my mind is to find out if those applications are really exploitable. The problem is, I'm not sure how to go about it.

Here's what's on my mind.

1. First, find out what the firmware version of that machine is.
2. Then find out if the apache version on that particular firmware really had security issues confirmed by the manufacturer and if there were any patches provided to address such issues. For this, I have to obtain the CHANGES logs, patch documentation, etc. But the problem is this is not like an open source thing where you have access to everything.

This creates a problem. How do you go about it? Should I just mention in the report that, "this particular host contains several high risk vulnerabilities and poses a significant risk. However, if you have applied the patches or done a firmware upgrade then you don't have to worry anymore."

And one more thing, if their appliance is no longer supported by the manufacturer, do you give a replacement suggestion in your report?

Since I'm doing an external black box pentest, I have to rely on some tools for OS fingerprinting. Nmap guesses it to be either Nokia IPSO 4.0 or 4.1Build19. Now I tried googling for that particular appliance (IP650) and I found out that the appliance is too old, as its existence dates back as early as 1999. I'm having a hard time trying to find anything that can be useful for this.

If all else fails, do you tell the customer that it is safe to ignore those warnings and vulnerabilities because you, from a hacker's perspective, were not able to penetrate the network by making use of those vulnerabilities found, and that the hacker might have a hard time as well and eventually opt for another target?

That's all for now.
Thanks.
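Added example, not from the poster or anyone on the list: a small Python triage helper that parses the Server banner quoted in the post into component versions and labels each scanner finding as version-inferred rather than confirmed, which is the distinction the reporting question turns on. The `FIXED_IN` thresholds and the `VERDICTS` wording are constructed placeholders, not vendor advisory data.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the Server banner quoted in the post above.
BANNER = "Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7"

# PLACEHOLDER "first fixed in" versions, constructed only to drive the demo.
# Real thresholds must come from the appliance vendor's advisories, not from
# upstream notes: vendors backport fixes without changing the banner string.
FIXED_IN = {"Apache": "1.3.27", "mod_ssl": "2.8.12", "OpenSSL": "0.9.7a"}

VERDICTS = {
    "below": "banner predates fix: UNCONFIRMED, needs vendor patch status",
    "fixed": "banner at or above fixed version: likely not affected",
    "noversion": "no version in banner: cannot assess from banner alone",
    "unknown": "no threshold on file: research separately",
}

def parse_banner(banner: str) -> Dict[str, str]:
    """Split an Apache-style Server header into {component: version}.
    Parenthesised tokens such as '(Unix)' are OS comments and are dropped;
    modules without a version (mod_dtcl) map to an empty string."""
    components: Dict[str, str] = {}
    for token in re.findall(r"\S+", banner):
        if not token.startswith("("):
            name, _, version = token.partition("/")
            components[name] = version
    return components

def version_key(version: str) -> Tuple:
    """Comparable key: numeric parts as ints, letter suffixes sort after the
    bare release, so 2.8.10 > 2.8.9 (not a string compare) and 0.9.7 < 0.9.7a."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", version.lower()))

def triage(banner: str, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, version, verdict code) per component; see VERDICTS."""
    results = []
    for name, version in parse_banner(banner).items():
        if not version:
            code = "noversion"
        elif name not in fixed_in:
            code = "unknown"
        elif version_key(version) < version_key(fixed_in[name]):
            code = "below"
        else:
            code = "fixed"
        results.append((name, version, code))
    return results
```

Run `triage(BANNER, FIXED_IN)` and map each code through `VERDICTS` to get one report line per component that carries its confidence qualifier; a "below" result is a reason to ask the vendor or the customer for patch status, not a confirmed exposure.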