RE: Raptor firewall 6.1 port 80

From: Darren Webb (spyder007@charter.net)
Date: Mon Jul 05 2004 - 23:10:06 EDT


Good evening,

The Raptor (Symantec Enterprise) firewall, by default, runs several standard
proxies (FTP, Telnet, HTTP, NNTP, SMTP, DNS, etc) that will return an open
state to a scanner (these can be disabled by the admin but usually aren't).
Add user defined GSP's to the mix and you can have hundreds of "open" ports.
The trick is unless a rule has been setup to allow you to utilize the
port/proxy to reach a server behind the firewall or in the DMZ, you really
can't do much of anything with it. There have been a couple of DDoS attacks
against the telnet and DNS proxies that I know of that have been patched.

The SEF (Raptor) has two common ways of administration. The RCU (only on
UNIX and depreciated in versions 7 and 8) and the RMC (from a Microsoft
plug-in). Both can connect remotely via port 418 and both are encrypted.
Rempass must also be run to enable these communications. The firewall admin
will need to specify a FQDN or IP address and a passphrase specific to each
workstation that they wish to be able to connect from.

If your going to try to attack the servers behind the firewall, be sure to
make everything RFC compliant as the Raptor is very strict when it comes to
this (unless the admin selected "Disable application data scanning" when he
created the rule).

Darren

-----Original Message-----
From: Jerry Shenk [mailto:jshenk@decommunications.com]
Sent: Sunday, July 04, 2004 7:02 PM
To: pen-test@securityfocus.com
Subject: RE: Raptor firewall 6.1 port 80

One feature with a Raptor firewall is that they seems to respond
affirmatively to tons of stuff. For example, a portscan on pen-tests that
I've done have shown lots of ports being open that really weren't. I haven't
seen specifically what you're talking about with an admin login 'cuz I
haven't gotten a login on any of them but I get ports showing up as open
that I have verified are not actually open.

-----Original Message-----
From: Martin S [mailto:shurbanm@vuser.vu.union.edu]
Sent: Thursday, July 01, 2004 12:04 PM
To: pen-test@securityfocus.com
Subject: Raptor firewall 6.1 port 80

I am testing a couple of Raptor firewalls (6.1 apparently). And I ran Brutus
on port 80 just to see what's going to happen using Forms authentication. It
does pick up 2 successful authentications using (admin and backup as
logins). However, this cannot be right as first of all it picks up different
passwords (like aaa or academia on different runs) and secondly a web
browser session on port 80 comes back with: " Service Unavailable The proxy
is currently unable to handle the request due to a (possibly) temporary
error. Extended error information is:

If this situation persists, please contact your firewall administrator. "

Any ideas?



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:57 EDT