From: Oliver@greyhat.de
Date: Thu Jul 22 2004 - 06:15:02 EDT
Darren Webb wrote:
>Good evening,
>
>The Raptor (Symantec Enterprise) firewall, by default, runs several standard
>proxies (FTP, Telnet, HTTP, NNTP, SMTP, DNS, etc) that will return an open
>state to a scanner (these can be disabled by the admin but usually aren't).
>
>
you can disable the proxy services, but most are in use by your
firewall-rules (like DNS, http, ftp mail ).
If you want these ports to be shown only to certain ip-adresses, you
have to set a filter on the interface.
>Add user defined GSP's to the mix and you can have hundreds of "open" ports. The trick is unless a rule has been setup to allow you to utilize the
>port/proxy to reach a server behind the firewall or in the DMZ, you really
>can't do much of anything with it. There have been a couple of DDoS attacks
>against the telnet and DNS proxies that I know of that have been patched.
>
>
yupp.... if you have no rules applied, you cant connect (3way-handshake)
to the "open" ports, but portscan will show
state open. if you have a rule applied, even if the destination does not
exist, you can fully connect to the port.
>The SEF (Raptor) has two common ways of administration. The RCU (only on
>UNIX and depreciated in versions 7 and 8) and the RMC (from a Microsoft
>plug-in). Both can connect remotely via port 418 and both are encrypted.
>Rempass must also be run to enable these communications. The firewall admin
>will need to specify a FQDN or IP address and a passphrase specific to each
>workstation that they wish to be able to connect from.
>
>
SEF 8 and the symantec appliance SGS 2 have a javabased webinterface,
running on Port 2456/tcp.
In Addition you can brute force some passwords via the
Out-Of-Band-Daemon, which is running on port 888/tcp
by default. The worse thing is, that by default the admin-interface is
available on each interface :(
>If your going to try to attack the servers behind the firewall, be sure to
>make everything RFC compliant as the Raptor is very strict when it comes to
>this (unless the admin selected "Disable application data scanning" when he
>created the rule).
>
>
Thats realy true..... and they dont tell you what RFC-compliance for the
SEF realy means ;)
/Oliver
>Darren
>
>-----Original Message-----
>From: Jerry Shenk [mailto:jshenk@decommunications.com]
>Sent: Sunday, July 04, 2004 7:02 PM
>To: pen-test@securityfocus.com
>Subject: RE: Raptor firewall 6.1 port 80
>
>
>One feature with a Raptor firewall is that they seems to respond
>affirmatively to tons of stuff. For example, a portscan on pen-tests that
>I've done have shown lots of ports being open that really weren't. I haven't
>seen specifically what you're talking about with an admin login 'cuz I
>haven't gotten a login on any of them but I get ports showing up as open
>that I have verified are not actually open.
>
>-----Original Message-----
>From: Martin S [mailto:shurbanm@vuser.vu.union.edu]
>Sent: Thursday, July 01, 2004 12:04 PM
>To: pen-test@securityfocus.com
>Subject: Raptor firewall 6.1 port 80
>
>
>I am testing a couple of Raptor firewalls (6.1 apparently). And I ran Brutus
>on port 80 just to see what's going to happen using Forms authentication. It
>does pick up 2 successful authentications using (admin and backup as
>logins). However, this cannot be right as first of all it picks up different
>passwords (like aaa or academia on different runs) and secondly a web
>browser session on port 80 comes back with: " Service Unavailable The proxy
>is currently unable to handle the request due to a (possibly) temporary
>error. Extended error information is:
>
>If this situation persists, please contact your firewall administrator. "
>
>Any ideas?
>
>
>
>
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT