Penetration Testing
mailing list archives
Re: Looks like a Borderware firewall
From: Alif The Terrible <measl () mfn org>
Date: Mon, 26 Aug 2002 14:04:43 -0500 (CDT)
I believe the encryption algorithm was published on cypherpunks about 2 years
ago: Google is your friend.
On Thu, 22 Aug 2002, The Blueberry wrote:
Date: Thu, 22 Aug 2002 18:52:35 +0000
From: The Blueberry <acr872k () hotmail com>
To: jfernandez () germinus com
Cc: pen-test () securityfocus com
Subject: Looks like a Borderware firewall
But as we are on the subject, does anyone know what is used as
credentials for the Checkpoint? Are there default passwords? I did not
find them in my default password lists...
Not that I know of. Which Checkpoint? You didn't talk of any.
LOL! Looks like I was *a bit* tired at that point.. anyway.. I tried the
BWClient utility and realized that it sent POST requests while
communicating with the firewall.. I think I will brute force the password
but for this I must reproduce the behavior of BWClient. I know that it sends
out the password ("password" in this case, but for the same password it
changes each time) in this format:
QOs_9OGelB05RYaW8fo70TsO7ZH5r5uHZuKdAml3BlLU1ps4Cp0g6SFV.pGLVqEN
Does anyone recognize the hashing algorithm used? I searched the borderware site
to no avail.. They only say that the entire session can be encrypted through
ssl on port 442.. Even BWClient.exe's disassembly gave no (apparent) clues.
--TB
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
--
Yours,
J.A. Terranson
sysadmin () mfn org
If Governments really want us to behave like civilized human beings, they
should give serious consideration towards setting a better example:
Ruling by force, rather than consensus; the unrestrained application of
unjust laws (which the victim-populations were never allowed input on in
the first place); the State policy of justice only for the rich and
elected; the intentional abuse and occasionally destruction of entire
populations merely to distract an already apathetic and numb electorate...
This type of demagoguery must surely wipe out the fascist United States
as surely as it wiped out the fascist Union of Soviet Socialist Republics.
The views expressed here are mine, and NOT those of my employers,
associates, or others. Besides, if it *were* the opinion of all of
those people, I doubt there would be a problem to bitch about in the
first place...
--------------------------------------------------------------------