Penetration Testing: Re: Raptor firewall 6.1 port 80

["Oliver () greyhat de" <Oliver () greyhat de>]

Darren Webb wrote:

> Good evening,
>
> The Raptor (Symantec Enterprise) firewall, by default, runs several standard
> proxies (FTP, Telnet, HTTP, NNTP, SMTP, DNS, etc) that will return an open
> state to a scanner (these can be disabled by the admin but usually aren't).
>  
you can disable the proxy services, but most are in use by your 
firewall-rules (like DNS, http, ftp mail ).
If you want these ports to be shown only to certain ip-adresses, you 
have to set a filter on the interface.
> Add user defined GSP's to the mix and you can have hundreds of "open" ports. The trick is unless a rule has been setup 
> to allow you to utilize the
> port/proxy to reach a server behind the firewall or in the DMZ, you really
> can't do much of anything with it.  There have been a couple of DDoS attacks
> against the telnet and DNS proxies that I know of that have been patched.
>  
yupp.... if you have no rules applied, you cant connect (3way-handshake) 
to the "open" ports, but portscan will show
state open. if you have a rule applied, even if the destination does not 
exist, you can fully connect to the port.
> The SEF (Raptor) has two common ways of administration.  The RCU (only on
> UNIX and depreciated in versions 7 and 8) and the RMC (from a Microsoft
> plug-in).  Both can connect remotely via port 418 and both are encrypted.
> Rempass must also be run to enable these communications.  The firewall admin
> will need to specify a FQDN or IP address and a passphrase specific to each
> workstation that they wish to be able to connect from.  
>  
SEF 8 and the symantec appliance SGS 2 have a javabased webinterface, 
running on Port 2456/tcp.
In Addition you can brute force some passwords via the 
Out-Of-Band-Daemon, which is running on port 888/tcp
by default. The worse thing is, that by default the admin-interface is 
available on each interface :(
> If your going to try to attack the servers behind the firewall, be sure to
> make everything RFC compliant as the Raptor is very strict when it comes to
> this (unless the admin selected "Disable application data scanning" when he
> created the rule).
>  
Thats realy true..... and they dont tell you what RFC-compliance for the 
SEF realy means ;)
/Oliver

> Darren
>
> -----Original Message-----
> From: Jerry Shenk [mailto:jshenk () decommunications com] 
> Sent: Sunday, July 04, 2004 7:02 PM
> To: pen-test () securityfocus com
> Subject: RE: Raptor firewall 6.1 port 80
>
>
> One feature with a Raptor firewall is that they seems to respond
> affirmatively to tons of stuff.  For example, a portscan on pen-tests that
> I've done have shown lots of ports being open that really weren't. I haven't
> seen specifically what you're talking about with an admin login 'cuz I
> haven't gotten a login on any of them but I get ports showing up as open
> that I have verified are not actually open.
>
> -----Original Message-----
> From: Martin S [mailto:shurbanm () vuser vu union edu] 
> Sent: Thursday, July 01, 2004 12:04 PM
> To: pen-test () securityfocus com
> Subject: Raptor firewall 6.1 port 80
>
>
> I am testing a couple of Raptor firewalls (6.1 apparently). And I ran Brutus
> on port 80 just to see what's going to happen using Forms authentication. It
> does pick up 2 successful authentications using (admin and backup as
> logins). However, this cannot be right as first of all it picks up different
> passwords (like aaa or academia on different runs) and secondly a web
> browser session on port 80 comes back with: " Service Unavailable The proxy
> is currently unable to handle the request due to a (possibly) temporary
> error. Extended error information is:
>
> If this situation persists, please contact your firewall administrator. "
>
> Any ideas?
>
>
>
>