Penetration Testing mailing list archives
Re: Raptor Firewall 6.5 Config
From: "Johann van Duyn" <Johann_van_Duyn () bat com>
Date: Wed, 9 Jan 2002 10:07:03 +0200
Amen to Mike's response. A pen-tester normally smiles very broadly when first portscanning a network protected by a Raptor box, but often ends up pulling his/her hair out when they are unable to actually do anything with the results from the scans... I used to look after a site that sat behind a Raptor box, and would get calls from security companies wanting our business and offering to do a free 'light test' of our network, basically rattling our doors. They would often claim that they found numerous ports open, but when I challenged them to do something with those ports, they went away. I loved it. :-) Sloppy patching procedures do not necessarily reflect on the quality of the ruleset. If the Raptor ruleset is any good, you'll have your work cut out actually exploiting anything on the inside of the network you're testing, outside of what the unpatched HTTP proxy server vulnerability lets you do. Cheers ----------------------------------------- Johann van Duyn, CISSP E:mail: johann_van_duyn () bat com ----------------------------------------- "We see things as we are, not as they are." -- Leon Rosten |------------------------+------------------------> | | Mike Shaw | | | <mshaw () wwisp com> | | | | | | 2002/01/08 19:12 | | | | |------------------------+------------------------> >------------------------| | | | To: | | Josh <josh () sway org>,| | pen-test@securityfocu| | s.com | | cc: | | (bcc: Johann van | | Duyn/Stellenbosch/ZA/| | BATCo) | | Subject: | | Re: Raptor Firewall | | 6.5 Config | >------------------------| [IMAGE] I worked with raptor for several years, and what you are observing are the infamous "Raptor false positives". It's been few months since I worked with a Raptor box, but my understanding is this. Once raptor has a standard proxy or GSP enabled, it 'opens' that port on all interfaces. It allows you to make the connection to the outside interface, and then uses the rules to allow or deny the subsequent proxied connection. Thus, you can 'connect' to all those ports, but you won't actually connect to the host unless there is a rule allowing it. So the only real danger is if they have misconfigured their rules. If they put an "http universe - universe" rule in there, then yes--you'll be able to hit any box on the inside. However, if they have a well designed ruleset you will only be able to hit the boxes they've explicitly allowed. And if they've done it *right*, you will only be able to initiate connections from the outside (thereby eliminating any shoveled prompts, mailed pwdump output, etc). However, the fact that they have not patched the firewall indicates a high probability of over-permissive rules. Another thing to watch out for. If they used a GSP (generic proxy) on those high ports (7070, 8080, etc) instead of the regular HTTP proxies, then you can do things that the normal HTTP proxy would have blocked. I *think* this is true for FTP too if they used a redirection instead of the normal proxy method (normal being log in to the outside interface then use username@hostname to be forwarded). It's no fun for an auditor/pen-tester, because a plain ol' port scan won't give you the intelligence you're looking for. Instead, you have to look through manually or do some creative scripting. On the other hand, you can instantly tell certain things, since an open port other than the default list means a rule from 'somewhere to somewhere' which probably wouldn't be there unless it's in use. For instance, you know they are using PCAnywhere and MSSQL. That's something you may or may not have known before. Remember too that they can do port redirection, so even if you do see a particular service running on all hosts, that could mean that they've redirected several or all IP:ports to a single internal box. -Mike At 02:37 AM 1/8/2002 +0000, Josh wrote:
Hello, I am conducting a blind penetration test for a client and have identified the firewall to be Raptor 6.5. It appears to be loosely configured as the Raptor HTTP proxy server vulnerability (http://www.securityfocus.com/bid/2517) exists, and I can reach internal addresses, etc. The port scan on the network revealed that many TCP ports were open on the firewall and on the hosts behind it. What seems strange to me is that the results of the nmap scan show the same ports open for every "active" host identified behind the Raptor. Is it possible that Raptor is talking to nmap and opening ports based on a single ruleset for any host behind the firewall? I can confirm that the hosts are separate machines using other techniques. For example, I don't see why the Raptor has port 1433/TCP open for the Solaris machine I can see in addition to several NT 4.0 hosts that might be running MS SQL Server. The nmap scan shows the following ports open for ANY host that I can ping or confirm as being alive and behind the Raptor: Port State Service (RPC) 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 70/tcp open gopher 80/tcp open http 110/tcp open pop-3 119/tcp open nntp 139/tcp open netbios-ssn 443/tcp open https 444/tcp open snpp 445/tcp open microsoft-ds 512/tcp open exec 513/tcp open login 514/tcp open shell 554/tcp open rtsp 1433/tcp open ms-sql-s 1720/tcp open unknown 5631/tcp open pcanywheredata 7070/tcp open unknown 8080/tcp open http-proxy 8181/tcp open unknown Can anyone with Raptor 6.5 experience speak to this? Does this match up to some default configuration for 6.5? It seems to me that the firewall is misconfigured. For example, a developer could put a vanilla install of IIS 4 on one of my client's NT machines and unknowlingly open up the whole network to attack since port 80 is opened by Raptor for the host even though it isn't currently running an HTTP service. Josh <josh () sway org> --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
--------------------------------------------------------------------------- - This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ (Embedded image moved to file: pic21877.pcx) Confidentiality Notice: The information in this document and attachments is confidential and may also be legally privileged. It is intended only for the use of the named recipient. Internet communications are not secure and therefore British American Tobacco does not accept legal responsibility for the contents of this message. If you are not the intended recipient,please notify us immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies. Violation of this notice may be unlawful.
Attachment:
pic21877.pcx
Description:
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Raptor Firewall 6.5 Config Josh (Jan 08)
- Re: Raptor Firewall 6.5 Config Mike Shaw (Jan 08)
- Re: Raptor Firewall 6.5 Config Derrick (Jan 09)
- <Possible follow-ups>
- Re: Raptor Firewall 6.5 Config Johann van Duyn (Jan 09)
- RE: Raptor Firewall 6.5 Config Slighter, Tim (Jan 09)
- Re: Raptor Firewall 6.5 Config Mike Shaw (Jan 08)