Re: Raptor firewall 6.1 port 80

Oliver_at_greyhat.de
Date: 07/22/04

  • Next message: Liberty.Anthony_at_Datacraft-Asia.com: "RE: Find out the subnetting of a company" 
    Date: Thu, 22 Jul 2004 12:15:02 +0200
To: Darren Webb <spyder007@charter.net>

    Darren Webb wrote:

    >Good evening,
    >
    >The Raptor (Symantec Enterprise) firewall, by default, runs several standard
    >proxies (FTP, Telnet, HTTP, NNTP, SMTP, DNS, etc) that will return an open
    >state to a scanner (these can be disabled by the admin but usually aren't).
    >
    >
    you can disable the proxy services, but most are in use by your
    firewall-rules (like DNS, http, ftp mail ).
    If you want these ports to be shown only to certain ip-adresses, you
    have to set a filter on the interface.

    >Add user defined GSP's to the mix and you can have hundreds of "open" ports. The trick is unless a rule has been setup to allow you to utilize the
    >port/proxy to reach a server behind the firewall or in the DMZ, you really
    >can't do much of anything with it. There have been a couple of DDoS attacks
    >against the telnet and DNS proxies that I know of that have been patched.
    >
    >
    yupp.... if you have no rules applied, you cant connect (3way-handshake)
    to the "open" ports, but portscan will show
    state open. if you have a rule applied, even if the destination does not
    exist, you can fully connect to the port.

    >The SEF (Raptor) has two common ways of administration. The RCU (only on
    >UNIX and depreciated in versions 7 and 8) and the RMC (from a Microsoft
    >plug-in). Both can connect remotely via port 418 and both are encrypted.
    >Rempass must also be run to enable these communications. The firewall admin
    >will need to specify a FQDN or IP address and a passphrase specific to each
    >workstation that they wish to be able to connect from.
    >
    >
    SEF 8 and the symantec appliance SGS 2 have a javabased webinterface,
    running on Port 2456/tcp.
    In Addition you can brute force some passwords via the
    Out-Of-Band-Daemon, which is running on port 888/tcp
    by default. The worse thing is, that by default the admin-interface is
    available on each interface :(

    >If your going to try to attack the servers behind the firewall, be sure to
    >make everything RFC compliant as the Raptor is very strict when it comes to
    >this (unless the admin selected "Disable application data scanning" when he
    >created the rule).
    >
    >
    Thats realy true..... and they dont tell you what RFC-compliance for the
    SEF realy means ;)

    /Oliver

    >Darren
    >
    >-----Original Message-----
    >From: Jerry Shenk [mailto:jshenk@decommunications.com]
    >Sent: Sunday, July 04, 2004 7:02 PM
    >To: pen-test@securityfocus.com
    >Subject: RE: Raptor firewall 6.1 port 80
    >
    >
    >One feature with a Raptor firewall is that they seems to respond
    >affirmatively to tons of stuff. For example, a portscan on pen-tests that
    >I've done have shown lots of ports being open that really weren't. I haven't
    >seen specifically what you're talking about with an admin login 'cuz I
    >haven't gotten a login on any of them but I get ports showing up as open
    >that I have verified are not actually open.
    >
    >-----Original Message-----
    >From: Martin S [mailto:shurbanm@vuser.vu.union.edu]
    >Sent: Thursday, July 01, 2004 12:04 PM
    >To: pen-test@securityfocus.com
    >Subject: Raptor firewall 6.1 port 80
    >
    >
    >I am testing a couple of Raptor firewalls (6.1 apparently). And I ran Brutus
    >on port 80 just to see what's going to happen using Forms authentication. It
    >does pick up 2 successful authentications using (admin and backup as
    >logins). However, this cannot be right as first of all it picks up different
    >passwords (like aaa or academia on different runs) and secondly a web
    >browser session on port 80 comes back with: " Service Unavailable The proxy
    >is currently unable to handle the request due to a (possibly) temporary
    >error. Extended error information is:
    >
    >If this situation persists, please contact your firewall administrator. "
    >
    >Any ideas?
    >
    >
    >
    >
    >

  • Next message: Liberty.Anthony_at_Datacraft-Asia.com: "RE: Find out the subnetting of a company"

    Relevant Pages

    • Website setup questions.
      ... Create firewall rule to direct HTTP port 80 to the SBS External NIC ... Create firewall rule to point DNS port 53 to the SBS External NIC ... NICS to get this request to not timeout or be refused. ...
      (microsoft.public.windows.server.sbs)
    • RE: strange traffic on UDP port 53
      ... Replies to DNS queries should be coming FROM port 53, ... > found a similar problem with packets being stopped by our firewall. ... The destination IP is our mail server (not ...
      (Incidents)
    • Re: port 53, please help!
      ... >> port 53 as blocked. ... >to folks with a Win98 connected thru a firewall to internet. ... find out the IP addresses of all your DNS servers. ...
      (comp.security.firewalls)
    • Re: router security
      ... Is it a stateless firewall, or does it do "Stateful Packet Inspection" ... Or does it just build a general network address translation? ... For example, if you had a DNS server running on your Debian machine, ... approach of using UDP port 53 as the source port for the outgoing ...
      (comp.security.misc)
    • Re: Public DNS names for SBS 2K3 - Question
      ... In what document did you find these recommendations for DNS names. ... > you're using, if you are using standard ports, the port is ... >>firewall and routed them to the same port on the SBS ... > document it recommends ...
      (microsoft.public.windows.server.sbs)