Hello, I am conducting a blind penetration test for a client and have identified the firewall to be Raptor 6.5. It appears to be loosely configured as the Raptor HTTP proxy server vulnerability (http://www.securityfocus.com/bid/2517) exists, and I can reach internal addresses, etc.

The port scan on the network revealed that many TCP ports were open on the firewall and on the hosts behind it. What seems strange to me is that the results of the nmap scan show the same ports open for every "active" host identified behind the Raptor. Is it possible that Raptor is talking to nmap and opening ports based on a single ruleset for any host behind the firewall? I can confirm that the hosts are separate machines using other techniques. For example, I don't see why the Raptor has port 1433/TCP open for the Solaris machine I can see in addition to several NT 4.0 hosts that might be running MS SQL Server.

The nmap scan shows the following ports open for ANY host that I can ping or confirm as being alive and behind the Raptor:

Port       State   Service (RPC)
21/tcp     open    ftp
23/tcp     open    telnet
25/tcp     open    smtp
70/tcp     open    gopher
80/tcp     open    http
110/tcp    open    pop-3
119/tcp    open    nntp
139/tcp    open    netbios-ssn
443/tcp    open    https
444/tcp    open    snpp
445/tcp    open    microsoft-ds
512/tcp    open    exec
513/tcp    open    login
514/tcp    open    shell
554/tcp    open    rtsp
1433/tcp   open    ms-sql-s
1720/tcp   open    unknown
5631/tcp   open    pcanywheredata
7070/tcp   open    unknown
8080/tcp   open    http-proxy
8181/tcp   open    unknown

Can anyone with Raptor 6.5 experience speak to this? Does this match up to some default configuration for 6.5? It seems to me that the firewall is misconfigured. For example, a developer could put a vanilla install of IIS 4 on one of my client's NT machines and unknowingly open up the whole network to attack since port 80 is opened by Raptor for the host even though it isn't currently running an HTTP service.
Josh <joshat_private>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:41:08 PST
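The symptom Josh describes (every live host reporting an identical open-port set) is what you would expect when an application-level proxy firewall answers the TCP handshake on the hosts' behalf. The following script, added here as an illustration and not part of the original post or any Raptor tooling, parses nmap grepable (-oG) output and flags groups of hosts that share exactly the same open TCP ports, so a tester or firewall administrator can spot the pattern before trusting per-host results. The scan lines are constructed sample data, not real scan output.

```python
"""Flag hosts whose open TCP port sets are identical across a scan.

An identical set on many unrelated hosts usually means a proxy firewall
completed the handshakes, not the hosts themselves, so the per-host
results say more about the firewall ruleset than about the hosts.
"""
from collections import defaultdict

# Constructed sample in nmap grepable (-oG) style; addresses are from
# the documentation range and the data is not from a real scan.
SAMPLE_GNMAP = """\
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (1020)
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (1020)
Host: 192.0.2.12 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (1020)
Host: 192.0.2.50 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1022)
"""


def parse_gnmap(text):
    """Return {host: frozenset(open TCP ports)} from -oG style lines."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        open_ports = set()
        for entry in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        result[host] = frozenset(open_ports)
    return result


def suspicious_port_sets(hosts, min_hosts=3):
    """Group hosts by identical open-port set; return sets shared by >= min_hosts."""
    by_set = defaultdict(list)
    for host, ports in hosts.items():
        by_set[ports].append(host)
    return {ports: sorted(h) for ports, h in by_set.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for ports, members in suspicious_port_sets(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{len(members)} hosts share open ports {sorted(ports)}: {members}")
        print("  Likely answered by a proxy firewall; verify with banner grabs per host.")
```

The hosts flagged together should be re-checked with a service-level probe (banner grab or protocol handshake), since the firewall accepting a SYN says nothing about whether the host behind it actually runs that service.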