Skip to main content

Cisco PIX firewall

More
18 years 1 month ago #17811 by Worker
Cisco PIX firewall was created by Worker
Hi!

I have to make some work and testing for my University. Testing must include PIX 501 firewall. First idea was to make a LAN configuration with that firewall and then test to find if there are any holes and vulnerabilities and to break through firewall. I am not sure if that is possible because that is one of the best firewalls. So, does anybody have any idea about that? Or does anybody know what other interesting testing could be done with that firewall?

Thanks!
More
18 years 1 month ago #17812 by Smurf
Replied by Smurf on topic Re: Cisco PIX firewall
I think you will struggle to break the Pix firewall from external. Its pretty secure unless its miss-configured. What you could do for your project is prove that regardless of the firewall, if your internal applications are weak then you can still penetrate the network.

What i would do if this project was good enough for your University course is; setup the firewall onto a test network as you suggested. Configure the Pix with an external IP Address to simulate the Internet (just give it some sort of external address range). Configure the inside address with an internal address range, setup your NAT (static to publish a server on the Internal address range). Then if you install Windows 2000 without any patching and setup IIS 5, there are several vulnerability scanners out there that can hack the IIS Server, giving full access to the server.

Might be a good project to say that it doesn't really matter just about a firewall, you need to ensure all the internal servers that are accessed over the network are also hardened.

Just an idea :)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
18 years 1 month ago #17820 by Worker
Replied by Worker on topic Re: Cisco PIX firewall
Very good, thanks!
Tell me, can I do the same thing but with Windows XP and a similar server? And are there other applications that are vulnerable to that sort of hacking?
More
18 years 1 month ago #17830 by Smurf
Replied by Smurf on topic Re: Cisco PIX firewall
Hi there,

Unfortunatley with Windows XP and Windows 2003 Microsoft have been pretty much on the ball with security. Microsoft are doing loads of new stuff to help secure their operating systems as part of the "MIcrosoft Trust Worthy Computing" scheme. Basically, they are getting all their code, proof checked for Buffer Underuns and the like by other developers in other teams within MS in order to ensure that its as secure as possible (there are always going to be programming mistakes).

The reason i suggested Windows 2000 is that their is a tool that can attack a unpatched Windows 2000 IIS 5 server. I came across this in the Ethical Hacking course that i did (cannot for the life of me remember what its called, i will look it up if you want more details) and it was very good.

It maybe also worth trying Windows NT unpatched because you can do a Ping of Death on that OS which, if you enabled Ping through the firewall will preform a sort of DoS attack (although usually you block Pings, but its a good proof of concept for your University work)

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
18 years 1 month ago #17858 by Smurf
Replied by Smurf on topic Re: Cisco PIX firewall
Sorry for the delay in replying to your PM. I thought i would post the request here incase any other members are interested...

I have looked through my stuff and their are issues with Windows 2000 (Pre service pack 3) with IIS 5 which allow directory traversal attacks. There are several exploits that you will be able to find over the Internet including;

1) IPP Vulnerability (IIS5 Printer Overflow Vulnerability)

packetstormsecurity.org/0111-exploits/ called IIS5-koei.exe written by eSDee.

2) There is also the Lsass vulnerability. If exploited this will shut down the remote IIS Server. A file for this is called ms04-007-dos.exe

Take a look here archives.neohapsis.com/archives/fulldisc...re/2004-02/0786.html

3) Finally, an Unicode vulnerabilty which gives you access to the file system. This can be done using something called iisxploit.exe

These tools should be able to help you with your university project if you tutor will allow you to do this.

Cheers and good look in your project

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
18 years 1 month ago #18083 by Smurf
Replied by Smurf on topic Re: Cisco PIX firewall
Hi Worker,

Thought i would answer ya PM here incase anyone else is following this thread.

Your test network of 2 PC's and 1 Pix Firewall is quite right. You need a machine on the outside of the firewall, this will simulate the Internet so its probably best to give it a public ip space (something like 15.15.15.0/24) and you will need a Windows 2000 unpatched server on the Inside of the firewall which will simulate your internal network (something like 10.10.10.0/24).

You will need to configure your firewall with something like the following IP Addresses (going off the addresses above);

Inside IP 10.10.10.254
Subnet 255.255.255.0
Outside IP 15.15.15.254
Subnet 255.255.255.0

Your Machines will be configured something like this;

Windows 2003 Server;

IP 10.10.10.100
Subnet 255.255.255.0
Default Gateway 10.10.10.254 (Same as the Pix Inside IP)

Outside Machine (Windows XP ?)

IP 15.15.15.1
Subnet 255.255.255.0
Doesn't really matter about the default gateway as you will probably be natting everything through the Pix.

Next you need to configure the Pix Firewall to NAT the inside traffic to the outside and create a static translation from outside to inside to publish the webserver.

You can setup the translation for something like 15.15.15.100 --> 10.10.10.100. Setup some access-lists to allow the traffic to flow from outside to the inside network (i.e. just port 80 and nothing else, no point in showing this if you have left the firewall wide open anyhow)

Once all this is done and the Windows 2000 Server has IIS configured, you should be able to access it from the outside by accessing the 15.15.15.100 address which will translate to the inside server.

Now please remember that this is just a testing environment. Some of the tools i listed before will be flagged as trojan software with AV Software because of what they do so please use testing machines and then when you have finished completely wipe them again.

You shouldn't need to bother with DNS or anything since you can just publish the one website as there is no need to mess about with Host Headers on IIS.

Hope i get an A+ for this project :wink:

Anyhow, i will read up on the three utilities hopefully tomorrow and post how to use them (if i can find my notes and remember how on earth i did it). In the meantime, if other members of the forum know how to use them utilities please add to this thread.

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.132 seconds