pix firewalls


converge
05-23-2002, 07:29 PM
okay.. here goes. I've been asked to help test out our pix firewall for security. I have never played with a pix, and in this case still do not have access to the pix for my edification. However, I have started down those basic steps of info gathering, sploit reviewing, etc.

Any suggestions as to how I might take this thing on? Anyone with pix experience? I would like to find something exploitable to seal (my personal goal), but have limited resources to work with.

simon
05-23-2002, 11:02 PM
This is what I would do:

- Grab phillips head screw driver.
- Unscrew case.
- Remove hard disk, cdrom or other storage device.
- Replace with my own.
- Screw back together.


Ok I know this doesn't help but anyway ;)

converge
05-23-2002, 11:06 PM
they are as tight as I've read I take it? hmm...

Chris
05-24-2002, 05:36 AM
Actually...if you have physical access you don't need a screwdriver. There are two thumbscrews on the front of the PIX. Pull off that plate and there is a floppy drive. Insert floppy and go to town.

converge
05-24-2002, 09:34 AM
unfortunately physical access isn't available, to me or others

Chris
05-24-2002, 10:17 AM
I'm sure you found this already, but if not here is a pretty good place to start:

http://www.vnunet.com/News/601083

astcell
06-11-2002, 11:46 PM
I have a couple PIX 515's that I thought about taking to the con. I'd put their IP addresses on the case and a note that said "Hack me if you can."

Seriously, they are very very secure...BUT...if you have access to the console port you can overwrite the admin password and their pix will become your pix.

The slightest system modification to the pix takes a couple of master's degrees. I ditched them for Watchguard which I can tweak in real time. The Pix's just sit in a hot shed, burning up under the hot California sun.

converge
06-12-2002, 10:20 AM
d00d? would you sell em off? I need something to play with, cause I'm not making any progress without physical access, or experience with it to begin with...

astcell
06-12-2002, 12:02 PM
We sold the pair for $1900, with software, but the guy has yet to come pick them up!

converge
06-12-2002, 12:39 PM
wow... they don't go on ebay for less than 2k each. and 3k is more of an average

astcell
06-14-2002, 12:15 AM
Well the guy called today wanting to know where his pixes were. Hey he never sent a SASE so I wasn't worried. It would have been nice to have them at the con.

Oh, and yes the pixes ARE as secure as you have heard, however the word impenetrable can work both ways. Anytime we needed to tweak the box, we'd have to pay through the nose to get the CCIE off his rear end. And of course tax dollars won't send me to CCNA because then I'd be "overqualified" and leave.

Guess it's back to the Watchguard.

Monshroud
06-19-2002, 12:09 PM
Now I don't know what PIX you have. I have many clients that have either the 501 or 506. The only way I have been able to break into one and change the config (because I had to try, I mean if I can do it, then. . .) is if the guy who set it up was dumb and left Telnet open on it.

If you can telnet to it, there is the possibility of brute forcing the password. Not exactly the cool way, but it can work. As far as I recall there is no permanent password lockout, just tedious because you have to reconnect after 3 tries.

And you can learn all about how to change the config on a PIX from Cisco's site. It's not as bad as some have made it sound: if the config is there, you pretty much just type that exact line back in, or put a "no" in front and then type it in to remove that code, change the IP or port and voila!

I can't speak for the 515's, as I have never used them personally.

Of Course, I could be wrong.

converge
06-19-2002, 01:38 PM
It is a 515, I learned early on that directly trying to syn/ack the thing was futile. It can be echo pinged, but I believe telnet has been disabled, save for console access...

GackMan
06-19-2002, 01:55 PM
Is it more important to hack the box itself? Or just get around the box?

Pix are not very secure. They are a glorified packet filtering router. not even stateful inspection happening there so you can pretty much send what you want through one.

astcell
06-20-2002, 08:23 PM
The pix is a 515, we actually used two. I can ask the guy if we can keep them a little longer, maybe bring some watchguards as well and offer them up as hacking fodder. Of course I'd want to log the attempts to break in, and that machine would need to be safe. Anyone think they can set up a Pix 515?

Monshroud
06-21-2002, 12:54 PM
I have to agree with GackMan. Maybe I didn't understand the question.

What is the actual objective of what you are trying to do?
Are you trying to Hack the PIX?
Are you trying to get something malicious from the outside to the inside?
Are you trying to get something from the inside to the outside?

I feel pretty stupid for not asking that earlier, I'm sorry about that.

And I could probably program the 515 if you can give me an hour or so with it. I don't think the config of a 515 is much different from a 506.

But Of Course, I could be wrong.

converge
06-21-2002, 02:01 PM
I am trying to find a way to attack the pix itself, not really dos, but more of a config/access standpoint.... getting data past is a whole other playground

I think it would be awesome if you could bring one out to the con, but if the guy wants em right off, then that's cool too

Monshroud
07-03-2002, 03:46 PM
Well, the issue of dropping a PIX is that it is not that easy. There are some known holes that can make the PIX lock or allow "root" access to it.

Check Cisco's site and you will find refs to SMTP, and SNMP holes in the boxes. Now these are in some older versions of the IOS software, but some companies have lazy admins and they don't update anywhere near as often as they should.

If you can find a PIX with an older IOS, then you have a shot at taking it down. If I recall the SMTP hole revolves around a set of malformed data packets, but you will have to do the research to be sure.

Of Course, I could be wrong...

converge
07-03-2002, 11:10 PM
That's the first thing I mentioned to the admin, that I had found a bunch of vulnerabilities from the past, but that cisco is pretty good at stomping them out if he kept updated... which he has already... so old sk tricks will not get me anywhere

astcell
07-04-2002, 11:07 PM
Dang now I really hope I can get the Pix. Is there a way that we can log the hack attempts to it? I think i can keep it longer and the buyer would let me use it if I can take him a log of the hack attempts and results.

secboy
07-13-2002, 09:59 AM
Sorry I'm late to the party, but I can help a little here. I have 3 PIX 525 (at work, 2 PIX 10000 at home). As for the differences between the models, it is mostly in the processor speed, # of interfaces and available feature sets. If you can configure one, you can configure any of them.

As for logging attacks, if you set logging at debug, he'll tell you just about anything you want to know.

And Astcell, if you do plan on bringing the PIX, I can help configure 'em. In fact, it would be easy to have 'em configured before you leave for the con.

astcell
07-13-2002, 10:29 AM
Well they have the IOS in them, plus the configs we did for our network. If I blow away those configs and go back to default, what would I need now before getting to the con? It's still up in the air about bringing them, but every day that goes by without being asked for them is one more day of better odds to bring it. I figure to bring just one. I can't believe we sold them both for $1900 total.

secboy
07-13-2002, 11:48 AM
I guess I should respond to the first post also. If it's too late to help c0nv3r9, then it's in the name of knowledge transfer. Since it's established that we want to go after the PIX itself, your best bet is to go after any management access. There are several ways to access/manage a PIX:

a) plain old Telnet (I hope they're not that stupid)
b) TFTP (really stupid)
c) HTTPS (only if they're lazy and using PDM (PIX Device Manager))
d) HTTP
e) Telnet over SSH
f) Telnet through a VPN
g) SNMP (and yes, the default communities are public/private)

I think I'm missing one, if I think of it I'll add another post.

Things to consider: when you enable any of the above, you specify which interface they are accessible through. So try and gain access to every network that is connected to the PIX. Also, you can specify which hosts can access the various services, so you may need to spoof your source address.
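Added example (mine, not posted by anyone in this thread): a PIX 6.x configuration fragment that puts the weak management setup secboy lists above next to a hardened one, and adds the debug-level logging secboy mentioned in his earlier post so that probes against the management services get recorded. The interface name "inside", the three 10.1.1.x management hosts, the hostname/domain and the password and community strings are all assumptions, not values from the thread.

```cisco
! ===== Weak (Monshroud's "left Telnet open" case) =====
! Default login password is "cisco", enable password is empty,
! any inside host may Telnet in, PDM is on for everyone, and SNMP
! answers to the factory community string.
passwd cisco
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server community public

! ===== Hardened (assumed names/addresses, see lead-in) =====
! One management host per service, one interface, SSH instead of
! Telnet, PDM off, non-default SNMP community, everything logged.
hostname pix1
domain-name example.net
! Login (Telnet/SSH) and enable passwords: replace the placeholders.
passwd Us3-a-l0ng-login-secret
enable password Us3-a-l0ng-enable-secret
! Drop the wide-open Telnet entry; plaintext Telnet is not needed.
no telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
! SSH needs hostname + domain-name set first, then an RSA key
! generated and saved to flash.
ca generate rsa key 1024
ca save all
ssh 10.1.1.20 255.255.255.255 inside
ssh timeout 5
! PDM (HTTPS) off entirely. If it must stay, restrict it the same
! way as ssh above instead of leaving it open to a whole subnet.
no http server enable
! SNMP: non-default community, polled only from one inside host.
snmp-server community n0t-public-4ny-m0re
snmp-server host inside 10.1.1.30 poll
! Host-based restrictions only hold if spoofed packets claiming an
! inside source address are dropped when they arrive on the outside.
ip verify reverse-path interface outside
! Debug-level, timestamped logging to a syslog host, plus a small
! local buffer for "show logging" while on the console.
logging on
logging timestamp
logging trap debugging
logging host inside 10.1.1.40
logging buffered warnings
write memory
```

Two caveats from the PIX side of this: plaintext Telnet is refused on the outside interface unless it rides inside IPsec, so the realistic open-Telnet case is an inside-wide entry like the one shown; and the host/mask restriction on the ssh, telnet, http and snmp-server lines is only as strong as the anti-spoofing in front of it, which is why the reverse-path check is part of the hardened half.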

secboy
07-13-2002, 11:56 AM
astcell, first we'd want to put the 6.x of the IOS on it (if it doesn't already have it). We can get better logging that way. Also, I'd start with a default config and make some changes from there. As far as what we would need to know, nothing really other than what addressing scheme is used on the network and whether we are going to put any hosts behind it. I'm guessing you just want to throw the PIX on the wire and let everyone have at it.

Even without any hosts behind it, it would be interesting to enable some management facilities so they have something interesting to go after (of course, they would be secured).

I also can't believe you sold BOTH for $1900. Of course the number of connections it is licensed for plays a factor also.

converge
07-13-2002, 01:07 PM
Ya, a little too late for that specific instance, but still great stuff.. I will be trying to get ahold of a cheap one to play on once I get some money saved up for toys again. Anyone with knowledge, keep the posts coming. I look forward to checking out the pix at dc

astcell
07-13-2002, 06:19 PM
I did not know that the PIX IOS was limited to a certain number of connections or users. I know we had over 10,000 users going through it if that helps. I think we paid close to ten grand each for them less than a year ago.

What killed us was the management of them. No one wanted to pay to send me to training because then I would know too much and move on, so they thought.

Selling them was not my idea, that is just part of how things go in the public sector. Sigh.

secboy
07-14-2002, 11:33 AM
After a little research, I must correct myself on the licensing on the 515. Unlike the 525, whose licensing is connection based, the licensing on the 515 is based on the number of interfaces. The 'restricted' license on the 515 allows for up to 3 interfaces. The unrestricted allows for 6 interfaces. Big price difference: 4,495.00/restricted, 8,995.00/unrestricted. Guess you have the UR licensing.

Sucks they wouldn't send you to training on 'em for that reason. Once you learn 'em, they are great boxes (IMHO). I wouldn't trade mine for anything. In fact, once you learn them, it's no worse than learning router IOS, just different.

astcell
07-21-2002, 10:39 AM
The trouble was that changes could not be made as fast as we needed. I can log on to a WatchGuard anywhere in the world and make the changes and they are immediately effective. The PIX 515s took a little research to figure out just what we wanted to do.

Thank heavens we do not need to worry about router configs being changed on a moment's notice.

sikdogg
07-21-2002, 05:26 PM
Pix firewalls are pretty secure. It does not run on top of any OS so simply "hacking the box" is not as easy as some would think. They may have been glorified filtering routers at one time, but like most things have evolved. And for the record Pix firewalls are stateful packet filters. I know cuz I've configured many for my job and I see all kinds of attacks against them, I've yet to see anyone get past one.

They are however not completely hack proof. They, just like most networking devices, are vulnerable to SNMP hacks (among other things) depending on the version of code they're running.

Here's a link for starters:
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-non-ios-pub.shtml

Your best bet is to do your own research before listening to free advice.

secboy
07-23-2002, 05:06 PM
I don't think anyone on this thread was saying that a PIX was hack proof. It doesn't matter how strong a box is, all it takes is one small configuration mistake to make it (or the resources it's protecting) vulnerable.

astcell
07-24-2002, 12:00 AM
Would you say there is any difference in hacking PIX over Watchguard, or are they the same?

secboy
07-24-2002, 08:58 PM
To me, it depends. If I can determine what the box is, I go after known weaknesses. If I don't know what the box is, I have to try everything I know on it and hope I stumble on to something. So, I guess it depends on whether the Watchguard has more known holes (and again, that's assuming the sys admin did a good job of configuring it).

astcell
07-31-2002, 10:01 PM
I will probably not be bringing my PIXs, I already have enough stuff to travel with, and most of it is expendable in case the luggage gets lost, but not the PIX!