pix firewalls

  • Monshroud
    Member
    • Jun 2002
    • 31

    #16
    maybe I don't understand the question?

    I have to agree with GackMan. Maybe I didn't understand the question.

    What is the actual objective of what you are trying to do?
    Are you trying to Hack the PIX?
    Are you trying to get something malicious from the outside to the inside?
    Are you trying to get something from the inside to the outside?

    I feel pretty stupid for not asking that earlier, I'm sorry about that.

    And I could probably program the 515 if you can give me an hour or so with it. I don't think the config of a 515 is much different from a 506.

    But of course, I could be wrong.
    -=[ So there we were. . . 9 against 1000. . . Toughest 9 we ever faced. ]=-


    • converge
      No Values Voter
      • Oct 2001
      • 3322

      #17
      I am trying to find a way to attack the PIX itself, not really DoS, but more from a config/access standpoint.... Getting data past it is a whole other playground.

      I think it would be awesome if you could bring one out to the con, but if the guy wants 'em right off, then that's cool too.
      if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


      • Monshroud
        Member
        • Jun 2002
        • 31

        #18
        Getting around the PIX

        Well, the issue with dropping a PIX is that it is not that easy. There are some known holes that can make the PIX lock up or allow "root" access to it.

        Check Cisco's site and you will find refs to SMTP and SNMP holes in the boxes. Now, these are in some older versions of the IOS software, but some companies have lazy admins who don't update anywhere near as often as they should.

        If you can find a PIX with an older IOS, then you have a shot at taking it down. If I recall, the SMTP hole revolves around a set of malformed data packets, but you will have to do the research to be sure.

        Of course, I could be wrong...
        -=[ So there we were. . . 9 against 1000. . . Toughest 9 we ever faced. ]=-


        • converge
          No Values Voter
          • Oct 2001
          • 3322

          #19
          That's the first thing I mentioned to the admin: that I had found a bunch of vulnerabilities from the past, but that Cisco is pretty good at stomping them out if he kept updated... which he has already... so old sk tricks will not get me anywhere.
          if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


          • astcell
            Human Rights Issuer
            • Oct 2001
            • 7512

            #20
            Dang, now I really hope I can get the PIX. Is there a way that we can log the hack attempts against it? I think I can keep it longer, and the buyer would let me use it if I can take him a log of the hack attempts and results.


            • secboy
              Member
              • Jul 2002
              • 7

              #21
              Sorry I'm late to the party, but I can help a little here. I have 3 PIX 525 (at work, 2 PIX 10000 at home). As for the differences between the models, it is mostly in the processor speed, number of interfaces and available feature sets. If you can configure one, you can configure any of them.

              As for logging attacks, if you set logging at debug, he'll tell you just about anything you want to know.

              And astcell, if you do plan on bringing the PIX, I can help configure 'em. In fact, it would be easy to have 'em configured before you leave for the con.
              the answer is no


              • astcell
                Human Rights Issuer
                • Oct 2001
                • 7512

                #22
                Well, they have the IOS in them, plus the configs we did for our network. If I blow away those configs and go back to default, what would I need now before getting to the con? It's still up in the air about bringing them, but every day that goes by without being asked for them is one more day of better odds to bring it. I figure to bring just one. I can't believe we sold them both for $1900 total.


                • secboy
                  Member
                  • Jul 2002
                  • 7

                  #23
                  I guess I should respond to the first post also. If it's too late to help c0nv3r9, then it's in the name of knowledge transfer. Since it's established that we want to go after the PIX itself, your best bet is to go after any management access. There are several ways to access/manage a PIX:

                  a) plain old Telnet (I hope they're not that stupid)
                  b) TFTP (really stupid)
                  c) HTTPS (only if they're lazy and using PDM (PIX Device Manager))
                  d) HTTP
                  e) Telnet over SSH
                  f) Telnet through a VPN
                  g) SNMP (and yes, the default communities are public/private)

                  I think I'm missing one; if I think of it I'll add another post.

                  Things to consider: when you enable any of the above, you specify which interface they are accessible through. So try and gain access to every network that is connected to the PIX. Also, you can specify which hosts can access the various services, so you may need to spoof your source address.
                  the answer is no
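The two points secboy makes in #21 and #23 (management services are scoped per interface and per source host, and logging at debug level captures the attempts) are easiest to check against a saved config rather than by poking the box. The script below is an added example, not code posted in this thread: it parses a PIX 6.x-style configuration and flags management access that is reachable from an untrusted interface, open to any source host, or using default SNMP communities, plus logging that is off or below debug. The command syntax it recognises (`telnet|ssh|http <ip> <mask> <interface>`, `snmp-server community`, `snmp-server host`, `tftp-server`, `logging on`, `logging trap <level>`) is PIX 6.x syntax as I recall it; the two configs, the interface name `outside`, and the addresses are constructed for the example.

```python
"""Audit a PIX 6.x-style config for exposed management access (added example).

Assumptions: 'outside' is the untrusted interface; command syntax is PIX 6.x
as recalled (not verified against a live box); sample configs are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

UNTRUSTED_IFACES = {"outside"}                  # assumption for the sample topology
DEFAULT_COMMUNITIES = {"public", "private"}     # the defaults named in post #23
LOG_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MGMT_RE = re.compile(rf"^(telnet|ssh|http)\s+{_IP}\s+{_IP}\s+(\S+)$")
SNMP_COMMUNITY_RE = re.compile(r"^snmp-server community\s+(\S+)$")
SNMP_HOST_RE = re.compile(r"^snmp-server host\s+(\S+)\s+(\S+)")
TFTP_RE = re.compile(r"^tftp-server\s+(\S+)\s+(\S+)\s+(\S+)$")
LOG_TRAP_RE = re.compile(r"^logging trap\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # the offending config line (or the subsystem, for absences)
    reason: str


def _source_is_wide(ip: str, mask: str) -> bool:
    """True when the permitted source range is effectively 'anyone' (/8 or wider)."""
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    return net.prefixlen <= 8


def audit(config_text: str) -> List[Finding]:
    findings: List[Finding] = []
    logging_on = False
    trap_level: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):   # banner / comment lines
            continue
        m = MGMT_RE.match(line)
        if m:   # telnet / ssh / http <source> <mask> <interface>
            svc, ip, mask, iface = m.groups()
            reasons = []
            if iface in UNTRUSTED_IFACES:
                reasons.append(f"{svc} management reachable on untrusted interface '{iface}'")
            if _source_is_wide(ip, mask):
                reasons.append("any source host permitted (no spoofing needed)")
            if svc == "telnet":
                reasons.append("cleartext protocol; credentials sniffable")
            if reasons:
                sev = "high" if iface in UNTRUSTED_IFACES else "medium"
                findings.append(Finding(sev, line, "; ".join(reasons)))
            continue
        m = SNMP_COMMUNITY_RE.match(line)
        if m:
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("high", line, "default SNMP community string"))
            continue
        m = SNMP_HOST_RE.match(line)
        if m:
            if m.group(1) in UNTRUSTED_IFACES:
                findings.append(Finding("medium", line, "SNMP management station on untrusted interface"))
            continue
        if TFTP_RE.match(line):
            findings.append(Finding("low", line, "config written/read over cleartext TFTP (write net / configure net)"))
            continue
        if line == "logging on":
            logging_on = True
        elif line == "no logging on":
            logging_on = False
        else:
            m = LOG_TRAP_RE.match(line)
            if m:
                trap_level = m.group(1)
    # Absence checks: nothing to hand the buyer if the box is not logging.
    if not logging_on:
        findings.append(Finding("medium", "logging", "logging disabled; attempts will not be recorded"))
    elif LOG_LEVELS.get(trap_level or "", -1) < LOG_LEVELS["debugging"]:
        findings.append(Finding("low", f"logging trap {trap_level}",
                                "syslog level below debugging; raise it to capture everything"))
    return findings


# Constructed sample: every management path from post #23 left wide open.
WEAK_CONFIG = """\
: Saved
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixdemo
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
snmp-server host outside 203.0.113.9
tftp-server inside 192.0.2.50 /pix
no logging on
"""

# Constructed sample: same box, management pinned to one inside host, SNMP
# community changed, syslog at debug to an inside collector.
HARDENED_CONFIG = """\
: Saved
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixdemo
ssh 192.0.2.10 255.255.255.255 inside
http server enable
http 192.0.2.10 255.255.255.255 inside
snmp-server community s3cr3tC0mmun1ty
snmp-server host inside 192.0.2.20
logging on
logging trap debugging
logging host inside 192.0.2.20
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  [{f.severity}] {f.line}  -- {f.reason}")
```

Run it on a config pulled with `show config` (or a saved `write net` copy) and work the high findings first: a management service on the outside interface, or one open to any source, is exactly the foothold secboy describes, and the tool finds it in a second rather than after a day of port scanning.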


                  • secboy
                    Member
                    • Jul 2002
                    • 7

                    #24
                    astcell, first we'd want to put 6.x of the IOS on it (if it doesn't already have it). We can get better logging that way. Also, I'd start with a default config and make some changes from there. As far as what we would need to know, nothing really other than what addressing scheme is used on the network and whether we are going to put any hosts behind it. I'm guessing you just want to throw the PIX on the wire and let everyone have at it.

                    Even without any hosts behind it, it would be interesting to enable some management facilities so they have something interesting to go after (of course, they would be secured).

                    I also can't believe you sold BOTH for $1900. Of course, the number of connections it is licensed for plays a factor also.
                    the answer is no


                    • converge
                      No Values Voter
                      • Oct 2001
                      • 3322

                      #25
                      Yeah, a little too late for that specific instance, but still great stuff. I will be trying to get hold of a cheap one to play on once I get some money saved up for toys again. Anyone with knowledge, keep the posts coming. I look forward to checking out the PIX at DC.
                      if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


                      • astcell
                        Human Rights Issuer
                        • Oct 2001
                        • 7512

                        #26
                        I did not know that the PIX IOS was limited to a certain number of connections or users. I know we had over 10,000 users going through it, if that helps. I think we paid close to ten grand each for them less than a year ago.

                        What killed us was the management of them. No one wanted to pay to send me to training because then I would know too much and move on, so they thought.

                        Selling them was not my idea, that is just part of how things go in the public sector. Sigh.


                        • secboy
                          Member
                          • Jul 2002
                          • 7

                          #27
                          After a little research, I must correct myself on the licensing on the 515. Unlike the 525, whose licensing is connection based, the licensing on the 515 is based on the number of interfaces. The 'restricted' license on the 515 allows for up to 3 interfaces. The unrestricted allows for 6 interfaces. Big price difference: $4,495.00 restricted, $8,995.00 unrestricted. I guess you have the UR licensing.

                          Sucks they wouldn't send you to training on 'em for that reason. Once you learn 'em, they are great boxes (IMHO). I wouldn't trade mine for anything. In fact, once you learn them, it's no worse than learning router IOS, just different.
                          the answer is no


                          • astcell
                            Human Rights Issuer
                            • Oct 2001
                            • 7512

                            #28
                            The trouble was that changes could not be made as fast as we needed. I can log on to a WatchGuard anywhere in the world and make the changes, and they are immediately effective. The PIX 515s took a little research to figure out just what we wanted to do.

                            Thank heavens we do not need to worry about router configs being changed on a moment's notice.


                            • sikdogg
                              Member
                              • Jul 2002
                              • 1

                              #29
                              PIX firewalls are pretty secure. It does not run on top of any OS, so simply "hacking the box" is not as easy as some would think. They may have been glorified filtering routers at one time, but like most things they have evolved. And for the record, PIX firewalls are stateful packet filters. I know because I've configured many for my job and I see all kinds of attacks against them; I've yet to see anyone get past one.

                              They are however not completely hack proof. They, just like most networking devices, are vulnerable to SNMP hacks (among other things) depending on the version of code they're running.

                              Here's a link for starters:
                              http://www.cisco.com/warp/public/707...-ios-pub.shtml

                              Your best bet is to do your own research before listening to free advice.


                              • secboy
                                Member
                                • Jul 2002
                                • 7

                                #30
                                I don't think anyone on this thread was saying that a PIX was hack proof. It doesn't matter how strong a box is, all it takes is one small configuration mistake to make it (or the resources it's protecting) vulnerable.
                                the answer is no
