Reverse Connection Shell

Problem :
Unreachable Server Behind Firewall (Simulation of Reverse Shell)
Solution:
A solution to this problem is to have the server(victim) reach out and connect to the client. In such a case, the client(attacker) will listen on a port, say, port 80, and the server will then attempt to connect every 5 seconds. If the client is not up, the server waits 5 seconds and then tries again. If a client is up, it will then establish a connection and gives a shell to the client. The client will then be able to send commands, and they will execute on the server side. This technology is called Reverse Connection Shell.

Download from the link below

Download ReverseShell Tools by Cagdas Ulucan

Bypass none L7 Firewall/Proxy systems (SSH Tunnelling)

By tunneling technics it's possible to penetrate none L7 firewalls as they don't inspect the content of the packet.
as usually port 80 and 443 is allowed for internal users and also SSH protocol supports socks proxy, this can be used to connect remote ssh servers that runs from port:443, you may place your own or find public ssh servers on net

here is the screenshot doing it via putty


 
 

some other ways of penetration may be using proxy softwares like ultrasurf, making vpn to outside,using remote connection softwares like teamviewer (reverse connection), note that all of these techniques uses port 443


I wanted to draw your attention to importance of inspecting SSL traffic as it can be used for several illegal connections that can cause data leakage in your network

Thx
Cagdas

How to Convert victim switch to a HUB

First way
ARP Poisoning (arpspoof)
Attack is based on weakness of ARP protocol, its so old and limited to local network segments but still one of the biggest threat on L2 networks
Enable routing on the attacker so that it can route the traffic back to victim, its required if you dont want to make DOS, to silently listen the traffic.
"echo 1 > /proc/sys/net/ipv4/ip_forward" # enable IP forwarding in the Linux kernel.
to test whats going on at the victim machine type arp -a and check the mac of the victims gw once started to poison it will change the value to attackers mac address

Lets start
first SSH
# arpspoof -t victimip gwip
Second SSH
# arpspoof -t gwip victimip

Protection from ARP Poisoning
Open Dynamic ARP Inspection on the related switch,

If you have a dhcp server
Cisco(config)# IP dhcp snooping vlan
Cisco(config)# IP arp inspection vlan
Cisco(config)# interface GigabitEthernet 1/11
Cisco(config-if)# IP dhcp snooping trust
Cisco(config-if)# IP arp inspection trust

If not, you have to manually set static ip-mac addresses
Cisco(config)# IP arp inspection vlan
Cisco(config)# IP source binding vlan interface Gi1/1
Cisco(config)# arp access-list
Cisco(config-arp-acl)# permit IP host mac host
Cisco(config)# IP arp inspection filter vlan

Second way
Mac Flooding is to attack with lots of bogus ARP packets on a switch network, thus overloading the switch CAM tables and making it acting like a hub.
A typical switch can handle few thousands of ARP records and can be overloaded.
Once its overloaded you may start sniffing..

you may use the tool macof
#macof -i eth0

Protection of this attack is simply enabling Port Security

DOS on Wireless Networks (wlan jammer)

Deauthentication attack on wireless networks
As a result everyone from your attacked network will be kicked out from it,we may say that Its simply a DoS

The connection between the Mesh clients and Mesh APs has been be established by the exchange of various frames.After that the exchange of the series of management frames like authentication and association request frame takes place.As these frames are unprotected and sent in clear. So these frames has been spoofed by the attacker. The attacker then sends deauthentication requests with the client’s address set as the source. Then the mesh AP responds by sending the deauthentication response to the client. Thus the communication between the client and the AP has been halted. As deauthentication requests are notifications, so cannot be ignored and the AP responds instantly to these requests . The attacker can periodically scan all the channels and send these spoofed messages to valid clients thus terminating their connection.

During the attack the client has been deauthenticated and thus may probe other networks and connect to any other mesh AP available in the range with good signal strength.Second stage of this DOS can be Rogue AP Attack.

# airmon-ng  (shows your wlan interfaces)
# airmon-ng start wlan0 (enable monitoring mode on wlan0)
# airodump-ng mon0  (Get the related info of victim AP)
# airodump-ng -c 11 -b 1C:65:9D:B5:D8:C1 mon0   (go inside the related AP, define channel and MAC)
# aireplay-ng --deauth 100 -c FF:FF:FF:FF:FF:FF -a 1C:65:9D:B5:D8:C1 mon0  (start sending deauthentication packets,Open a separate ssh session)

I also decided to write other than Checkpoint,
more pentest related notes will be on this site.

Thx
Cagdas

Checkpoint DDOS Protector

Today, I had a chance to deal with new Checkpoint DDoS Protector device.

Here is a short video that shows some attack vectors and response of ddos appliance

There was a DDoS_8412 and R75.45 FW  between the hacker pc and test victim.

Interface rx-drp on Checkpoint firewalls

If your eth-driver is bnx2 apply the related driver upgrade at sk80640
I also know that there are driver upgrades for e1000 search it from support
to see the driver # ethtool -i eth0

Also note to check the buffer size on related eth
# ethtool -g eth0
The related sk is sk42181

# netstat -i will show you the drop counts on interfaces.

Error: Page cannot be displayed. An error occurred while processing the request.

I have encountered a strange error on Mobile Access Blade, In my case this was related to IPS, Try this;uncheck IPS and mobile access on firewall properties, install policy, then recheck them and reinstall the security policy.

How to upgrade the software and migrate a distributed SmartCenter to a Full HA Cluster

This procedure is my solution method...

Take an upgrade_export file from the source SMC and import it to your vm machine with the same name and upgrade it to the version u want.
This is a MNG so you cant export and import it to a standalone firewall machine,
lets fake the system that its also a firewall with the command
# cpprod_util FwSetFirewallModule 1
check it via # cpprod_util FwIsFireWallModule
close SmartDashboard and relogin, you will see the firewall tab.
take a new upgrade_export for the utm box
You have to install the appliance as full HA primary cluster member and then,
# cp_conf fullha disable   disable its cluster membership...
import the config reboot and
# cp_conf fullha enable  to set it back to fullhacluster

Thats it, Goodluck
Cagdas

DDOS Tuning for Checkpoint IPS Blade

These are the main things to check against ddos related attacks on checkpoint,
but of course not enough for sophisticated layer 7 attack techniques, checkout new radware based checkpoint ddos appliance; ddos protector.

Aggressive aging: protection against connection-consuming attacks
Lower Stateful Inspection timers: defense against slow attack
Geo protection: Rules to block by country and direction of traffic
Network quota: limit number of connections by source IP
Worm catcher signature: block known worms (HTTP and CIFS)
TCP window size enforcement: small TCP window and flood
SYN flood protection: cookie-based validation
HTTP flooding / UDP Flooding: rate-based blocking
non-TCP Flooding: restrict non-TCP traffic from occupying more than a given percentage of an enforcement point State table

Checkpoint Port Based Routing in ISP Redundancy

Its possible that certain outgoing connections be routed specifically through the first ISP link at ISP Redundancy Load Sharing Mode
edit the $FWDIR/lib/table.def as follows
By changing it to: no_misp_services_ports = { <500, 17>, <259, 17>, <80,6>};, (where <25,6> stands for SMTP (port 25), TCP (IP protocol 6)), all outgoing SMTP traffic would go through the first ISP link.


Also some tips
Show the currently defined ISP links
#cpstat fw
Test ISP Redundancy by administratively bringing down/up thelink
# fw isp_link ISP-1 down
# fw isp_link ISP-1 up

more advanced commands will be on next release of SmartSPLAT