As you know, Check Point released a new upload tool called the Check Point Uploader utility (sk84000).
This tool enables you to upload files securely to Check Point using your User Center credentials.
I have developed a GUI for cp_uploader.exe.
Enjoy it!
Click to download Smart Uploader
Monday, November 26, 2012
Wednesday, November 14, 2012
How to Enable SNMP on Check Point
# snmp service disable
# snmp service enable
# snmp user show
Delete the default community named public:
# snmp user del public
# snmp user add noauthuser CommunityName
# snmp service stat
You should see:
SNMP service enabled and listening on port 161.
Enable the Check Point SNMP extensions:
# cp_conf snmp get
Currently SNMP Extension is active
# cp_conf snmp activate
Check the ports: both 260 and 161 should be listening.
Let's do some SNMP walks.
Total RAM on the system:
# snmpwalk -v1 -c CommunityName firewallipaddress .1.3.6.1.4.1.2021.4.5.0
Run fw tab -t connections -s and compare the connection count with:
# snmpwalk -v1 -c testcom 192.168.1.112 .1.3.6.1.4.1.2620.1.1.25.3.0
The SNMP (net-snmp) version should be 5.3.1.0-2; check it with:
# rpm -qa | grep net-snmp
Some Check Point SNMP OIDs:
CPU Usage                   .1.3.6.1.4.1.2620.1.6.7.2.4.0
CPU System                  .1.3.6.1.4.1.2620.1.6.7.2.2.0
CPU User                    .1.3.6.1.4.1.2620.1.6.7.2.1.0
Number of Connections       .1.3.6.1.4.1.2620.1.1.25.3.0
Peak Number of Connections  .1.3.6.1.4.1.2620.1.1.25.4.0
Memory Total                .1.3.6.1.4.1.2620.1.6.7.4.3.0
Memory Used                 .1.3.6.1.4.1.2620.1.6.7.4.4.0
Memory Free                 .1.3.6.1.4.1.2620.1.6.7.1.5.0
Memory Buffered             .1.3.6.1.4.1.2021.4.14.0
Memory Cached               .1.3.6.1.4.1.2021.4.15.0
Swap Error                  .1.3.6.1.4.1.2021.4.100.0
CPU Fan Speed               .1.3.6.1.4.1.2620.1.6.7.8.2.1.3.1.0
Chassis Fan Speed           .1.3.6.1.4.1.2620.1.6.7.8.2.1.3.2.0
Core Voltage                .1.3.6.1.4.1.2620.1.6.7.8.3.1.3.1.0
VCC+ Voltage                .1.3.6.1.4.1.2620.1.6.7.8.3.1.3.2.0
1.8V Voltage                .1.3.6.1.4.1.2620.1.6.7.8.3.1.3.3.0
5V Power Supply In          .1.3.6.1.4.1.2620.1.6.7.8.3.1.3.4.0
5V Standby Voltage          .1.3.6.1.4.1.2620.1.6.7.8.3.1.3.5.0
Battery Voltage             .1.3.6.1.4.1.2620.1.6.7.8.3.1.3.6.0
CPU Temperature             .1.3.6.1.4.1.2620.1.6.7.8.1.1.3.1.0
M/B Temperature             .1.3.6.1.4.1.2620.1.6.7.8.1.1.3.2.0
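Polling the OIDs above is only half of a monitoring check; the values still have to be interpreted. The following Python script is an added example, not part of this post or of any Check Point tool: it parses snmpwalk -v1 -On output (numeric OIDs; a constructed sample is embedded) for some of the OIDs listed above and raises simple alerts. The metric names and threshold values are this example's own assumptions.

```python
import re

# OIDs from the table in the post; the metric names are this example's own labels.
OIDS = {
    ".1.3.6.1.4.1.2620.1.6.7.2.4.0": "cpu_usage_pct",
    ".1.3.6.1.4.1.2620.1.1.25.3.0": "connections",
    ".1.3.6.1.4.1.2620.1.1.25.4.0": "peak_connections",
    ".1.3.6.1.4.1.2620.1.6.7.4.3.0": "memory_total",
    ".1.3.6.1.4.1.2620.1.6.7.4.4.0": "memory_used",
    ".1.3.6.1.4.1.2021.4.100.0": "swap_error",
}
# Constructed sample of "snmpwalk -v1 -On" output (numeric OIDs); not real gateway output.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2620.1.6.7.2.4.0 = Gauge32: 87
.1.3.6.1.4.1.2620.1.1.25.3.0 = Gauge32: 24100
.1.3.6.1.4.1.2620.1.1.25.4.0 = Gauge32: 25000
.1.3.6.1.4.1.2620.1.6.7.4.3.0 = Gauge32: 8192
.1.3.6.1.4.1.2620.1.6.7.4.4.0 = Gauge32: 7400
.1.3.6.1.4.1.2021.4.100.0 = INTEGER: 0
"""
# "<oid> = <Type>: <value>"; the type prefix (Gauge32:, INTEGER:) is optional.
WALK_LINE = re.compile(r"^(\S+)\s*=\s*(?:[A-Za-z0-9]+:\s*)?(-?\d+)\s*$")

def parse_walk(text):
    """Map the metric names above to the integer values found in snmpwalk output."""
    metrics = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        oid, value = m.groups()
        name = OIDS.get(oid if oid.startswith(".") else "." + oid)
        if name:
            metrics[name] = int(value)
    return metrics

def check(metrics, cpu_max=80, mem_max=0.90, conn_ratio=0.95):
    """Return alert names; thresholds are illustrative assumptions, not Check Point defaults."""
    alerts = []
    if metrics.get("cpu_usage_pct", 0) > cpu_max:
        alerts.append("cpu")
    total = metrics.get("memory_total")
    if total and metrics.get("memory_used", 0) / total > mem_max:
        alerts.append("memory")
    peak = metrics.get("peak_connections")
    if peak and metrics.get("connections", 0) >= conn_ratio * peak:
        alerts.append("connections")  # current load is close to the recorded peak
    if metrics.get("swap_error", 0) != 0:
        alerts.append("swap")
    return alerts
```

An SNMPv1 community string travels in cleartext, so the host running this poller should be the only one allowed to reach UDP 161 on the gateway.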
DDoS Seminar in Ankara
Last Friday Check Point and InfoNet held a DDoS seminar in Ankara.
I had created a lab similar to the one at http://www.youtube.com/watch?v=5rhw7zsiarQ&feature=plcp that I posted earlier.
After showing some attack vectors, the main subject was to explain why we need a DDoS mitigation device rather than getting it as a service from the ISP, why it is a network design problem, and how to deal with it at every hop.
Saturday, November 10, 2012
Recently Published Posts in Journals
BTHaber, No: 139, November 2012
Friday, October 19, 2012
Reverse Connection Shell
Problem:
Unreachable server behind a firewall (simulation of a reverse shell)
Solution:
A solution to this problem is to have the server (victim) reach out and connect to the client. In such a case the client (attacker) listens on a port, say port 80, and the server attempts to connect every 5 seconds. If the client is not up, the server waits 5 seconds and then tries again. If the client is up, a connection is established and the server gives a shell to the client. The client can then send commands, and they execute on the server side. This technique is called a reverse connection shell.
Download from the link below
Download ReverseShell Tools by Cagdas Ulucan
Monday, October 15, 2012
Bypassing Non-L7 Firewall/Proxy Systems (SSH Tunnelling)
With tunnelling techniques it is possible to pass through non-L7 firewalls, since they do not inspect the content of the packet.
Ports 80 and 443 are usually allowed for internal users, and the SSH protocol supports a SOCKS proxy, so this can be used to connect to remote SSH servers running on port 443; you may place your own or find public SSH servers on the net.
Here is a screenshot of doing it via PuTTY.
Some other ways out are proxy software like Ultrasurf, a VPN to the outside, and remote connection software like TeamViewer (reverse connection); note that all of these techniques use port 443.
I wanted to draw your attention to the importance of inspecting SSL traffic, since it can be used for several illegal connections that can cause data leakage in your network.
Thx
Cagdas
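On the defending side, the cheapest check for the PuTTY-on-443 case above is a protocol check on the first bytes of each port-443 flow: a real TLS session starts with a handshake record, an SSH session starts with an "SSH-" identification string. The Python below is an added example, not code from the post; the flow tuples and payload bytes are constructed, not captured traffic.

```python
import struct

def classify_first_bytes(payload):
    """Classify the first bytes one side sends on a TCP flow: 'tls', 'ssh' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSH identification string (RFC 4253, section 4.2): client and server both start with "SSH-"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def find_port443_mismatches(flows):
    """flows: (client_ip, dst_port, client_first_bytes, server_first_bytes).
    Return (client_ip, protocol) for every port-443 flow that does not carry TLS."""
    findings = []
    for client, dport, c_bytes, s_bytes in flows:
        if dport != 443:
            continue
        kind = classify_first_bytes(c_bytes)
        if kind == "unknown":
            # either side may send its SSH banner first, so look at the server side too
            kind = classify_first_bytes(s_bytes)
        if kind != "tls":
            findings.append((client, kind))
    return findings

# Constructed sample payloads (hypothetical hosts and bytes, not captured data)
TLS_HELLO = b"\x16\x03\x01" + struct.pack("!H", 0xC8) + b"\x01\x00\x00\xC4\x03\x03"
SSH_BANNER = b"SSH-2.0-OpenSSH_6.0p1\r\n"
SAMPLE_FLOWS = [
    ("10.0.0.4", 443, TLS_HELLO, b"\x16\x03\x03\x00\x5a\x02"),   # normal HTTPS
    ("10.0.0.5", 443, b"", SSH_BANNER),            # SSH server on 443 sent its banner first
    ("10.0.0.6", 443, SSH_BANNER, SSH_BANNER),     # client banner arrived first
    ("10.0.0.7", 80, b"GET / HTTP/1.1\r\n", b""),  # not port 443, ignored
]
```

SSH wrapped inside a genuine TLS session (the Ultrasurf and TeamViewer cases) looks like TLS to this check; only SSL inspection sees inside it, which is the point of the post.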
Tuesday, October 9, 2012
How to Convert a Victim Switch into a Hub
First way
ARP Poisoning (arpspoof)
The attack is based on a weakness of the ARP protocol; it is very old and limited to the local network segment, but it is still one of the biggest threats on L2 networks.
Enable routing on the attacker so that it routes the traffic back to the victim; this is required if you want to listen silently rather than cause a DoS.
# echo 1 > /proc/sys/net/ipv4/ip_forward (enables IP forwarding in the Linux kernel)
To see what is going on at the victim machine, type arp -a and check the MAC of the victim's gateway; once poisoning starts, the value changes to the attacker's MAC address.
Let's start.
First SSH session:
# arpspoof -t victimip gwip
Second SSH session:
# arpspoof -t gwip victimip
Protection from ARP Poisoning
Enable Dynamic ARP Inspection on the related switch.
If you have a DHCP server:
Cisco(config)# ip dhcp snooping vlan
Cisco(config)# ip arp inspection vlan
Cisco(config)# interface GigabitEthernet 1/11
Cisco(config-if)# ip dhcp snooping trust
Cisco(config-if)# ip arp inspection trust
If not, you have to set static IP-to-MAC bindings manually:
Cisco(config)# ip arp inspection vlan
Cisco(config)# ip source binding vlan interface Gi1/1
Cisco(config)# arp access-list
Cisco(config-arp-acl)# permit ip host mac host
Cisco(config)# ip arp inspection filter vlan
Second way
MAC flooding attacks a switched network with lots of bogus ARP packets, overloading the switch CAM table and making it act like a hub.
A typical switch can hold a few thousand ARP records and can be overloaded.
Once it is overloaded you may start sniffing.
You may use the tool macof:
# macof -i eth0
Protection from this attack is simply enabling port security.
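Where Dynamic ARP Inspection is not available, the same symptom the post tells you to look for with arp -a (the gateway's MAC changing to another host's) can be watched for in ARP traffic. The Python below is an added example, not code from the post or from the arpspoof tool: it parses raw Ethernet+ARP frames and flags a changed gateway MAC and a MAC that answers for both the gateway and another host. The frames, addresses and MACs are constructed sample input.

```python
import struct
from ipaddress import IPv4Address

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet + ARP reply frame; used here only to construct sample traffic."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet/IPv4, opcode 2 = reply
           + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
           + mac_bytes(target_mac) + IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    _, _, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return None
    return oper, frame[22:28].hex(":"), str(IPv4Address(frame[28:32]))

def detect_arp_spoofing(frames, gateway_ip):
    """Flag a changed gateway MAC and any MAC answering for the gateway plus other hosts."""
    ip_to_mac, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:   # only ARP replies are considered
            continue
        _, mac, ip = parsed
        old = ip_to_mac.get(ip)
        if ip == gateway_ip and old and old != mac:
            alerts.append(("gateway-mac-changed", old, mac))
        ip_to_mac[ip] = mac
    gw_mac = ip_to_mac.get(gateway_ip)
    others = sorted(ip for ip, m in ip_to_mac.items() if m == gw_mac and ip != gateway_ip)
    if gw_mac and others:
        alerts.append(("mac-claims-gateway-and-hosts", gw_mac, others))
    return alerts

# Constructed sample: a legitimate gateway reply, then a third MAC answering for both sides.
GW, VICTIM, ATTACKER = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
SAMPLE_FRAMES = [
    build_arp_reply(GW, "192.168.1.1", VICTIM, "192.168.1.112"),
    build_arp_reply(ATTACKER, "192.168.1.1", VICTIM, "192.168.1.112"),  # gateway claimed
    build_arp_reply(ATTACKER, "192.168.1.112", GW, "192.168.1.1"),      # victim claimed
]
```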
Thursday, October 4, 2012
DoS on Wireless Networks (WLAN Jammer)
Deauthentication attack on wireless networks
As a result, everyone on the attacked network is kicked out of it; we may say it is simply a DoS.
The connection between mesh clients and mesh APs is established by the exchange of various frames. After that, a series of management frames such as authentication and association request frames is exchanged. These frames are unprotected and sent in the clear, so they can be spoofed by an attacker. The attacker sends deauthentication requests with the client's address set as the source; the mesh AP then responds by sending a deauthentication response to the client, and communication between the client and the AP is halted. Deauthentication requests are notifications, so they cannot be ignored, and the AP responds to them instantly. The attacker can periodically scan all channels and send these spoofed messages to valid clients, terminating their connections.
During the attack the client is deauthenticated and may therefore probe other networks and connect to any other mesh AP in range with good signal strength. The second stage of this DoS can be a rogue AP attack.
# airmon-ng (shows your WLAN interfaces)
# airmon-ng start wlan0 (enables monitor mode on wlan0)
# airodump-ng mon0 (gets the related info of the victim AP)
# airodump-ng -c 11 -b 1C:65:9D:B5:D8:C1 mon0 (lock onto the related AP by channel and MAC)
# aireplay-ng --deauth 100 -c FF:FF:FF:FF:FF:FF -a 1C:65:9D:B5:D8:C1 mon0 (starts sending deauthentication packets; open a separate SSH session)
I also decided to write about things other than Check Point;
more pentest-related notes will be on this site.
Thx
Cagdas
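Because deauthentication frames cannot be ignored by clients, the practical defence is to notice the burst: a WIDS sensor in monitor mode counts deauth frames per BSSID over a sliding window. The Python below is an added example, not code from the post or from aircrack-ng: it parses 802.11 management frame headers and reports BSSIDs whose deauth rate exceeds a threshold. The BSSIDs, timestamps and frames are constructed sample input, and the window and threshold values are this example's assumptions.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_deauth(dst, src, bssid, reason=7):
    """Construct an 802.11 deauthentication frame; sample input for this example only."""
    fc = b"\xc0\x00"   # version 0, type 0 (management), subtype 12 (deauthentication), no flags
    return (fc + b"\x3a\x01" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, addr3) for a management frame, else None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0:
        return None
    return subtype, frame[4:10].hex(":"), frame[10:16].hex(":"), frame[16:22].hex(":")

def detect_deauth_flood(events, window=10.0, threshold=20):
    """events: (timestamp, frame) pairs in time order.
    Report BSSIDs whose deauth count within `window` seconds exceeds `threshold`."""
    recent = defaultdict(deque)    # bssid -> timestamps of deauth frames still inside the window
    broadcast = defaultdict(int)   # bssid -> deauths aimed at the broadcast address
    flagged = {}
    for ts, frame in events:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] != 12:
            continue
        _, dst, _, bssid = parsed
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if dst == BROADCAST:
            broadcast[bssid] += 1
        if len(q) > threshold:
            flagged[bssid] = {"in_window": len(q), "broadcast_total": broadcast[bssid]}
    return flagged

# Constructed sample: 100 broadcast deauths in five seconds from one AP, three normal ones from another.
AP, OTHER_AP = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_EVENTS = [(i * 0.05, build_deauth(BROADCAST, AP, AP)) for i in range(100)]
SAMPLE_EVENTS += [(30.0 + i, build_deauth("02:00:00:00:00:10", OTHER_AP, OTHER_AP)) for i in range(3)]
```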
Friday, September 14, 2012
Check Point DDoS Protector
Today I had a chance to work with the new Check Point DDoS Protector device.
Here is a short video that shows some attack vectors and the response of the DDoS appliance.
There was a DDoS_8412 and an R75.45 firewall between the hacker PC and the test victim.
Friday, August 31, 2012
Interface rx-drp on Check Point Firewalls
If your Ethernet driver is bnx2, apply the related driver upgrade from sk80640.
I also know that there are driver upgrades for e1000; search for them on the support site.
To see the driver:
# ethtool -i eth0
Also check the ring buffer size on the related interface:
# ethtool -g eth0
The related SK is sk42181.
# netstat -i shows the drop counts on the interfaces.