Saturday 26 November 2011

CheckPoint: How to Export a list of VPN Users for Auditors

Hi Everyone,

Apologies for not uploading anything interesting as of late. My time has been almost entirely consumed with learning Juniper, which I may create a separate page for sometime in the future to detail those experiences.

Anyways, I've had a few requests for an easy way to supply auditors a list of VPN user details without having to resort to manually grep'ing through $FWDIR/conf/fwauth.NDB to generate a usable report.

While it's not as easy as say, Cisco's 'show run | i users', it's pretty close:


[Expert@R75-A]# fwm dbexport -f /tmp/users_dump.xls

You'll notice that the results you need are formatted *terribly* in the initial output. Each user will look something like this:
[Expert@R75-A]# cat /tmp/users_dump.xls
Milton;    black;    {Awesome_Employees};    {Any};    {Any};    Internal Password;    00:00;    23:59;    31-dec-2030;    {MON,TUE,WED,THU,FRI,SAT,SUN};    Auth;    YIH14pBTDJvJ6;    ;    ;    ;    ;    ;    Any;    {};    {,,None};    ;    ESP;    SHA1;    3DES;    ;    {DES,3DES};    {MD5,SHA1};    {signatures};    ;    Any;    ;    false;    ;   
However, if you import this file into Excel/Libre Calculator and specify "Separated by" with Tab, Semicolon, and Space, it becomes perfectly readable and ready to submit to the auditor.

I'm running low on idea's at the moment, so if you'd like to know how to do anything CheckPoint related, let me know!

Cheers,


Wednesday 26 October 2011

CMA Customer Export Script

Hello everyone,

From time to time a situation arises where a customer needs to be 'exported' from an MDS and moved to a standalone Smart Center (SCS). The reasons for this can vary, however the tools for doing this are nearly non-existant.

One would love to use the uprade_export tool for a situation like this, however it simply isn't supported in a Provider-1 environment. According to CheckPoint's sk33067, this isn't even supported.

As such, I've written up a quick script to collect the required files that I need to export a customer's configuration. Please feel free to use it and share at your discretion.

When utilizing it, you'll see the following:
--------------------------------
Please specify the name of the customer (no spaces)
expertmode
Please enter the IP address of the CMA you wish to export
10.80.80.55


Thank you

You have specified to use the following CMA:
|expertmode-cma-10.80.80.55

Is this correct (yes or no)
yes

Collecting the required files...
Collection complete

Compressing...

Compression complete

Cleaning up

Done
Your files are located at /var/tmp/expertmode_migrate.tgz
Goodbye
--------------------------------

You can find the script hosted on Google docs here

As to what the script is actually grabbing, it's pretty simple:
$FWDIR/conf
$FWDIR/database
$CPDIR/conf
$CPDIR/registry

Cheers,

Friday 21 October 2011

ByteRange Filter Denial of Service Vulnerability in Check Point Products

Hello everyone,

A security update just came in that you should be aware of:

Check Point has acknowledged a vulnerability in multiple Check Point products, which could be exploited to cause a DoS (Denial of Service). This vulnerability is the Apache ByteRange Filter vulnerability, CVE-2011-3192, reported earlier this year. Because this affects network filtering and protection devices, this flaw has the potential to impact other network devices dependent on that filter, resulting in a much larger DoS. Please refer to the Check Point advisory for the list of impacted products. Users of Check Point devices should check with the vendor and apply any updates as soon as possible.

Hotfixes have been released for:
  • Connectra R66.1, R66.1n
  • R71.40, R75.20
  • DLP-1 R71.20



https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65222
http://httpd.apache.org/security/CVE-2011-3192.txt
http://secunia.com/advisories/46474/
http://secunia.com/SA45606/

Saturday 1 October 2011

SCP: How to transfer multiple files

Kudos goes to Joyce Babu, whose blog can be found at:
http://www.joycebabu.com/blog/copying-multiple-files-with-scp.html

Copying from her article

When you have to copy multiple files to your remote server, the syntax is similar to the cp command.
scp file1.sql file2.sh joyce@joycebabu.com:~/upload
Where file1.sql and file2.sh are the files to be copied, joyce is the username, joycebabu.com is the hostname and ~/upload is the destination directory on the remote server.
In order to download multiple files from the remote server, the command to be used is
scp joyce@joycebabu.com:"file1.log file2.log" ~/logs
Where file1.log and file2.log are the files to be downloaded and ~/logs is the destination directory on the local server. Notice the quotes around the filenames. This ensures that the filenames list is not parsed by the local shell and is passed to the remote shell. Similarly, when you want to download files using wildcards (*.php, files_?.log etc), you should enclose the name within quotes to ensure that the expansion is done by the remote server.
The -r option can be used to copy directories recursively.
scp -r joyce@joycebabu.com:~/logs ~/logs
This may not be a lifesaver tip and the time gained by this method may be small. After all, when a large number of files are to be transferred, I use FTP or tar my files and copy it. But at times when things go wrong, even this small gain can help.

Friday 30 September 2011

UTM-1: How to bypass the WebGUI during the initial install

Before I begin I should note that this does not 'always' work, and is not supported by TAC.

However, if you are successful with it, you can run sysconfig/cpconfig immediately instead of having to go through the initial install procedure via the WebGUI.

I know anyone who is stuck doing remote deployments/wipes with UTM-1's knows the pain this requirement can cause :)

To 'get out of jail', simply run the following from expert mode:

touch /opt/spwm/conf/wizard_accepted


Once completed, sysconfig/cpconfig will now work.

Enjoy!

SPLAT: How to automatically enter "Expert Mode" when logging in

I suppose it's pretty fitting that I include this.

Make sure you're in expert mode when you run this:

Verify your current shell (substitute 'admin' for your user):
cat /etc/passwd |grep admin
admin:x:0:0::/home/admin:/bin/cpshell

Change your shell to bash:
chsh -s /bin/bash admin
Changing shell for admin.
Shell changed.

Verify the change has taken place:
cat /etc/passwd |grep admin
admin:x:0:0::/home/admin:/bin/bash

Now, when you exit/login again, you'll immediately get dropped into expert mode:

login as: admin
admin@192.168.0.50's password:
Last login: Fri Sep 30 14:28:08 2011 from 192.168.0.10
[Expert@R75-A]#

Keep in mind this does have security implications - it's just nice to have in a lab environment :)

Friday 16 September 2011

IPSO: How to Backup and Restore via CLISH?

This will backup all of the OS information/configuration like Routes, Proxy Arps, Interface configuration etc:

The following will create a new backup in /var/backup/

clish -c "set backup manual filename your_desired_filename"
clish -c "set backup manual on"

To Restore:
clish -c "set restore manual /path_to_backup_file.tgz"

Tuesday 6 September 2011

TCPDUMP: How to capture a full packet

This request generally comes around when there is some suspicious network activity seen by one of the IDS and the engineer wants to see the entire packet:

tcpdump -nnvvXSs 1514 -i eth0

FWMonitor: How to filter by network range

Pretty simple idea, however wildcards don't work in the generic 'src/dst' statements unfortunately.

Let's say I want to capture all traffic sourced from 192.168.0.0/24 destined to the 10.15.15.0/24 over port 80, I'd use the following syntax:

fw monitor -e "firstblock={<192.168.0.0,192.168.0.255>};secondblock={<10.15.15.0,10.15.15.255>}; accept (src in firstblock, dst in secondblock, sport=80);"

The first IP Block is the starting IP for the network, and the second is the last IP in the block. You can define as many 'groups' as you'd like. Just make sure that the rest of the 'accept' statement ends up between two parent parenthesis.

Thursday 1 September 2011

How to remove a static route in SPLAT without using SYSCONFIG

It's pretty simple:

Consult the routing table to verify the routing information of your to-be-deleted route with one of the two following commands:
route | grep ip_of_your_route
or
netstat -nr | grep ip_of_your_route

An example is below:
netstat -nr |grep 192.168.72.75
192.168.72.75 172.16.25.45 255.255.255.255 UGH    0 0        0 eth5

Delete the route (help for the command can be found with 'route --help'):
route del -net 192.168.72.75 netmask 255.255.255.255 gw 172.16.25.45

Verify the route has been deleted (you should not see the original route anymore):
netstat -nr |grep 192.168.72.75

Save the changes (in case the route was pulled from sysconfig/netconf.C):
route --save