20100112

Check Point R70.20 Upgrade

I'm not sure if I can put this down to karma or just plain luck, but I was knee-deep in some recent upgrade work that wasn't travelling too well and managed to get it sorted with a bit of help from the customer.

The job was to upgrade a distributed Check Point installation to the new, all shiny R70.20 (up from NGX R65).  H/A management is running on Windows 2003, the firewalls on SPLAT.  I completed all the preliminary backups, license exports, etc., so I could get back to where I started if it all went bad, then proceeded to run the R70 upgrade.  Click, click, click, reboot.  When the server came back up, I began the work to confirm the product was operating as expected.  SmartDashboard connection --> failed, services check --> sort of looks OK, Check Point stuff listed, cmd window cpstop/cpstart --> fail.

C:\>cpstart
cpstart: Starting product - SVN Foundation
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
 

cpstart: Starting product - VPN-1
System error 1075 has occurred.
The dependency service does not exist or has been marked for deletion.

cpstart: Starting product - SmartView Monitor
SmartView Monitor is disabled.


Nice, I was seeing a service dependency error and it was on the foundation service.  Now I didn't get any install errors and everything looked OK, so I compared the list of installed services against the secondary management server and sure enough, the foundation service was missing.

So a few Google, CPUG and SecureKnowledge searches later, I was no closer to resolving it with that magic one-hit fix, so I could be facing a rollback or reinstall to get this server going again. Called over the customer and had a chat about where I was at and what I thought was wrong, in that the installer had failed to register the foundation service. The software appeared to be installed OK, as the following command would give the build number.

C:\>cpshared_ver
This is Check Point SVN Foundation (R) Version R70 - Build 153


We chatted around the Windows command to register a service, and through a bit of experimentation, came up with the following:

> sc create CPSHAREDSVC binpath= "c:\Program Files\CheckPoint\CPShared\R70\bin\cpsharedsvc.exe" start= auto DisplayName= "Check Point SVN Foundation"

That was it, cpstart was now happy and management all checked out.

C:\>cpstart
cpstart: Starting product - SVN Foundation
The Check Point SVN Foundation service is starting.
The Check Point SVN Foundation service was started successfully.

cpstart: Starting product - VPN-1
The Check Point FireWall-1 service is starting.
The Check Point FireWall-1 service was started successfully.

cpstart: Starting product - SmartView Monitor
SmartView Monitor is disabled.


Note:  Keep in mind that sc.exe is fussy about its option syntax: each option is written as `name= value`, with no space before the `=` and exactly one space after it (`binpath= "..."`, `start= auto`, `DisplayName= "..."`).  Leave that space out and sc rejects the argument instead of doing what you meant.

exit -0


20100109

Laptop 3G Gateway 101

There have been random occasions when I needed Internet access while benching hardware or testing out MITM stuff, and I have found it convenient to make use of a 3G connection.  I did this recently on a customer site to run up a Nokia VRRP cluster that was going to replace a single production firewall.  By setting a laptop up to act as the upstream ISP gateway and another PC behind the firewall, I could pull data while running failover tests.

Kit used went along the lines of:
1 x Laptop with Backtrack 4 installed
1 x Optus 3G adaptor (Model E220)

The setup goes along the lines of....

1] BT4

Boot up BackTrack and configure the Ethernet port with the gateway address your router/firewall will point at.  You can get away with assigning Internet-routable addresses to this interface to lab a production configuration, since the traffic is hidden behind the laptop's own uplink address (hide NAT) before it gets passed upstream anyway.  An example of setting an IP address on eth0:

 # ifconfig eth0 10.254.239.1 netmask 255.255.255.224

2] 3G Adaptor

Now, I'm going to conveniently skip over details on how you can detect your 3G device using lsusb & dmesg then sorting out the wvdial.conf to make this all work and just assume you have already done this.  If you haven't, Google is your friend, not my lame blog post...  By this time, I'm usually in an X session and running Terminator in full screen. Breaking out a few 'root' shell windows, plug in the 3G card and run the following command in one of them. Note:  The window you run this in will need to be left alone unless you want to bring down the 3G connection with a conveniently placed CTRL-C.

 # wvdial Optus3G

I have included the wvdial.conf file in the post below for both the Optus and Three cards I have tested.  Can't confirm if they are optimal configs, just that they worked for me.

3]  Hide NAT

In another window of my Terminator session, set up iptables to hide-NAT (masquerade) everything leaving via the 3G link:

 # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

4]  IP Forwarding

Turn on IP Forwarding to allow the Linux kernel to act as a gateway by running the following command.

 # echo "1" > /proc/sys/net/ipv4/ip_forward

5]  Monitoring

To keep an eye on the traffic passing through the laptop, use tcpdump in one of those Terminator shell windows.

 # tcpdump -n -i eth0

6] Profit
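The five steps above wrapped into one script, as an added example that is not part of the original post. It emits the commands first so they can be reviewed, waits for ppp0 to appear before applying them, and restricts the FORWARD chain so only the lab side can use the uplink (the bare MASQUERADE rule above relies on the distro's default FORWARD policy being ACCEPT). Interface names, the lab address and the dialer name are assumptions copied from the quick ref.

```bash
#!/bin/bash
# Added example (not from the original post): laptop as a hide-NAT gateway
# between the lab side (eth0) and the 3G uplink (ppp0). Interface names,
# addresses and the wvdial profile name are assumptions from the quick ref.
set -u

LAN_IF="${LAN_IF:-eth0}"             # towards the firewall under test
WAN_IF="${WAN_IF:-ppp0}"             # created by wvdial once the 3G link is up
LAN_ADDR="${LAN_ADDR:-10.254.239.1}"
LAN_MASK="${LAN_MASK:-255.255.255.224}"
DIALER="${DIALER:-Optus3G}"          # [Dialer ...] section name in wvdial.conf

# Print the commands that turn this box into a gateway. Printing them first
# lets you review exactly what will run; gw_up pipes them into sh -ex.
gw_commands() {
    cat <<EOF
ifconfig $LAN_IF $LAN_ADDR netmask $LAN_MASK
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Commands that undo the above when the lab is finished.
gw_teardown_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=0
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
EOF
}

# True once wvdial has brought the 3G link up and $WAN_IF exists.
wan_is_up() {
    ip -o link show "$WAN_IF" >/dev/null 2>&1
}

# Wait (up to ~60 s) for the uplink, then apply the gateway commands.
gw_up() {
    local tries=0
    until wan_is_up; do
        tries=$((tries + 1))
        if [ "$tries" -ge 30 ]; then
            echo "$WAN_IF never appeared; is 'wvdial $DIALER' running?" >&2
            return 1
        fi
        sleep 2
    done
    gw_commands | sh -ex
}

gw_down() { gw_teardown_commands | sh -ex; }

case "${1:-}" in
    up)   gw_up ;;
    down) gw_down ;;
    show) gw_commands ;;
    "")   ;;    # no argument: just define the functions (e.g. when sourced)
    *)    echo "usage: $0 {up|down|show}" >&2; exit 2 ;;
esac
```

Run `wvdial Optus3G` in one Terminator window as before, then `./gw.sh up` in another; `./gw.sh show` prints the rules without touching anything, and `./gw.sh down` removes them. The FORWARD policy of DROP means nothing arriving on ppp0 can be forwarded into the lab unless it is a reply to a connection the lab opened.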






Quick Ref:

# ifconfig eth0 10.254.239.1 netmask 255.255.255.224
# wvdial Optus3G
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# echo "1" > /proc/sys/net/ipv4/ip_forward
# tcpdump -n -i eth0

Optus3G wvdial.conf config::

[Dialer Optus3G]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Stupid Mode=1
Modem Type = Analog Modem
ISDN = 0
Phone = *99#
Modem = /dev/ttyUSB0
Username = username
Password = password
Dial Command = ATDT
Baud = 466600
New PPPD = yes

Other variations on this setup could include running up your own DHCP and DNS for some MITM work...yeeharr...

exit 0



20100105

Wireless Sniffing Using 802.11n Hardware

This all started when looking for random wireless kit in the local trading rag after getting jacked trying to get SD storage working on a WRT54GL running Kamikaze. After locating kit and getting model numbers, I would head over to http://openwrt.org/ and check the support status. While doing this I came across some 802.11n APs, which triggered more searching and ultimately led me to http://wireless.kernel.org/en/users/Drivers/ar9170. What, you can sniff 802.11n from USB adapters? Let's try some of this.

1] Acquiring hardware

Yep, after checking the list of supported devices, I found a shop that was doing TP-Link TL-WN821Ns for $50 AUD. No idea of what hardware version they stocked but headed on down to the shop and grabbed a v2 adapter. The dude pulled a v1 off the shelf so words were exchanged and a v2 was located. Hey, v2 was on the list...

2] Initial run-up


Being a fan of BackTrack, that was the distro that I plugged my shiny new adapter into and guess what, no joy. A bit of research found that BT4 didn't support the v2 hardware in its ar9170usb driver. Commands used to acknowledge the fail...

List USB device information:

# lsusb

[SNIP]
Bus 002 Device 003: ID 0cf3:1002 Atheros Communications, Inc.

List supported devices from the ar9170usb device driver:
# modinfo ar9170usb
filename: /lib/modules/2.6.30.5/kernel/drivers/net/wireless/ar9170/ar9170usb.ko
firmware: ar9170-2.fw
firmware: ar9170-1.fw
description: Atheros AR9170 802.11n USB wireless
license: GPL
author: Christian Lamparter
author: Johannes Berg
alias: usb:v04BBp093Fd*dc*dsc*dp*ic*isc*ip*
alias: usb:v2019p5304d*dc*dsc*dp*ic*isc*ip*
alias: usb:v083ApF522d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CDEp0026d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CDEp0023d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0586p3417d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0ACEp1221d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0846p9001d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0846p9010d*dc*dsc*dp*ic*isc*ip*
alias: usb:v07D1p3C10d*dc*dsc*dp*ic*isc*ip*
alias: usb:vCACEp0300d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CF3p1001d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CF3p9170d*dc*dsc*dp*ic*isc*ip*
depends: mac80211,led-class
vermagic: 2.6.30.5 SMP mod_unload 686
parm: nohwcrypt:Disable hardware encryption. (bool)


3] More hardware

Weighing up the time to build recent code vs another trip to the shop to get the v1 TP-Link adapter, I opted to fork out the cash. You can never have enough wireless adapters, right? So now I have two TP-LINK TL-WN821N adapters...

# lsusb
[SNIP]
Bus 002 Device 003: ID 0cf3:1002 Atheros Communications, Inc.
Bus 002 Device 002: ID 0cf3:9170 Atheros Communications, Inc. AR9170 802.11


At least I get a hit on a supported device.
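The lsusb-versus-modinfo comparison above (the v2 adapter's 0cf3:1002 is absent from the alias list, the v1's 0cf3:9170 is present) is a check worth scripting before buying or rebuilding anything. The script below is an added example, not from the original post: it pulls the VID:PID of every device lsusb lists, matches them against the driver's `alias: usb:v....p....` lines, and reports which firmware files the module names are missing from /lib/firmware. The sample lsusb and modinfo text is constructed from the outputs quoted in the post so it runs offline; `live` runs it against the real commands.

```bash
#!/bin/bash
# Added example (not from the original post): is each USB adapter in the
# ar9170usb alias list, and is the firmware it wants installed?
set -u

# lsusb lines -> "vvvv:pppp" (lower case), one per line.
lsusb_ids() {
    sed -n 's/.*ID \([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\).*/\1:\2/p' | tr 'A-F' 'a-f'
}

# modinfo alias lines (usb:vXXXXpYYYYd*...) -> "xxxx:yyyy" (lower case).
modinfo_ids() {
    sed -n 's/^alias:[[:space:]]*usb:v\([0-9A-Fa-f]\{4\}\)p\([0-9A-Fa-f]\{4\}\)d.*/\1:\2/p' | tr 'A-F' 'a-f'
}

# Print "supported <id>" or "UNSUPPORTED <id>" for every device in $1 (lsusb
# text) against $2 (modinfo text). Returns 1 if any device is unsupported.
check_support() {
    local lsusb_text="$1" modinfo_text="$2" rc=0 id known
    known=$(printf '%s\n' "$modinfo_text" | modinfo_ids)
    # Heredoc rather than a pipe so rc= survives the loop.
    while read -r id; do
        [ -n "$id" ] || continue
        if printf '%s\n' "$known" | grep -qx "$id"; then
            echo "supported   $id"
        else
            echo "UNSUPPORTED $id"
            rc=1
        fi
    done <<EOF
$(printf '%s\n' "$lsusb_text" | lsusb_ids)
EOF
    return $rc
}

# Firmware files named by modinfo ($1) that are not present under $2
# (default /lib/firmware). The ar9170usb module wants ar9170-1.fw and ar9170-2.fw.
missing_firmware() {
    local modinfo_text="$1" dir="${2:-/lib/firmware}" fw
    printf '%s\n' "$modinfo_text" | sed -n 's/^firmware:[[:space:]]*//p' | while read -r fw; do
        [ -e "$dir/$fw" ] || echo "$fw"
    done
}

# Constructed sample input, copied from the lsusb/modinfo output quoted above.
SAMPLE_LSUSB='Bus 002 Device 003: ID 0cf3:1002 Atheros Communications, Inc.
Bus 002 Device 002: ID 0cf3:9170 Atheros Communications, Inc. AR9170 802.11'

SAMPLE_MODINFO='firmware: ar9170-2.fw
firmware: ar9170-1.fw
alias: usb:v0CF3p1001d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0CF3p9170d*dc*dsc*dp*ic*isc*ip*'

run_live() {
    local info
    info=$(modinfo ar9170usb)
    check_support "$(lsusb)" "$info"
    echo "missing firmware:"
    missing_firmware "$info"
}

if [ "${1:-}" = "live" ]; then
    run_live
fi
```

On the sample input the script prints `UNSUPPORTED 0cf3:1002` and `supported   0cf3:9170`, which is exactly the v2/v1 split found the hard way above. The module name and the firmware directory are the only things to change for a different driver.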

4] Run up take II

Now, assuming I had supported hardware good to go, I attempted to get some acknowledgment from the OS that it had something plugged in. Learned the iw command backwards but couldn't get anything working. Ref: http://wireless.kernel.org/en/users/Documentation/iw. At one stage I was looking at building my own ar9170 firmware using the SH2 toolchain... wtf... Not having a late 2.6 kernel handy at the time, I opted for something else, Gentoo...

5] OS build - Gentoo

Not going into details here, I started building Gentoo on an eeePC 1000H. Let's just say I ended up with a kernel with a supported ar9170usb module, but this time I actually downloaded the firmware files from the links on this page: http://wireless.kernel.org/en/users/Drivers/ar9170 and put them into the appropriate location. Gentoo is hard work... emerge... wtf. Using the iw command, I could set up some monitor interfaces, pointed kismet at them and started sniffing. Also, since I was running the latest kernel, drivers, etc., I found I had support for both versions of the adapter hardware... yeeharr...

iw commands went something like:
# iw phy phy0 interface add moni0 type monitor
# iw phy phy1 interface add moni1 type monitor
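The two iw commands above assume the phy can do monitor mode and leave the interface down and on whatever channel the driver picked. The script below is an added example, not from the original post: it checks `iw phy <phy> info` for `* monitor` under "Supported interface modes" before adding the interface, brings it up, and pins the channel (with an optional HT20/HT40+/HT40- width, which is the knob the TODO list below is asking about). The interface prefix `moni`, the default channel and the sample `iw phy info` text are assumptions; the parser is what the test exercises.

```bash
#!/bin/bash
# Added example (not from the original post): monitor interfaces on every phy
# that supports monitor mode, brought up and pinned to a channel.
set -u

# Read 'iw phy <phy> info' on stdin; succeed only if "* monitor" is listed
# under "Supported interface modes:".
phy_supports_monitor() {
    awk '
        /^[[:space:]]*Supported interface modes:/ { in_modes = 1; next }
        in_modes && /^[[:space:]]*\*/ { if ($2 == "monitor") found = 1; next }
        in_modes { in_modes = 0 }      # first non-bullet line ends the section
        END { exit(found ? 0 : 1) }
    '
}

# Commands to put monitor interface $2 on phy $1, up, on channel $3 with
# optional width $4 (HT20, HT40+ or HT40-; omitted means driver default).
monitor_commands() {
    local phy="$1" moni="$2" chan="$3" width="${4:-}"
    cat <<EOF
iw phy $phy interface add $moni type monitor
ip link set $moni up
iw dev $moni set channel $chan${width:+ $width}
EOF
}

# For every phy the kernel knows about, add moniN if monitor mode is offered.
# Usage: monitor_all [channel] [width]
monitor_all() {
    local chan="${1:-6}" width="${2:-}" n=0 phy path
    for path in /sys/class/ieee80211/phy*; do
        [ -e "$path" ] || continue
        phy=$(basename "$path")
        if iw phy "$phy" info | phy_supports_monitor; then
            monitor_commands "$phy" "moni$n" "$chan" "$width" | sh -ex
            n=$((n + 1))
        else
            echo "$phy: no monitor mode advertised, skipping" >&2
        fi
    done
}

# Constructed sample of the relevant part of 'iw phy phy0 info' (assumed layout).
SAMPLE_PHY_INFO='Wiphy phy0
        Supported interface modes:
                 * managed
                 * AP
                 * monitor
        Supported commands:
                 * new_interface'

if [ "${1:-}" = "run" ]; then
    monitor_all "${2:-6}" "${3:-}"
fi
```

`./moni.sh run 6 HT40+` sets up moni0, moni1, ... on channel 6 with a 40 MHz width; kismet can then be pointed at each moniN as before. Checking the capability first is what turns "iw gave me nothing" into a clear "this driver build has no monitor mode" rather than a silent failure.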

6] Sniffing

Living in a very lightly populated wireless area, one of the first things I did was take it for a drive to get a feel for what it would pick up. Found that the card would take quite a few bad reads, which can be identified by random MAC addresses, corrupt SSIDs, etc. I sat it at work all day just to see the number of detected networks keep ticking over. I would get the occasional bad read running kismet and Alfas (802.11g) but not at this volume.

7] Fedora


So I parked it for a while, until Fedora 12 came along. Different laptop, standard build, uploaded all three pieces of firmware, SVN kismet, iw command for the monitor interface and cranked it up. Additions to Fedora went along the lines of:

Kismet

# mkdir /pentest/svn
# cd /pentest/svn
# svn co https://www.kismetwireless.net/code/svn/trunk kismet-devel
# yum install libpcap-devel.x86_64
# yum install libnl-devel.x86_64
# cd kismet-devel
# ./configure --prefix=/pentest/wireless/kismet 2>&1|tee make.conf.1
# make dep
# make 2>&1|tee make.out.1
# make install 2>&1|tee make.install.1


AirCrack-NG

# cd /pentest/svn
# svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
# cd aircrack-ng/
# make 2>&1|tee make.out.1
# make install 2>&1|tee make.install.1


Giskismet

# cd /pentest/svn
# svn co https://my-svn.assembla.com/svn/giskismet/trunk giskismet
# cd giskismet
# yum install perl-libxml-perl.noarch
# yum install libxml.x86_64
# yum install libdbi.x86_64
# yum install libdbi-dbd-sqlite.x86_64
# yum install perl-DBD-SQLite.x86_64
# yum install perl-XML-LibXML.x86_64
# perl Makefile.PL
# make 2>&1|tee make.out.1
# make install 2>&1|tee make.install.1


Random

# yum install macchanger.x86_64
# yum install gpsd.x86_64
# yum install dsniff.x86_64
# yum install wireshark.x86_64


I guess the drivers are getting better because the volume of bad reads is well down.

8] Bt4 fail

I went back to BT4, downloaded the two bits of firmware the module wanted and plugged in the v1 TP-Link adapter. Spun up kismet and watched mass packet carnage. At my place I sit in a room and usually pick up 2 APs, one of which is mine. After 5 minutes on BT4 I have 10 different variations of my SSID with random MACs all over the place. So far, Fedora has worked the best, I guess from more recent code...

TODO:

  • Get an 802.11n AP, hook up a legit client and work out how to set the channel width for optimal monitoring. (more reading required, wtf channel width). The iw command lets you set it...
  • Packet injection on the what now...
  • Find out what the hell the QSS thing is on the side of the TL-WN821N v2 adapter. (scratch that, the QSS thing is a button for Quick Secure Setup)

Links

exit 0