Off the back of the HBGary database walk, a site popped up that published all the cleartext passwords. http://dazzlepod.com/rootkit/
Before I had a chance to have a look around, it was down, then came back again without the passwords, citing breach of the hosting service AUP. Meh, do it yourself I says...
Dust off your BT4 distro or whatever and...
1) Download the SQL database from a reputable source.
# wget http://stfu.cc/rootkit_com_mysqlbackup_02_06_11.gz
2) Start mysqld and create a database.
# /etc/init.d/mysqld start
# echo "create database rootkit_com;" |\
mysql --user=root --password=toor
# echo "show databases;" |\
mysql --user=root --password=toor
3) Unzip your download and feed it to mysql.
# gzip -dc rootkit_com_mysqlbackup_02_06_11.gz |\
mysql --user=root --password=toor rootkit_com
# echo "show tables;" |\
mysql --user=root --password=toor rootkit_com
4) Pull out account and password info in a format that JTR can read.
# (cat <<MEH
SELECT login, password
FROM people
INTO OUTFILE '/tmp/rootkitpw.txt'
FIELDS TERMINATED BY ':'
LINES TERMINATED BY '\n'
MEH
) > pullpw.sql
# mysql --user=root --password=toor rootkit_com < pullpw.sql
# wc -l /tmp/rootkitpw.txt
81450 /tmp/rootkitpw.txt
# mv /tmp/rootkitpw.txt /pentest/password/jtr
5) Crank up john the ripper
# cd /pentest/password/jtr
# ./john --format=raw-MD5 rootkitpw.txt
6) Wait a little while and check some of the progress out... john.pot holds one hash:password line per crack; this script joins it back to the account export (outputs hash, password and account)
# (IFS=:
printf "%-34s %-15s %s\n" "raw-MD5" "Password" "Account"
printf "%-34s %-15s %s\n" "-------" "--------" "-------"
while read -r HASH PASS; do
  # every account in the export sharing this hash (anchored so a partial hex match cannot slip in)
  grep -i ":${HASH}\$" rootkitpw.txt | while read -r ACCT FOOHASH; do printf "%-34s %-15s %s\n" "${HASH}" "${PASS}" "${ACCT}"; done
done < john.pot) | less
7) If you're interested in confirming a cracked password, hash it yourself and compare. The \c stops echo from appending a newline, which would otherwise change the digest...
# echo -e "test\c" | md5sum
098f6bcd4621d373cade4e832627b4f6 -
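The check from step 7 done systematically, as an added example that is not part of the original post: every john.pot entry is re-hashed and compared with the hash John recorded (a stale or hand-edited pot file can carry a wrong guess), then joined back to the login:hash export so the output names each account it unlocks. Both input files are constructed stand-ins written under sample_ names so the real rootkitpw.txt and john.pot are left alone; the handling of a $dynamic_0$ prefix is an assumption about how newer John jumbo builds tag raw-MD5 entries and does nothing if the prefix is absent.

```shell
#!/bin/sh
# Added example (not the original post's code): re-verify every cracked entry
# and map it back to the accounts that share the hash.

# Constructed stand-in for the 'login:hash' export from the SELECT ... INTO OUTFILE step.
cat > sample_rootkitpw.txt <<'EOF'
alice:098f6bcd4621d373cade4e832627b4f6
bob:5f4dcc3b5aa765d61d8327deb882cf99
carol:098f6bcd4621d373cade4e832627b4f6
dave:e10adc3949ba59abbe56e057f20f883e
EOF

# Constructed stand-in for john.pot. The second line carries the '$dynamic_0$'
# tag some jumbo builds write for raw-MD5 (assumption); the third is a deliberately
# wrong guess so the mismatch path is exercised.
cat > sample_john.pot <<'EOF'
098f6bcd4621d373cade4e832627b4f6:test
$dynamic_0$5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123457
EOF

md5_of() {
    # printf, not echo: a trailing newline would change the digest.
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Prints 'hash password account status' for every pot entry and returns
# non-zero if any entry fails to reproduce its own hash.
verify_pot() {
    pot=$1; dump=$2; bad=0
    while IFS= read -r line; do
        hash=${line%%:*}                 # up to the first ':'
        pass=${line#*:}                  # the rest; a ':' inside the password survives
        hash=${hash#\$dynamic_0\$}       # drop the jumbo format tag if present
        hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')
        if [ "$(md5_of "$pass")" = "$hash" ]; then
            status=ok
        else
            status=MISMATCH; bad=1
        fi
        # one output line per account sharing this hash (anchored, case-insensitive)
        grep -i ":$hash\$" "$dump" | cut -d: -f1 | while IFS= read -r acct; do
            printf '%-32s %-15s %-10s %s\n' "$hash" "$pass" "$acct" "$status"
        done
    done < "$pot"
    return $bad
}

verify_pot sample_john.pot sample_rootkitpw.txt || echo "one or more pot entries did not verify"
```

Run it from any scratch directory; the non-zero return from verify_pot is what you would key a larger cleanup on, since a pot entry that fails to re-hash should not be reported as a cracked account.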
exit 0
20110211
20100112
Check Point R70.20 Upgrade
I'm not sure if I can put this down to Karma or just plain luck, but I was knee deep in some recent upgrade work that wasn't travelling too well but managed to get it sorted with a bit of help from the customer.
The job was to upgrade a distributed Check Point installation to the new, all shiny R70.20 (up from NGX R65). H/A management is running on Windows 2003, the firewalls on SPLAT. I completed all the preliminary backups, license exports, etc, so I could get back to where I started if it all went bad, then proceeded to run the R70 upgrade. Click, click, click, reboot. When the server came back up, I began the work to confirm the product was operating as expected. SmartDashboard connection --> failed, services check --> sort of looks OK, Check Point stuff listed, cmd window cpstop/cpstart --> fail.
C:\>cpstart
cpstart: Starting product - SVN Foundation
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
cpstart: Starting product - VPN-1
System error 1075 has occurred.
The dependency service does not exist or has been marked for deletion.
cpstart: Starting product - SmartView Monitor
SmartView Monitor is disabled .
Nice, I was seeing a service dependency error and it was on the foundation service. Now I didn't get any install errors and everything looked OK, so I compared the list of installed services against the secondary management server and sure enough, the foundation service was missing.
So a few Google, CPUG, SecureKnowledge searches later, I was no closer to resolving it with that magic one-hit fix, so I could be facing a rollback or reinstall to get this server going again. Called over the customer and had a chat about where I was at and what I thought was wrong, in that the installer had failed to register the foundation service. Software appeared to be installed OK as the following command would give the build number.
C:\>cpshared_ver
This is Check Point SVN Foundation (R) Version R70 - Build 153
We chatted around the Windows command to register a service, and through a bit of experimentation, came up with the following:
> sc create CPSHAREDSVC binpath= "c:\Program Files\CheckPoint\CPShared\R70\bin\cpsharedsvc.exe" start= auto DisplayName= "Check Point SVN Foundation"
That was it, cpstart was now happy and management all checked out.
C:\>cpstart
cpstart: Starting product - SVN Foundation
The Check Point SVN Foundation service is starting.
The Check Point SVN Foundation service was started successfully.
cpstart: Starting product - VPN-1
The Check Point FireWall-1 service is starting.
The Check Point FireWall-1 service was started successfully.
cpstart: Starting product - SmartView Monitor
SmartView Monitor is disabled.
Note: sc.exe is not random about spaces, it insists on one after each option's '=' (binpath= ..., start= auto, DisplayName= ...); leave the space out and the option is not parsed. Also keep in mind that the double quotes in the command above are consumed by the command shell, so the ImagePath registered for the service is an unquoted path containing spaces. Confirm what was actually registered with sc qc CPSHAREDSVC; if BINARY_PATH_NAME shows the path without quotes, recreate the service with the path wrapped in escaped double quotes inside the binpath= value, otherwise Windows will try C:\Program.exe (and the other prefixes) before the intended binary, and a writable directory along that path becomes a privilege escalation point.
exit -0