Tuesday, December 11, 2012

How to Simulate a HTTP GET BotNet DDoS Attack

Today I would like to share a cool tool called Bonesi DDoS Botnet Simulator.

web page : http://code.google.com/p/bonesi/

BoNeSi is able to simulate a TCP based HTTP-GET flood on a victim.3way handshake is completed. Its a much more advanced testing technique than Syn Http Flood, hping can only send tcp packet flags.
Since non spoofed IP connections require correct routing setup, this tool can only be used in closed testbed setups.

It can establish several thousands of HTTP connections from different IP addresses defined at iplist.txt making this tool to simulate advanced bot networks.

How does TCP Spoofing work?
BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature, it is necessary, that all traffic from the target webserver is routed back to the host running BoNeSi
HTTP-Flooding attacks can not be simulated in the internet, because answers from the webserver must be routed back to the host running BoNeSi.

It can be used to test firewall systems, routing hardware, DDoS Mitigation Systems or webservers directly.

my test usage was,
# bonesi -i 50k-bots.txt -p tcp -r 0 -u http://cagdastestlab.com -b useragent.txt -d eth1 -v

Usage: bonesi [OPTION...] <dst_ip:port>
  -i, --ips=FILENAME               filename with ip list
  -p, --protocol=PROTO             udp (default), icmp or tcp
  -r, --send_rate=NUM              packets per second, 0 = infinite (default)
  -s, --payload_size=SIZE          size of the paylod, (default: 32)
  -o, --stats_file=FILENAME        filename for the statistics, (default: 'stats')
  -c, --max_packets=NUM            maximum number of packets (requests at tcp/http), 0 = infinite (default)
      --integer                    IPs are integers in host byte order instead of in dotted notation
  -t, --max_bots=NUM               determine max_bots in the 24bit prefix randomly (1-256)
  -u, --url=URL                    the url (default: '/') (only for tcp/http)
  -l, --url_list=FILENAME          filename with url list (only for tcp/http)
  -b, --useragent_list=FILENAME    filename with useragent list (only for tcp/http)
  -d, --device=DEVICE              network listening device (only for tcp/http)
  -m, --mtu=NUM                    set MTU, (default 1500)
  -f, --frag=NUM                   set fragmentation mode (0=IP, 1=TCP, default: 0)
  -v, --verbose                    print additional debug messages
  -h, --help                       print this message and exit

Monday, November 26, 2012

Smart Uploader (GUI for cp_uploader.exe)

As you know CheckPoint released a new upload tool called Check Point Uploader utility ( sk84000 )
This tool enables you to upload the files securely to Check Point using your user center credentials.

I have developed a GUI for cp_uploader.exe
Enjoy it!

Click to download Smart Uploader

Wednesday, November 14, 2012

How to Enable SNMP on Checkpoint

# snmp service disable
# snmp service enable
# snmp user show
You should delete the community named public
# snmp user del public
# snmp user add noauthuser CommunityName

# snmp service stat
You should see
SNMP service enabled and listening on port 161.
enable snmp extensions
# cp_conf snmp get
Currently SNMP Extension is active
# cp_conf snmp activate
Check the ports, both 260 and 161 should be listening..

Lets do some SNMP Walk
Total RAM on System
# snmpwalk -v1 -c CommunityName firewallipaddress .
do a fw tab -t connections -s and count connections
# snmpwalk -v1 -c testcom .

Snmp version should be
checkout with the command #rpm –qa | grep net-snmp
Some Checkpoint SNMP OIDS
CPU Usage .
CPU System .
CPU User .
Number of Connections .
Peak Number of Connections .
Memory Total .
Memory Used .
Memory Free
Memory Buffered .
Memory cached .
Swap error .
Chassis FAN Speed
Core Voltage
1.8 Voltage
5V Power Supply In
5V Standby Voltage
Battery Voltage
CPU temperature
M/B Temperature

DDoS Seminar in Ankara

Last friday Checkpoint and InfoNet have prepared a DDoS seminar in Ankara,
I had created a lab similar to http://www.youtube.com/watch?v=5rhw7zsiarQ&feature=plcp that I have posted earlier.

The lab had 2 phases, with DDoS protector and without it which the attacker directly faces to firewall, We have investigated and compared both behaviours..

After showing some attack vectors the main subject was to try to explain the reason of why we need a DDoS mitigation device other than getting this as a service from ISP and explained why its a network design problem and how to deal with it on every hop count

Friday, October 19, 2012

Reverse Connection Shell

Problem :
Unreachable Server Behind Firewall (Simulation of Reverse Shell)
A solution to this problem is to have the server(victim) reach out and connect to the client. In such a case, the client(attacker) will listen on a port, say, port 80, and the server will then attempt to connect every 5 seconds. If the client is not up, the server waits 5 seconds and then tries again. If a client is up, it will then establish a connection and gives a shell to the client. The client will then be able to send commands, and they will execute on the server side. This technology is called Reverse Connection Shell.

Download from the link below

Download ReverseShell Tools by Cagdas Ulucan

Monday, October 15, 2012

Bypass none L7 Firewall/Proxy systems (SSH Tunnelling)

By tunneling technics it's possible to penetrate none L7 firewalls as they don't inspect the content of the packet.
as usually port 80 and 443 is allowed for internal users and also SSH protocol supports socks proxy, this can be used to connect remote ssh servers that runs from port:443, you may place your own or find public ssh servers on net

here is the screenshot doing it via putty


some other ways of penetration may be using proxy softwares like ultrasurf, making vpn to outside,using remote connection softwares like teamviewer (reverse connection), note that all of these techniques uses port 443

I wanted to draw your attention to importance of inspecting SSL traffic as it can be used for several illegal connections that can cause data leakage in your network


Tuesday, October 9, 2012

How to Convert victim switch to a HUB

First way
ARP Poisoning (arpspoof)
Attack is based on weakness of ARP protocol, its so old and limited to local network segments but still one of the biggest threat on L2 networks
Enable routing on the attacker so that it can route the traffic back to victim, its required if you dont want to make DOS, to silently listen the traffic.
"echo 1 > /proc/sys/net/ipv4/ip_forward" # enable IP forwarding in the Linux kernel.
to test whats going on at the victim machine type arp -a and check the mac of the victims gw once started to poison it will change the value to attackers mac address

Lets start
first SSH
# arpspoof -t victimip gwip
Second SSH
# arpspoof -t gwip victimip

Protection from ARP Poisoning
Open Dynamic ARP Inspection on the related switch,

If you have a dhcp server
Cisco(config)# IP dhcp snooping vlan
Cisco(config)# IP arp inspection vlan
Cisco(config)# interface GigabitEthernet 1/11
Cisco(config-if)# IP dhcp snooping trust
Cisco(config-if)# IP arp inspection trust

If not, you have to manually set static ip-mac addresses
Cisco(config)# IP arp inspection vlan
Cisco(config)# IP source binding vlan interface Gi1/1
Cisco(config)# arp access-list
Cisco(config-arp-acl)# permit IP host mac host
Cisco(config)# IP arp inspection filter vlan

Second way
Mac Flooding is to attack with lots of bogus ARP packets on a switch network, thus overloading the switch CAM tables and making it acting like a hub.
A typical switch can handle few thousands of ARP records and can be overloaded.
Once its overloaded you may start sniffing..

you may use the tool macof
#macof -i eth0

Protection of this attack is simply enabling Port Security

Thursday, October 4, 2012

DOS on Wireless Networks (wlan jammer)

Deauthentication attack on wireless networks
As a result everyone from your attacked network will be kicked out from it,we may say that Its simply a DoS

The connection between the Mesh clients and Mesh APs has been be established by the exchange of various frames.After that the exchange of the series of management frames like authentication and association request frame takes place.As these frames are unprotected and sent in clear. So these frames has been spoofed by the attacker. The attacker then sends deauthentication requests with the client’s address set as the source. Then the mesh AP responds by sending the deauthentication response to the client. Thus the communication between the client and the AP has been halted. As deauthentication requests are notifications, so cannot be ignored and the AP responds instantly to these requests . The attacker can periodically scan all the channels and send these spoofed messages to valid clients thus terminating their connection.

During the attack the client has been deauthenticated and thus may probe other networks and connect to any other mesh AP available in the range with good signal strength.Second stage of this DOS can be Rogue AP Attack.

# airmon-ng  (shows your wlan interfaces)
# airmon-ng start wlan0 (enable monitoring mode on wlan0)
# airodump-ng mon0  (Get the related info of victim AP)
# airodump-ng -c 11 -b 1C:65:9D:B5:D8:C1 mon0   (go inside the related AP, define channel and MAC)
# aireplay-ng --deauth 100 -c FF:FF:FF:FF:FF:FF -a 1C:65:9D:B5:D8:C1 mon0  (start sending deauthentication packets,Open a separate ssh session)

I also decided to write other than Checkpoint,
more pentest related notes will be on this site.


Friday, September 14, 2012

Checkpoint DDOS Protector

Today, I had a chance to deal with new Checkpoint DDoS Protector device.
Here is a short video that shows some attack vectors and response of ddos appliance
There was a DDoS_8412 and R75.45 FW  between the hacker pc and test victim.

Friday, August 31, 2012

Interface rx-drp on Checkpoint firewalls

If your eth-driver is bnx2 apply the related driver upgrade at sk80640
I also know that there are driver upgrades for e1000 search it from support
to see the driver # ethtool -i eth0

Also note to check the buffer size on related eth
# ethtool -g eth0
The related sk is sk42181

# netstat -i will show you the drop counts on interfaces.

Error: Page cannot be displayed. An error occurred while processing the request.

I have encountered a strange error on Mobile Access Blade, In my case this was related to IPS, Try this;uncheck IPS and mobile access on firewall properties, install policy, then recheck them and reinstall the security policy.

Saturday, August 4, 2012

How to upgrade the software and migrate a distributed SmartCenter to a Full HA Cluster

This procedure is my solution method...

Take an upgrade_export file from the source SMC and import it to your vm machine with the same name and upgrade it to the version u want.
This is a MNG so you cant export and import it to a standalone firewall machine,
lets fake the system that its also a firewall with the command
# cpprod_util FwSetFirewallModule 1
check it via # cpprod_util FwIsFireWallModule
close SmartDashboard and relogin, you will see the firewall tab.
take a new upgrade_export for the utm box
You have to install the appliance as full HA primary cluster member and then,
# cp_conf fullha disable   disable its cluster membership...
import the config reboot and
# cp_conf fullha enable  to set it back to fullhacluster

Thats it, Goodluck

Thursday, July 26, 2012

DDOS Tuning for Checkpoint IPS Blade

These are the main things to check against ddos related attacks on checkpoint,
but of course not enough for sophisticated layer 7 attack techniques, checkout new radware based checkpoint ddos appliance; ddos protector.

Aggressive aging: protection against connection-consuming attacks
Lower Stateful Inspection timers: defense against slow attack
Geo protection: Rules to block by country and direction of traffic
Network quota: limit number of connections by source IP
Worm catcher signature: block known worms (HTTP and CIFS)
TCP window size enforcement: small TCP window and flood
SYN flood protection: cookie-based validation
HTTP flooding / UDP Flooding: rate-based blocking
non-TCP Flooding: restrict non-TCP traffic from occupying more than a given percentage of an enforcement point State table

Wednesday, July 18, 2012

Checkpoint Port Based Routing in ISP Redundancy

Its possible that certain outgoing connections be routed specifically through the first ISP link at ISP Redundancy Load Sharing Mode
edit the $FWDIR/lib/table.def as follows
By changing it to: no_misp_services_ports = { <500, 17>, <259, 17>, <80,6>};, (where <25,6> stands for SMTP (port 25), TCP (IP protocol 6)), all outgoing SMTP traffic would go through the first ISP link.

Also some tips
Show the currently defined ISP links
#cpstat fw
Test ISP Redundancy by administratively bringing down/up thelink
# fw isp_link ISP-1 down
# fw isp_link ISP-1 up

more advanced commands will be on next release of SmartSPLAT

Wednesday, July 4, 2012

Cant access to Mobile Access Portal, Browser keeps loading without giving an error

Look under /opt/CPcvpn-R75.20/log/cvpnd.elg for the problem reason,
In my case it was showing
Exception: open("/opt/CPcvpn-R75.20/conf/includes/CustomRulesAfter.conf") failed - No such file or directory - CVPND aborting
manually create the file or files,
touch /opt/CPcvpn-R75.20/conf/includes/CustomRulesAfter.conf
touch /opt/CPcvpn-R75.20/conf/includes/CustomRulesBefore.conf
and do  a cvpnrestart
Also check licenses on both cluster members...

Wednesday, June 27, 2012

SNX page can not be displayed error

We have faced this issue again..

uninstall this update KB2585542
Change the Encryption setting from
in the Global Settings for the Remote Access / SSL Network Extender
Install Policy to the Gateway.

Thursday, June 14, 2012

Packet (ping) latency through Checkpoint Firewall

Checkout the antispoofing settings and be sure that its configured on all interfaces and also check securexl settings..

How to Install a public CA to Mobile Access / Connectra

1. Generate the CSR
run "csr_gen <filename>" and follow the instructions.
!NOTE! If the files <filename>.csr and .key still exists, the files are overwritten without warning!
-> <filename>.key (keyfile)
This is the private key. You are requested if you want to protect this file with a passphrase - please do so. Protect this file and keep it secure.
You need this file and the passphrase later to install the certificate.
-> <filename>.csr
This is the certificate signing request that you have to send to your CA.
you will receive the signed certificate from your CA (certfile)

2. Convert certfile to PEM-Format
If the file you receive is from your CA is in p12 or pfx format convert the file into PEM format (sk30997):
$CVPNDIR/bin/p12ToPem <input-filename(.p12 /
e.g. $CVPNDIR/bin/p12ToPem cert.pfx
If the file you receive is from your CA is in p7b, spc or PKCS#7 format convert the file into PEM format:
$CVPNDIR/bin/p7bToPem <filename (.p7b, .spc, ...)> <output filename (.crt)>
e.g. $CVPNDIR/bin/p7bToPem cert.p7b cert.crt
->certfile in PEM-format <filename>.crt

3. Install the generated certificate:
Use this command to install the previous generated certificate:
$CVPNDIR/bin/InstallCert <certfile> <keyfile> '<passphrase>'
4. Restart Daemon
Run "cvpnrestart" on the Gateway

Repeat step 3. and 4. on each member
Finally reinstall the policy to the cluster.

Sunday, June 10, 2012

Policy Install Load on Module Failed

Last week I was dealing with a policy installation problem,
fwm.elg was pointing to duplicate fw object name and some certificate related problems..
After placing the upgrade_export to a VM test machine, I saw that I can install the policy on it, so I have decided to reset SIC on both members one by one and this resolved our problem.

SmartSPLAT may help you to examine this type of problems..
Load Policy to Firewall
# fwm load $FWDIR/conf/Standard.W FirewallName > /var/tmp/policy_install.ctl 2>&1
Also try
Fetching the Policy from SMC
# fw fetch SMCName
and fetching locally
# fw -d fetchlocal -d $FWDIR/state/__tmp/FW1/

FWM crashes due to corrupted license file

last week I had an interesting license problem
Got the error similar to below;

/bin/cplic_start: line 6:  4777 Segmentation fault      $CPDIR/bin/cplic "$@"

fwm is crashing on the SmartCenter server..

perform the following on SMC
# cpstop
# cd $CPDIR/conf
# rm cp.contract
# rm cp.license (If removing just the cp.contract doesnt resolve the issue try removing this file, you need to reinstall the licenses)
# cd $FWDIR/conf
# rm CPMIL*
# rm applications.C*
# cpstart

also note to check disk size with # df -h at SMC related problems.. /opt may be full

Monday, May 28, 2012

Site to Site VPN between Checkpoint and pfSense

I would like to share my experience on making Site to Site VPN between Checkpoint and pfSense
This is a working procedure..
Good Luck :)

note: If the pfsense part has more than one subnet defined, then you have to play with user.def file at checkpoint side,otherwise tunnel will just be up on one subnet.


Phase 1

Saturday, May 19, 2012

Thursday, May 10, 2012

IPS Update: ips scheduled update ended with errors

Check the internet connection on SMC and Check dns config to see updates.checkpoint.com resolves correctly

Manually update the IPS database,
Close all GUI applications,
Open a GUIDBEdit to the SMC
Application name:GuiDBedit.exe
Search (Search->Find) for:
Once found you will see a field named status under that object.
Change the value of status 0
Save changes,close GUIDBEDIT
Open Dashboard and verify if the issue resolved.

Updated Note : There is a fix for this issue, Request it from Support.

Sunday, May 6, 2012

How to use SCP upload-download option at New OS Gaia

To use SCP with GAIA, You have to change the users shell to bash

# chsh -s /bin/bash admin

To go back to cli.sh
Use  # chsh -s /etc/cli.sh admin

Or you may do these actions via Web UI as below

Thursday, May 3, 2012

R75 UFP causes high CPU usage

Be Careful when upgrading R65 to R75
There is a hotfix for UFP Opsec Connection, request it from support before going in to Production..
Symptomps are,
CPU Peak %100 , ping latency , drop packets..
How to replicate,
Try high size downloads..

Sunday, April 15, 2012

SmartSPLAT v5 Redesigned from your feedbacks..

    New Telnet Option,
    New Right Click Menu,
    New SSH Port definition,
    New Duplicate SSH Option,
    New Health Check Option,
    New Cluster Terminal,

    and more...