Enabling opsec in Checkpoint smart center server

This is for a new setup.

cd $FWDIR
cd config
vi fwopsec.conf
add these lines:
   lea_server  auth_port   18184
   lea_server  auth_type   sslca

vi $CPDIR/conf/sic_policy.conf
add this line:

ANY    ; ANY  ; 18184    ; sslca ; ssl, fwn1, local_ipcheck
Posted in Firewall, Security

Config example for ipsec vpn with iPad native vpn client

The iPad native VPN client supports IKEv2. I have searched many documents on the internet and most of them are examples for site-to-site; there is very little useful documentation about remote access VPN with IPsec using IKEv2, perhaps because remote access SSL VPN is more convenient and popular.

So here's the sample config. The config uses certificates to authenticate the phase 1 and phase 2 tunnels; EAP is not used in this configuration. Also, on the iPad the local ID is left blank, hence the ASA needs to disable the peer-ID check.

If during connection the ASA syslog says something like "EAP message is null", then you need to turn on debugging to find out what's wrong. The iPad native VPN client does support EAP, and EAP is the default.

In the iPad native VPN client, the remote ID is the FQDN of the ASA VPN server you want to connect to. The FQDN is based on the certificate that is enabled on the ASA VPN server.

You need to use the default tunnel group provided by Cisco, because the native VPN client does not send group information.

In this example configuration there is a site-to-site VPN within the crypto map; this is to give you an insight into which sequence number you should use for the IPsec remote access entry. Site-to-site and remote access can co-exist in the same crypto map.

A few debug commands that are useful:
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
debug crypto connection peer 1.1.1.1
where 1.1.1.1 is your peer's IP address.

ip local pool private_pool 192.168.249.1-192.168.249.254 mask 255.255.255.0

group-policy IPSEC internal
group-policy IPSEC attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev2
 ip-comp enable
 pfs enable
 split-tunnel-policy tunnelall
 default-domain value xyz.local
 split-tunnel-all-dns enable
 gateway-fqdn value test.xyz.local
 address-pools value private_pool


tunnel-group DefaultRAGroup general-attributes
 address-pool private_pool
 default-group-policy IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-256 sha-1

crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha512 sha256 sha
 group 14 5
 prf sha512 sha256 sha
 lifetime seconds 86400

crypto dynamic-map IPSEC_VPN 1 set pfs group14
crypto dynamic-map IPSEC_VPN 1 set ikev2 ipsec-proposal AES256
crypto dynamic-map IPSEC_VPN 1 set reverse-route

crypto map outside_map 5 match address XYZ_VPN1
crypto map outside_map 5 set pfs group14
crypto map outside_map 5 set peer 123.123.123.123
crypto map outside_map 5 set ikev2 ipsec-proposal IKEV2-AES
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 5 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic IPSEC_VPN
crypto map outside_map interface outside


crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
Posted in Firewall, Security, VPN

[python]Code snippet to encrypt and decrypt password.

This is a code snippet which I want to use to store a password input by the user and encrypt it. My intention is to test this code snippet so that I can store the ciphertext in a file and decrypt the ciphertext file with Python.

import os
from getpass import getpass as GP
from Crypto.Cipher import AES
from Crypto import Random

# Prompts for the password; the default prompt if not specified is "Password:".
# When used in a terminal, the password entered by the user is not echoed.
# getpass returns a str and the cipher needs bytes, so encode it.
password = GP(prompt='Enter password:', stream=None).encode('utf-8')

# Use os.urandom() to create a random 16-byte key.
# In this example I want to use AES-128, hence a 16-byte key.
# 16, 24 and 32 bytes give AES-128, AES-192 and AES-256 respectively.
key = os.urandom(16)

# Generate an initialization vector; the AES block size is fixed at 16 bytes.
iv = Random.new().read(AES.block_size)

# Create a cipher to use for encryption
cipher = AES.new(key, AES.MODE_CFB, iv)

# Encrypt the password entered by the user
ciphertext = cipher.encrypt(password)

# ciphertext is bytes, so create the file password.enc in binary mode
# and write the bytes into it (the with-block closes the file for us).
with open('password.enc', 'wb') as file:
    file.write(ciphertext)

# Note: key and iv exist only in this process. To decrypt the file in a
# later run they must be stored as well (the IV can be kept next to the
# ciphertext; the key must be kept secret and separate from the file).

# Create a decipher to decrypt the ciphertext; CFB needs the same key and IV
decipher = AES.new(key, AES.MODE_CFB, iv)

# Read the bytes back from the file
with open('password.enc', 'rb') as file:
    ctext = file.read()

# Decrypt the ciphertext
plaintext = decipher.decrypt(ctext)

# plaintext is bytes; decode it as "utf-8" to get the string back
print(plaintext.decode('utf-8'))
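The snippet above only round-trips because the key and IV are still in memory, and CFB gives no way to tell a tampered file from a genuine one. The following is an added example, not the post's code, that keeps the same workflow (encrypt a secret, write it to a file, read it back, decrypt) but stores the salt and nonce inside the file, derives the key from a passphrase with PBKDF2, and authenticates the file with HMAC (encrypt-then-MAC). The keystream is HMAC-SHA256 in counter mode purely so the example runs with the standard library; with pycryptodome installed you would use AES in GCM mode instead. The file marker "PWENC1" and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple

MAGIC = b"PWENC1"          # constructed file-format marker (assumption)
PBKDF2_ROUNDS = 100_000    # assumption: PBKDF2 iteration count


def derive_keys(passphrase: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(enc_key, nonce || counter) blocks, i.e. a CTR-mode keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = MAGIC + salt + nonce + ct
    tag = hmac.new(mac_key, body, "sha256").digest()   # encrypt-then-MAC
    return body + tag


def decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any problem."""
    if len(blob) < len(MAGIC) + 16 + 16 + 32 or not blob.startswith(MAGIC):
        raise ValueError("not a PWENC1 file")
    body, tag = blob[:-32], blob[-32:]
    salt = body[len(MAGIC):len(MAGIC) + 16]
    nonce = body[len(MAGIC) + 16:len(MAGIC) + 32]
    ct = body[len(MAGIC) + 32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    # compare_digest is constant-time, so the comparison leaks nothing about the tag
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, "sha256").digest()):
        raise ValueError("authentication failed: wrong passphrase or tampered file")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def roundtrip_file(path: str, passphrase: bytes, secret: bytes) -> bytes:
    """Write the encrypted secret to a file, read it back and decrypt it."""
    with open(path, "wb") as f:
        f.write(encrypt(passphrase, secret))
    with open(path, "rb") as f:
        return decrypt(passphrase, f.read())


def tamper_is_detected(passphrase: bytes, secret: bytes) -> bool:
    """Flip one bit of the ciphertext and check that decryption refuses it."""
    blob = bytearray(encrypt(passphrase, secret))
    blob[len(MAGIC) + 32] ^= 0x01      # first ciphertext byte
    try:
        decrypt(passphrase, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Enter password: ").encode("utf-8")
    print(roundtrip_file("password.enc", b"file-passphrase", pw).decode("utf-8"))
```

Because the salt and nonce travel with the file, a later run only needs the passphrase; and because the tag is checked before decryption, a flipped ciphertext bit (which CFB would silently turn into corrupted plaintext) is rejected instead.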
Posted in Python, Scripting

[Python]Adding firewall rules to Palo Alto using PA REST API

I was experimenting with adding firewall rules using the Palo Alto REST API. I did a few tries and finally got the result.

This code is very static; the intent is to test how to organize the XML elements so that the rules can be added.

import requests, time, sys
from bs4 import BeautifulSoup as BS


FW_API = "https://192.168.1.104/api/"
rule_path = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules"
sample_rule = """
<entry name="API_Test_again">
    <source>
        <member>192.168.20.125</member>
    </source>
    <destination>
        <member>pool.ntp.org-128.199.224.229</member>
    </destination>
    <service>
        <member>udp-123</member>
    </service>
    <application>
        <member>any</member>
    </application>
    <action>allow</action>
    <log-end>yes</log-end>
    <from>
        <member>any</member>
    </from>
    <to>
        <member>any</member>
    </to>

</entry>
"""


def api_call(method, params):
    # RequestException is the base class of HTTPError, Timeout, ConnectionError
    # and ConnectTimeout, so one except clause covers all of them (listing it
    # first in a chain would shadow the more specific ones anyway).
    # Passing params= lets requests percent-encode the xpath and the XML element.
    # verify=False skips certificate checking for the firewall's self-signed
    # certificate; outside a lab, install or pin the firewall's certificate instead.
    try:
        r = requests.request(method, FW_API, params=params, verify=False, timeout=5)
        r.raise_for_status()
        return r
    except requests.exceptions.RequestException as e:
        print(e)
        sys.exit(1)


# Ask the firewall for an API key. The credentials travel in the query string,
# so this belongs on a lab box only.
response = api_call("get", {"type": "keygen", "user": "admin", "password": "admin"})

try:
    soup = BS(response.content, 'html.parser')
    key = soup.find('key').text
except AttributeError as ae:
    print("Error while parsing response:", ae)
    sys.exit(1)

# Push the rule into the candidate configuration
api_call("post", {"type": "config", "action": "set", "key": key,
                  "xpath": rule_path, "element": sample_rule})
time.sleep(3)

# Commit the candidate configuration
api_call("post", {"type": "commit", "key": key, "cmd": "<commit></commit>"})

Result: screenshot Snip20171205_14 (not reproduced in this text).
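Building the rule as a string works for a fixed rule, but as soon as names or members come from user input the XML needs proper escaping, and the API's reply needs more than a bare `find('key')`. The block below is an added example, not the post's code: it assembles the same rule with ElementTree and parses PAN-OS style `<response>` documents into a (status, key-or-message) pair. The xpath is copied from the post; the two sample response bodies are constructed for this example and modelled on the keygen success and error replies.

```python
import xml.etree.ElementTree as ET

# xpath as used in the post
RULE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']/rulebase/security/rules")


def build_rule(name, sources, destinations, services, action="allow",
               from_zones=("any",), to_zones=("any",), applications=("any",)):
    """Return the <entry> element for one security rule as an XML string.

    ElementTree escapes '&', '<' and quotes in names and members, so a value
    such as an object name containing '&' cannot break the document.
    """
    entry = ET.Element("entry", name=name)
    for tag, members in (("from", from_zones), ("to", to_zones),
                         ("source", sources), ("destination", destinations),
                         ("service", services), ("application", applications)):
        node = ET.SubElement(entry, tag)
        for m in members:
            ET.SubElement(node, "member").text = m
    ET.SubElement(entry, "action").text = action
    ET.SubElement(entry, "log-end").text = "yes"
    return ET.tostring(entry, encoding="unicode")


def parse_response(xml_text):
    """Return (status, key_or_message) from a PAN-OS API response body."""
    root = ET.fromstring(xml_text)
    status = root.get("status", "unknown")
    key = root.find("./result/key")
    if key is not None:
        return status, key.text
    msg = root.find(".//msg")
    return status, ((msg.text or "").strip() if msg is not None else "")


# Constructed sample bodies for this example (modelled on the keygen replies)
KEYGEN_OK = ("<response status='success'><result><key>CONSTRUCTED-KEY</key>"
             "</result></response>")
KEYGEN_FAIL = ("<response status='error' code='403'><result><msg>"
               "Invalid credentials.</msg></result></response>")


if __name__ == "__main__":
    print(build_rule("API_Test_again", ["192.168.20.125"],
                     ["pool.ntp.org-128.199.224.229"], ["udp-123"]))
    print(parse_response(KEYGEN_OK))
    print(parse_response(KEYGEN_FAIL))
```

The string returned by `build_rule` is what goes into the `element` parameter of the `type=config&action=set` call, and `parse_response` lets the script stop on `status='error'` rather than carrying on to the commit with no key.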

Posted in Python, Scripting

[python]Simple tcp client

So here's the simple code:

import socket

host = '192.168.1.152'
port = 8080
# AF_INET = IPv4, SOCK_STREAM = TCP
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.settimeout(5)  # don't block forever if the server never answers
client.connect((host, port))
# The request must be bytes, hence the b prefix
client.send(b'GET / HTTP/1.1\r\nHost: 192.168.1.152\r\n\r\n')
# Read up to 4096 bytes of the reply
response = client.recv(4096)
print(response)
client.close()

So first create the client socket object; the attributes are IPv4 (socket.AF_INET) and TCP (socket.SOCK_STREAM).

Use the send method to send the HTTP request; the message must be sent as bytes, hence the b prefix.
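A single `recv(4096)` returns whatever happens to have arrived so far, and `send` may write only part of a buffer. The block below is an added example, not the post's code: the same GET request, but with a connect timeout, `sendall`, `Connection: close`, and a read loop that stops when the server closes the socket, plus a tiny in-process HTTP server (constructed for this example) standing in for 192.168.1.152:8080 so it runs offline.

```python
import socket
import threading


def http_get(host, port, path="/", timeout=5.0):
    """Send a minimal HTTP/1.1 GET and return (status_code, body_bytes)."""
    request = ("GET {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\r\n"
               .format(path, host)).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as client:
        client.sendall(request)            # send() may write only part of the buffer
        chunks = []
        while True:
            data = client.recv(4096)
            if not data:                   # b'' means the peer closed the connection
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]          # e.g. b"HTTP/1.1 200 OK"
    return int(status_line.split()[1]), body


def start_fake_server(body=b"hello from a constructed server\n"):
    """Serve one canned HTTP response per connection on 127.0.0.1; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0 = let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)            # read the request; its contents are ignored
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                             b"Connection: close\r\n\r\n" % len(body) + body)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_fake_server()
    print(http_get("127.0.0.1", p))
```

Against a real server, reading until the peer closes only works because the request asks for `Connection: close`; with a keep-alive connection you would have to honour `Content-Length` or chunked encoding instead.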

Posted in Python, Scripting

[python]Intrusive python: Reacting with interactive prompt with pexpect

Ok, I am reading some stuff about brute forcing SSH servers. So here is a Python module that deals with possible interactive prompts.

The target server is a Cisco router; I have put in all the possible expected prompts, such as:
1. a timeout;
2. an unknown SSH host key prompting you to accept it or not;
3. entering the password when the password prompt appears.

This code sample can be modified to read in a dictionary of passwords, supposing the username is "admin" or "cisco"; in this example the code is run against the username "cisco".

import pexpect

prompt = ">"

def send_command(session, cmd):
    session.sendline(cmd)
    session.expect(prompt)
    # session.before holds everything received up to the prompt (bytes in Python 3)
    print(session.before)

def connect(username, password, host):
    ssh_unknown_key = "Are you sure you want to continue connecting"
    conn_params = "ssh " + username + "@" + host
    session = pexpect.spawn(conn_params)
    # expect() returns the index of the pattern that matched:
    # 0 = timeout, 1 = unknown host key prompt, 2 = password prompt
    response = session.expect([pexpect.TIMEOUT, ssh_unknown_key, '[Pp]assword:'])
    if response == 0:
        print("Error connecting!")
        return None
    if response == 1:
        # Accepting an unknown host key blindly defeats SSH host authentication;
        # fine in a lab, not elsewhere.
        session.sendline('yes')
        response = session.expect([pexpect.TIMEOUT, '[Pp]assword:'])
        if response == 0:
            print("Error connecting!")
            return None
    session.sendline(password)
    session.expect(prompt)
    return session

def main():
    username = 'cisco'
    password = 'cisco'
    host = '192.168.1.150'
    cmd = 'sh version | in Cisco IOS'
    session = connect(username, password, host)
    if session is None:
        return
    send_command(session, cmd)

if __name__ == '__main__':
    main()

The result looks like this:

'sh version | in Cisco IOS\r\nCisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.5(2)T, DEVELOPMENT TEST SOFTWARE\r\nrouter'
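On the receiving end, an automated login loop like the one above shows up in the router's own syslog as a burst of SEC_LOGIN failures from one source, often followed by a success. The block below is an added example, not the post's code, that runs a simple detector over such lines: it counts failures per source inside a sliding window and flags a success that follows recent failures. The log lines are constructed for this example and modelled on IOS `%SEC_LOGIN-4-LOGIN_FAILED` / `%SEC_LOGIN-5-LOGIN_SUCCESS` messages with an ISO timestamp in front; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the IOS SEC_LOGIN message body; the timestamp prefix is assumed ISO 8601.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) %SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")

# Constructed sample log for this example
SAMPLE_LOG = """\
2017-12-05T10:00:01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.168.1.5] [localport: 22] [Reason: Login Authentication Failed]
2017-12-05T10:00:04 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.168.1.5] [localport: 22] [Reason: Login Authentication Failed]
2017-12-05T10:00:09 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
2017-12-05T10:00:11 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.168.1.5] [localport: 22] [Reason: Login Authentication Failed]
2017-12-05T10:00:15 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.168.1.5] [localport: 22] [Reason: Login Authentication Failed]
2017-12-05T10:00:20 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.168.1.5] [localport: 22]
2017-12-05T10:05:00 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 172.16.0.2] [localport: 22]
"""


def parse(lines):
    """Yield (timestamp, event, user, source) for every SEC_LOGIN line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def failure_counts(lines):
    """Total LOGIN_FAILED events per source address."""
    counts = defaultdict(int)
    for _, event, _, src in parse(lines):
        if event == "LOGIN_FAILED":
            counts[src] += 1
    return dict(counts)


def detect(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {source: reason} for sources that look like password guessing."""
    recent = defaultdict(list)   # source -> timestamps of failures inside the window
    alerts = {}
    for ts, event, user, src in parse(lines):
        if event == "LOGIN_FAILED":
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold:
                alerts.setdefault(src, "%d failures within %ds"
                                  % (len(recent[src]), window.seconds))
        elif event == "LOGIN_SUCCESS" and recent[src]:
            # A success right after a run of failures is the case worth paging on
            alerts[src] = "success for %s after %d recent failures" % (user, len(recent[src]))
    return alerts


if __name__ == "__main__":
    for src, why in detect(SAMPLE_LOG.splitlines()).items():
        print("[ALERT] %s: %s" % (src, why))
```

On the router itself the matching mitigation is IOS login enhancement (`login block-for <seconds> attempts <n> within <seconds>`), which quarantines the VTY lines after a burst of failures and logs the event.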

Posted in Python, Scripting

[python]Intrusive python with nmap

So I was trying a simple script to invoke nmap from Python. So here is a Python command-line version.
The Python script takes two types of arguments:
a. target host
b. target port/ports.

If there is more than one port they should be separated by commas. The split method is called to put each port into a list, dports.

So here's the code sample:

import nmap
from optparse import OptionParser

def nmapScan(dhost, dport):
    nm = nmap.PortScanner()
    nm.scan(dhost, dport)
    # If the host did not respond, nm[dhost] raises KeyError
    if dhost not in nm.all_hosts():
        print("[*] " + dhost + " did not respond")
        return
    state = nm[dhost]['tcp'][int(dport)]['state']
    print("[*] " + dhost + " " + "tcp/" + dport + " " + state)


def main():
    parser = OptionParser(usage='usage: %prog -d <destination host> -p <destination port separated by commas>')
    parser.add_option('-d', dest='dhost', type='string', help='specify target host')
    parser.add_option('-p', dest='dport', type='string', help='specify target port separated by commas')
    (options, args) = parser.parse_args()
    dhost = options.dhost
    # Check the raw options: str(None).split(",") would give ['None'], never None
    if dhost is None or options.dport is None:
        parser.print_help()
        exit(0)
    # split(",") not split(", "), the latter will cause python3 to give an error like this
    # ValueError: invalid literal for int() with base 10:
    dports = options.dport.split(",")
    for dport in dports:
        nmapScan(dhost, dport.strip())

if __name__ == '__main__':
    main()

If there is no argument specified the result looks like this:

Usage: nmap2.py -d <destination host> -p <destination port separated by commas>

Options:
-h, --help show this help message and exit
-d DHOST specify target host
-p DPORT specify target port separated by commas

Another scenario is to specify one host and one port for the nmap scan:

Cyruss-Air:net1 cyruslok$ sudo python3 nmap2.py -d 192.168.1.150 -p22
[*] 192.168.1.150 tcp/22 open

Another scenario is to specify more than one port for the nmap scan:

Cyruss-Air:net1 cyruslok$ sudo python3 nmap2.py -d 192.168.1.150 -p21,22,23,80,443
[*] 192.168.1.150 tcp/21 closed
[*] 192.168.1.150 tcp/22 open
[*] 192.168.1.150 tcp/23 closed
[*] 192.168.1.150 tcp/80 closed
[*] 192.168.1.150 tcp/443 closed
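The `split(",")` comment in the script points at the weak spot: the port argument is handed to `int()` one entry at a time, so a stray space or a typo fails half-way through the scan. The block below is an added example, not the post's code: a parser for the same `-p` syntax that also accepts ranges such as `20-25`, strips whitespace, and validates everything before any scan starts. The spec format beyond plain comma lists is an assumption of this example.

```python
def parse_ports(spec):
    """'21, 22-25,443' -> [21, 22, 23, 24, 25, 443]; raises ValueError on bad input."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()                       # tolerate "21, 22" as well as "21,22"
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        lo, sep, hi = item.partition("-")         # "22" -> ("22", "", ""); "20-25" -> ("20", "-", "25")
        try:
            lo_n = int(lo)
            hi_n = int(hi) if sep else lo_n
        except ValueError:
            raise ValueError("port %r is not a number" % item) from None
        if not (1 <= lo_n <= hi_n <= 65535):
            raise ValueError("port range %r is out of order or outside 1-65535" % item)
        ports.update(range(lo_n, hi_n + 1))
    return sorted(ports)


def port_spec(ports):
    """Collapse [21, 22, 23, 80] back into '21-23,80' for nmap's -p argument."""
    out = []
    for p in sorted(set(ports)):
        if out and p == out[-1][1] + 1:
            out[-1][1] = p
        else:
            out.append([p, p])
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in out)


if __name__ == "__main__":
    import sys
    try:
        ports = parse_ports(sys.argv[1] if len(sys.argv) > 1 else "21,22,23,80,443")
        print(ports, "->", port_spec(ports))
    except ValueError as e:
        print("bad port list:", e)
```

With this in place, `main()` can call `parse_ports(options.dport)` once, report a bad list before touching the network, and pass `port_spec(ports)` to `nm.scan()` in a single call instead of one scan per port.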

Posted in Python, Scripting