Friday, 21 December 2012

Checkpoint Policy Installation (a lot of buggy stuff)

- No traffic
- while installing policy, a lot of non-meaningful messages;

Firstly, Check /opt whether it is full or not.. It is vital. believe me.

Tufin - Accelerate Policy analysis calculations & Increase the amount of memory for Java

These configs are tested on 12.2 HF6;

1.      Accelerate Policy analysis calculations.


1.       Login to SecureTrack’s GUI.
2.       Add stcgitest.htm at the end of the address (Example:
3.       Choose ‘Edit stconf
4.       Click ‘Fetch current conf’.
5.       Change the following XML tag from "0" to "1": <is_calc_topology_based_on_JAVA>1</is_calc_topology_based_on_JAVA>
6.       Save the new configuration by clicking ‘Submit new conf’ on the bottom of the screen.

2.      Increase the amount of memory which can be allocated for Java:


1.       Login to SecureTrack’s CLI as root
2.       Run the command: #vi /usr/jboss-4.2.2.GA/bin/run.conf
3.       Find line: JAVA_OPTS="$JAVA_OPTS -Xms512m -Xmx1024m
4.       Change to: JAVA_OPTS="$JAVA_OPTS -Xms1024m -Xmx4096m
5.       Save the file and exit.
6.       Run the command: #service jboss restart

Tufin Syslog Debug & St Info


1.       Log in to SecureTrack CLI as ‘root’.
2.       Run the command: #tcpdump -i eth0 -vv -w /tmp/Tufin.pcap -s 1500 src <ip address of device> and udp dst port 514
3.       Edit the file: vi /etc/sysconfig/stconf.xml
a.       Find the line  <DetailLevel>normal</DetailLevel> and change ‘normal’ to ‘fine’.
b.      Add the tag: <Number_Of_Syslog_Message_Handlers>1</Number_Of_Syslog_Message_Handlers>
c.       Save & exit
4.       Run the following commands:
#tail -F /var/log/st/syslog_message_handler_0 > /tmp/syslog_message_handler.log &
#tail -F /var/log/st/syslog_change_log_manager >/tmp/syslog_change_log_manager.log &
#tail -F /var/log/st/syslog_traffic_log_manager >/tmp/syslog_traffic_log_manager.log &

5.       Run the command #st restart syslog
6.       Commit a change on the device (e.g. add a comment) and wait 5 minutes approximately. Wait for this issue to reproduce.
7.       Stop writing to temp logs (#killall tail).
8.       revert changes in etc/sysconfig/stconf.xml  
9.       Run #st restart syslog
10.   Send me the log files  + /tmp/Tufin.pcap


st info is smilar to cpinfo in Check Point, it does collect the Tufin's full config, not the monitored device revisions or policies.

Part 2: Create STINFO file.

1.            Log in to SecureTrack’s CLI as root.
2.            Run the command #st info

Juniper SSG - NS (config buffer problem)


It is caused by the buffer size, when tufin initiates "get config". It displays only limited part of the full config. This creates a problem while tufin is trying to get the full configuration;

Connection error! Reason:
Connection closed by foreign host.


set console page 0

> set cli screen-length 0

This allows tufin to get the full configuration as Juniper does not limit its display with a limited buffer.

Tufin Troubleshooting

Device Specific Communication Problems

1.      The version of SecureTrack; Please verify this by running the #st ver command from CLI.
2.      the output of the #top -cd1 command.

1)  Rise the debug level to high :
# sed -i 's/expect --/expect -d/g' /usr/local/st/*login # sed -I  's/normal/fine/1' /etc/sysconfig/stconf.xml

2) Then use tail for each one of the log files of the problematic device :
# tail -F /var/log/st/var/log/st/securetrack.client.<Device_IP>_<ID> /tmp/device1.log

Make sure to use a capital F ('#tail -F')

3)  Then run the command:
'#st restart'

4) Wait for 10 minutes (depends on the current timeout you have
defined) and let the tail -f collect all information needed.

5) Send all /tmp/client<IP>.log files to the support engineer.

7) When you have finished please run :
# sed -i 's/expect -d/expect --/g' /usr/local/st/*login # sed -i 's/fine/normal/1' /etc/sysconfig/stconf.xml
# st restart

Tuesday, 23 October 2012


  1. Mac OS X
  2. Linux 
python - V


     3. Windows binary {x86, x64]} .msi

NIX tarball [tgz, tar.bz2]
traditional unix word - install manually (compressed archive files)


Install everything for windows
  • Register Extension
  • TCL/Tk
  • Documentation
  • Test suite
RPM (redhat, fedora)

.deb (ubuntu) - APT (apt-get)

yum (redhat GUI installation package) 

source (configure, make, install)


Monday, 22 October 2012

Disabling SNX Service (Outbound link of Security Gateway)

Disabling SNX Problem.

When you unchecked SSL Extender and SecureClient Mobile under VPN clients tab (Gateway Properties), the SNX service running on http/https (outbound link of FW) would be disabled as well. 


Friday, 5 October 2012

Login to CP FW with Your Public Key & Changing CP Root Password

After you login with Public key, there was a problem to switch to root access with su – command. 
When you type and change root password with...

Although it says root password has changed, it does not change (like a bug).

To solve this issue;
After you give a password to root with the command below 
#/usr/bin/passwd root 

changing mode with '#chmod 4755 /bin/su' is enough to resolve the problem. Now, you can get access from your user account (logged in with the public key) to root access. 

In my understanding, there is a permission issue on the directory placed above which does not allow us to change root password (Although it never says so). 


Friday, 28 September 2012

fw unloadlocal in safe@office!

There is no such a thing, but there is a useful command which can save the day too;

fw delete rule ?

<indexed rules>
1-15 // Depending on size of the rule table.

you may easily delete the last rule which is an implicit deny...

Friday, 21 September 2012

Erasing CMI Temp Files

Case: SmartDashboard could not be opened, giving the Connection and GUI Client Error. When the migrate export file used in sandbox, the problem did not persist. To resolve the issue; the CMI Temp files deleted and forced to be re-created on startup.

1. cpstop
2.  cd $FWDIR/conf
 mv applications.C applications.C.old
  mv applications.C.backup applications.C.backup.old
  mv CPMILinksMgr.db CPMILinksMgr.db.old
  mv CPMILinksMgr.db.private CPMILinksMgr.db.private.old

3. cpstart

Monday, 17 September 2012

Profilo, TeamViewer ve Dijital Reklam Panoları

Müthiş Bilgi Güvenliği Yönetimi..

TeamViewer Username ve Password Dijital reklam panolarında gösteriliyordu.. Sonrada hack'landık diyorlar..
elimizle bilgileri sunuyoruz, biri bizi hack'lamıyor.. Şaka gibi..

Monday, 10 September 2012

Attacking the Domain

Windows is the first domino..

How do you crack the tough nuts?
 - Unguessable, uncrackable passwords
 - No known exploits
 - Not allowed to fuzz or write exploits
 - Modern OS protections
 - Modern networking protocols
 - Very Critical Production Environments.

Attacking the domain.

Think Fi'nesse
- the skillful handling of a situation; adroit maneuvering.

Password Guessing

Tools that excel at this;
- THC-Hydra
- enum -

Fuzzing (Intro)

When it comes to testing the security posture of a target application, nothing is more indicative than supplying the application with random data and seeing it crash. The idea behind fuzzing is to automate the generation and feeding of data that will identify flaws in a target application.

·         Introduction
By automating fault injection, a researcher can identify flaws in an automated fashion and focus his or her attention on assessing the risk associated with any vulnerabilities found. The automated fault injection is better known as fuzzing, and has been introduced in many Software Development Life Cycles (SDLC) to identify both easy to find flaws and security issues that might require a more targeted approach. This article will introduce the idea behind fuzzing and explain where this approach can be useful and also what the shortcomings are.
·         Dumb Fuzzing
Software that does fuzzing usually falls under two categories. Dumb fuzzing usually consists of simple modifications to legitimate data, that is then fed to the target application. In this case, the fuzzer is very easy to write and the idea is to identify low hanging fruit. Such flaws are usually found on the surface of the application code and do not require other dependencies or perquisites before the vulnerability can be triggered. An example of a dumb fuzzer to tests a file format parser would be one that takes a valid file and replaces each 2 bytes with an 0xFFFF one test at a time. An example of such a fuzzer is FileFuzz by iDefense. Although not an elegant approach, dumb fuzzing can produce results, especially when a target application has not been previously tested.

·         Intelligent Fuzzing
A security researcher will probably initially work with a dumb fuzzer because it is so easy to setup and to get a general idea of the target application. However many commercial applications are more robust and will not choke on data generated with a dumb fuzzer. In that case a security researcher might make use of a fuzzer that knows the protocol or format of the data. Some protocols require that the application (fuzzer) keeps a state, for example in the case of HTTP or SIP. Other protocols will make use of authentication or a valid CRC before any vulnerabilities are identified. If a target application makes use of a CRC, mutated data produced by a dumb fuzzer would never reach vulnerable code. Apart from providing much more code coverage, intelligent fuzzers tend to cut down the fuzzing time significantly since they avoid sending data that the target application will not understand. Intelligent fuzzers are therefore much more targeted and sometimes they need to be developed by the security researcher himself. Available fuzzing frameworks such as Sulley and Peach can make this task less of a challenge, and one may be able to setup a fully working fuzzer in a couple of minutes.
·         Fuzzing and your Security Testing approach
When compared to other software security testing methods, fuzzing provides a good starting point. By making use of fuzzing, a researcher can identify flaws in software that he or she does not have full access to and take a blackbox approach. Since test cases are automated, different lengths and variations of the same data can be produced in a very short time; something that be impossible to perform manually. However, unless the fuzzer fully understands the target application and especially in the case of complex code, a fuzzer may only scrape the surface when it comes to identifying vulnerabilities. Fuzzing will also not identify logic issues. For example, a backdoor in an authentication procedure will not be found using the fuzzing approach. Such vulnerabilities can only be found by careful understanding of the target application, with code reviews and reverse engineering techniques.
·         Conclusion
The place of fuzzing should probably along side regression testing in the SDLC, where before each major build the target application is tested against a set of mutated data. It is important to realize that fuzzing does not replace manual approach to security testing but rather complement it by providing time saving and unique advantages to vulnerability research.

Testing Environment

Disassemblers and debuggers are required in order to do reverse engineering and analysis of crashes. These tools include GNU Debugger (GDB), IDA Pro, objdump, WinDbg, Immunity Debugger, OllyDbg, and many others. Fuzzing tools such as Sulley and PacketFu can help to automate the bug discovery process.

Debugger and Dissambler; IDA Pro:
supported processor architectures.

Familarity with a scripting language for instance, Ruby or Python assist a tester saving countless time. It is a requirement that the tester has programming knowledge when performing product security testing as analysis often leads to reverse engineering and exploit writing. Ruby and Python have lead a long way with support for exploit research.

Sniffers are also an essential part of testing, enabling the tester to determine network behavior and perform protocol testing.

Thursday, 6 September 2012

Large Directory Listing //Checkpoint

You can identify large directories on one filesystem (-x) by running:
du -kx /opt | sort -n

You can identify the large files on one file system 
find .  -size +100000

Thursday, 17 May 2012

CheckPoint - Checking Duplex Settings of Interfaces in one go!

# for ii in $(ifconfig | awk ' /Ethernet/ {print $1}') ;do ethtool $ii; done | egrep  'eth|Speed|Duplex' 
Settings for eth0:
Speed: 100Mb/s
Duplex: Full
Settings for eth1:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.150:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.160:
Speed: 1000Mb/s
Duplex: Full

Friday, 17 February 2012

Bilgi Güvenliği (10 Farklı Alan)

Bilgi güvenliği hakkında okuduğum ve uyguladığım işlem, sistem, konfigürasyon ve/ya teorik gelişmeleri hem düzenli olarak bir yerde tutmak hem de bilgi güvenliği alanına ilgi duyanlara bir portal yaratabilmek adına Güvenlik Analizi bloğunu açtım.
Bloğun faydalı bilgilere ev sahipliği yapacağını umuyorum. Kısa bir giriş yapacak olursak, ana tablodan başlanması gerektiğini düşündüm ve birşeyler karaladım.
Bilgi güvenliği konusunda yapılabilecekler teorik olarak sınırsızdır. İçerdiği birçok cihaz, protokol, teknik altyapı ve teknolojinin yanında kullanıcıya da bağlı olan bir bilinç meselesidir. Bilgi güvenliğini bir bütün yapan farklı etki alanlarını aşağıdaki listede bulunabilir.
  • Erişim Kontrolü (Tehditler ve Karşı Önlemleri)
  • Yazılım Geliştirme Güvenliği  (Program Yaşam Döngüsü Kontrolleri)
  • İş Devamlılığı ve Felaket Yönetimi
  • Şifreleme / Kriptografi
  • Bilgi Güvenliği İdaresi ve Risk Yönetimi 
  • Yasal, Düzenleme, Soruşturma ve Uyum İşlemleri
  • Operasyon Güvenliği (Medya, Yedekleme ve  Teknik Geçiş İşlemleri Yönetimi)
  • Fiziksel ve Çevresel Güvenlik
  • Güvenlik Mimarisi ve Dizayn (Sistem ve Firma Şeması)
  • Ağ Güvenliği