What would you do  ?

 What would you do when there is no telnet client enabled but you want to test a port, most of the linux clients are installed with curl, in that case we can use curl to achieve the same.

curl -v telnet://x.x.x.x:22

* About to connect() to x.x.x.x port 22 (#0)

* Trying x.x.x.x...

* Connected to x.x.x.x (x.x.x.x) port 22 (#0)

SSH-y.0-OpenSSH_y.y

How to connect a PaloAlto VM in GN3 running in Linux

Assumption -  PaloAlto Management IP (default) : 192.168.1.1/24

 

sudo ip tuntap add name tap0 mode tap

sudo ip addr add 192.168.1.100/24 dev tap0

sudo ip link set dev tap0 up

 

Verify the adpater configs using "ip address" command in terminal. Once confirmed - 

1. Connect Add tap0 adpater to gns3 cloud

2. Connect Tap0 adapter in cloud to PA VM using GN3 Links

At this point in time, you will be able to connect Palo Alto GUI from Webbrowser in Linux machine

Visual Studio Code : How to se the new line character

Many of the systems want to see Unix type of files and it will throw errors with windows style end of line sequence

  

How to remediate and test TMUI RCE vulnerability CVE-2020-5902 ?

How to remediate and test TMUI RCE vulnerability

CVE-2020-5902 ?

F5 Codes affected :

11.x to 15.x except 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 and  11.6.5.2

How to test you are affected with this vulnerability?

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license

https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf

https:///tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin

How to fix this ?

Ofcoz its a code upgrade to the fixed version, but its not easy to plan this over night...

What would be the workaround ?

It’s a 3-step approach (as of now), priority in order....

1.       Secure your Self IP with Port lockdown enabled, set to none (preferably) or custom as per requirements (don’t allow configuration utility ports, usually 443 or 8443 (for BIG-IP 13.x Single NIC BIG-IP Virtual Edition (VE)). This will help to avoid any attacks by exploiting this vulnerability from INTERNET.

2.       Allow management access only from a secure network.

3.       Enable location match settings (This is not covering all, not every effective completely. However, better than nothing), regex to match is  was  ".*\.\.;.*" and later corrrect to ";"

However, this can be still exploited as per the latest research. 

a.       edit /sys httpd all-properties

b.       replace the line “include none” by following and save the file

c.       save /sys config

d.       restart sys service httpd

How to check the attempts of exploitation ?

Versions till  to 14.1.0:

In versions earlier than 14.1.0, with the default configuration, you can check logs in /var/log/audit and /var/log/ltm as follows. 

grep -i '%tmui' /var/log/audit
grep -i '%tmui' /var/log/ltm

Log entries similar to the following are an indication of possible compromise:
audit.1:Jul  7 18:43:12 [REDACTED] notice tmsh[27903]: 04426005:5: AUDIT - Cannot load user credentials for user "%tmui" Current session has been terminated.
ltm.1:Jul  7 18:43:12 [REDACTED] notice tmsh[27903]: 04426006:5: Cannot load user credentials for user "%tmui" Current session has been terminated.

Versions 14.1.0 and up

In version 14.1.0 and up, you can examine the output of journalctl for evidence of attempts to exploit this vulnerability by issuing the command bash

journalctl /bin/logger | grep -F ';'

Output may appear similar to the following example on a device
Jul 07 22:23:07 hostname logger[29929]: [ssl_acc] nnn.nnn.nnn.nnn - - [07/Jul/2020:22:23:07 +0000] "/[REDACTED]/..;/[REDACTED]" 200 252

If any log entries are visible similar to above, it's an indication of exploiting the BIG-IP system.

Last but not the least, its always a good idea to chain of security (multi vendor), so that you will not get hit by a vulnerability directly, eg: FW ->IPS->BIGIP in this case.... Sigh!

cURL : How do you highjack DNS when there is no permission

Recently, I have landed on an issue, and I need to test a https domain by "hijacking" the DNS (I am getting a different IP being in a different part of the world)

So I decided to use my favorite tool curl with "-H" or --header option, No Luck. And I understand we need to manipulate the SNI. Host entry is the best way, but what if you are not a privileged user... sigh

But, here is the Panacea to address this convoluted issue  - "Lickety-Split"

curl --resolve domainname:port:ipaddress https://url/path


curl --resolve xyx.test.com:443:1.1.1.1 https://xyx.test.com/path

R80.40 is in GA

R80.40 EA is available now and seems interesting, especially on the supported migrations and  IOT Security.

After all, we have a new Kernel: TL:DR

IoT Security

A new IoT security controller to:

• Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis). 
• Configure a new IoT dedicated Policy Layer in policy management.
• Configure and manage security rules that are based on the IoT devices' attributes.                      

TLS Inspection

HTTP/2

• HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience. 
• Check Point's Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
• Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS
• Inspection capabilities.                      

TLS Inspection Layer

This was formerly called HTTPS Inspection. Provides these new capabilities:

• A new Policy Layer in SmartConsole dedicated to TLS Inspection.
• Different TLS Inspection layers can be used in different policy packages.
• Sharing of a TLS Inspection layer across multiple policy packages.
• API for TLS operations.

Threat Prevention

• Overall efficiency enhancement for Threat Prevention processes and updates.
• Automatic updates to Threat Extraction Engine.
• Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
• Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
• Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
• Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
• Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control

Identity Awareness

• Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
• Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing. 
• Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN

• Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides: 
• Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
• Improved security and granularity - Specify which networks are accessible in a specified VPN community.
• Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
• Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering

• Improved scalability and resilience.
• Extended troubleshooting capabilities.

NAT

• Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
• NAT port utilization monitoring in CPView and with SNMP.

Voice over IP (VoIP)

Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

Remote Access VPN

Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

Mobile Access Portal Agent

Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

Security Gateway and Gaia

CoreX L and Multi-Queue

• Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
• Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

Clustering

• Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP

Broadcast or Multicast modes.

• Cluster Control Protocol encryption is now enabled by default.
• New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
• Support for ClusterXL Cluster Members that run different software versions.
• Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX

• Support for VSX upgrade with CPUSE in Gaia Portal.
• Support for Active Up mode in VSLS.
• Support for CPView statistical reports for each Virtual System

Zero Touch

A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Gaia REST API

Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

Advanced Routing

• Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
• Enhancing route refresh for improved handling of BGP routing inconsistencies.

New kernel capabilities

• Upgraded Linux kernel
• New partitioning system (gpt):
• Supports more than 2TB physical/logical drives
• Faster file system (xfs)
• Supporting larger system storage (up to 48TB tested)
• I/O related performance improvements
• Multi-Queue:
• Full Gaia Clish support for Multi-Queue commands
• Automatic "on by default" configuration
• SMB v2/3 mount support in Mobile Access blade
• Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
• Support of new system tools for debugging, monitoring and configuring the system

CloudGuard Controller

• Performance enhancements for connections to external Data Centers.
• Integration with VMware NSX-T.
• Support for additional API commands to create and edit Data Center Server objects.

Security Management

Multi-Domain Server

• Back up and restore an individual Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
• Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server to become a Security Management Server.
• Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

SmartTasks and API

• New Management API authentication method that uses an auto-generated API Key.
• New Management API commands to create cluster objects.
• Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.
• SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Deployment

Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.

SmartEvent

Share SmartView views and reports with other administrators.

Log Exporter

Export logs filtered according to field values.

Endpoint Security

• Support for BitLocker encryption for Full Disk Encryption.
• Support for external Certificate Authority certificates for Endpoint Security client
• authentication and communication with the Endpoint Security Management Server.
• Support for dynamic size of Endpoint Security Client packages based on the selected
• features for deployment.
• Policy can now control level of notifications to end users.
• Support for Persistent VDI environment in Endpoint Policy Management.

How to connect to wifi from Raspberry Pi - CLI

Although there are easy ways connect to wifi using "sudo raspi-config" , I have decided to stick with CLI so that we will know what is happening behind the fancy screens ;) Come on, you dont get high when it is easy :).

On a serious note, it doesnt encypt the PSK - that is the actual reason..

Following are the steps I followed  :


Step 1 - Scan the Network by issuing the following command

                sudo iwlist wlan0 scan

Step 2 - Generate an encrypted PSK (pre-encrypted 32 byte hexadecimal number) and then you will be asked for the password of the WiFi network

               wpa_passphrase



               example :

                       wpa_passphrase "test"
                                   
                       Then you will be asked for the password of the WiFi network (in this case  testingPassword). The output is as follows:

  network={
      ssid="test"
      #psk="testingPassword"
      psk=131e1e221f6e06e3911a2d11ff2fac9182665c004de85300f9cac208a6a80531
  }

You can ideally copy paste this to /etc/wpa_supplicant/wpa_supplicant.conf, but one should be nuts id you don't delete the clear text password (commented in above example)

Also, you can do this in a diff way when you are more lazy (again delete the clear text as needed, dont be that ;))

sudo su

wpa_passphrase "testing" >> /etc/wpa_supplicant/wpa_supplicant.conf

Now save the file by pressing Ctrl+X, then Y, then finally press Enter.

Reconfigure the interface by issuing the following command

wpa_cli -i wlan0 reconfigure

You can verify whether it has successfully connected using ifconfig wlan0. If the inet addr field has an address beside it, the Raspberry Pi has connected to the network. If not, check that your password and ESSID are correct.

On the Raspberry Pi 3 Model B+, you will also need to set the country code, so that the 5G networking can choose the correct frequency bands. You can either use the raspi-config application and select the localisation option, or edit the  wpa_supplicant.conf file and add the following. (Note you need to replace 'GB' with the ISO code of your country. See Wikipedia for a list of country codes.)

country=US

Its time for QA - 

What about unsecured networks ?

If the network you are connecting to does not use a password, the  wpa_supplicant entry for the network will need to include the correct  key_mgmt entry. e.g.

network={
    ssid="test"
    key_mgmt=NONE
}

What about hidden networks ?

If you are using a hidden network, an extra option in the wpa_supplicant file,  scan_ssid, may help connection.

network={
    ssid="yourHiddenSSID"
    scan_ssid=1
    psk="Your_wifi_password"
}
You can verify whether it has successfully connected using ifconfig wlan0. If the inet addr field has an address beside it, the Raspberry Pi has connected to the network. If not, check your password and ESSID are correct.

What about adding multiple wireless network configurations?

On recent versions of Raspbian, it is possible to set up multiple configurations for wireless networking. For example, you could set up one for home and one for school.

For example

network={
    ssid="SchoolNetworkSSID"
    psk="passwordSchool"
    id_str="school"
}

network={
    ssid="HomeNetworkSSID"
    psk="passwordHome"
    id_str="home"
}
If you have two networks in range, you can add the priority option to choose between them. The network in range, with the highest priority, will be the one that is connected.

network={
    ssid="HomeOneSSID"
    psk="passwordOne"
    priority=1
    id_str="homeOne"
}

network={
    ssid="HomeTwoSSID"
    psk="passwordTwo"
    priority=2
    id_str="homeTwo"
}

Finally, what about me ? 


Well, thats THE same... Still counting on you, will try my best before I call it..... On a serious note, that was a silly question, seldom cares.. Thanks for asking - see you next time ?


Courtesy: https://wiki.debian.org/WiFi/HowToUse