Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Binary obfuscation - String obfuscating in C

The first step in reversing any binary, for any purpose, is to try to elicit whatever meaningful information is easiest to retrieve. One such source of information is the clear-text strings in the binary. They may disclose a lot if the programmer did not take care to remove them. The funniest cases are when a programmer wants to stay anonymous (say, a malware author) and still leaves in the binary the various bits of information put there by the compiler/linker (Microsoft Visual Studio is notorious for that), including his host folder structure, his operating system username, local time etc. Just as an example, let's look at the Hacknet game (https://en.wikipedia.org/wiki/Hacknet), a cute "hacking" environment and ambience emulator for those who want to feel like a "hacker", which is on sale at Steam right now for 3$, and see what we can deduce from its binary.
I am using the HIEW hex editor, but of course any hex editor or even the plain Linux strings tool will do. Before looking at the strings, let's have a peek at the executable file headers:
(screenshot: Hacknet binary headers as shown by HIEW)
From it we can say:
  1. Linker version 11.0 says that the file was compiled with the Microsoft compiler released as part of Visual Studio 2012. en.wikipedia.org/wiki/Microsoft_Visual_C
  2. Magic optional header 010B means it is a 32-bit executable; a 64-bit one would have 020B.
  3. OS version and subsystem version of 4.0 most probably mean that Steam, which bundled this binary, set these numbers artificially for compatibility. Windows internal version 4.0 is Windows NT, and I doubt the software author wrote it on Windows NT in Visual Studio 2012.
  4. Subsystem Console means that the software was defined from the beginning as a Windows console project in Visual Studio, that is, it includes no GUI libraries or code.

Not bad for a mere header. Now to the strings. The default minimum string length of 4 characters finds 16162 strings, too many, so I increase the minimum string length to 25 characters. Almost immediately we can see this string:
(screenshot: XNA string found in the Hacknet binary)
This confirms our guess that it was written in Microsoft Visual Studio on Windows: the string refers to the XNA game development platform from Microsoft (en.wikipedia.org/wiki/Microsoft_XNA). Most probably the author used the FNA framework to port the game to Linux and the other OS for which it is also available. This also suggests the game was written in C#. The next string proves it is a game uploaded to Steam:
Here we can even see the page URL for sending victory mail. Such a URL is, by the way, sometimes used by malware writers to set a trap: a URL that nobody will visit except those looking at it in the binary:
(screenshot: e-mail URL string found in the Hacknet binary)
And the final piece of information is here:
(screenshot: project path string found in the Hacknet binary)
which confirms everything we suggested earlier and in addition gives us the full path to the Visual Studio project/debug location on the author's machine and his user name, Matt, which coincides with the author's real name, Matt Trobbiani. And of course, not mentioned in this post, there are tens of thousands of strings of in-game text and function names.

Now to the string obfuscation itself. There are a few ways to obfuscate/encrypt strings in the binary so that you deobfuscate/decrypt them at run time, just before actually using them in the code flow. Sure, you cannot protect anything like that, which is why it is called obfuscation, but it can make a reverser's work a bit harder, that is it.
The first, and easiest, way to hide strings is to add/subtract an integer value from each character before compiling the file, then have a routine do the reverse subtraction/addition at run time to get the needed string in memory, use it, then discard it or obfuscate it again. This turns the string into gibberish in the binary, but it will still look like a suspicious byte run.
Of course it only works with ASCII strings, whose characters are treated here as integers. The source code is in C as an example. I mangle/obfuscate the string "secret password" via the compiler preprocessor macro HIDE_LETTER, then de-obfuscate it using UNHIDE_STRING at run time. I plan on running a series of posts about obfuscation, so stay tuned.

#include <stdio.h>

/* Each character is stored shifted by 0x50; the outer parentheses keep the
   macro safe when it is used inside a larger expression. */
#define HIDE_LETTER(a)      ((a) + 0x50)
/* Walk the NUL-terminated buffer in place, subtracting/adding the constant. */
#define UNHIDE_STRING(str)  do { char *ptr = (str); while (*ptr) *ptr++ -= 0x50; } while (0)
#define HIDE_STRING(str)    do { char *ptr = (str); while (*ptr) *ptr++ += 0x50; } while (0)

int main(void)
{
	/* store "secret password" as a mangled byte array in the binary;
	   the trailing 0 terminates the string for the unhide loop */
	char str1[] = { HIDE_LETTER('s'), HIDE_LETTER('e'), HIDE_LETTER('c'), HIDE_LETTER('r'),
	                HIDE_LETTER('e'), HIDE_LETTER('t'), HIDE_LETTER(' '), HIDE_LETTER('p'),
	                HIDE_LETTER('a'), HIDE_LETTER('s'), HIDE_LETTER('s'), HIDE_LETTER('w'),
	                HIDE_LETTER('o'), HIDE_LETTER('r'), HIDE_LETTER('d'), 0 };

	UNHIDE_STRING(str1);  /* unmangle the string in place */
	printf("Here goes the secret we hide: %s\n", str1);
	HIDE_STRING(str1);    /* mangle back */

	return 0;
}
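As an added example (not code from the original post), here is a small Python script that emulates the HIDE_LETTER/UNHIDE_STRING arithmetic with the same 0x50 constant, generates the C initializer for any printable ASCII string so you do not have to type it by hand, and runs a minimal strings-style scan over a constructed blob to show what a reverser sees with and without the shift. The blob contents, the key parameter and all helper names are constructed for this demo.

```python
import re

KEY = 0x50  # the same additive constant the post's HIDE_LETTER macro uses


def hide(text: str, key: int = KEY) -> bytes:
    """Emulate HIDE_LETTER on every byte: (c + key) mod 256, like C char arithmetic.

    The C loops stop at the first 0 byte, so refuse any string whose hidden
    form would contain one (impossible with key 0x50 and ASCII, but possible
    with other keys, e.g. '`' with key 0xA0).
    """
    hidden = bytes((b + key) & 0xFF for b in text.encode("ascii"))
    if 0 in hidden:
        raise ValueError("a hidden byte is 0x00; the C while(*ptr) loop would stop early")
    return hidden


def unhide(hidden: bytes, key: int = KEY) -> str:
    """Emulate UNHIDE_STRING: subtract the key from every byte, modulo 256."""
    return bytes((b - key) & 0xFF for b in hidden).decode("ascii")


def c_initializer(name: str, text: str) -> str:
    """Render the array declaration the post writes by hand, one HIDE_LETTER() per char."""
    if not all(0x20 <= ord(c) < 0x7F and c not in "'\\" for c in text):
        raise ValueError("only printable ASCII without quote/backslash is handled here")
    letters = ", ".join(f"HIDE_LETTER('{c}')" for c in text)
    return f"char {name}[] = {{ {letters}, 0 }};"


def find_strings(blob: bytes, min_len: int = 4) -> list:
    """Minimal 'strings' clone: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def demo(secret: str = "secret password") -> dict:
    """Scan a constructed blob holding the secret in the clear and in hidden form."""
    prefix = b"MZ\x90\x00" + b"This program cannot be run in DOS mode" + b"\x00"
    plain_blob = prefix + secret.encode("ascii") + b"\x00"
    hidden_blob = prefix + hide(secret) + b"\x00"
    return {
        "plain": find_strings(plain_blob),     # the secret shows up
        "hidden": find_strings(hidden_blob),   # only the DOS stub text is left
        "round_trip": unhide(hide(secret)) == secret,
    }


if __name__ == "__main__":
    print(c_initializer("str1", "secret password"))
    for label, value in demo().items():
        print(label, value)
```

With the 0x50 shift every letter of "secret password" lands above 0x7F, so a strings scan no longer lists it; the space becomes a lone 'p', which is exactly the "suspicious" residue a hex view still shows, and the unhide routine in the binary tells a reverser the key anyway.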
keywords: languages, programming, assembly-language, reversing, software-protection

DNS cookbook - do complete zone transfer from remote DNS server.

  • For security reasons, zone transfer should only be allowed from specific, trusted IPs, as the information in the zone can be used to gain insight into the domain/network structure before breaking in.
  • Zone transfer is always done over TCP, even if the reply is smaller than the 512-byte UDP limit, so port 53/TCP must be open to the DNS server.
And the command itself (add @server to direct it at a specific name server):
$ dig AXFR example.com @<authoritative server>
To ask for an incremental zone transfer, that is only the changes since a given SOA serial (also a quick way to test whether the feature is enabled or not), pass the serial with the type:
$ dig example.com IXFR=<serial> @<authoritative server>
Default Server:  dns1-adc.netvision.net.il

> ls -d yurisk.info
*** Can't list domain yurisk.info: BAD ERROR VALUE
The DNS server refused to transfer the zone yurisk.info to your computer. If this
is incorrect, check the zone transfer security settings for yurisk.info on the DNS
server at IP address
keywords: DNS, DNS-cookbook

DNS cookbook - trace domain origin to the authoritative server.

First step in debugging DNS problems is to verify that authoritative name servers for the domain are set correctly and answer the queries. To do so and circumvent caching DNS resolvers, use:
$ dig +trace  example.com 

keywords: DNS, DNS-cookbook

DNS cookbook - query a specific name server for a record.

Linux:
To verify that a specific DNS server answers a query, put its IP address after the @ sign, like this:
$dig A example.com @

where A is the record type we are interested in, and the address after @ is the Google DNS server we are querying directly, bypassing any caching resolvers on the way.
nslookup -type=a yurisk.info
Server:  google-public-dns-a.google.com

Non-authoritative answer:
Name:    yurisk.info

keywords: DNS, DNS-cookbook

DNS cookbook - query DNS server for a PTR record using canonical form.

To query for the PTR record of a specific IP, you first reverse the IP address into its canonical form (the octets in reverse order under the in-addr.arpa domain), then query for the record as usual. The canonical form is -> . A few examples:
$dig +short PTR

$dig +short PTR

dig also supports a shorter form of the PTR query using the -x switch:
dig +short  -x

nslookup -type=PTR
Server:  dns1-adc.netvision.net.il

Non-authoritative answer:    name = google-public-dns-a.google.com

8.8.8.in-addr.arpa      nameserver = ns2.google.com
8.8.8.in-addr.arpa      nameserver = ns4.google.com
8.8.8.in-addr.arpa      nameserver = ns1.google.com
8.8.8.in-addr.arpa      nameserver = ns3.google.com
ns1.google.com  internet address =
ns2.google.com  internet address =
ns3.google.com  internet address =
ns4.google.com  internet address =
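The reversal described above, as an added example that is not part of the original post: a Python function that builds the canonical reverse-lookup name for an IPv4 address the way the post does by hand, and, going beyond the post, for an IPv6 address as well (32 reversed nibbles under ip6.arpa). The standard library's reverse_pointer is used only as a cross-check; dig_ptr_command is a helper name assumed for the demo.

```python
import ipaddress


def ptr_name(address: str) -> str:
    """Canonical reverse-lookup name for an IPv4 or IPv6 address.

    IPv4: octets reversed, dot-joined, plus in-addr.arpa (the form the post shows).
    IPv6: all 32 hex nibbles of the expanded address reversed, one per label,
    plus ip6.arpa (the post covers IPv4 only).
    """
    addr = ipaddress.ip_address(address)  # raises ValueError on anything that is not an IP
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def stdlib_ptr_name(address: str) -> str:
    """The same name as computed by the standard library, used here as a cross-check."""
    return ipaddress.ip_address(address).reverse_pointer


def dig_ptr_command(address: str) -> str:
    """The long-form dig query equivalent to `dig +short -x <address>`."""
    return f"dig +short PTR {ptr_name(address)}"


if __name__ == "__main__":
    for ip in ("8.8.8.8", "2001:4860:4860::8888"):
        print(dig_ptr_command(ip))
```

Running it prints the two dig command lines; the IPv6 name is 32 single-nibble labels long, which is why -x is the form people actually type.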
keywords: DNS, DNS-cookbook

DNS cookbook - query multiple records and domains from a batch file.

dig supports reading queries from a file as well. Just put the queries in a file, each query on a line by itself, and then use the -f option:
a +short yurisk.info
+short SOA yurisk.info

Then supply this file to dig:
$ dig -f dig.txt

keywords: DNS, DNS-cookbook

DNS resolving problems debug cheat sheet

Here is the short DNS debug presentation I uploaded to SlideShare to help you with the first steps of debugging:
keywords: DNS, network

HIEW Hex editor tutorials series , part 2 – the basics.

This post is an add-on to the video tutorial I uploaded to YouTube.

See also other posts in the series: Part 1.

Round-up of the basic HIEW commands used:
Change the color scheme - edit hiew8.ini, last section "Colors"; set ColorMain = 0x07 to get a black background.
ESC - exit any window/mode without saving the changes.
F1 - context-sensitive help.
F3 - enter Edit mode.
ENTER - in Read mode, switch between Hex/Decode/Text modes.
F7 - open the search window.
Ctrl + Enter - continue searching.
Alt + F1 - change the location addressing mode.
F9 - save the changes.
F6 - in Decode (disassembly) mode, find cross-references.
* - in Read mode, select block(s) of bytes.
F8 - show the file header.
F8 -> F6 -> F3 - in Hex/Decode modes, show and then edit the file header sections.
Alt + F6 - show all strings in the file.
+/- - in the strings list above, increase/decrease the minimal string length.
F5 - go to offset.
Alt + F7 - change the search direction.
Sample "serial1.exe" program used in the tutorial:
Compiled binary "serial1.exe":yurisk.info/assets/serial1.7z Its SHA256 hash (use PowerShell command Get-FileHash "serial1.exe") to verify: 6AC50BCA0044F2DF418B46218358BF1F6D382B881FD87E741EAA8EFF940CD829
The source code (compiled in Microsoft Visual Studio 2015):

#include "stdafx.h"   // precompiled header of the Visual Studio project
#include <stdio.h>
#include <string.h>
// this example and all the following will be posted on my site https://yurisk.info

int main()
{
	char serial_input[6] = "";
	char serial_correct[6] = "23845";
	int result = 0;
	printf("Please enter the serial of 5 numbers:");
	fgets(serial_input, 6, stdin);                       // read at most 5 characters plus NUL
	result = strncmp(serial_input, serial_correct, 5);   // compare only the 5 digits
	if (result != 0) {
		printf("Wrong serial!, quitting ..\n");
		return 1;
	}
	else { printf("Great, you have the correct serial !\n"); }
	return 0;
}

keywords: languages, programming, assembly-language, reversing, software-protection

HIEW Hex editor tutorials series , part 1 – the history.

The story of this hex editor started in the dark 90s. It was first named ViHE (Viewer-HexEditor) and was released by its author Eugene Suslikov as free software in early 1991, in his words "for occasional looking into and changing few bytes in a file, like 7xh -> EBh". Later that year the name changed to Hiew (Hacker's view); it was still free software and supported DOS and OS/2. As researching software protection and circumventing it was back then considered the best way to learn assembly and programming, disassemblers and hex editors gained popularity and fame. Starting in 1999 with version 6.15, HIEW became shareware. The last version to support OS/2 was 6.85, in 2002. Alongside the shareware version the author started providing a demo version with limited features. The current version is 8.53 and has the following features:
  • Can open/view files of any size
  • Has a built-in disassembler, not a competitor to IDA but still pretty good
  • Supports 32/64-bit executables
  • Knows ELF / COFF / NE (16-bit, pretty rare today, https://en.wikipedia.org/wiki/New_Executable) / LE (successor of NE, used in OS/2 and Windows VxD, http://fileformats.archiveteam.org/wiki/Linear_Executable) / LX (OS/2 successor of the NE format) / Mach-O
  • Search of the strings/hex values/ASM instructions
  • Simple crypt/decrypt system
  • Keyboard macros
  • HIEW External Module support allows to extend the functionality by exposing the API
  • ARMv6 disassembler

keywords: languages, programming, assembly-language, reversing, software-protection

XCK and CRK file formats for binary patching in Windows.

Do not bother Googling these file types, as they belong to the era before Google even existed. In these pre-Google Dark Ages there were people who took pride in circumventing software protections, cracking in other words, and, believe it or not, absolutely for free. Yep, even the DMCA didn't exist back then. But this post is about the technical side anyway. In those days of distributing software via BBS and floppies, disk space played an important role, and to save bytes the crackers distributed not the cracked software but the patch instructions to be applied to the original software to remove the protection. These patching instructions were placed in XCK/CRK text files to be fed to dedicated binary patchers. You can still find those patchers on the Net even though they are DOS programs: Cracker by Corner Crackers, 1991; Cracker Advanced by Professor Nimnull; Program Cracker by Dr.Stein's labs, 1993; Crack Studio by Turansoft, 1997. You can download them for example from the http://old-dos.ru/ website. The process was simple: a cracker removed the protection in some way, then ran a program that compared the original file with the patched one (the most popular being C2U.exe) and dumped the differences in hex format to a .CRK or .XCK text file, to be supplied later to a patcher. The binary diff is still around as part of Windows 10, the good old fc /B <original file> <patched file> > patchme.crk. Here is an example:
HIEW\PROJECTS>fc /B serial_orig.exe serial1.exe
Comparing files serial_orig.exe and SERIAL1.EXE
00003F08: 74 EB
00003F09: EB 16
The CRK / CRA / XCK files basically contained the same information, enclosed between [BeginCRK] and [EndCRK] tags: first comes the byte offset into the file, next the byte value in the original unpatched file at this location, followed by the new byte value to be placed there. That is it. In the above example the JZ instruction (0x74) is changed to a plain short JMP (0xEB). This example is part of the tutorial series I am recording about the HIEW hex editor, to be posted later on YouTube. The rest of the CRK/CRA/XCK file was mostly dedicated to bragging and self-promotion. For the record, I list the fields usually found in a complete CRK/CRA/XCK file, with my comments after //:
[BeginXCK]   //Beginning of the file
Description:  // Description of the targeted software
Crack [subject]: // What is being cracked (serial/time limit/floppy protection/etc)
Crack by: // Author of the crack
Crack made at:  // Date of the crack
Used packer: // Whether some packer was used
Target OS:  // Target OS ,   e.g. DOS/Win95
URL:  // if the program had a website
Protection: // level of the software protection difficulty in percent, subjective to the cracker of course
Language:  // Guessed programming language of the original software
Size: // software size in bytes
Type of Hack: // type of crack , e.g. JMP correction
Used Tools: // tools used to beat the protection, e.g. HIEW/Soft-Ice
Under Music: // Music being listened to while cracking, in those days it should have been HMR of some kind to sound cool
[BeginCRK]   // actual patch information starts here
Filename.exe // file to be patched
00003F08: 74 EB
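An added example, not from the post and not one of the DOS tools it names: a small Python module that reproduces the workflow described above in both directions. It lists differing bytes of two same-size files the way C2U/fc /B did, renders and parses the [BeginCRK] block, and before changing anything checks that every "old" byte recorded in the file really is present, which is the integrity check a careful patcher should have. The fc output excerpt and the 7-byte sample "files" are constructed for the demo; serial1.exe itself is not used.

```python
import re

# Constructed sample of `fc /B original patched` output in the shape the post shows.
FC_OUTPUT = """Comparing files serial_orig.exe and SERIAL1.EXE
00003F08: 74 EB
00003F09: EB 16
"""

# One 'OFFSET: OLD NEW' line, as emitted by fc /B and as found inside a CRK body.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{1,8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$", re.M)


def parse_patch_lines(text: str) -> list:
    """Parse 'OFFSET: OLD NEW' lines into (offset, old_byte, new_byte) tuples."""
    return [(int(o, 16), int(a, 16), int(b, 16)) for o, a, b in LINE_RE.findall(text)]


def binary_diff(original: bytes, patched: bytes) -> list:
    """What C2U / fc /B did: every differing byte as (offset, old, new). Same length required."""
    if len(original) != len(patched):
        raise ValueError("the CRK format only describes in-place byte changes")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def to_crk(filename: str, entries: list) -> str:
    """Render the [BeginCRK] ... [EndCRK] block the post describes."""
    body = [f"{off:08X}: {old:02X} {new:02X}" for off, old, new in entries]
    return "\n".join(["[BeginCRK]", filename, *body, "[EndCRK]"]) + "\n"


def parse_crk(text: str) -> tuple:
    """Return (filename, entries); any header fields before [BeginCRK] are ignored."""
    try:
        body = text.split("[BeginCRK]", 1)[1].split("[EndCRK]", 1)[0]
    except IndexError:
        raise ValueError("no [BeginCRK] block found") from None
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return lines[0], parse_patch_lines("\n".join(lines[1:]))


def verify_entries(data: bytes, entries: list) -> list:
    """Return (offset, expected_old, found) for every entry whose 'old' byte is not in `data`.

    An empty list means `data` is the unpatched version the CRK was written for.
    """
    problems = []
    for off, old, _new in entries:
        found = data[off] if off < len(data) else None
        if found != old:
            problems.append((off, old, found))
    return problems


def apply_entries(data: bytes, entries: list) -> bytes:
    """Apply the byte changes, but only when verify_entries() is clean."""
    if verify_entries(data, entries):
        raise ValueError("file does not match the original bytes recorded in the CRK")
    buf = bytearray(data)
    for off, _old, new in entries:
        buf[off] = new
    return bytes(buf)


# Constructed 7-byte "file" and its patched twin (74 -> EB at offset 3); not serial1.exe.
ORIGINAL = bytes.fromhex("55 8B EC 74 05 33 C0")
PATCHED = bytes.fromhex("55 8B EC EB 05 33 C0")

if __name__ == "__main__":
    entries = binary_diff(ORIGINAL, PATCHED)
    print(to_crk("sample.exe", entries))
    print("mismatches on the already patched file:", verify_entries(PATCHED, entries))
```

verify_entries on an already patched file reports the changed offsets with the bytes actually found, which is how you tell "already patched" apart from "wrong version" before a patcher writes anything.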


keywords: languages, programming, assembly-language, reversing, software-protection

Hello World in C, C++, Lua, Python, Go, Tcl, Awk, PowerShell, Java

This series of posts will explore the idea of comparative programming – doing the same tasks in different languages. The usefulness or difficulty of the task is of no importance, just want to compare the languages by doing. The first program has to be the “Hello World” of course. Let’s see.

C:

#include <stdio.h>

int main() {
    printf("Hello World!\n");
    return 0;
}

C++:

#include <iostream>
int main() {
  std::cout << "Hello World ! \n";
  return 0;
}


Lua:

print("Hello World!\n")


Python:

print("Hello World\n")

Go (golang):

package main

import "fmt"

func main() {
	fmt.Println("Hello World\n")
}

# go run hello.go


Tcl:

puts stdout "Hello, World!\n"


Awk:

awk 'BEGIN {print "Hello World\n"}'


PowerShell (the newline escape is a backtick-n, not \n):

PS> echo "Hello World`n"


Java:

class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, world!");
    }
}

keywords: languages, programming, c-language, c++-language, java-language, python-language, tcl-language, awk-language, lua-language, go-golang-language, powershell-language

NMAP UDP DNS scan unexpected packets sending

The other day I got an automated mail alert from some IDS/IPS equipment saying "a NULL DNS scan was detected and blocked from your IP". NULL DNS scan? I wasn't sending any such packets, not to mention I had no idea what they meant by that. After some packet-level investigation, here is what happened.
I was scanning the Internet space for open DNS resolvers for my security project, and was doing it with nmap -sU -p 53 -n --script=dns-recursion. This scan is supposed to send a dull and completely legitimate A record query for the www.wikipedia.org domain, and if the target answers it, then it is an open DNS resolver. Still, somehow it triggered an alert on NULL DNS, which does exist, by the way, as an experimental record type but has nothing to do with the NMAP scan.
Doing the scan again with Wireshark running, I saw to my surprise the following packet (usually two of them) being sent before NMAP sends the aforementioned www.wikipedia.org request (screenshot: the unexpected UDP packet in Wireshark). It is called a Server Status request (OPCODE 2; see https://www.ietf.org/rfc/rfc1035.txt) and was meant to be used by DNS server admins for management and health-check purposes. It is highly unexpected, and naturally rejected, when coming from the Internet. But why does NMAP send this packet?
It turns out (thanks to David Fifield, one of the NMAP developers) that when NMAP does a UDP scan, beyond what you specify on the command line it adds various payloads depending on the destination port, all taken from /usr/share/nmap/nmap-payloads. For a UDP port 53 scan the payload there is:
# DNSStatusRequest
udp 53 "\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00"

which puts a lot of \x00 bytes in the packet, which in turn seems to trigger the alert on a NULL scan.
NMAP sends such payloads in a UDP scan in order not to send an empty UDP packet, i.e. it thinks "something is better than nothing". There are two ways to fix this:
  1. specify a 0 data length for the UDP packet: "--data-length 0"
  2. comment out with # the relevant port section in /usr/share/nmap/nmap-payloads
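As an added example (not part of the post, and not nmap's own code), here is a Python snippet that parses the simple one-line entries of the nmap-payloads format quoted above, decodes the 12-byte DNS header of the port 53 payload, and classifies it the way a sensor could: not as a "NULL scan" but as an OPCODE 2 (STATUS) request with an empty question section, distinct from an ordinary query. The file excerpt, the second payload entry and the ordinary-query header bytes are constructed for the demo.

```python
import re
import struct

# Constructed excerpt in the nmap-payloads format the post quotes (not the real file).
NMAP_PAYLOADS_SAMPLE = r'''
# DNSStatusRequest
udp 53 "\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00"

# constructed second entry, only to show a comma-separated port list
udp 7,13 "\x0d\x0a"
'''

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_payloads(text: str) -> dict:
    """Return {(proto, port): payload_bytes} for one-line 'proto port "..."' entries.

    Comma-separated port lists are expanded; the multi-line string form the
    real file also uses is not needed for this example and is skipped.
    """
    out = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(udp|tcp)\s+([\d,]+)\s+"(.*)"\s*$', line)
        if not m:
            continue  # blank lines, '#' comments, unsupported forms
        proto, ports, body = m.groups()
        # turn the C-style \xNN escapes into the raw bytes nmap puts on the wire
        payload = body.encode("ascii").decode("unicode_escape").encode("latin-1")
        for port in ports.split(","):
            out[(proto, int(port))] = payload
    return out


def decode_dns_header(pkt: bytes) -> dict:
    """Split the 12-byte DNS header (RFC 1035 section 4.1.1) into its fields."""
    if len(pkt) < 12:
        raise ValueError("a DNS header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0xF
    return {
        "id": ident,
        "qr": flags >> 15,            # 0 = request, 1 = response
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, "reserved"),
        "rd": (flags >> 8) & 1,       # recursion desired
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_probe(pkt: bytes) -> str:
    """Label a sensor could attach instead of the vague 'NULL DNS scan'."""
    h = decode_dns_header(pkt)
    if h["qr"] == 0 and h["opcode"] == 2 and h["qdcount"] == 0:
        return "DNS STATUS request (opcode 2) with an empty question section"
    if h["qr"] == 0 and h["opcode"] == 0 and h["qdcount"] >= 1:
        return "ordinary DNS query"
    return "other DNS message"


# Constructed header of a normal recursive A query: id 0x1234, RD set, one question.
ORDINARY_QUERY_HEADER = bytes.fromhex("1234 0100 0001 0000 0000 0000")

if __name__ == "__main__":
    status_probe = parse_payloads(NMAP_PAYLOADS_SAMPLE)[("udp", 53)]
    print(decode_dns_header(status_probe))
    print(classify_probe(status_probe))
    print(classify_probe(ORDINARY_QUERY_HEADER))
```

The only non-zero byte in the payload, 0x10 in the flags word, sets bit 12, i.e. opcode 0010 = STATUS; everything else, including the four counts, is zero, which is what the "NULL" in the alert name was really reacting to.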
keywords: nmap, scan, network

DNS resolving problems how-to debug flow

DNS is a mature and complex protocol, and so are its problems. I compiled a short debug flow graph to help in tackling DNS resolving problems. Here it is:

Last measure for the desperate case of a lost access to the Check Point firewall

It may happen to anyone: a mistaken security rule "Any Any Drop", or using a dynamic object for a URL block. The end result: after the policy install you have no administrative access to the firewall via SmartDashboard/ssh/https. For this case Check Point provides the fw unloadlocal console command (expert level) to unload the Security Policy. Unlike the Initial Policy loaded when installing the firewall, here you get a firewall without ANY policy, open on any port from any source, so it is probably a good idea to do so only after you physically disconnect the firewall from the Internet. The next step is to connect to this "naked" firewall with SmartDashboard, fix the mistake that caused the situation and install the fixed Security Policy.

How many times can we change IP address of the Check Point license

Today most licenses are of a central type so we rarely need to change their IP address as IP address of the Management server does not change that often. Still, if this happens then there is an option to change IP address or re-license the existing license. Don’t take my word for this as this is completely up to Check Point to decide but from my experience they allow to do so 6 times, after which you would need either contact them to settle this or buy a new license.

The first time Google failed me – missing documents from the Google Docs

I have been an avid everything-Google user for years and have been happy with their services. Until today. I keep all my documents as Google Docs and there are lots of them. Today I wanted to continue working on a document I have had for a few weeks and last updated a few days ago. Much to my surprise, it was nowhere to be found! I took all the measures Google support advises, to no avail. I then started searching Google for this problem and, lo and behold, this is a well-known issue with Google Docs and has been happening to people's docs for years without any resolution. From a technical standpoint I can understand it: no cloud provider can promise 100% reliability of its storage; even Amazon AWS S3 states it as 99.99% or so, depending on the price. Which in turn means that out of hundreds of documents we will inevitably lose a few. Google itself nowhere states its storage reliability, but I do not need to know: my trust in this service is gone, I moved all the documents to the local PC, and now back up locally to an external flash drive using the built-in Windows 10 Backup feature. I advise you to do the same.

NMAP run stages flow diagram

NMAP scanner has become over the years so friendly that it is not apparent what is going on when it runs. Below is a typical NMAP workflow:
(diagram: NMAP scan stages)

Hex editor of binary files on Linux

Reading this thread on Stack Overflow, http://stackoverflow.com/questions/5498197/need-a-good-hex-editor-for-linux, I wondered how, with so many hex editors on Linux, there is still no clearly best one. On Windows it is easier: the expensive WinHex or the cheap Hiew. Anyway, on Linux I can always use Vim:
Enter :%!xxd to switch the buffer to a hex dump for editing, and after finishing the edit issue :%!xxd -r to convert it back to binary before saving. Do not save while in the hex view, since the file would then be saved as its ASCII hex representation; always revert to binary first.

Ever wondered how much does IP addresses allocation really cost to your provider?

Ever wondered how much IP address allocation really costs your provider? Well, that is easy. If we talk about the RIPE IP address space (the majority today), RIPE has published its fees for PI (Provider Independent) assignments to LIRs (Local Internet Registries), which is what your ISP is. Here they are:

All prices in Euro     | 2014                        | 2015                        | 2016                        | 2017
Annual fee per LIR     | 1750 + 50 per PI assignment | 1600 + 50 per PI assignment | 1400 + 50 per PI assignment | 1400 + 50 per PI assignment

Taken from ftp://ftp.ripe.net/ripe/docs/ripe-666.pdf

Public DNS servers open to any on the Internet

Following the good example set by Google, many other providers have made their DNS servers available to us as recursive resolvers without any limitations. As they do not announce it widely enough you may not have heard about them, so here is the list of these DNS servers:
  • OpenDNS:  and
  • Hurricane Electric (he.net)
  • OpenNIC (http://www.opennicproject.org/)
  • VeriSign  and
  • Comodo Secure DNS  and
  • Level3  and
  • Free DNS https://freedns.zone/en/  and
  • DynDNS  and

Linux ip route command reference by example

# ip address show - show all IP addresses (also: ip ad sh)
# ip address show ens36 - show the IP addresses of a particular interface
# ip address show up - show only the IPs of interfaces that are up
# ip address show dynamic|permanent - show dynamic or static IPv6 addresses
# ip address add dev ens36 - add a new IP address to the interface
The first address you add is used by default as the source address for outgoing traffic (often called the primary address); receiving works for all added IPs.
# ip address add dev ens36 label ens36:hahaha - add an IP and label it
# ip address delete dev ens36 - delete an IP address from the interface
# ip address flush dev ens36 - delete all IPs from an interface
ROUTE. If you set up a static route and the interface through which it is reachable goes down, the route is removed from the active routing table as well. You also cannot add a route via an inaccessible gateway.
# ip route [show] / ip ro - show the routing table, including IPv4 and IPv6
# ip -6 route - show only IPv6 routes, which are not shown by default
# ip -4 route - show only IPv4 routes
# ip route show root - you can give a supernet to include multiple more specific routes, i.e. show this net and SMALLER subnets
# ip route show match - show routes to this and LARGER nets
# ip route show exact - show routes to the EXACT network only
# ip route get - simulate the resolution of a route in real time

Free public NTP servers from Google

It has passed somewhat unnoticed but Google have made available to us their free, accessible to all NTP servers. I have been using their DNS servers for years without any issues so will trust their NTP ones as well. So far works just fine. For a single server we can use time.google.com and for multiple servers, even though they all seem to be in the same class C yet I get different latencies - from 85 msec up to 185 msec, we can use time1.google.com, time2.google.com, time3.google.com, time4.google.com .

Disconnect VPN or Mobile Access or SNX user from Check Point firewall

You may occasionally need to forcibly disconnect some or all connected users from the firewall. There are a few ways I can think of to do so; for example, installing the Security Policy clears the cached authentication of remote users, and while it does not disconnect them, it forces each user to re-enter his/her credentials. So, if you want to disconnect a user, you could expire the user in SmartDashboard or change the password and then push the Security Policy. But actually there is an easier way: go to SmartView Monitor -> Users -> click on any of the options (Users by Gateway, Users by Name, All Users, CheckPoint Mobile Users), find the user you want to disconnect, right-click it and choose Reset Tunnel. Here is the screenshot of this procedure:

On what Linux version do Check Point firewalls run ?

Throughout its history the Check Point firewall has changed versions and names and incorporated other products. The latest evolution, so far, has been the Gaia operating system released in 2012. All this holds true, but nevertheless the base platform for the firewall all these years has been Red Hat Enterprise Linux server of various versions. The latest one, used for the whole R75 and R77 line of firewalls, is based on Red Hat RHEL 5.2, first released in 2008. This partly explains why even new firewalls still run on the old kernel 2.18. It doesn't mean anything bad in terms of security; to remind you, 'based on' means that even though it is based on RHEL 5.2, it is heavily hardened and stripped down. In their latest communications Check Point promise to upgrade Gaia to kernel version 3.10 in the 1st quarter of 2017, as part of the move to Red Hat RHEL 7.

Configure SSL protocol version used in SSL VPN by Check Point

With a lot of attention recently on SSL protocol vulnerabilities, browser vendors increase the security of their SSL implementations almost daily. One of the recommendations is to use the most up-to-date SSL version available. Check Point, for its SSL-based VPNs like SNX SSL and Mobile Access (by the way, it is the same configuration for Endpoint clients), can support SSL versions in the range SSLv3 up to TLS 1.2. So if your clients' browsers support it, you can force a specific SSL version for their connections. Warning: do NOT set the minimal SSL version higher than TLS 1.0, because this would cause the internal communication of Check Point's own applications to fail. You set the parameters here: SmartDashboard -> Global Properties -> SmartDashboard Customization -> Configure -> Portal Properties -> snx_ssl_max_ver and snx_ssl_min_ver.
(screenshot: changing the SSL version parameters in SmartDashboard)

As usual for changes to take effect - click on Ok, Save, Install Policy

VPN Star Community Routing setting that can be dangerous

There is one setting that may expose your networks and firewall to unexpected dangers if used inadvertently: Star VPN Community -> Advanced Settings -> VPN Routing. You can see there 3 options: "To center only"; "To center and to other satellites through center"; "To center, or through the center to other satellites, to internet and other VPN targets". If you are not sure (and almost always anyway), choose the 1st option, "To center only". The other 2 options are a potential risk, allowing the remote VPN LANs of one VPN peer to communicate with the remote VPN LANs behind another, possibly unrelated, VPN peer if the rules permit.

(screenshot: Check Point VPN star community settings)

Hash algorithm used for Check Point Internal Certificate Authority communications

In light of all the commotion about the switch from SHA-1 to at least SHA-256, recommended by various vendors, you may wonder what hash the ICA uses for internal communication. The answer is SHA-1 for all the versions still in use, including R77. You can change it to SHA-256 using the command cpca_client according to Check Point sk103840, but I haven't done it myself, so I am not sure what the implications are.

Add free disk space to Check Point appliance hard disk

With the previous generation of Check Point UTM appliances (the so-called UTM-1, which included the UTM 132, 270, 450 etc.) it was a really nagging issue when the firewall ran out of space on its hard disk. It was especially problematic for the root partition, because it is used for update downloads, upgrade files etc. It is less of a problem today, as Check Point made the default root partition much bigger than on the old UTM-1, but from time to time you may still need to increase the root or some other partition to add free space to the firewall. As Check Point is Linux in disguise, doing so is actually easy using native Linux tools. Fortunately UTM appliances come with quite a bit of unallocated space, which you can see with fdisk -l. This unallocated space is used to store images for a factory reset in case of need, so do not go wild using it up. For the resize to take effect you will have to reboot the firewall afterwards. Here are the commands to be run in expert mode; let's say I want to add 15 GB to the root partition:
Checkpoint# lvresize -L 15GB vg_splat/lv_current
Checkpoint#  resize2fs /dev/mapper/vg_splat-lv_current
That is it . BTW Officially, it is not supported by Checkpoint to modify the size of partitions / file systems on Check Point appliances. Still, many times I've done it I didn't experience any issues, but be aware.

Russian English Slang Dictionary of the Russian Hacking Community

This dictionary, which I will update from time to time, is meant to help those following the Russian Internet underground with the aid of Google Translate and the like. Those tools unfortunately fail on any slang word or less-known variation of a generic word. For this reason I list words here with some of their variations (number, gender, conjugation), so that you can search for them after Google Translate has done its work. If you stumble upon a word not in the list, feel free to send it to me and I will add its meaning to the dictionary. You can reach me via yuri@yurisk.info or on Twitter. You can download the PDF version here.

ава avatar
абузоустойчивые хостинги abuse-proof hosting companies, that is – hosting companies that ignore the abuse complaints on their clients. It can be either legitimate hosting providers or servers ‘owned’ by the seller
абузы abuse complaints
автозапуск autoloading of software
АЗ (Автозалив) automatic upload of software
айфон, яМобилко, яблофон, айвонь nicknames for the iPhone
ак / акки / акков / акками account in any sense of the word
анонимайзер / анонимайзеры anonymizer
атака посередине MiTM attack

бакинские / бакинскими / бакинских US dollars
бан / банить to ban, block someone/something from using a resource
бат файл bat file
БД database in the wide context (forum db / client db / IPs db/ etc)
билд / билдом / билды build, as a software versioning feature
бинарник binary file
бот bot
брандмауэр firewall
брутфорс / брутфорсы / брутфорсом process of bruteforce attacking, also a verb
БС Base Station in cellular telephony en.wikipedia.org/wiki/Base_station
бурж / буржуйский foreign to the Russia/former USSR, mostly everything belonging to the West
варез / вареза warez, pirated software
валидный / валидными / валидных / валидная adj. valid, current, working
ведроид Android OS as well as any smartphone running it
взять за жопу to apprehend, be caught with grave consequences
виндофон smartphone running Windows
винчестер hard disk
вифи wi-fi
вафля / вафле wi-fi [literal meaning – waffle]
вложение / вложения attachment
впаяли / запаяли / паяли / паять to sentence to serve jail time
впска / впски VPS server

Check Point Gaia route missing after adding via ip route add problem

Well, it is actually a feature, not a bug, of all Check Point firewalls running Gaia. If you haven't noticed, as opposed to the good old SPLAT firewall platform, Gaia is selective about which routes it propagates. I guess it was done on purpose to give the administrator more control over the routing table. One of the quirks of it is that when you add a route via SSH the Linux way you don't get any error, but this new route does not show up anywhere – neither in Gaia nor at the Linux level. On the other hand, if you add the very same route via the Gaia GUI or in clish, it works fine. The culprit for this behavior is this setting, which you can change in the Gaia https GUI: Gaia ip route kernel propagate option

Go to the Gaia https GUI: Advanced Routing -> Routing Options -> tick "Kernel Routes" -> then Apply. That is it – now if you add routes in expert mode with ip route add, the newly added static route will appear on both Gaia and the Linux OS, marked K for Kernel:

smartcenterr77> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
S via, eth0, cost 0, age 16426
C is directly connected, lo
K via, eth0, cost 0, age 25
When working with routes/networking on the command line make sure to read these as well: All you need to know about networking in Checkpoint firewall SecurePlatform FAQ
Convert Checkpoint SPLAT routes into Gaia configuration commands

RHEL get firewall zones and their interfaces in one go

The firewall-cmd doesn't have an option to show all zones and which zone each server interface belongs to, so here is a one-liner to show that:

 # for ii in `ls /usr/lib/firewalld/zones/`; do echo ${ii%%.xml}: ; firewall-cmd --zone=${ii%%.xml} --list-interfaces; done

The output:
eno16777736 eno50332184
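The one-liner above enumerates the zone files shipped in /usr/lib/firewalld/zones, so custom zones defined under /etc/firewalld/zones never show up. The script below is an added example (my own, not from the post) that instead asks firewalld for its zone list, and also parses the output of `firewall-cmd --get-active-zones` so the mapping can be checked offline. The sample output embedded in it is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: map every firewalld zone to its
# interfaces, taking the zone names from firewalld itself instead of from
# /usr/lib/firewalld/zones (which misses custom zones in /etc/firewalld/zones).

# Constructed sample of `firewall-cmd --get-active-zones` output, used only
# when firewalld is not installed (and for the offline check).
SAMPLE_ACTIVE_ZONES='public
  interfaces: eno16777736 eno50332184
internal
  interfaces: eth2
'

# zone_map: reads --get-active-zones formatted text on stdin and prints one
# "zone: iface iface" line per zone. Lines such as "  sources: ..." are ignored.
zone_map() {
  awk '
    /^[^ \t]/ { zone = $1; next }                 # unindented line = zone name
    /^[ \t]+interfaces:/ {                        # indented line = its interfaces
      sub(/^[ \t]+interfaces:[ \t]*/, "")
      printf "%s: %s\n", zone, $0
    }'
}

# all_zones_with_interfaces: every zone firewalld knows about (active or not)
# with its interfaces; falls back to the constructed sample without firewalld.
all_zones_with_interfaces() {
  if command -v firewall-cmd >/dev/null 2>&1; then
    for z in $(firewall-cmd --get-zones); do
      printf '%s: %s\n' "$z" "$(firewall-cmd --zone="$z" --list-interfaces)"
    done
  else
    printf '%s' "$SAMPLE_ACTIVE_ZONES" | zone_map
  fi
}
```

Run it with `sh -c '. ./zones.sh; all_zones_with_interfaces'` on the server; zones with an empty interface list are the ones nothing is bound to, which is worth a glance when an interface is unexpectedly landing in the default zone.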

fw ctl zdebug drop - Check Point firewall ultimate debug command

Check Point has provided us with many ways to debug issues. Some are easier, some are harder.
The first thing to do when you have dropped traffic is to see whether the packets are being dropped by the firewall or not. The first impulse is to look at the SmartView Tracker logs, and that's ok, unless of course you have some Security Rules without logging enabled on them. But there has always been this command, which gives us real-time insight into what is being dropped at the KERNEL level! What can be better? You may use it in cases when fw monitor or the SmartView Tracker logs do not give conclusive results. Or, you can use it as the first command, as I do - this saves the time of loading all the logs or decluttering fw monitor output. The command, run in expert mode, is fw ctl zdebug drop:
[Expert@smartcenterr77:0]# fw ctl zdebug drop
Defaulting all kernel debugging options
Initialized kernel debugging buffer to size 1023K
Updated kernel's debug variable for module fw
Kernel debugging buffer size: 1023KB
Module: kiss
Enabled Kernel debugging options: None

Module: kissflow
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common

Module: fw
Enabled Kernel debugging options: drop
Messaging threshold set to type=Info freq=Common
;[fw4_0];FW-1: Initializing debugging buffer to size 1023K;
;[fw4_0];Setting the flags for debug module fw: drop;
On a loaded firewall it is advisable to limit the output to the terminal for decluttering using grep:
[Expert@smartcenterr77:0]# fw ctl zdebug drop  | grep 192.168.21
;[fw4_0];fw_log_drop_ex: Packet proto=1 -> dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1;
Here you can clearly see that ICMP is being dropped by Security Rule 1 (which blocks all ICMP). The tool becomes even more interesting when a firewall drops some packets NOT on rules, but, say, because of the IP Options field being set.
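On a busy gateway a plain grep for one address still leaves a long stream to read. The following added example (mine, not Check Point's tooling) tallies zdebug drop lines by their "Reason:" field and filters by the source address field rather than by a bare IP match, which also hits the destination side. The sample lines are constructed to follow the format shown above; the source/destination fields are assumed, as the post's own line has them blank.

```shell
#!/bin/sh
# Added example, not from the original post: summarise "fw ctl zdebug drop"
# output by drop reason so the stream from a loaded gateway can be triaged.

# Constructed sample lines (not captured from a real gateway); the
# "src:port -> dst:port" fields are an assumption about the line format.
SAMPLE_DROPS=';[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.21.5:0 -> 10.1.1.1:0 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1;
;[fw4_0];fw_log_drop_ex: Packet proto=6 192.168.21.7:51234 -> 10.1.1.2:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1;
;[fw4_1];fw_log_drop_ex: Packet proto=6 172.16.0.9:40000 -> 10.1.1.3:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[fw4_1];fw_log_drop_ex: Packet proto=17 172.16.0.9:53 -> 10.1.1.4:5000 dropped by fw_handle_first_packet Reason: IP Options;
'

# drop_summary: reads zdebug drop lines on stdin and prints "count<TAB>reason",
# most frequent reason first. A rule number that dominates the list is the
# first thing to check against the rulebase; a non-rule reason (IP Options,
# anti-spoofing and the like) points at a policy property instead.
drop_summary() {
  awk '
    match($0, /Reason: [^;]*/) {
      reason = substr($0, RSTART + 8, RLENGTH - 8)   # text after "Reason: "
      count[reason]++
    }
    END { for (r in count) printf "%d\t%s\n", count[r], r }' \
  | sort -rn
}

# drops_from_host: only lines whose SOURCE address equals the given IP.
drops_from_host() {
  awk -v ip="$1" 'match($0, /proto=[0-9]+ [^ ]+ ->/) {
    split(substr($0, RSTART, RLENGTH), f, " ")    # f[2] = "src:port"
    sub(/:[0-9]+$/, "", f[2])                     # strip the port
    if (f[2] == ip) print
  }'
}
```

Usage on the gateway: `fw ctl zdebug drop | drops_from_host 192.168.21.5`, or let it run for a minute into a file and then `drop_summary < drops.txt`. Remember that zdebug drop on a production gateway produces output for every dropped packet, so keep the capture short.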

Do not miss Netflow capability of Check Point Gaia R77 and above

Do not miss the Netflow capability of Check Point Gaia R77 and above. In the past, measuring the traffic passing through the firewall wasn't easy - you had to either query interface counters via SNMP or run custom Bash scripts on the firewall itself to get interface statistics. The problem with both ways was that you didn't get exact results. And getting insight into what kind of packets are going through the firewall wasn't easily possible at all.
Sure, you have always had the SmartView Monitor dashboard to see real-time statistics, but you need a separate license for that.
Finally, starting with R76 for the regular firewall and R75.40VS for the virtual one, we have Netflow export capability available in Gaia OS. It supports Netflow versions 5 and 9. I haven't tried version 9, but the common version 5 works as expected. Features and limitations:
  • SecureXL (i.e. hardware acceleration) should be enabled for correct results (most of today's firewalls have it on anyway).
  • You can set up to 3 external collectors to receive Netflow data. Of course it means that the same Netflow packet will be sent 3 times; I don't see a reason to do so.
  • You can specify the source IP address for outgoing Netflow packets; the default is the IP of the interface the packets leave from.
  • Do not forget to set Netflow version, as default is 9.
To configure and enable Netflow in Gaia clish (here I send Netflow to port 2055, version 5):
gateway1> add netflow collector ip port 2055 export-format Netflow_V5
gateway1> save config

gateway1> show netflow all
Address           Port    Format      Src Addr          Enable
                  2055    Netflow_V5                    yes

Change colors of ls output in the bash shell

Usually colorization is put in action via an alias: alias ls='ls --color=auto'
You can turn off the colors for a single run with ls --color=never, change the alias itself to disable the fancy colors permanently, or bypass the alias with \ls. But to change the colors themselves you need to make the dircolors utility read your own color database when the login session starts. So let's do just that:
1) Export the existing db:
dircolors -p > dircolors.db
2) Edit it:
vi dircolors.db
e.g. change the directory color from blue to red: di=01;34 -> di=01;31
3) Save the changes.
4) Make bash reload the color scheme:
eval `dircolors dircolors.db`
5) Put eval `dircolors $HOME/dircolors.db` at the end of your .profile file.
That is it.

How to know Checkpoint UTM Appliance model from the cli

Many times you get to work on some UTM appliance remotely via ssh and need to know which exact model it is. It takes just one Expert-mode CLI command: dmidecode | grep "Product Name". Then you compare the output with the UTM models table which Tobias Lachmann diligently compiled for us: Determine appliance hardware from command line.
As of 09/07/2016 Tobias' website is down. So to preserve the useful info, here is the list of UTM models to compare with:
G-50 Check Point 21400
P-230 Check Point 12600
P-220 Check Point 12400
P-210 Check Point 12200
T-180 Check Point 4800
T-160 Check Point 4600
T-140 Check Point 4400
T-120 Check Point 4200
T-110 Check Point 2200

Undocumented command to install policy on Locally managed Checkpoint UTM 1100 series appliance

I was trying the other day to exclude some IP address and service combination from being encrypted inside the VPN tunnel on a UTM 1180 gateway, and noticed that any changes you make to the firewall files on the CLI, in this case crypt.def, do not take effect. It is actually logical, as every SK asking you to make such changes also specifies that "Changes are to be done on the SmartCenter/Management server and then you are to install the Security Policy". The catch here is "installing the policy" – if it is what is known as a Locally managed UTM, i.e. you manage it via its Web interface, you have no such action as "install policy".
One solution would be to restart the UTM – it works, but is kinda harsh. The other solution is this undocumented (not listed in any Check Point documentation I searched) command:
* You should be in Expert mode to run it. Also pay attention to the output – there should be no errors.

# fw_configload
Compiled OK.
Resolver Error 0 (no error)
Resolver Error 0 (no error)
Resolver Error 0 (no error)
Resolver Error 0 (no error)


How to get available on Check Point firewall kernel modules for debug

The list of available and active Check Point modules depends on the firewall version and the installed components. We have the helpful command fw ctl debug -m to list all the modules. After getting the modules and their options, using them in a debug session is just a matter of enabling any of them with "+" before the name, e.g. ... +xlate to get debug output of NAT translations.
[Expert@HQ-firewall:0]# fw ctl debug -m
Module: fw
Kernel debugging options: error warning cookie crypt domain ex driver filter hold if install ioctl kbuf ld log machine memory misc packet q xlate xltrc conn synatk media sip vm chain bridge         tcpstr scv highavail ipv6 packval sync ipopt link nat cifs drop route citrix misp portscan leaks mgcp sock mail spii chainfwd msnms wire balance dynlog smtp wap content mrtsync sam sock malware cmi aspii dos advp multik netquota monitor monitorall dfilter integrity epq cvpnd cptls ftp nac span ucd acct dlp ua icmptun dnstun ips rad te zeco user qos context prof connstats nat64 cgnat sctp
Messaging threshold set to type=Info freq=Common

Module: h323
Kernel debugging options: error init h225 h245 ras decode align cpas
Messaging threshold set to type=Info freq=Common

Useful CLI commands for Cisco CUCM

I don't work on the command line of CUCM often, if ever – you may add, but when the need arises, here is the short list of commands to keep. A little reminder – the latest (from version 5 on) Cisco CUCM software is Linux (namely Red Hat) based, which of course includes terminal access – be it physical via console or over the network via ssh.
You create a username/password for the terminal during the CUCM installation.
As Cisco does not want us to mess with the underlying OS, our interaction is limited to a very restricted kind of shell. So you don't have access to the Linux commands, but you do have a predefined set of CUCM commands, of which I present the most useful ones here.
I ran the examples below on an MCS hardware server, so your output may vary.


– Changing the password for yourself/another user. Know that it is here, but do not play with it, risking locking yourself out of the server.

admin:set password { age* | complexity* | expiry* | inactivity* | user* }

– Get the disk usage

show diskusage activelog

– Show the status of the fans (irrelevant for VMware based install)

admin:show environment fans
ID            Current (RPMS)   Lower Critical Threshold   Status

Fan Sensor 1 7800     4200      OK
Fan Sensor 2 7950     4200      OK
Fan Sensor 3 7800     4200      OK
Fan Sensor 4 7350     4200      OK
Fan Sensor 5 7200     4200      OK

– Show the server temperature (irrelevant for VMware based install)

show environment temperatures

(Celcius)    Non-Critical   Critical   Threshold    Threshold

     ID       Current  Lower   Upper   Lower   Upper  Location Temperature Sensor
24          53          54           55        62   1

– Show the server hardware (irrelevant for VMware based install)

show hardware

HW Platform    : 7825I4
Processors     : 1
Type           : Intel(R) Core(TM)2 Duo CPU E8400  @ 3.00GHz
CPU Speed      : 3000
Memory         : 2048 MBytes

show logins
administ pts/0   Wed Aug 12 09:56   still logged in

– Show physical memory (irrelevant for VMware based install)

show memory modules

Bank  Locator   Size  Active Status

– Show interface status (more useful for hardware based servers than VMware ones)

show network eth0

Ethernet 0
DHCP      : disabled        Status : up
IP Address   :     IP Mask :
Link Detected: yes             Mode    : Auto enabled, Full, 100 Mbits/s
Duplicate IP : no
DNS   Not configured.
Gateway   : on Ethernet 0

– Show the number of open connections. If there is some network connectivity issue this number will be unusually low, as each IP phone/voice gateway is counted as a connection.
show network ip_conntrack


– Show open and accessible over the network ports

show network ipprefs public

Application  IPProtocol   PortValue Type      XlatedPort   Status    Description

------------ ------------ ------------ ------------ ------------ ------------ ------------

sshd      tcp       22        public    –         enabled   sftp and ssh access
clm       udp       8500      public    –         enabled   cluster manager
clm       tcp       8500      public    –         enabled   cluster manager
tomcat    tcp       8443      translated   443       enabled   secure web access
tomcat    tcp       8080      translated   80        enabled   web access
ntpd      udp       123       public    –         enabled   network time sync

Available encryption and hashing algorithms by default in Check Point R77.30

These are enabled by default for use in site-to-site VPN configurations:
Phase 1 encryption:

phase 1 encryption algo

Phase 1 hashing:

phase 1 hashing algo

Phase 2 encryption:

phase 2 encryption algo

Phase 2 hashing:

phase 2 hashing algo

Cisco reflexive access-lists are still on CCNP Security exam

Today I was surprised to hear from someone who just took one of the CCNP Security exams that they still test for Reflexive access-lists - what nostalgia. I was sure it had long been ousted by ip inspect and the Zone Based Firewall, but no - it is still tested and still available in the newest IOS images of at least the ISR routers. If you, like me, are rusty on its config, here is how to allow everything outbound from the inside:
ip access-list extended OUTBOUND 
permit tcp any any reflect MIRROR 
permit udp any any reflect MIRROR 
permit icmp any any reflect MIRROR 
Then the access-list to put on external facing interface inbound:
ip access-list extended INBOUND 
evaluate MIRROR 
And finally apply it:
#conf t
(config)# interface FastEthernet 0/1 
(config-if)# ip access-group OUTBOUND out 
(config-if)# ip access-group INBOUND in
Do not forget its drawbacks, of course:
  • It does not work well with complex protocols like FTP.
  • It is not exactly stateful - what happens is that the router dynamically adds non-stateful entries to the INBOUND access list that mirror the passing traffic, expiring them after some time. In doing so the Cisco router looks only at the source/destination IP addresses and ports.

How to know if a license or a subscription is about to expire for Check Point product

There are two ways to be warned when some license or subscription-based service from Check Point is about to expire:
  • Every time we log in to SmartUpdate (part of the SmartConsole suite), if there are any licenses/services expiring within the next 30 days we'll see a pop-up with the expiring licenses/contracts in red.
  • If you have (and if not - make sure you do have) a User Center account attached to your Check Point account, you will get a reminder at the registered email address, again within 30 days of expiration.

Overlooked but nice utility from Checkpoint – cpview

Check Point has made available, starting with R77, this helpful information utility called cpview, of which not many are aware. This is basically a Bash script that runs a bunch of native Check Point commands in the background and displays the output on the terminal, while updating the data every other second.
– Running the command (you have to be in Expert mode):

# cpview
– File location:
# which cpview
alias cpview='/bin/cpview_start.sh'
	/bin/cpview_start.sh
– Some of the commands the utility runs:
fw ctl pstat
fw ctl multik stat
fw ctl affinity -l -r

Example output: cpview screenshot

© 2016 yurisk.info