cyberlabs.us
Upgrade Ubuntu 16.04 to 18.04 via CLI
Information

Step 1: Updating and Upgrading the System
Before upgrading to Ubuntu 18.04, make sure to update the available packages, upgrade the existing system, and clean the disk from unnecessary packages.

  1. Update the software packages repository list:

sudo apt-get update

  2. Then, upgrade already installed packages and let the system handle package dependencies with:

sudo apt-get upgrade -y

sudo apt-get dist-upgrade -y

  3. Finally, free up disk space by removing all unnecessary packages:

sudo apt-get autoremove

Press y to confirm you want to remove the packages.

Step 2: Setting Up Update Manager
Ubuntu allows you to easily upgrade to a newer LTS version using the Update Manager. If you do not have this package installed on the system, follow the steps below.

  1. Run the command for installing Update Manager:

sudo apt-get i... more

February 2nd, 2022 - 10:50 am

Pihole 101
Informational

Update Pi-hole:

#pihole -up

Update Gravity:

#pihole -g

Rate limiting can easily be disabled by setting the following in /etc/pihole/pihole-FTL.conf:

RATE_LIMIT=0/0

For a rate limit of 1 query per hour, the option should look like:

RATE_LIMIT=1/3600

Syslog configuration example:

log-facility=local2 in /etc/dnsmasq.d/01-pihole.conf

February 2nd, 2022 - 10:32 am

FreeRADIUS with Cisco IOS
Informational

Configure a Switch for Authentication and Authorization

In order to create a local user on the switch with full privileges for fallback access, enter:

Switch(config)#username admin privilege 15 password 0 cisco123!

In order to enable AAA, enter:

switch(config)# aaa new-model

In order to provide the IP address of the RADIUS server as well as the key, enter:

switch# configure terminal

switch(config)#radius-server host 172.16.71.146 auth-port 1645 acct-port 1646

switch(config)#radius-server key hello123

In order to test RADIUS server availability, enter the test aaa command:

switch# test aaa server Radius 172.16.71.146 user1 Ur2Gd2BH

The test authentication fails with a rejection from the server, because the server is not yet configured, but it confirms that the server itself is reachable.

In order to configure login authentications to fall back to local users if ... more

January 27th, 2022 - 07:41 pm

FreeRADIUS with Cisco AnyConnect
Informational

Add the Cisco ASA firewall as a RADIUS client: you need to add the firewall as a 'client' before it can authenticate. Edit the following file:

vi /etc/freeradius/clients.conf

Add the following text to the end of the file (cisco123 is the shared secret we will enter on the ASA later):

client 192.168.110.1 {
secret = cisco123
shortname = CiscoASA
nastype = cisco
}

On the ASA, create an AAA group, set its authentication type to RADIUS, add the FreeRADIUS server as a host, and specify the secret key you used above. REMEMBER that you need to specify the ports, or authentication will fail with a "no response" error.

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 192.168.110.85
authentication-port 1812
accounting-port 1813
key cisco123
radius-common-pw cisco123
exit
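The reason the shared secret has to match on both ends is visible in the protocol itself. The following Python script is an added example, not code from this post, from FreeRADIUS or from Cisco: it builds a RADIUS Access-Request the way a NAS such as the ASA does, hides the User-Password with the shared secret exactly as RFC 2865 section 5.2 describes, and then recovers it the way the server does. The client address 192.168.110.1 and the secret cisco123 are the values from the post above; the username, password and request identifier are constructed for the example.

```python
import hashlib
import os
import struct

# RADIUS packet code and attribute types used here (RFC 2865).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then XOR
    each 16-octet block with MD5(secret + previous ciphertext block); the first
    block uses the 16-octet Request Authenticator in place of a previous block."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the server. With a different
    secret the keystream differs and the result is garbage, so the server
    cannot match the password and answers Access-Reject."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length includes the 2 header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = None) -> bytes:
    """Assemble the packet a NAS sends: header, Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Split a RADIUS packet into its header fields and a list of (type, value)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": ident, "authenticator": authenticator, "attrs": attrs}


def server_side_password(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS server recovers from the request using its copy of the secret."""
    parsed = parse_packet(packet)
    hidden = next(v for t, v in parsed["attrs"] if t == ATTR_USER_PASSWORD)
    return reveal_password(hidden, secret, parsed["authenticator"])


if __name__ == "__main__":
    # Constructed request from the ASA (192.168.110.1 in the post) with secret cisco123.
    pkt = build_access_request(7, "vpnuser", "constructed-example-pw", b"cisco123", "192.168.110.1")
    print("server with matching secret:", server_side_password(pkt, b"cisco123"))
    print("server with wrong secret:   ", server_side_password(pkt, b"wrongsecret"))
```

With the matching secret the server recovers the password; with any other secret it recovers garbage and replies Access-Reject. That is the failure mode to look for once the "no response" symptom caused by wrong ports, described above, has been ruled out.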

January 27th, 2022 - 07:36 pm

Cisco Anyconnect - Manual Uninstall Mac OS
Informational

Older versions of Cisco AnyConnect are incompatible with newer versions of macOS, and you will run into the "... will damage your computer" warning popup. Use the command below to remove the older AnyConnect package.

$ sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn

September 4th, 2021 - 07:30 pm

Cisco FMC -  Reset Admin Password for Web and CLI
Informational

Reboot the FMC. You will then see a red LILO boot menu. Press any key to interrupt the boot sequence. At the prompt, type the version of the FMC (6.3.0 in my case) followed by ‘single’ and hit return.

boot: 6.3.0 single

Once the FMC boots into single-user mode, you should see the # prompt. Type passwd admin to bring up the password reset prompt for the admin user, then enter a new password and enter it again to confirm.

bash-3.2# passwd admin

Once your new password is set, reboot the FMC again. Let it boot normally this time, without interrupting it as before. At the login prompt you should then be able to log in using the newly set password.

At the prompt, enter sudo usertool.pl -p 'admin password' (where password is the new password), like the example below.

admin@FMC:~$ sudo usertool.pl -p 'admin cisco'
Password:
admin@FMC:~$

Now go back to the web GUI ... more

August 16th, 2021 - 10:18 am

ASA Connection Error: ‘The First Key-Exchange Algorithm’
Informational

conf t

ssh key-exchange group dh-group14-sha1

write mem

June 25th, 2021 - 09:29 pm

Kali with SSH
Informational

The openssh-server package should already be installed; to verify this, you can use the following command:

# apt list openssh-server
You should see the version with [installed] after it like this:


If it’s not installed, you can use this command to install it:

# apt install openssh-server
When enabling the service, be sure to fully secure SSH first. I will cover some of the basics briefly, but this is not meant to be a guide to securely running an SSH server. Since Kali comes with pre-generated SSH keys, the first thing we will do to make it more secure is generate new ones.

To back up the original keys first as a precaution, use:

# mkdir /etc/ssh/default_keys
# mv /etc/ssh/ssh_host_* /etc/ssh/default_keys/
Then to regenerate the keys:

# dpkg-reconfigure openssh-server
The next step is to edit the SSH server configuration file with the settings you need:

... more

June 25th, 2021 - 09:24 pm

Check Point CLI
Informational

Useful Check Point Commands

cpconfig

change SIC, licenses and more


cpview -t

show top style performance counters


cphaprob stat

list the state of the high availability cluster members. Should show active and standby devices.


cphaprob -a if

display status of monitored interfaces in a cluster


cphaprob -l list

display registered cluster devices and status


cphaprob syncstat

display sync transport layer statistics


cphaprob ldstat

display sync serialization statistics


cphastop

stop a cluster member from passing traffic. Stops synchronization. (emergency only)

more

June 25th, 2021 - 08:40 pm

FreeRADIUS with GAiA
Informational

FreeRADIUS server

Copy /etc/radius-dictionaries/dictionary.checkpoint file from Gaia OS to /etc/freeradius/ on FreeRADIUS server.


Add this line to /etc/freeradius/dictionary:

$INCLUDE /etc/freeradius/dictionary.checkpoint


To add users edit the /etc/freeradius/users file.

-Use "Tab" key and not "Space" on rows following a username.
-Use comma "," after each command except the last command in the file.


Syntax of this file (if the syntax is wrong, the service will fail to start). Example:

  Cleartext-Password := vpn123,
  CP-Gaia-User-Role = adminRole,
  CP-Gaia-SuperUser-Access = 1
  

Restart the service:

service freeradius restart
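Because a syntax slip in the users file stops the service, it is worth checking an entry before restarting. The Python script below is an added example, not part of this post or of FreeRADIUS: it applies the two rules stated above (Tab, not spaces, on the rows following a username; a comma after every row except the last) and parses well-formed entries into attribute, operator and value. The "last row" rule is applied per user entry, which is how FreeRADIUS reads the file; with a single user that is the same as "last in the file". The username gaiaadmin and the sample texts are constructed; the attribute rows are the ones from the post.

```python
import re

# One attribute row: "<Attribute> <operator> <value>[,]" with optional leading whitespace.
# Multi-character operators are listed before their single-character prefixes.
ITEM_RE = re.compile(
    r'^\s*([\w-]+)\s*(:=|\+=|==|!=|>=|<=|=~|!~|>|<|=)\s*(.+?)\s*,?\s*$'
)


def _is_skippable(raw: str) -> bool:
    """Blank lines and comments carry no entry data."""
    return not raw.strip() or raw.lstrip().startswith('#')


def check_users_text(text: str) -> list:
    """Return a list of (line_number, message) for every rule violation.
    Assumes the layout used in the post: a non-indented username line followed
    by one indented attribute row per line."""
    problems = []
    lines = text.splitlines()
    entries = []  # (username line number, [row line numbers])
    for no, raw in enumerate(lines, 1):
        if _is_skippable(raw):
            continue
        if raw[0] not in ' \t':
            entries.append((no, []))
        elif entries:
            entries[-1][1].append(no)
        else:
            problems.append((no, 'attribute row appears before any username'))
    for _, rows in entries:
        for i, no in enumerate(rows):
            raw = lines[no - 1]
            last = i == len(rows) - 1
            if not raw.startswith('\t'):
                problems.append((no, 'row is indented with spaces; use a Tab'))
            if not last and not raw.rstrip().endswith(','):
                problems.append((no, 'missing trailing comma'))
            if last and raw.rstrip().endswith(','):
                problems.append((no, 'last row of the entry must not end with a comma'))
            if not ITEM_RE.match(raw):
                problems.append((no, 'cannot parse attribute row'))
    return problems


def parse_users_text(text: str) -> dict:
    """Return {username: [(attribute, operator, value), ...]} for well-formed text.
    Quotes around a value are stripped; an item on the username line itself is kept too."""
    users, current = {}, None
    for raw in text.splitlines():
        if _is_skippable(raw):
            continue
        if raw[0] not in ' \t':
            name, _, rest = raw.partition(' ')
            current = name
            users[current] = []
            m = ITEM_RE.match(rest) if rest.strip() else None
        else:
            m = ITEM_RE.match(raw)
        if m and current is not None:
            users[current].append((m.group(1), m.group(2), m.group(3).strip('"')))
    return users


# Constructed sample entries: the first follows the rules, the second breaks them
# (spaces instead of a Tab and a missing comma on row 2, a stray comma on the last row).
GOOD_USERS = (
    "gaiaadmin\n"
    "\tCleartext-Password := vpn123,\n"
    "\tCP-Gaia-User-Role = adminRole,\n"
    "\tCP-Gaia-SuperUser-Access = 1\n"
)
BAD_USERS = (
    "gaiaadmin\n"
    "    Cleartext-Password := vpn123\n"
    "\tCP-Gaia-User-Role = adminRole,\n"
    "\tCP-Gaia-SuperUser-Access = 1,\n"
)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_USERS), ("bad", BAD_USERS)):
        print(label, check_users_text(sample) or "no problems")
    print(parse_users_text(GOOD_USERS))
```

Run it against the real file with `check_users_text(open('/etc/freeradius/users').read())` before `service freeradius restart`; an empty list means the two formatting rules are satisfied.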

June 25th, 2021 - 08:16 pm

Splunk: Autostart on boot
Informational

Run the enable boot-start command as root:

$SPLUNK_HOME/bin/splunk enable boot-start

June 24th, 2021 - 08:00 am

GitHub Links
Informational

Mine:

https://github.com/stevenbalch

Others:

https://github.com/Cybereason/Logout4Shell
https://github.com/toniblyx/my-arsenal-of-aws-security-tools
https://github.com/skavngr/rapidscan
https://github.com/yudai/gotty
https://github.com/redcanaryco/atomic-red-team
https://github.com/k4m4/dcipher-cli
https://github.com/falcosecurity/falco
https://github.com/joe-shenouda/awesome-cyber-skills
https://github.com/tennc/Awesome-Hacking
https://github.com/OpenCTI-Platform/docker

May 6th, 2021 - 02:09 pm

Log Exporter - Check Point Log Export
Informational

It seems like every time I upgrade my Check Point SMS, I have to reconfigure the Log Exporter, so I have to remember this command:

cp_log_export add name "name" domain-server "domain-server" target-server "target-server IP/host name" target-port "target-port" protocol "udp|tcp" format "syslog|cef|splunk|logrhythm|generic" [optional arguments]


Internal Commands:

add - Deploy a new Check Point Log Exporter.

delete - Remove an exporter.

reexport - Reset the current position and reexport all logs per the configuration.

restart - Restart an exporter process.

set - Update an existing exporter's configuration.

show - Print an exporter's current configuration.

start - Start an exporter process.

status - Show an exporter's overview status.

stop - Stop an exporter process.


Parameters:

apply-now - Applying any change that was done ... more

March 30th, 2021 - 02:50 pm

Removing PDF Document Security with Ubuntu
Informational

# apt-get install pdftk

# pdftk original.pdf output cleaned.pdf allow AllFeatures

It will give you the warning below but cleans the file just fine.

WARNING: The creator of the input PDF:
   original.pdf
   has set an owner password (which is not required to handle this PDF).
   You did not supply this password. Please respect any copyright.


SYNOPSIS
       pdftk < input PDF files | - | PROMPT >
            [ input_pw < input PDF owner passwords | PROMPT > ]
            [ < operation > < operation arguments > ]
            [ output < output filename | - | PROMPT > ]
            [ encrypt_40bit | encrypt_... more

January 25th, 2021 - 03:19 pm

Unlock the ESXi Host Account at the Console
Informational

Procedure to unlock the ESXi host account at the console

1. At the console, press CTRL+ALT+F2 to get to the ESXi shell. If a login prompt appears, continue with step 3; otherwise continue with step 2.

2. Log in to the DCUI (to enable the ESXi Shell if not already done):
a. Log in with root and the correct password.
b. Go to Troubleshooting Options.
c. Select Enable ESXi Shell.
d. Press CTRL+ALT+F1.

3. At the ESXi shell, log in with root and the password.

4. Run the following command to show the number of failed attempts:

pam_tally2 --user root

5. Run the following command to unlock the root account:

pam_tally2 --user root --reset


January 14th, 2021 - 08:21 pm

CIDR IPv4 Subnet Mask Cheat Sheet

January 14th, 2021 - 06:52 pm

Interesting traffic from Russia hitting my blog
Informational

From Check Point IPS Blade:

Description: Prevented zend technologies zend framework zend_xmlrpc information disclosure originating from 45.155.205.108

/Autodiscover/Autodiscover.xml


Description: Prevented nonecms thinkphp remote code execution (cve-2018-20062) originating from 45.155.205.108

/index.php?s=/Index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]


From Cisco Firepower:

Event: SERVER-WEBAPP PHPUnit PHP remote code execution attempt (1:45749:2)

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php


December 24th, 2020 - 02:49 pm

Corrupted ESX file system
Informational

Symptoms

When an ESX host reboots, you see the error:
UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.

(i.e., without -a or -p options)
*** An error occurred during the file system check.
*** Dropping you to a shell; the system will reboot
*** when you leave the shell.

Give root password for maintenance
(or type CTRL-D to continue)

Cause
This issue is caused by a corrupted ESX file system.

Resolution
Use one of these two options to resolve this issue:

Use fsck
Use fdisk and e2fsck -p

Both of these options require that you use single user mode on the ESX host. To enter single user mode:

Reboot the ESX host.

When the GRUB screen appears, press the space bar to stop the server from automatically booting into VMware ESX.
Use the arrow keys to select Service Console only (troubleshooting mode).

Press the a key to modify the kernel arguments (b... more

December 21st, 2020 - 08:14 am

FMC General Information
Informational

Default Username: admin.
Default Password: Sourcefire (capital S)
Default Password (after version 6.0.0): Admin123 (capital A)

A unique alphanumeric registration key is always required to register a device to a FireSIGHT Management Center. This is a simple key that you specify, and is not the same as a license key.

The command has the following syntax:

> configure manager add reg_key

One of the following error messages is seen on the console of a VMware FMC/FTD/NGIPS running on ESXi 6 or 6.5.

“INIT:  Id  "s1" respawning too fast:  disabled for 5 minutes”

or

“INIT:  Id  "ftd1" respawning too fast:  disabled for 5 minutes”

Fix:

Edit the settings of the virtual device in VSphere while powered off.
Select “Serial Port” from the “New device... more

December 19th, 2020 - 06:50 pm

FreeRADIUS Authentication using pam-radius on Ubuntu
Informational

First, install the package:

$ sudo apt-get install libpam-radius-auth
That was pretty painless. Now let's configure it. First, tell pam_radius which RADIUS server to talk to:

$ sudo vi /etc/pam_radius_auth.conf

Edit the line "other-server other-secret 3", replacing 'other-server' with the IP address or hostname of your RADIUS server.

Edit your /etc/pam.d/sshd file and add the line:

auth       required     /lib/security/pam_radius_auth.so

Just above:

# Standard Un*x authentication.
@include common-auth

Now you are ready to test. I recommend running 'tail -f /var/log/auth.log' while you test.

October 30th, 2020 - 04:06 pm
