CheckPoint Security Gateway (firewall) and Security Management password hashes - Printable Version

hashcat Forum (https://hashcat.net/forum) > Misc (https://hashcat.net/forum/forum-15.html) > User Contributions (https://hashcat.net/forum/forum-25.html) > Thread: CheckPoint Security Gateway (firewall) and Security Management password hashes (/thread-4436.html)
CheckPoint Security Gateway (firewall) and Security Management password hashes - emvee - 06-14-2015

This forum post will explain how to get all sorts of different password hashes out of the Check Point Security Gateway / Management and use oclHashcat modes to process these hashes. This article does not explain how to hack any of the Checkpoint products. You will need a highly privileged administrative account for getting these hashes. I will discuss the:
The tests were performed on the Check Point R77.10 on SPLAT and R77.20 on Gaia.

OS Level hash

During the initial installation process an administrative account for the OS (Gaia/SPLAT) is configured. In the examples the name "admin" is used, but this could be anything. This administrative account is used to access the OS (e.g. SSH or via the HTTPS web interface). Within Gaia the default password policy for this account is a minimum of 6 and a maximum of 128 characters (and a mixture of upper, lower, digit, punctuation; the password "hashcat!" will be compliant (R77.20/GAIA)).

The MD5Crypt password hash of the Linux based Checkpoint OS (Gaia) is stored in a couple of places and looks like this (using expert mode):

    [Expert@gaia:0]# cat /etc/shadow
    admin:$1$E.kZY52L$p0FPOFtATJqMIiGO4g/15.:16599:0:99999:8:::
    monitor:*:16599:0:99999:8:::
    root:*:16599:0:99999:7:::
    nobody:*:16599:0:99999:7:::
    postfix:*:16599:0:99999:7:::
    rpm:!!:16599:0:99999:7:::
    shutdown:*:16599:0:99999:7:::

The hash (including a history) is also stored in the internal Check Point database (initial_db) and can be found with sqlite3 using the following query.

    [Expert@gaia:0]# cd /config/db
    [Expert@gaia:0]# sqlite3 initial_db
    SQLite version 3.6.20
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> SELECT * from revisions WHERE binding="passwd:admin:passwd";
    passwd:admin:passwd|0|$1$uqG52icP$Hmscx8cYThBuQc9j6RI8f0||||2015-06-13 07:34:14|1
    passwd:admin:passwd|1|$1$E.kZY52L$p0FPOFtATJqMIiGO4g/15.|admin|localhost||2015-06-13 20:03:36|0

You can process this hash with oclHashcat using the -m 500 mode (password is "hashcat!" (without the quotes)):

    oclHashcat64.exe -a 3 "$1$E.kZY52L$p0FPOFtATJqMIiGO4g/15." -m 500 hashcat!

Expert mode hash (Check Point Gaia)

To get a bash shell you have to get into the expert mode, which is also protected with a password.
The hash of this password is stored in /config/db/initial and is using the same Unix md5crypt scheme, see example of the format of this entry in the file (initial) below:

    expertpwdWD $1$TZBPBB`X$Bb.xgkzxV02AO8ASBFoa50

The hash of the expert mode (and history) can also be found with a SQL query in the sqlite database (in the screenprint below the last set password is "hashcat!").

    [Expert@gaia:0]# sqlite3 initial_db
    SQLite version 3.6.20
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> SELECT * from revisions WHERE binding="expertpwdWD";
    expertpwdWD|0|||||2015-06-13 08:34:14|1
    expertpwdWD|1|$1$WBALVJDB$BznmpO.J3EgrWbQOfprEA.|admin|localhost||2015-06-13 07:55:15|0
    expertpwdWD|2|$1$TZBPBB`X$Bb.xgkzxV02AO8ASBFoa50|admin|localhost||2015-06-13 21:51:07|0

The expert mode hash can be checked with the same -m 500 mode (same scheme).

    oclHashcat64.exe -a 3 $1$TZBPBB`X$Bb.xgkzxV02AO8ASBFoa50 -m 500 hashcat!

Checkpoint Password (authentication scheme) application (CPsuite)

At the Check Point application level a Security Management administrator account is created during the installation process (cpconfig_administrators). Additional accounts can only be defined using the SmartDashboard GUI. The hash of this password is stored in the file fwmusers located in /var/opt/CPsuite-R77/fw1/conf and is stored in the following format:

    [Expert@gaia:0]# cat fwmusers
    secadmin 259d025bf03dd16127ce5162fb88f5654d864743 ffffffff

The administrator's name in this case is secadmin, but can be set during the installation process. The password used is "hashcat!" (without the quotes). Looking into the hash format, it appears to be a salted MD5 hash using a 4 byte hex value salt. The first 4 bytes in the 20 byte hash above are the random salt (259d025b), the remaining 16 bytes are the MD5 hash (f03dd16127ce5162fb88f5654d864743). oclHashcat can handle this hash type by using the generic hash mode 20 (md5($salt.$pass)) with the --hex-salt option.
Testing can be done with the following one liner:

    oclhashcat64.exe -a 3 "f03dd16127ce5162fb88f5654d864743:259d025b" --hex-salt -m 20 hashcat!

When adding a new account (e.g. newadmin) to the administrators group using the SmartDashboard, it will not add this to the fwmusers file but it will store the hash in the /var/opt/CPsuite-R77/fw1/conf/fwauth.NDB file (use grep or an editor, but make sure you have 20 bytes, because the fwauth.NDB is a data filetype and non-printable ASCII characters could be present which need to be removed first).

    [Expert@gaia:0]# grep -a -i internal_password fwauth.NDB
    :internal_password (bfab0767964c4991faa6a054f553368fb3f55e27)

Please note that if you added more accounts to the "administrators" tab, by using the above grep more hashes will return and you will have to look into the fwauth.NDB to match the corresponding name. Use the oclHashcat -m 20 mode as explained before to handle this hash.

    oclhashcat64.exe -a 3 964c4991faa6a054f553368fb3f55e27:bfab0767 --hex-salt -m 20 hashcat!

Interestingly enough, when adding a user (e.g. user999) with exactly the same authentication scheme (Check Point Password) as used with the newadmin administrator, the hash of that password is stored in a different format, a DESCrypted hash. See sample below. The first hash is the "newadmin" MD5 based hash, the second hash is for the added user999. See attachment to get an idea of the SmartDashboard administrator/users layout.

    [Expert@gaia:0]# grep -a -i internal_password fwauth.NDB
    :internal_password (bfab0767964c4991faa6a054f553368fb3f55e27)
    :internal_password (q7Lq07kQU.PPI)

The DESCrypted hash can be handled with oclHashcat hashmode -m 1500

    oclhashcat64.exe -a 3 q7Lq07kQU.PPI -m 1500 hashcat!

Cheers Maarten

RE: CheckPoint Security Gateway (firewall) and Security Management password hashes - epixoip - 06-14-2015

Great information, thank you for sharing!
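An added Python helper (not from the thread and not Check Point code) for the two application-level formats emvee's post describes: it splits the 40 hex character salt+MD5 value from fwmusers / fwauth.NDB into the digest:salt line that hashcat -m 20 --hex-salt expects, pulls ":internal_password (...)" records out of the binary fwauth.NDB content and classifies them as the salted MD5 or the 13 character DES crypt form, and recomputes md5($salt.$pass) so an audit result can be double-checked without hashcat. The fwauth.NDB bytes below are constructed around the values quoted in the post.

```python
import hashlib
import hmac
import re

# Constructed sample: ":internal_password (...)" records as grepped out of the
# binary fwauth.NDB file, with non-printable bytes around them (not real data).
SAMPLE_NDB = (b"\x00\x01:internal_password (bfab0767964c4991faa6a054f553368fb3f55e27)\x00"
              b"\x07:internal_password (q7Lq07kQU.PPI)\x00")

MD5_SALTED_RE = re.compile(r"^[0-9a-f]{40}$")      # 4 byte salt + 16 byte MD5, hex
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # classic DES crypt (hashcat -m 1500)

def split_cp_md5(entry):
    """First 8 hex chars (4 bytes) are the salt, the remaining 32 the MD5 digest."""
    if not MD5_SALTED_RE.match(entry):
        raise ValueError("expected 40 hex characters")
    return entry[:8], entry[8:]

def to_hashcat_m20(entry):
    """Render the entry as the digest:salt line hashcat -m 20 takes with --hex-salt."""
    salt, digest = split_cp_md5(entry)
    return f"{digest}:{salt}"

def make_cp_md5_entry(salt_hex, password):
    """Build an entry the way the scheme does: salt bytes + md5(salt bytes . password)."""
    digest = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return salt_hex + digest

def verify_cp_md5(entry, candidate):
    """Recompute md5($salt.$pass) for a candidate and compare to the stored digest."""
    salt, digest = split_cp_md5(entry)
    calc = hashlib.md5(bytes.fromhex(salt) + candidate.encode()).hexdigest()
    return hmac.compare_digest(calc, digest)

def extract_ndb_passwords(blob):
    """Pull internal_password values out of fwauth.NDB bytes and classify by format."""
    found = []
    for m in re.finditer(rb":internal_password \(([^)]*)\)", blob):
        value = m.group(1).decode("ascii", "replace")
        if MD5_SALTED_RE.match(value):
            found.append(("md5_salted_m20", to_hashcat_m20(value)))
        elif DES_CRYPT_RE.match(value):
            found.append(("descrypt_m1500", value))
        else:
            found.append(("unknown", value))
    return found
```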
RE: CheckPoint Security Gateway (firewall) and Security Management password hashes - Rolf - 06-14-2015

Indeed, very good stuff, thoroughly explained.

RE: CheckPoint Security Gateway (firewall) and Security Management password hashes - emvee - 06-14-2015

Thanks guys, you are welcome. Just a minor addition: the hash for the expert mode on both SPLAT and the Gaia platform can also be found in /boot/grub/grub.conf.

    [Expert@cpsplat]# grep password grub.conf
    password --md5 $1$^BZBBABB$ICuFdZqgMooVF7CMBaX8x0

Once again you can check it with the -m 500 hashcat mode (make sure you use quotes because of the special chars in the hash).

    oclHashcat64.exe -a 3 "$1$^BZBBABB$ICuFdZqgMooVF7CMBaX8x0" -m 500 hashcat!

When you are changing the expert password in the cp_shell (set expert-password) make sure you do a "save config" after that. Otherwise the expert password hash is not saved into the initial_db (Gaia).

Cheers Maarten

RE: CheckPoint Security Gateway (firewall) and Security Management password hashes - atom - 06-15-2015

Excellent post, thanks!