Blocking Browsec Chrome Extension

Browsec is a VPN browser extension similar to ZenMate.

CheckPoint:
Image.png

Cisco ASA:

Cyberoam:

Fortigate:

Juniper:

Mikrotik:

# MikroTik: block the Browsec extension by matching its backend hostname
# (postls.com) with a layer-7 regex. Layer-7 matching inspects packet payload,
# so it only catches flows where that hostname is visible in clear text;
# encrypted traffic that does not expose it is not matched.
/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol
# NOTE: the quote characters below are typographic (” ”) as pasted from the web;
# replace them with plain ASCII double quotes before pasting into a RouterOS
# terminal. The "." in postls.com is unescaped and matches any character.
add name=browsec regexp=”^.+(postls.com).*\$”
/ip firewall filter

# Drops forwarded traffic from the LAN list only; the router's own traffic
# (chain=output) is not affected by this rule.
add action=drop chain=forward layer7-protocol=browsec src-address-list=LAN

PaloAlto:

SonicWall:

Blocking Telegram

Telegram is a messaging app similar to WhatsApp; it can be downloaded here:

https://telegram.org

CheckPoint:
Image.png

Cisco ASA:

! Cisco ASA: block Telegram for the inside LAN by destination address.
! The six /22 objects below are a snapshot of Telegram's address space at the
! time this was written; an IP-based block is only as current as that list,
! so review it periodically.
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 12.12.12.1 255.255.255.0
clock timezone gmt 7
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
object network PAT
 subnet 12.12.12.0 255.255.255.0
object network telegram1
 subnet 91.108.4.0 255.255.252.0
object network telegram2
 subnet 91.108.56.0 255.255.252.0
object network telegram3
 subnet 149.154.160.0 255.255.252.0
object network telegram4
 subnet 149.154.164.0 255.255.252.0
object network telegram5
 subnet 149.154.168.0 255.255.252.0
object network telegram6
 subnet 149.154.172.0 255.255.252.0
object-group network objgrp-telegram
 network-object object telegram1
 network-object object telegram2
 network-object object telegram3
 network-object object telegram4
 network-object object telegram5
 network-object object telegram6
! NOTE: acl-telegram and the two "ping" entries are defined but never bound
! with access-group, so they have no effect. The deny that is actually enforced
! is the first line of outside_access_out; ACLs are first-match, so that deny
! must stay above the "permit ip any any" line.
access-list LAN extended permit ip any any
access-list acl-telegram extended deny ip any object-group objgrp-telegram
access-list ping extended permit icmp any interface outside
access-list ping extended permit icmp any interface inside
access-list outside_access_out extended deny ip any object-group objgrp-telegram
access-list outside_access_out extended permit ip any any
object network PAT
 nat (inside,outside) dynamic interface
! outside_access_out is applied in the outbound direction on the outside
! interface; LAN (permit any) is applied inbound on the inside interface.
access-group outside_access_out out interface outside
access-group LAN in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.10.1 1
user-identity default-domain LOCAL
! Management (ASDM/HTTPS) is reachable from the whole 10.0.10.0/24 segment on
! the outside interface; restrict this to the admin hosts that need it.
http server enable
http 10.0.10.0 255.255.255.0 outside
http 12.12.12.0 255.255.255.0 inside
ntp server 180.211.88.211
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error

 

FortiGate:
# FortiGate: block Telegram by destination address.
# The sections appear in the order they were exported. When pasting into the
# CLI, enter "config firewall address" and "config firewall addrgrp" BEFORE
# "config firewall policy", otherwise policy 2 fails because "telegramgroup"
# does not exist yet. The quotes are typographic (“ ”) as pasted from the web;
# replace them with ASCII double quotes before pasting.
config system interface
    edit “port1”
        set vdom “root”
        set mode dhcp
        # port1 is the DHCP/WAN side; "http" here permits plaintext management
        # on the Internet-facing interface and is best removed.
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit “port2”
        set vdom “root”
        set ip 12.12.12.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set snmp-index 2
    next
end
config firewall policy
    # Policies are evaluated top-down in the order shown. Policy 1
    # (all -> all, accept) precedes policy 2 (deny to telegramgroup), so
    # Telegram traffic matches policy 1 first and policy 2 is never reached.
    # Move the deny above the accept (e.g. "move 2 before 1") for the block
    # to take effect.
    edit 1
        set name “PAT”
        set uuid 170d4c60-0d49-51e6-102b-cc84e02a9dfb
        set srcintf “port2”
        set dstintf “port1”
        set srcaddr “all”
        set dstaddr “all”
        set action accept
        set schedule “always”
        set service “ALL”
        set nat enable
    next
    edit 2
        set name “telegram”
        set uuid 0b2d9320-0d5b-51e6-ce90-307685813f39
        set srcintf “port2”
        set dstintf “port1”
        set srcaddr “all”
        set dstaddr “telegramgroup”
        set schedule “always”
        # No "set action" line: this relies on the default action being deny.
        # Stating "set action deny" explicitly makes the intent unambiguous.
        # Only HTTP/HTTPS is listed, so any other service to these addresses
        # is still allowed by the policy that matches next.
        set service “HTTP” “HTTPS”
        set logtraffic all
    next
end
config firewall address
    # The six /22 subnets are a point-in-time snapshot of Telegram's address
    # space and need periodic review.
    edit “telegram”
        set uuid 532c2ac0-0d5a-51e6-754f-62c1c2f11af6
        set subnet 91.108.4.0 255.255.252.0
    next
    # NOTE: telegram2 .. telegram6 all carry the same uuid
    # (a0149520-0d5a-51e6-b083-9fda96570787). UUIDs are generated by the
    # device and must be unique; drop the "set uuid" lines when reusing this.
    edit “telegram2”
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 91.108.56.0 255.255.252.0
    next
    edit “telegram3”
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.160.0 255.255.252.0
    next
    edit “telegram4”
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.164.0 255.255.252.0
    next
    edit “telegram5”
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.168.0 255.255.252.0
    next
    edit “telegram6”
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.172.0 255.255.252.0
    next
end
config firewall addrgrp
    edit “telegramgroup”
        set uuid 72081cc0-0d5e-51e6-f4e3-e05511d7c552
        set member “telegram” “telegram2” “telegram3” “telegram4” “telegram5” “telegram6”
    next

end

Juniper:

# show
/* Juniper SRX: block Telegram with a stateless firewall filter keyed on a
   prefix-list of Telegram's address space (a point-in-time snapshot that
   needs periodic review). */
version 12.1X46-D10.2;
system {
    host-name SRX1;
    root-authentication {
        /* This is the author's real root password hash, published with the
           listing; anyone reusing this config must replace it with their own. */
        encrypted-password “$1$htJmWkYL$Dij6D2dwMvBOvSm64mJVt0”; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh;
        web-management {
            /* Plaintext HTTP management is bound to ge-0/0/0.0, the untrust
               (WAN) interface. Prefer https on the trust-side interface. */
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* BLOCK-TELEGRAM is applied as an INPUT filter on the WAN
                   interface and matches on SOURCE prefix, so it discards
                   packets arriving from Telegram addresses (the replies);
                   outbound packets from the LAN still leave. To block the
                   outbound side, apply the filter as input on ge-0/0/1.0
                   with destination-prefix-list, or use a trust-to-untrust
                   security policy with a deny placed before default-permit. */
                filter {
                    input BLOCK-TELEGRAM;
                }
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 12.12.12.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.10.1;
    }
}
policy-options {
    prefix-list ADDRESSLIST-TELEGRAM {
        91.108.4.0/22;
        91.108.56.0/22;
        149.154.160.0/22;
        149.154.164.0/22;
        149.154.168.0/22;
        149.154.172.0/22;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: ‘queue-size’ is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set PAT {
                from zone trust;
                to zone untrust;
                rule PAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* trust -> untrust permits everything; the Telegram block relies
           entirely on the interface filter above, not on zone policy. */
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    filter BLOCK-TELEGRAM {
        /* First term discards matches, second term accepts the rest; without
           ALLOW-REST the filter's implicit discard would drop all traffic. */
        term LIST-TELEGRAM {
            from {
                source-prefix-list {
                    ADDRESSLIST-TELEGRAM;
                }
            }
            then {
                discard;
            }
        }
        term ALLOW-REST {
            then accept;
        }
    }
}

 

Mikrotik:
# MikroTik: block forwarded LAN -> Telegram traffic by destination address.
# The telegram list is a point-in-time snapshot of Telegram's address space and
# needs periodic review.
/ip firewall address-list
add address=12.12.12.0/24 list=LAN
add address=149.154.160.0/22 list=telegram
# NOTE: the next three entries have a space before the prefix length
# ("149.154.164.0 /22"). RouterOS reads "/22" as a separate token, so these
# lines are most likely rejected or not stored as /22 networks; remove the
# space so all six entries are /22.
add address=149.154.164.0 /22 list=telegram
add address=149.154.168.0 /22 list=telegram
add address=149.154.172.0 /22 list=telegram
add address=91.108.4.0/22 list=telegram
add address=91.108.56.0/22 list=telegram
/ip firewall filter
add action=drop chain=forward dst-address-list=telegram src-address-list=LAN

PaloAlto:

SonicWall:

Blocking ZenMate

CheckPoint:
Image.png

Cisco ASA:

! Cisco ASA: block ZenMate by destination host address. The nine hosts are a
! snapshot of the service's endpoints at the time of writing; an IP-based
! block of a VPN service needs periodic review as its endpoints change.
(config)# object-group network zenmate
(config)# network-object host 78.137.98.120
(config)# network-object host 78.137.98.123
(config)# network-object host 162.159.244.96
(config)# network-object host 162.159.245.96
(config)# network-object host 207.244.77.22
(config)# network-object host 103.10.197.146
(config)# network-object host 46.165.220.211
(config)# network-object host 81.17.26.242
(config)# network-object host 149.3.140.250

! NOTE: an ACL has no effect until it is bound to an interface with
! "access-group acl-inside in interface inside", which this snippet omits.
! Also, an ACL that contains only a deny ends in the implicit deny-all, so
! acl-inside needs a trailing "permit ip any any" or it will block every
! inside host once applied.
(config)# access-list acl-inside extended deny ip any object-group zenmate

Cyberoam:

FortiGate:

Juniper:

Mikrotik:
# export
# MikroTik: block ZenMate by matching its hostnames with a layer-7 regex.
# Layer-7 matching only catches flows where the hostname is visible in clear
# text. The quotes are typographic (” ”) as pasted from the web; replace them
# with ASCII double quotes before pasting into a RouterOS terminal.
/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol
# NOTE: the pattern includes the bare "zendesk.com", which matches every
# Zendesk-hosted support site, not only ZenMate's; consider removing that
# alternative. The dots are unescaped and match any character.
add name=zenmate regexp=”^.+(zenguard.biz|zenmate.io|zenguard.zendesk.com|zendesk.com|zenguard.org).*\$”
/ip firewall filter

# NOTE: this rule was exported with disabled=yes, so it drops nothing until it
# is enabled (remove disabled=yes, or enable the rule afterwards).
add action=drop chain=forward disabled=yes layer7-protocol=zenmate src-address-list=LAN

PaloAlto:

SonicWall:

Hacking Cisco ISE 1.4

NOTE: This for evaluation purposes only and can use VMware Workstation 11 or ESXi 5 above

Download flex_ISE_1.x.x.rar from Internet
extract and copy flex content into FAT32 pen drive
insert pen drive into your pc
-download Cisco ISE and Centos LiveCD
-install Cisco ISE
-set vm boot options to 7000
-add CD/DVD drive and USB Controller into ISE vm

-power on ISE vm
-configure ISE
-reboot
-connect pen drive to ISE vm
-connect to Centos LiveCD
-press Esc within 7s or Ctrl-All-Insert to reboot and try press Esc again
-click Troubleshooting
-click Rescue a CentOS system
click Continue to begin Installation
click OK 2x

# cd /mnt/sysimage
# mkdir usb
# mount /dev/sdb1 usb
# cp usb/flexlm-10.9.jar ./opt/CSCOcpm/upgrade/javalib/flexlm-10.9.jar
# cp usb/flexlm-10.9.jar ./opt/CSCOcpm/appsrv/apache-tomcat-ca-7.0.42/webapps/caservice-webapp/WEB-INF/lib/flexlm-10.9.jar
# cp usb/flexlm-10.9.jar ./opt/CSCOcpm/appsrv/apache-tomcat-ca-7.0.42/webapps/ocsp-responder-webapp/WEB-INF/lib/flexlm-10.9.jar
# cp usb/flexlm-10.9.jar ./opt/CSCOcpm/appsrv/apache-tomcat-7.0.42/lib/flexlm-10.9.jar
# reboot
disconnect Centos LiveCD and pen drive

login: setup
Enter hostname[]: ise
Enter IP address[]: 10.0.20.79
Enter IP netmask[]: 255.255.255.0
Enter IP default gateway[]: 10.0.20.1
Enter default DNS domain[]: poc.com
Enter primary nameserver[]: 10.0.20.2
Add secondary nameserver? Y/N [N}:
Enter NTP server[time.nist.gov]:10.0.20.2
Add another NTP server? Y/N [N}:
Enter system timezone[UTC]: Jakarta
Enable SSH service? Y/N [N]: y
Enter username[admin]:
Enter password:
Enter password again:

Here will take about 15min to get https active
open FireFox and go to https://10.0.20.79
click Administration/Licensing
scroll to the bottom and copy Serial Number (SN)
open Basic and Advance license file in your pen drive with NotePad++
replace all 4L4CAAMFHJ6 with your Serial Number above and save
back to Administration/Licensing, click Import License and import both Basic and Advance license
delete existing Evaluation license

FortiClient IPSec VPN

Image

1. Create 2 users, User1 and User2
go to User & Device/User/User Definition
2. Create 1 group named vpn and add User1 and User2 into vpn group
go to User & Device/User/User Groups
3. Create a Policy to allow LAN address to WAN1 address
go to Policy & Objects/Policy/IPv4

Image

4. Create VPN Wizard for Windows, Mac or Android
go to VPN/IPSec/Wizard

Image

Image

Image

Image

Image

5. Create VPN Wizard for iOS
go to VPN/IPSec/Wizard
 Image
Image
Image
Image
6. Policy & Objects/Policy/IPv4
 Image
7. FortiClient Windows Setup
-download and install FortiClient for Windows from http://www.forticlient.com
Image
8. FortiClient Android Setup
-download and install FortiClient from PlayStore

9. iOS Native Client Setup
-open Settings/VPN/
click Add VPN Configuration
click IPSec
Server: 10.0.10.54
Account: user1
Password: password
Secret: password

Site-to-Site IPsec VPN Cisco Router to FortiGate

Image

SOURCE: http://blog.webernetz.net/2015/02/02/ipsec-site-to-site-vpn-fortigate-cisco-router/

ROUTER1
# sh run
! Cisco IOS router (ROUTER1) side of a site-to-site IPsec VPN: seven VTI
! tunnels (tunnel mode ipsec ipv4), each protected by the 3DESMD5 profile and
! carrying a static route to a remote 10.0.4x.0/24 network. Tunnel4 is the one
! that terminates on the FortiGate in this walkthrough.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! Passwords in this config are stored in clear text; enable
! "service password-encryption" (or type 9 secrets) before deploying.
no service password-encryption
hostname RTR2811a
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M10.bin
warm-reboot count 10 uptime 7
boot-end-marker
aaa new-model
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 10.0.31.201 10.0.31.254
ip dhcp excluded-address 10.0.31.1 10.0.31.100
ip dhcp pool pool10.0.31.0
network 10.0.31.0 255.255.255.0
default-router 10.0.31.1
dns-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name nbctcp.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
redundancy
!
! Phase-1 proposal is 3DES / MD5 / DH group 2, which is legacy-grade today;
! use AES, SHA-2 and DH group 14 or higher wherever the peer (the FortiGate
! here) supports them. The same applies to the esp-3des/esp-md5-hmac
! transform-set and pfs group2 below.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
! A single pre-shared key bound to 0.0.0.0 0.0.0.0 is accepted from ANY peer
! address, so any host that knows it can negotiate IKE with this router.
! Bind a distinct key to each tunnel peer (10.0.10.207, .221, .224, .226,
! .228, .230, .232) and use a long random value instead of the sample key.
crypto isakmp key P@ssw0rd address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec profile 3DESMD5
set transform-set TS
set pfs group2
!
! Each tunnel borrows its address from a FastEthernet0/0.2xx subinterface
! that does not appear in this listing; confirm those subinterfaces exist on
! the router, otherwise "ip unnumbered" has nothing to reference.
interface Tunnel1
ip unnumbered FastEthernet0/0.206
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.207
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel2
ip unnumbered FastEthernet0/0.221
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.221
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel3
ip unnumbered FastEthernet0/0.224
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.224
tunnel protection ipsec profile 3DESMD5
!
! Tunnel4 -> 10.0.10.226 is the FortiGate peer used in this walkthrough.
interface Tunnel4
ip unnumbered FastEthernet0/0.226
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.226
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel5
ip unnumbered FastEthernet0/0.228
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.228
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel6
ip unnumbered FastEthernet0/0.230
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.230
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel7
ip unnumbered FastEthernet0/0.232
tunnel source 10.0.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.232
tunnel protection ipsec profile 3DESMD5
!
interface FastEthernet0/0
ip address 10.0.10.206 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.31.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
! Plaintext HTTP management is enabled alongside HTTPS; keep only
! "ip http secure-server".
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! PAT for the LAN (ACL 101) out of FastEthernet0/0; the static routes send the
! remote 10.0.4x.0/24 networks into their respective tunnels.
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.10.1
ip route 10.0.41.0 255.255.255.0 Tunnel1
ip route 10.0.42.0 255.255.255.0 Tunnel2
ip route 10.0.43.0 255.255.255.0 Tunnel3
ip route 10.0.44.0 255.255.255.0 Tunnel4
ip route 10.0.45.0 255.255.255.0 Tunnel5
ip route 10.0.46.0 255.255.255.0 Tunnel6
ip route 10.0.47.0 255.255.255.0 Tunnel7
access-list 101 permit ip 10.0.31.0 0.0.0.255 any
!
control-plane
mgcp fax t38 ecm
mgcp profile default
line con 0
line aux 0
! vty 0-4 accept every transport, including telnet, while vty 5-15 are
! SSH-only; make the first five lines "transport input ssh" as well.
line vty 0 4
transport input all
line vty 5 15
transport input ssh
scheduler allocate 20000 1000
end

- refresh the routing table if needed
# clear ip route *

FORTIGATE2
-create objects
Image

-create a vpn tunnel
Image

Image

Image

-create Policy/IPv4
Image
-create a static route
Image
-Back to Cisco1
after about 5 minutes, make sure the route to 10.0.44.0 through Tunnel4 appears
# clear ip route *
# sh ip route
S*    0.0.0.0/0 [1/0] via 10.0.10.1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        10.0.10.0/24 is directly connected, FastEthernet0/0
L        10.0.10.206/32 is directly connected, FastEthernet0/0
C        10.0.31.0/24 is directly connected, FastEthernet0/1
L        10.0.31.1/32 is directly connected, FastEthernet0/1
S        10.0.41.0/24 is directly connected, Tunnel1
S        10.0.43.0/24 is directly connected, Tunnel3
S        10.0.44.0/24 is directly connected, Tunnel4
S        10.0.47.0/24 is directly connected, Tunnel7

You can now try a ping from PC1 to PC2.