CheckPoint Security Gateway (firewall) and Security Management password hashes
#1
This forum post will explain how to get all sorts of different password hashes out of the Check Point Security Gateway / Management and use oclHashcat modes to process these hashes. This article does not explain how to hack any of the Checkpoint products. You will need a highly privileged administrative account for getting these hashes. I will discuss the:
  • OS level hash (CheckPoint Gaia and SPLAT (Secure Platform) OS, Linux based;
  • expert mode hash (Gaia OS, bash shell);
  • Security Management Administrators hash (hex-salted MD5). I didn’t find any posts which link this specific checkpoint hash mechanism to the generic –m 20 hashcat mode.
  • Checkpoint Password scheme hash for users (DEScrypt).

The tests were performed on the Check Point R77.10 on SPLAT and R77.20 on Gaia.

OS Level hash
During the initial installation proces an administrative account for the OS (Gaia/SPLAT) is configured. In the examples the name “admin” is used, but this could be anything. This administrative account is used to access the OS (e.g. SSH or via the HTTPs webinterface). Within Gaia the default password policy for this account is a minimum of 6 and a maximum of 128 characters (and a mixture of Upper, Lower, digit, punctuation (the password “hashcat!” will be compliant (R77.20/GAIA).

The MD5Crypt password hash of the Linux based Checkpoint OS (Gaia) is stored in a couple of places and looks like this (using expert mode):

[Expert@gaia:0]# cat /etc/shadow
admin:$1$E.kZY52L$p0FPOFtATJqMIiGO4g/15.:16599:0:99999:8:::
monitor:*:16599:0:99999:8:::
root:*:16599:0:99999:7:::
nobody:*:16599:0:99999:7:::
postfix:*:16599:0:99999:7:::
rpm:!!:16599:0:99999:7:::
shutdown:*:16599:0:99999:7:::


The hash (including a history) is also stored in the internal Check Point database (initial_db) and can be found with sqlite3 using the following query.

[Expert@gaia:0]# cd /config/db
[Expert@gaia:0]# sqlite3 initial_db
SQLite version 3.6.20
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * from revisions WHERE binding="passwd:admin:passwd";
passwd:admin:passwd|0|$1$uqG52icP$Hmscx8cYThBuQc9j6RI8f0||||2015-06-13 07:34:14|1
passwd:admin:passwd|1|$1$E.kZY52L$p0FPOFtATJqMIiGO4g/15.|admin|localhost||2015-06-13 20:03:36|0


You can process this hash with oclHashcat using the –m 500 mode (password is “hashcat!” (without the quotes)

oclHashcat64.exe -a 3 "$1$E.kZY52L$p0FPOFtATJqMIiGO4g/15." -m 500 hashcat!


Expert mode hash (Check Point Gaia)
To get a bash shell you have to get into the expert mode, which is also protected with a password. The hash of this password is stored in /config/db/initial and is using the same Unix md5crypt scheme, see example of the format of this entry in the file (initial) below:

expertpwdTongueWD $1$TZBPBB`X$Bb.xgkzxV02AO8ASBFoa50

The hash of the expert mode (and history) can also be found with a sql query in the sqlite database (in the screenprint below the last set password is “hashcat!”.

[Expert@gaia:0]# sqlite3 initial_db
SQLite version 3.6.20
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * from revisions WHERE binding="expertpwdTongueWD";
expertpwdTongueWD|0|||||2015-06-13 08:34:14|1
expertpwdTongueWD|1|$1$WBALVJDB$BznmpO.J3EgrWbQOfprEA.|admin|localhost||2015-06-13 07:55:15|0
expertpwdTongueWD|2|$1$TZBPBB`X$Bb.xgkzxV02AO8ASBFoa50|admin|localhost||2015-06-13 21:51:07|0


The expert mode hash can be checked with the same –m 500 mode (same scheme).

oclHashcat64.exe -a 3 $1$TZBPBB`X$Bb.xgkzxV02AO8ASBFoa50 -m 500 hashcat!

Checkpoint Password (authentication scheme) application (CPsuite)

At the Check Point application level a Security Management administrator account is created during the installation proces (cpconfig_administrators). Additional accounts can only be defined using the SmartDashboard GUI.

The hash of this password is stored in the file fwmusers located in /var/opt/CPsuite-R77/fw1/conf and is stored in the following format:

[Expert@gaia:0]# cat fwmusers
secadmin 259d025bf03dd16127ce5162fb88f5654d864743 ffffffff


The administrator’s name in this case is secadmin, but can be set during the installation proces. The password used is “hashcat!” (without the quotes).

Looking into the hash format, it appears to be a salted MD5 hash and using a 4 byte hex value salt.
The first 4 bytes in the 20 byte hash above are the random salt (259d025b), the remaining 16 bytes are the MD5 hash (f03dd16127ce5162fb88f5654d864743).
oclHashcat can handle this hash type by using the generic hash mode 20 (md5($salt.$pass)) with the --hex-salt option. Testing can be done with the following one liner:

oclhashcat64.exe -a 3 "f03dd16127ce5162fb88f5654d864743:259d025b" --hex-salt -m 20 hashcat!


When adding a new account (e.g. newadmin) to the administrators group using the SmartDashboard, it will not add this to the fwmusers file but it will store the hash in the /var/opt/CPsuite-R77/fw1/conf/fwauth.NDB file. (use grep or an editor, but make sure you have 20 bytes, because the fwauth.NDB is a data filetype and non-printable ascii characters could be present which need to be removed first).

[Expert@gaia:0]# grep -a -i internal_password fwauth.NDB
:internal_password (bfab0767964c4991faa6a054f553368fb3f55e27)


Please note that if you added more accounts to the “administrators” tab, by using the above grep more hashes will return and you will have to look into the fwauth.NDB to match the corresponding name.

Use the oclHashcat–m 20 mode as explained before to handle this hash.

oclhashcat64.exe -a 3 964c4991faa6a054f553368fb3f55e27:bfab0767 --hex-salt -m 20 hashcat!


Interestingly enough is when adding a user (e.g. user999) with exactly the same authentication scheme (Check Point Password) as used with the newadmin administrator, the hash of that password is stored in a different format, a DESCrypted hash. See sample below. The first hash is the “newadmin” MD5 based hash, the second hash is for the added user999). See attachment to get an idea of the SmartDashboard administrator/users layout.

[Expert@gaia:0]# grep -a -i internal_password fwauth.NDB
:internal_password (bfab0767964c4991faa6a054f553368fb3f55e27)
:internal_password (q7Lq07kQU.PPI)


The DESCrypted hash can be handled with oclHashcat hashmode –m 1500

oclhashcat64.exe -a 3 q7Lq07kQU.PPI -m 1500 hashcat!


Cheers Maarten


Attached Files
.png   cproles.png (Size: 38.36 KB / Downloads: 8)
#2
Great information, thank you for sharing!
#3
Indeed, very good stuff, thoroughly explained.
#4
Thanks guys, you are welcome.

Just a minor addition: The hash for the expert mode on both SPLAT and the Gaia platform can also be found in /boot/grub/grub.conf.

[Expert@cpsplat]# grep password grub.conf
password --md5 $1$^BZBBABB$ICuFdZqgMooVF7CMBaX8x0


Once again you can check it with the -500 hashcat mode (make sure you use quotes because of the special chars in the hash).

oclHashcat64.exe -a 3 "$1$^BZBBABB$ICuFdZqgMooVF7CMBaX8x0" -m 500 hashcat!

When you are changing the expert password in the cp_shell (set expert-password) make sure you do a "save config" after that. Otherwise the expert password hash is not saved into the initial_db (Gaia).

Cheers Maarten
#5
Excellent post, thanks!