Saturday, December 2, 2017

SANS Holiday Hack 2017 Alert

It's that wonderful time of year again... SANS Holiday Hack 2017 will soon be released.  Those of us who share a love of solving puzzles will be shut in our rooms and up late nights trying to solve this challenge.

I wanted to practice writing some more Powershell code, so I thought of a program that has a reference index of the SANS Holiday Hack site, compares it to a newly downloaded version, and emails or texts me if there have been any changes.  I could then schedule it to run every hour in Task Manager in a Windows VM, so hopefully I'll have a good indication of when I can start on the challenge.

I Googled it.  Sources:

https://learn-powershell.net/2011/02/11/using-powershell-to-query-web-site-information/
https://blogs.msdn.microsoft.com/koteshb/2010/02/12/powershell-how-to-create-a-pscredential-object/
https://www.pdq.com/blog/powershell-send-mailmessage-gmail/

I stitched the pieces together to come up with the following.  Note:  I am new to PowerShell, so there is likely a better way to do this.

**WARNING**

Please do not under any circumstances run this kind of thing in a production environment.  Having plain text credentials in a program is a surefire way of being pwned.

**END WARNING**

Here's the code:

#sets the $username variable to test
$username = "test"

#sets the $password variable to test password
$password = "testpassword"

# Can Convert the $password value to a more secure version, however, I told it to use Plain
# Text.
$secpassword = ConvertTo-SecureString -String $password -AsPlainText -Force

#Creates a PSCredential object that can be piped into cmdlets that have a -Credential
#parameter
$mycreds = New-Object System.Management.Automation.PSCredential $username, $secpassword

#Create a new web client object
$web = New-Object Net.WebClient

Try{

    #tries to get the index page of the holidayhackchallenge website and output the source to
    #a file.  The download sits inside the Try so that a failed connection is caught below.
    $index = $web.DownloadString("https://www.holidayhackchallenge.com")
    $index | Out-File -FilePath 'C:\Users\Me\new.html'

}
Catch{

    #returns an error message if the $index try block doesn't succeed.
    Write-Host -ForegroundColor Red -NoNewLine "The website may be down or your access is down."

}
Try{

    #tries to compare the new.html file created in the $index | Out-File... line to the reference
    #index.html that I downloaded to begin with.
    $change = Diff -ReferenceObject $(Get-Content 'C:\Users\Me\index.html') -DifferenceObject $(Get-Content 'C:\Users\Me\new.html')

}
Catch{

    #returns an error message if the $change try block doesn't succeed.
    Write-Host -ForegroundColor Red -NoNewLine "Something went wrong."

}

if ($change) {

    #if $change is true, i.e., there's a difference, I get an e-mail saying that the challenge may
    #be live.
    Send-MailMessage -To "<Insert User Here> <Insert Email Here>" -From "<Insert User Here> <Insert Email Here>" -Subject "Holiday Hack 2017 may be live!" -SMTPServer "<Gmail SMTP Server Here>" -Port "<Gmail SMTP Port Here>" -UseSsl -Credential $mycreds

}

There may be a problem with the logic...  Not exactly sure how the pipeline would work if I can't connect to the website for some reason.  If the website is down, it might still create the "new.html" file, but it would be empty, meaning that there would be a change.  However, the Diff (an alias for Compare-Object) throws an error if the difference object is null, so that should not be a problem for my purposes.  Others may want more robust code.
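As an added example (my own script, not the post's), here is a hardened version of the same monitor that addresses both the warning and the logic worry above: the download sits inside the try block, the page is compared by SHA-256 hash so an empty or failed download cannot trigger a false alert, and the SMTP credential is loaded from a file created once with Get-Credential | Export-Clixml instead of being stored as plain text. The file paths, the state file, the credential file and the mail placeholders are assumptions.

```powershell
# Added example: hardened page-change monitor (not the original post's script).
# Assumptions: paths under C:\Users\Me, and a credential file created once with
#   Get-Credential | Export-Clixml -Path 'C:\Users\Me\smtp.cred.xml'
# (on Windows, Export-Clixml protects the password with DPAPI for this user/machine).
$Url       = 'https://www.holidayhackchallenge.com'
$StateFile = 'C:\Users\Me\index.sha256'        # last-seen hash of the page
$CredFile  = 'C:\Users\Me\smtp.cred.xml'       # DPAPI-protected PSCredential

function Get-PageHash {
    param([string]$Uri)
    # Fetch the page; a network error throws and is handled by the caller.
    $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 30
    if ([string]::IsNullOrWhiteSpace($resp.Content)) {
        # An empty body is a failure, not a "change".
        throw "Empty response from $Uri"
    }
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($resp.Content)
    return (($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Test-PageChanged {
    param([string]$NewHash, [string]$StatePath)
    # First run: record the baseline and report "no change".
    if (-not (Test-Path $StatePath)) {
        Set-Content -Path $StatePath -Value $NewHash
        return $false
    }
    $old = (Get-Content -Path $StatePath -Raw).Trim()
    if ($old -ne $NewHash) {
        Set-Content -Path $StatePath -Value $NewHash   # update so we alert only once
        return $true
    }
    return $false
}

try {
    $hash = Get-PageHash -Uri $Url
}
catch {
    # Download failed: report it and stop; never fall through to the mail step.
    Write-Host -ForegroundColor Red "Could not fetch ${Url}: $($_.Exception.Message)"
    exit 1
}

if (Test-PageChanged -NewHash $hash -StatePath $StateFile) {
    $creds = Import-Clixml -Path $CredFile
    Send-MailMessage -To '<Insert Email Here>' -From '<Insert Email Here>' `
        -Subject 'Holiday Hack 2017 may be live!' -Body "SHA-256 of $Url changed to $hash" `
        -SmtpServer '<Gmail SMTP Server Here>' -Port "<Gmail SMTP Port Here>" -UseSsl -Credential $creds
}
```

A whole-page hash will also fire on dynamic content such as timestamps or per-request tokens, so check the first alert by hand before trusting the hourly job.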

Thursday, November 9, 2017

Convert JSON file to CSV With Powershell

I'm trying to learn Powershell.  I tend to do better when I have real world puzzles to solve.

Today, someone wanted an inventory of devices from our firewall manager.

Luckily, you could export a list of the devices that it was managing, but it exported it in a .dat file.

That .dat file was compressed.  Fortunately, 7Zip seemed to know what type of compression it was, so I simply extracted the list using 7Zip.

The list was kind of json formatted.  I wanted a csv file because it's easier to work with.

I say kind of because if I opened it in Notepad++, it had extra data at the top and bottom.  Reason being is so that if I wanted to import the list back into the manager, the manager could process it.

I tried using the data as it was in Powershell.  Powershell did not like it one bit.

Get-Content -Raw list | ConvertFrom-Json

Invalid Json Primitive
<a bunch of red error messages here>

So, I opened it in Notepad++ and removed the extra data at the top and bottom of json data.  Still a bunch of red error messages.

Added a curly bracket at the top { and a curly bracket at the bottom}.  Powershell finally did something with it.  So, I tried this.

Get-Content -Raw list | ConvertFrom-Json | ConvertTo-Csv | Out-File list.csv

It kind of worked.  The data I wanted was in a couple of arrays though.  So I had to do this:

Get-Content -Raw list | ConvertFrom-Json | Select -Expand <array name here> | Select -Expand <another array name here> |  Select name,"serial number" | ConvertTo-Csv | Out-File list.csv

Bingo!  It had a header and a footer in the csv - something to do with Powershell, but it worked.  I just opened it in Excel and removed the header and footer.  I saved it as an Excel doc.  Seems to be fine.
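As an added example (not the post's own commands), the same conversion done without the Notepad++ and Excel hand edits: the wrapper text above and below the JSON is trimmed programmatically, the nested arrays are flattened to one row per device, and the CSV is written without the "#TYPE" header line. The sample export, its header/footer lines, and the array and field names ("groups", "devices", "serial number") are all constructed assumptions.

```powershell
# Added example (not from the original post). Constructed sample of a manager export
# with extra text above and below the JSON, as the post describes.
$RawExport = @'
## FIREWALL MANAGER EXPORT v1 (constructed sample header line)
{
  "groups": [
    { "name": "branch", "devices": [
        { "name": "fw-branch-1", "serial number": "FGT60D0000000001", "os": "5.4" },
        { "name": "fw-branch-2", "serial number": "FGT60D0000000002", "os": "5.6" } ] },
    { "name": "hq", "devices": [
        { "name": "fw-hq-1", "serial number": "FGT60D0000000003", "os": "5.6" } ] }
  ]
}
## END OF EXPORT (constructed sample footer line)
'@

function Get-JsonBody {
    param([string]$Text)
    # Keep only the span from the first '{' or '[' to the last '}' or ']', dropping the
    # header/footer lines the manager adds for its own re-import.
    $s = @('{','[') | ForEach-Object { $Text.IndexOf($_) } | Where-Object { $_ -ge 0 } |
         Measure-Object -Minimum | Select-Object -ExpandProperty Minimum
    $e = @('}',']') | ForEach-Object { $Text.LastIndexOf($_) } |
         Measure-Object -Maximum | Select-Object -ExpandProperty Maximum
    if ($null -eq $s -or $e -lt $s) { throw 'No JSON object or array found in the export' }
    return $Text.Substring($s, $e - $s + 1)
}

function Convert-ExportToInventory {
    param([string]$RawText)
    $data = Get-JsonBody -Text $RawText | ConvertFrom-Json
    # Walk the nested arrays (the post's "Select -Expand ... | Select -Expand ..." chain)
    # and emit one flat row per device, keeping the group name as well.
    foreach ($g in $data.groups) {
        foreach ($d in $g.devices) {
            [pscustomobject][ordered]@{
                group           = $g.name
                name            = $d.name
                'serial number' = $d.'serial number'
            }
        }
    }
}

$rows = Convert-ExportToInventory -RawText $RawExport
# -NoTypeInformation suppresses the "#TYPE ..." first line that otherwise has to be deleted by hand.
$rows | Export-Csv -Path 'list.csv' -NoTypeInformation -Encoding UTF8
$rows | ConvertTo-Csv -NoTypeInformation      # same CSV echoed to the console
```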

Sunday, October 29, 2017

Moving Files From Inoperable Computers With Wiebetech Forensic Ultradock

Full disclosure:  I do not get kickbacks for mentioning anything in my blog.  If I ever do, then I will specifically say so.  I just happen to like the devices that I mention and feel that they may help others.

At work, I used a Wiebetech Forensic Ultradock to look at some files on some drives.  It was incredibly easy to use.  When you open the computer cases, unplugged of course, being very careful, you just note the type of connection cables that are plugged into the hard drive, disconnect them to remove the hard drive, remove the hard drive, and use the same connection cables that come with the dock.  Everything is well labeled on the dock.  Then you plug the dock into your laptop/Desktop computer with the appropriate cable via a USB port.  Plug the dock into a wall socket using the power cord, and the dock should display info about the drive.  When you flip the switch, you should be able to browse the files on the docked hard drive on your laptop/Desktop computer just like you can with an external drive.

Regarding taking apart laptops/towers:  If you feel unsure, simply take it slow, and take pictures as you go along so that you'll remember how everything is assembled, so you can reassemble it later.  Many devices are taken apart on YouTube, so you can see tutorials about how to do so on there, or simply Google it.  Even if your specific model isn't on Google/YouTube, many computers are usually similar, so understanding what things are, inside the case, isn't difficult.

I have some old computers at home where I have some photos stored.  I made backups, but a couple of moves later, and I have no idea where the backups are.  I've wanted to get those photos for quite some time, but I've been working on other things.

My spouse recently took SANS FOR 500.  I can't look at his books; it's against the licensing.  (I hope to be able to save enough and take this course as a work-study, later.)  I don't think that SANS can be opposed to me using the equipment provided in the class, though, i.e. the Wiebetech Forensic Ultradock.

I looked on Amazon for the same model of Wiebetech Forensic Ultradock, in case others are interested.  It is ~$280 as of this writing.  The version I'm using is FUDv5.5 in case this link doesn't work in the future.

https://www.amazon.com/CRU-31350-3109-0000-WiebeTech-Forensic-UltraDock/dp/B0167NDLOU

Looking for older versions, it looks like they can be purchased for around $55.

https://www.amazon.com/WiebeTech-Forensic-UltraDock-V4-controller/dp/B002MF68HA/ref=sr_1_2?s=electronics&ie=UTF8&qid=1509300870&sr=1-2&keywords=WiebeTech+Forensic+UltraDock

I did not check to see if the connection cables were included with those prices.  Also, one should probably make sure that the dock will work with their OS and with the device that they want to retrieve files from.

You can find documentation, the device, and other parts on this site:

https://www.cru-inc.com/products/wiebetech/forensic-ultradock-v5-5/

Fortunately, my spouse's dock works just fine with my MacBook Pro.  It also works with Windows 10.  Also, note:  Be very careful.  If your old docked device was compromised by malware, you could still be at risk.  This forensic dock, according to the manual, provides write-blocked access to the docked device; however, you can still copy files from the docked device to your computer.  If you run those files and they are infected, you have a chance of infecting your computer with malware if the malware is compatible with the OS of your current device.

The most trouble I had was taking apart the laptop and old towers that I was interested in getting the photos off of.  Every one of them had a different case style.  The most difficult one was the Compaq.  Its case was a little bent.  None of them were difficult though.

I was laughing at the specs on an old Compaq that was running Miserable Edition.  At the time, it was awesome.  Now it's ancient.  It could probably still run some retro games just fine.  Since I now have the files off of it, I might tinker with it later.

The old towers were all in my garage, so they were dusty, had a couple of crickets, and had some spiderwebs inside.  So be aware, no matter how clean you are, if things are in storage or a garage, you may find some surprises.

It was interesting seeing the change in technology over time.  The hard drives from the towers were clunky and only 40GB.  My older laptop had a 500 GB hard drive.  I might get a case and make an external drive out of the 500GB hard drive.

I showed my children the inside of the computers and explained to them the dangers of taking them apart.  I also explained that I was very careful, and that I had taken computers apart before to troubleshoot problems, and add hard drives and memory.  They seemed to like looking at the inside of each of the computers. :)  It was a fun, family activity.

Have fun :)

Friday, October 27, 2017

Ubuntu Bootable USB Drive

Create an Ubuntu Bootable USB with an ISO with dd

1.  Start Ubuntu on a host machine or VM.  I used VMWare Workstation and a guest Ubuntu ISO.
2.  apt-get install gparted
3.  plug in an empty USB
4.  See which /dev node the USB is attached to, usually something like /dev/sdb.  You can do this by typing dmesg | tail -n 10.  The output should show the name, size, and device node of the USB.
5.  sudo gparted ; enter password if it is set.
6.  Select the correct device from the dropdown on the right.
7.  On the menu, choose Partition.  If the drive isn't empty, delete what is on the drive by clicking on "Delete".  This will permanently delete the info, so keep this in mind.  Click on the green checkmark icon to apply the changes to the drive.
8.  If/when the drive is empty, select "New". A popup should appear.  Choose ext4 for the File system.  Click OK.  Click on the green checkmark icon to apply the changes to the drive.
9.  Exit the program.
10.  Download the Ubuntu ISO
11.  dd if=/pathandname/of/Ubuntu.ISO of=/dev/devname bs=4MB

Create an Ubuntu Bootable USB with an ISO with unetbootin

1.  Start Ubuntu on a host machine or VM.  I used VMWare Workstation and a guest Ubuntu ISO.
2.  apt-get install gparted && apt-get install unetbootin
3.  plug in an empty USB
4.  See which /dev node the USB is attached to, usually something like /dev/sdb.  You can do this by typing dmesg | tail -n 10.  The output should show the name, size, and device node of the USB.
5.  sudo gparted ; enter password if it is set.
6.  Select the correct device from the dropdown on the right.
7.  On the menu, choose Partition.  If the drive isn't empty, delete what is on the drive by clicking on "Delete".  This will permanently delete the info, so keep this in mind.  Click on the green checkmark icon to apply the changes to the drive.
8.  If/when the drive is empty, select "New". A popup should appear.  Choose ext4 for the File system.  Click OK.  Click on the green checkmark icon to apply the changes to the drive.
9.  Exit the program.
10.  Download the Ubuntu ISO
11.  Mount the device: mount /dev/sdX /mnt
12.  sudo unetbootin
13.  Either A)  Select Ubuntu from the OS dropdown and the version of Ubuntu from the dropdown at the top of the screen and select USB at the bottom of the screen and the directory of the USB from the elevator bar, then click OK
Or B) Select your Ubuntu ISO in the elevator bar at the bottom of the screen and select USB at the bottom of the screen and the directory of the USB from the elevator bar, then click OK.

DOS Bootable USB Drive With Samsung Magician Secure Erase

I've never had to create a bootable drive before.  I'm not exactly a hardware person either.  I wanted to erase an SSD drive.  I've read a little bit of forensics and how if drives aren't properly handled, some information can still be retrieved.  I wanted to make sure that the information on this particular drive was either not accessible to get or completely erased.  I prefer the latter, but realize that sometimes that may not be possible.

So I did some research.  SSD drives cannot be erased in the same way as the old spinning platter drives.  The spinning platter disc drives could simply be overwritten by flipping all of the bits on the drives to 0s.  The way in which SSD drives work, the user is only presented with sort of a window of data that the controller shows them, not every single section on the drive.  So theoretically, some information can still be on the drive, even if all the bits on one part are overwritten with 0s.  Not sure how great the following websites are, but I found them helpful.

The tech behind SSD is explained here:

https://computer.howstuffworks.com/solid-state-drive.htm

The difference between SSDs and Spinning Platter hard drives:

https://www.extremetech.com/extreme/210492-extremetech-explains-how-do-ssds-work

SSDs can be reset using a Secure Erase command that is in most of the SSDs produced since 2001.  According to the following Q&A, it's not exactly an erase; it's more of a reset.

Secure Erase Q & A  - this is a doc file.

My device isn't that old, so it should support that command.  My device is a Samsung EVO 850.  There is a utility by Samsung called Magician that works with certain devices-this model being one of them.  I figure that the manufacturer knows its drive better than anyone, so it seems safer to use the manufacturer's own utility even though there are other options like linux hdparm.  My drive is no longer in the laptop that it was originally in.

The manual for Magician says that it can't erase a drive that is connected in any manner other than the motherboard, but it says that one can create a bootable USB drive that has secure erase on it to delete the SSD.

Download - Samsung Magician Consumer Magician Installation Guide

I installed Magician on a Windows device.  I tried docking the drive on a Wiebetech Forensic Ultradock to see if I could make a bootable USB drive.  Magician wouldn't give me the option to create a bootable USB drive because it didn't detect the drive.  (Windows detected the drive just fine.  I could peruse the directory structure in Windows Explorer.  It was like browsing a USB drive.)

So I did more research.

I found this:

https://us.community.samsung.com/t5/Others/How-to-use-Secure-Erase-on-an-SSD-when-you-only-have-one-SATA/td-p/103566

I didn't use Rufus, like in the directions in the website above.  I used Ubuntu, a FreeDOS ISO downloaded from the FreeDOS website, gparted, and the native dd command to create a bootable DOS drive.

1.  Start Ubuntu on a host machine or VM.  I used VMWare Workstation and a guest Ubuntu ISO.
2.  apt-get install gparted
3.  plug in an empty USB
4.  See which /dev node the USB is attached to, usually something like /dev/sdb.  You can do this by typing dmesg | tail -n 10.  The output should show the name, size, and device node of the USB.
5.  sudo gparted ; enter password if it is set.
6.  Select the correct device from the dropdown on the right.
7.  On the menu, choose Partition.  If the drive isn't empty, delete what is on the drive by clicking on "Delete".  This will permanently delete the info, so keep this in mind.  Click on the green checkmark icon to apply the changes to the drive.
8.  If/when the drive is empty, select "New". A popup should appear.  Make the size of the drive 4096 KB (4 MB).  Choose NTFS for the File system.  Click OK.  Click on the green checkmark icon to apply the changes to the drive.
9.  Exit the program.
10.  Download the FreeDos ISO
11.  dd if=/pathandname/of/FreeDos.ISO of=/dev/devname bs=4MB

I then had a bootable DOS USB.

I then followed the directions on the following website from steps 2 down.

https://us.community.samsung.com/t5/Others/How-to-use-Secure-Erase-on-an-SSD-when-you-only-have-one-SATA/td-p/103566

I hooked up the SSD drive to the SATA port of an old tower Desktop computer.  I plugged in the USB and it booted from DOS.  (It asks to install DOS to the hard drive, but you just choose the language, and then exit to DOS.  It doesn't install DOS.)

When the DOS prompt appeared, I typed in "serase" and pressed enter. (It is whatever the name of the secure erase bat file is, if serase doesn't work for you.  In case you changed the name of the bat file for some reason.)

It should bring up a pseudo-GUI.  Magician should detect the drive if it was connected properly.  Then it will give you the option to secure erase the drive.  Follow the on-screen directions.  It's weird because it doesn't take long to erase at all.

Then I exited to DOS, and typed shutdown.  I now have an erased SSD drive.

I'm not exactly sure how the different versions of secure erase work.  From what I understand there are a couple of versions: secure erase and enhanced secure erase.  For my needs, whatever Samsung Magician did is probably fine, but for any business purpose the drives should probably be secure erased and destroyed if they have PII on them, because even secure erase is no guarantee that everything is off the drive.  I'm not sure if secure erase meets the legal requirements for HIPAA, PCI, or other laws.  Companies should consult their compliance advisors and/or legal team to determine this.

Wednesday, October 25, 2017

DerbyCon Door Key Challenge-Solution

I've been so busy I completely forgot to post these solutions.

You start out with a double-sided card with grey and green letters and numbers.  If you look at the front of the card, you'll notice that the legible words are the green letters.

If you look at the back of the card, you'll notice that these are hexadecimal characters.  One of my fav online tools helped to solve this one.

Solving the green ones gives a rotational cipher.  SLNHJF. KLYIF JVBUALYOHJR. JVT.

Using a rotational cipher solver, one of many that can be found online, you get the url of a website: DERBYLEGACY.COUNTERHACK.COM

Visiting the website, you are asked to create an account.  After creating an account, you are greeted with the following screen...

The first question clue was the following:

The solution was to find the item that matches the slip of paper.  There was a SANS Pen Test Blog posting with a piece of paper that looked similar to that.  Googling Python Reverse Shell and SANS Pen Test Blog Python Reverse Shell showed a blog posting.  At the bottom of the completed paper, it says, "Featuring SEC573".   

https://pen-testing.sans.org/blog/2017/01/31/pen-test-poster-white-board-python-python-reverse-shell

Another option is to search for the photo using TinEye.  TinEye is like a search engine of pictures on the Internet.  It can find photos similar to the one that you upload, and it displays the closest matches. It's great for ctf questions involving pictures.

The next one asks which SANS Pen Test Challenge Coin was created, but never released.

This one can be found by looking at the Pen Testing Blog post detailing the Pen Testing coins backstory.  

There's also a hint about a SANS poster.  The following poster shows a coin that no-one has.  It's a coin for SEC562.  flag{sec562}

The next question is simple.  Simply visit https://www.holidayhackchallenge.com and right-click and select view source.  Look for an ascii Santa with the flag.  flag{santa}

For the next challenge question, I downloaded the image and used Tineye, as I mentioned earlier to find a similar picture online.  The answer is flag{Bryce Galbraith}.

In the next question you can view the hex of the file using a hex editor like Bless or xxd, or you can use the strings command.  The title is: Introduction to Reverse Engineering for Pen Testers.  The speaker is Stephen Sims.

I used Wireshark to look at the following pcap.  Then I clicked on Statistics>Protocol Hierarchy, highlighted HTTP, and Right-Clicked and chose Apply As Filter>Selected.  After that, I simply looked for a POST message, Right-Clicked and chose Follow TCP Stream.  If you look through the requests and responses, you'll see a password in clear text.

The code in the next question prints the flag.  It's backwards in the bottom of the code.  flag{pyWars}

Google the next one.  https://www.sans.org/netwars/cybercity  flag{SCADA}

Do a WhoIs lookup to find the first one.  Look on https://www.sans.org to see where he is teaching next.  Google the last one.  flag{edwardskoudissec560washingtonpost}

The next one is easy if you use the strings command.  flag{counterhack&sans}

Unfortunately, the challenge isn't still up as far as I can tell.  These may help others solve similar challenge questions, though.
Have fun!

Thursday, September 28, 2017

Easy Exploit

If you ever want to try an easy exploit, I recommend the Intel AMT vulnerability CVE-2017-5689.  This vulnerability is slightly scary because it's a firmware vulnerability that is accessible remotely.  The only problem:  You need a computer that has an Intel vPro Core processor.  Those are usually sold to businesses.  They are easily spotted because they usually have a nice sticker that says it's a vPro Core processor.  Not always though.  Sometimes the sticker is removed, or it never had one, so check the processor specs online if you aren't sure.

Items Needed:

Computer with an Intel Core VPro Processor
AMT drivers and software
Firefox and Tamper Data, or whatever you prefer to use to modify HTTP requests.

The vulnerable processors and AMT version numbers are here:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00075&languageid=en-fr

Here is a getting started guide for setting up Intel AMT, if you'd like to try to exploit this vuln:

https://software.intel.com/en-us/articles/getting-started-with-intel-active-management-technology-amt

The only nightmare is getting the computer configured to be vulnerable.  I found that if you custom install Windows, that some of the required drivers are not present, so you have to look up your computer model number and install the drivers.  Once that is done, it's not so bad to configure.

You have to configure it in Intel Management Engine BIOS extension (Intel MEBx).  For the computer I was testing, I had to press Ctrl-P before the computer booted into Windows to access that menu.  Then you just configure all the options.  Piece of Cake.

There's plenty of tutorials about how to exploit the vuln.  One is here:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00075&languageid=en-fr

The user has to be admin, or a valid user, otherwise, obviously, it won't log you in.

Thankfully, it looks like this vuln has been patched, so make sure to install the patch if you have vulnerable systems.

It's good to be admin. :)  Have fun.

Wednesday, September 27, 2017

DerbyCon Door Key Challenge

If you look on Twitter, CounterHack has opened the DerbyCon Door Key Challenge up to everyone.  I'm not going to publish the answers to the challenge right now so that others can join in on the fun.  It's open until October 13th.  Didn't take long to solve.  You should be able to use your mobile phone to solve it.  Good luck!

https://twitter.com/SANSPenTest/status/913130021929279491

Friday, September 8, 2017

Fortinet HQIP Test

I've been busy lately, obviously.  Learning a bunch of new stuff related to my job, and some unrelated.  In order to be good at information security, one should be good at areas in IT, i.e. the sysadmin work.  So I'm learning about Fortigate firewalls.

Sometimes issues come up and tests need to be performed in order to be able to get a return authorization for the device.  Since I have an older model, I had to perform something called an HQIP Test.  The directions are here: 

The directions show the diagram for the 60C Model.  The model that I have is a 60D.  Needless to say, there are a couple of different things about the model that I have.  Mine has 7 switch Ports, a DMZ port, a WAN1 port, and a WAN2 port.

So, I will describe how to perform the test to make others' lives easier.

Make sure you have everything that you need:

Hardware
Laptop/Desktop Computer to act as Terminal/TFTP Server
Ethernet cables (5 in this case).
A USB-to-Console adapter
The console cable that came with the device.
The power cable that came with the device.
A paper clip.
USB drive

Software
FortiExplorer can be used.  However I didn't use it because I didn't know how to save the output with it.  In order to do an RMA, the output must be included with the request.
I used Putty and SolarWinds TFTP Server.  
Correct HQIP Test Image
Firmware Image on a USB drive in case something goes wrong.

Acquire The Test Image

The image can be downloaded from the Fortinet Support site.
  • Login with your account username and password
  • Click on your account.
  • Select the Download Tab
  • Select the HQIP Images Option
  • Click on the text-box
  • Type in your serial number
  • Download the specified test image by clicking on the link.
  • Once the TFTP Server is set up, move this image from downloads to C:/TFTP-Root which is the default folder for SolarWinds TFTP Server or whatever folder you set it up to be in.

Device Set-UP
  • Connect the USB-Console adapter into the firewall via the Console Port
  • Make sure that the other end is connected to the laptop via the USB port.
  • Connect the Ethernet Cable from the laptop to the WAN1 port on the firewall (this can be any of the ports so long as it’s configured properly in the test script.)
  • Connect the loopback wiring according to the diagram below.  If the diagram is wrong, the test will tell you how to wire it properly.
  • You will not start out with the device properly wired according to the instructions.  Wire as much of it as you can to make your life easier later.  Don’t worry that you can’t wire all of it properly yet.  One port has to be connected to the laptop serving as the TFTP Server/Terminal, leaving one port open.  This is normal.  Before the test is performed, you will be asked to wire the rest of it properly.
  • Connect the Power Cable

FortiWifi 60D Loopback Wiring Diagram
Port 1 to Port 2
Port 3 to Port 4
Port 5 to Port 6
Port 7 to DMZ Port
WAN1 Port to WAN2 Port

Set Ethernet Adapter to Static IP Address

For Windows 10:
  • Right-Click on the Connection Icon in the task bar on the right hand side
  • Select “Open Network and Sharing Center”
  • Click on the “Change Adapter Settings Link” on the left-hand side
  • Right-Click on the Adapter you want to use
  • Select “Properties”
  • Click on “Internet Protocol Version 4 (TCP/IPv4)” to highlight it
  • Click the “Properties” button
  • Select the “Use the following IP Address” radio button
  • Type in the desired IP Address, Subnet, and default Gateway

Make Sure that the Firewall Allows TFTP
For Windows 10:
  • Click the Windows icon at the bottom left of the screen
  • Type “Windows Firewall”
  • Select the “Windows Firewall Control Panel” Option
  • A popup will appear
  • Click on the “Advanced Settings” link on the left-hand side
  • Click on “Inbound” Rules
  • Click on the “New Rule” link on the right-hand side
  • A pop-up will appear to configure the new rule.
  • Click on the "Port" radio button
  • Click "Next"
  • Click on the "UDP" radio Button
  • Click on the "Specific Local Ports" radio button
  • Type "69" into the text box
  • Click "Next"
  • Choose the “Allow the connection” radio button
  • Choose which profiles the rule applies to.  Be careful with this one because you don't want just anyone to be able to connect.  Most people choose domain or home (actually, as I recall, public has stricter rules), but you don't want the TFTP server to be reachable on a public network, so it's best not to use public.
  • Type in a Name for the rule: TFTP, and a Description if desired.
  • Click "Finish"
  • To ensure that not just anyone can connect, you can limit the IPs that can connect to it.
    • Find the TFTP rule in the rules list
    • Right-Click on it
    • Click "Properties"
    • Click "Scope"
    • Change the scope to the IP or range of IPs that you are comfortable connecting with your TFTP server.  (In this case, the IP that you plan to set the firewall to in the HQIP test.)
    • Remember that people can spoof IP Addresses, so this isn't foolproof.
  • If you’re paranoid, remove/disable this rule when you are done.  Disabling is as simple as right-clicking the rule in the rules list and selecting the “Disable” option.
  • Repeat the above steps, with the exception of choosing "Outbound Rules" instead of "Inbound Rules" at that step.
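As an added example (my own, not from the post), the same inbound and outbound TFTP rules created from an elevated PowerShell prompt, with the scope already limited to the FortiGate's address and restricted to the Domain and Private profiles, plus a function to disable them when the test is done. It assumes the laptop/TFTP server is 192.168.0.1 and the FortiGate is set to 192.168.0.2, the addresses used later in this post; the rule names are my own.

```powershell
# Added example (not from the original post): scripted equivalent of the firewall
# steps above. Assumptions: FortiGate HQIP address 192.168.0.2, rule names are mine.
# Must run from an elevated (Administrator) PowerShell prompt on Windows 10.
$FortiGateIp = '192.168.0.2'
$RuleNames   = @('TFTP-HQIP-In', 'TFTP-HQIP-Out')

function New-TftpHqipRules {
    param([string]$RemoteIp)
    # Inbound: the FortiGate's TFTP read request arrives on UDP/69; only $RemoteIp may send it,
    # and only on the Domain/Private profiles, never Public.
    New-NetFirewallRule -DisplayName $RuleNames[0] -Direction Inbound -Protocol UDP `
        -LocalPort 69 -RemoteAddress $RemoteIp -Profile Domain, Private -Action Allow `
        -Description 'Temporary: Fortinet HQIP image transfer' | Out-Null
    # Outbound: the data blocks leave from an ephemeral server port rather than 69, so this
    # rule is scoped by remote address and protocol instead of a local port.
    New-NetFirewallRule -DisplayName $RuleNames[1] -Direction Outbound -Protocol UDP `
        -RemoteAddress $RemoteIp -Profile Domain, Private -Action Allow `
        -Description 'Temporary: Fortinet HQIP image transfer' | Out-Null
}

function Disable-TftpHqipRules {
    # Same as right-clicking the rules and choosing "Disable"; keeps them for the next RMA.
    Get-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

function Remove-TftpHqipRules {
    # Use this instead if you would rather not leave the rules behind at all.
    Get-NetFirewallRule -DisplayName $RuleNames -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

New-TftpHqipRules -RemoteIp $FortiGateIp
# ... run the HQIP test, then:
Disable-TftpHqipRules
```

Scoping by remote address is the same limit the "Scope" tab sets, and it carries the same caveat the post gives: a spoofed source address is not stopped by it, so the rules stay disabled except while the test is running.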

Setting up the TFTP Server:
If you are using SolarWinds TFTP Server:
  • Click on “File>Configure”
  • Select the “Server Bindings Tab”
  • You can bind it to all IP Addresses on the machine by selecting the "bind to all IP Addresses" radio button.  This is not recommended for security reasons.
  • Select the “use custom server binding” radio button
  • Click in the text box
  • Type the desired IP range that the laptop will be serving the file from, in CIDR notation (if it is not specified, the program will choose the CIDR notation, like /32).
  • Click the + sign on the right side.  The IP Address should now be added to the custom server binding box.
  • Click OK
  • There should be a popup showing that TFTP was started on Port 69.

Setting up Putty for the Console Connection:

  • On the left-hand side, there will be a section called “Connection”
  • Choose “Serial”
  • On the right-hand side, change the “Serial line to connect to” to the COM interface of the laptop.
  • This can be checked in "Device Manager" under "Ports (COM & LPT)"
  • On the right-hand side,
  • Speed(baud) should be 9600
  • Data bits should be 8
  • Stop bits should be 1
  • Parity should be None
  • Flow Control should be XON/XOFF
  • Click "Open".  Assuming that the cables are properly set up and device is functioning properly, you should get a console connection to the device.  Sometimes you have to press Enter to see the prompt.

Configure the Settings on the Router for the TFTP Transfer

  • Login using your credentials.  The default username for this model is: admin, the default password is <no password>.
  • Type “execute reboot”.
  • Watch the screen carefully.  When it says, “Please wait for the OS to boot, or press any key to display configuration menu”, at this point, press any key.
  • A configuration menu will be displayed.

The first menu looks like this on this model:

[C]:  Configure TFTP parameters.
[R]:  Review TFTP parameters
[T]:  Initiate TFTP firmware transfer
[F]:  Format boot device.
[I]:  System information.
[B]:  Boot with backup firmware and set as default
[Q]:  Quit menu and continue to boot.
[H]:  Display this list of options.

Configure the following settings, noting that anything in brackets is the default setting.

First, we want to configure it to grab the test image from the TFTP server (i.e., our laptop/desktop computer running the SolarWinds TFTP Server).

So the first option we should select is C.

The next menu looks like this:

[P]:  Set firmware download port
[D]:  Set DHCP mode
[I]:  Set local IP address.
[S]:  Set local subnet mask.
[G]:  Set local gateway
[V]:  Set local VLAN ID
[T]:  Set remote TFTP server IP address
[F]:  Set firmware file name
[E]:  Reset TFTP parameters to factory defaults
[R]:  Review TFTP parameters
[N]:  Diagnose networking(ping).
[Q]:  Quit this menu
[H]:  Display this list of options.

Select P to set the firmware download port.  You can choose the default option; in this case I think it’s WAN1.  Keep in mind that if that port is bad, it won’t work, so you’ll have to choose a different port in that case.  It’s trial and error choosing the correct one, because the default port may be different for each model and, as I said, the port could be bad.  If one port fails to work, start this portion over again and try another.  The options are:

[0]:  Any of port 1-7
[1]:  WAN1
[2]:  WAN2

Choose 1 for the WAN1 port.

The next option that should be selected is I, to set the local IP address.  This is the IP address of the firewall.  Again, you can select the default; just make sure that the Ethernet adapter on your laptop is configured to be on this same subnet.  I make it easy and use 192.168.0.2.

Select S to set the local subnet mask.  I use 255.255.255.0, which is the default.  Press enter to choose the default.  Just make sure that your laptop ethernet adapter is configured with the same subnet mask.

Select G to set the local Gateway.  I make this the same as the laptop/TFTP Server/Terminal.  Usually 192.168.0.1.

I’m not concerned with the local VLAN ID, but this may apply to you if you use VLANs, so use it if you need to.

Select T to set the remote TFTP server IP Address.  This should be the same as your laptop Ethernet Adapter IP Address.  Again, I use 192.168.0.1.

Select F to set the firmware file name.  This must be the same name as the test image you downloaded from the Fortinet support site, or whatever you renamed it to.

Select R to review the settings.

Make any necessary changes.

Select Q to exit this menu and return to the first menu.

Select T to grab the test image from the laptop/TFTP Server.

If the file is transferring properly, you will see a bunch of pound signs in the Putty display.  When the image is transferring, you will see a notification in the SolarWinds TFTP window.
If it isn’t transferring, do normal troubleshooting to find out what the error is.

Common issues:

Cables aren’t properly configured.
The wrong download was chosen in the router settings.
TFTP server not configured properly.
Firewall not configured to allow TFTP connections.
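The common issues above can be checked from the laptop before selecting T on the router.  The following is an added PowerShell pre-flight check, not part of the original post or of any SolarWinds or Fortinet tool; it uses the 192.168.0.1/24 addressing from this walkthrough, and the TFTP root folder, firmware file name and expected checksum are assumed placeholders that you must set for your own setup.

```powershell
# Added pre-flight check (not from the original post). Assumed values below are
# placeholders: the TFTP root folder and firmware file name must match your setup.
param(
    [string]$TftpServerIp   = "192.168.0.1",        # laptop/TFTP server IP used in the walkthrough
    [string]$TftpRoot       = "C:\TFTP-Root",       # assumed SolarWinds TFTP root folder
    [string]$FirmwareFile   = "hqip-image.out",     # placeholder: the name typed at option F
    [string]$ExpectedSha256 = ""                    # optional: checksum from the Fortinet support site
)
$problems = @()

# 1. The router's "remote TFTP server IP" (option T) must be held by a local adapter on a /24.
$ip = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
      Where-Object { $_.IPAddress -eq $TftpServerIp }
if (-not $ip) {
    $problems += "No adapter has $TftpServerIp; set the laptop Ethernet adapter to match option T."
} elseif ($ip.PrefixLength -ne 24) {
    $problems += "Adapter prefix is /$($ip.PrefixLength) but the router subnet mask is 255.255.255.0 (/24)."
}

# 2. An enabled Allow rule for UDP 69 is needed in each direction (the rules created earlier).
foreach ($dir in "Inbound", "Outbound") {
    $filters = Get-NetFirewallRule -Direction $dir -Enabled True -Action Allow -ErrorAction SilentlyContinue |
               Get-NetFirewallPortFilter
    $tftp = $filters | Where-Object {
        $_.Protocol -eq "UDP" -and ($_.LocalPort -contains "69" -or $_.RemotePort -contains "69")
    }
    if (-not $tftp) { $problems += "No enabled $dir firewall rule allows UDP port 69 (TFTP)." }
}

# 3. Something must actually be listening on UDP 69 (the "TFTP started on Port 69" popup).
if (-not (Get-NetUDPEndpoint -LocalPort 69 -ErrorAction SilentlyContinue)) {
    $problems += "Nothing is listening on UDP 69; start the TFTP server and check its bindings."
}

# 4. The image must exist under the TFTP root with exactly the name given at option F, and
#    because TFTP has no integrity protection, compare its hash with the vendor's checksum.
$path = Join-Path $TftpRoot $FirmwareFile
if (-not (Test-Path -Path $path)) {
    $problems += "Firmware file not found: $path"
} else {
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Host "SHA256 of ${FirmwareFile}: $hash"
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpper()) {
        $problems += "SHA256 does not match the expected checksum; re-download the image."
    }
}

if ($problems.Count -eq 0) { Write-Host "Pre-flight OK: select T on the router to start the transfer." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated PowerShell prompt on the laptop after the TFTP server is started; each warning maps to one of the common issues listed above.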

If it transferred properly, the Putty/Terminal display will ask you what you want to do with the test image.
Type R to reset without saving the image.
In this case, it doesn’t start on its own.  (Some models will automatically start.)  You have to log in with the default credentials.  For this model:  User: admin, password: <no password>.
Type “diagnose hqip start” into Putty/Terminal Session.

There will be a message asking for a USB key.  Don’t worry about it.  That is for a firmware image on a USB drive.  Just press enter twice.  Since you selected “R”, it should just keep the old firmware.  You may want to reset the firmware anyway, but for RMA purposes, it may be best to keep the firmware as is.

It will run tests on its own.

You will be asked to check the LEDs.  Follow the directions in the Putty/Terminal session.  Press the spacebar if it passes, enter if it fails.

You will be asked to check whether the reset button functions properly.  Follow the directions in the Putty/Terminal Session.  Simply use a paperclip to press the reset button.  If it functions properly, you will see output and the word “PASSED”.  If you don’t see that, then it may have “FAILED”.  Wait a few minutes.  If it still doesn’t do anything, press Enter.  For the 60D model, the reset button is located near the power plug.
Do not unplug anything yet.

Save the Test Results

In Putty:
Method 1:
Right-click on the title bar of the terminal window
Select "Copy Contents to Clipboard"

Open Notepad
Paste the contents into the file
Save the results as your desired file name (I use serial number_HQIP_Test_Results)

Method 2:
Enable Logging in Putty
On the left-hand side, under Session, select Logging.
Choose the “Printable Output” radio button.  (“All session output” will show you everything.  For RMA, the All session output option may be the best.)
Select the log file name.  The default is “putty.log”
Choose what to do if the file exists.  Choose either the radio button that says, “always append to the end of it” or the “ask the user” radio button.
Confirm that all the output was captured.

Gracefully Shut Down the Firewall

In the Putty session, before unplugging anything, type "execute shutdown" and press enter.
Do not unplug anything until it says, “The system is halted.”