Helloo!!
Voilà, for a few weeks now I'm a CSSA aka Certified SonicWall Security
Administrator
;-) Ok, nothing really exciting, but now it's time to start messing with
these boxes. I would love to know what these boxes do, apart from the
stuff that the web interface tells me... :-p
SonicWall firewalls provide a function to export the configuration (for
backup purposes, and nothing else..) to a *.exp file. It looks
unreadable at first glance, but basically it's just a simple
text file that has been base64 encoded: one long line of key=value pairs
joined by '&', with spaces written as %20. So again something for your
bashrc (linux+cygwin). Add the lines below, and wait for the results..:
# Print product, serial number and firewall name from a SonicWall *.exp export.
# The file is base64; after decoding it is one line of key=value pairs separated
# by '&', with spaces written as %20 (the sed calls undo both).
function swall-fwinfo {
    base64 -d "$1" 2>/dev/null | sed 's/&/\n/g' | sed 's/%20/ /g' \
        | awk -F"=" '/serialNumber/ { serial = $2 } /firewallName/ { name = $2 } /shortProdName/ { product = $2 } END { printf "Product: %s\nSerial: %s\nFirewall-Name: %s\n", product, serial, name }'
}
# Decode the whole export, one key=value pair per line (pipe it into less).
function swall-fwdecrypt {
    base64 -d "$1" 2>/dev/null | sed 's/&/\n/g' | sed 's/%20/ /g'
}
and now let's try it out:
|| user@workstation ~ || swall-fwinfo sonicwall-TZ_210-5_6_0_9-49o.exp
Product: TZ 210
Serial: 0017C5000000
Firewall-Name: 0017C5000000
|| user@workstation || swall-fwdecrypt sonicwall-TZ_210-5_6_0_9-49o.exp | less
checksumVersion=1
buildNum=5.6.0.9-49o
shortProdName=TZ 210
hasHAPort=0
userIV=9d65e1d46d2e483e
passwordUniqueNum=0
schedObjId_0=Work Hours
schedObjType_0=2
schedObjProperties_0=29
schedObjDaysOfWeek_0=22614152
...
checksum=02650bb5
Ok, so the first one, 'swall-fwinfo', is to quickly get the most important
data out of it. I tend to have a bunch of exp-files in my download
folder, but no clue which box they belong to, so this is an easy way to figure
it out ..again :-D
The second one is to get the whole configuration decoded and passed over
to less, so you can view the VPN endpoints, figure out its original WAN IP,
check for custom services etc.
If somebody needs a Perl implementation, check out this page:
http://it-blog.timk.de/...,
I found that one after I created my little bash-thingy, but happily I'm
not the only one posting about SonicWalls, thanks Tim! ;-)
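The same decoding in Python, added here as an example (not code from this post or from Tim's page): it reverses every %XX escape instead of only %20, pulls the three fields swall-fwinfo prints, groups the numbered schedObj* keys into one object per index, and lists the key names that look like credentials or key material, which is worth knowing before such a backup gets mailed around. The sample export, the firewall name and the SENSITIVE pattern are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample in the format described above (key=value pairs joined by
# '&', spaces as %20, then base64). Not a real SonicWall export.
SAMPLE_BODY = (
    "checksumVersion=1&buildNum=5.6.0.9-49o&shortProdName=TZ%20210&hasHAPort=0"
    "&serialNumber=0017C5000000&firewallName=edge-fw-01&userIV=9d65e1d46d2e483e"
    "&passwordUniqueNum=0&schedObjId_0=Work%20Hours&schedObjType_0=2"
    "&schedObjDaysOfWeek_0=22614152&checksum=02650bb5"
)
SAMPLE_EXP = base64.b64encode(SAMPLE_BODY.encode()).decode()

# Key names that hint at credentials or key material (hypothetical list).
SENSITIVE = re.compile(r"passw|secret|psk|sharedkey|community|iv$", re.I)

def decode_exp(data: str) -> dict:
    """Base64-decode an export and return {key: value}. unquote() reverses
    every %XX escape, not only the %20 that the sed one-liner handles."""
    fields = {}
    for pair in base64.b64decode(data).decode("utf-8", "replace").split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key] = unquote(value)
    return fields

def fwinfo(fields: dict) -> dict:
    """The three values swall-fwinfo prints."""
    return {"product": fields.get("shortProdName"),
            "serial": fields.get("serialNumber"),
            "name": fields.get("firewallName")}

def sensitive_keys(fields: dict) -> list:
    """Keys to know about before an export is mailed around or left in Downloads."""
    return sorted(k for k in fields if SENSITIVE.search(k))

def indexed_objects(fields: dict, prefix: str) -> list:
    """Group keys like schedObjId_0 / schedObjType_0 into one dict per index."""
    objs = {}
    for key, value in fields.items():
        m = re.fullmatch(rf"{prefix}(\w+?)_(\d+)", key)
        if m:
            objs.setdefault(int(m.group(2)), {})[m.group(1)] = value
    return [objs[i] for i in sorted(objs)]
```

To run it on a real file, read the *.exp contents into a string and hand it to decode_exp().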
Next thing to do is to find out a way to 'encrypt' them back. A simple base64 (without -d) isn't what I'm looking for. SonicWall creates the 'checksum' field at the end of the configuration (see above), which looks like crc32, adler32, cksum, elf32 or sum32 according to its length, but I wasn't able to figure out based on which data it generates the sum. Additionally, with every export some fields get altered, namely the password fields, which are likely encrypted with the userIV value somehow, which uses a random (based on timestamp!?) value, and therefore the checksum tends to get higher and higher and doesn't decrease (ok, I've seen 1/2 exceptions..)... Anyway, will dig into it again soon, wait for more!
..btw, I'm currently struggling a bit with code blocks.. I don't like any of the syntax-highlighting plugins for WP: either they mess with my code, or they just look terrible, or they are out of date... :-D hints or patience appreciated ;-)
Thanks for reading and cheers,
Raphi