15 Threat Prevention TE & TEX Lab PDF
R80.10 Training
(revised: September 14, 2018)
Lab topology

R80 Management & Gateway (VMware: suspend)
  Eth0: 192.168.101.254 (Internal Network)
  Eth1: 192.168.102.254 (DMZ Network)
  Eth2: 192.168.103.254 (External Network)
  User: admin / Cpwins1!
  GUI: admin / Cpwins1!
  Default Gtwy: 192.168.103.2
  DNS: 192.168.103.2, 8.8.8.8

External Network (IP: 192.168.103.x)
  Kali, Pen Test Tool (VMware: suspend)
    IP: 192.168.103.100
    User: root/Cpwins1!
    Default Gtwy: 192.168.103.254
    DNS: 8.8.8.8

Internal Network (IP: 192.168.101.x)
  Win-Victim, Internal Client
    IP: 192.168.101.100
    User: jroberts/Cpwins1!
    Default Gtwy: 192.168.101.254
    DNS: 192.168.102.2
  Endpoint Management (EndpointServer)
    IP: 192.168.101.165
    User: admin/Cpwins1!
    Default Gtwy: 192.168.101.254
    DNS: 192.168.102.2, 8.8.8.8

DMZ Network (IP: 192.168.102.x)
  Ubuntu Web Server
    IP: 192.168.102.5
    User: admin/Cpwins1!
    Default Gtwy: 192.168.102.254
    DNS: 127.0.1.1
  Win-DC, Active Directory
    IP: 192.168.102.2
    User: Administrator/Cpwins1!
    Domain: LAB.TEST
    Default Gtwy: 192.168.102.254
©2017 Check Point Software Technologies Ltd.
SandBlast Threat Prevention Lab
Enable SandBlast
• Edit the Gateway object. The First Time Activation wizard launches.
• Enable Threat Emulation.
Review Questions
Threat Emulation
Note: Prior to running the lab, ensure the Threat Emulation Gateway is up to date.
• Select Custom.
• The web server sends the emails to the gateway, which is now configured as a Mail Transfer Agent (MTA).
• The gateway inspects the emails. When it has a verdict, it forwards them to the mail server on win-dc.
• One tab is to the Ubuntu web server hosting the Unknown 300 page.
Note: If you don’t see the success message, see slide 27 below to create a variant.
• Enable AutoScroll.
• Using the Gaia WebUI terminal or PuTTY, log into the R80 VM as admin, then enter expert mode.
• While you're waiting, launch the Outlook client on the win-victim VM.
• It should be fairly quick because the gateway already has a hash of the file.
• Enable Threat Extraction.
• If you trust the source, click the link to the original attachment.
• This launches a batch file that changes the MD5 of the resume.doc file.
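Added example (Python, not part of the Check Point lab material and not Check Point code): it models why the second emulation above is quick (the gateway already has a hash of the file) and why the batch file that changes the MD5 of resume.doc forces a fresh verdict. It also shows the first thing an inspecting MTA does with a message: pull the attachment out of the MIME tree and hash it. The sample message, the "resume.doc" contents, the lab.test addresses and the toy verdict store are all constructed for this example; the store stands in for the gateway's hash cache and ThreatCloud lookup, it is not their implementation.

```python
"""Added example: hash-based verdict caching versus a one-byte file variant.

Constructed for illustration; not the lab's or Check Point's code.
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Public EICAR test string, as served by www.eicar.org.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_message(attachment_name: str, payload: bytes) -> bytes:
    """Constructed sample mail, like the one the lab web server hands to the gateway MTA."""
    msg = EmailMessage()
    msg["From"] = "webserver@lab.test"   # assumption: addresses in the lab's LAB.TEST domain
    msg["To"] = "jroberts@lab.test"
    msg["Subject"] = "Resume"
    msg.set_content("Please see the attached resume.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> list[tuple[str, bytes]]:
    """First step of MTA inspection: every attachment, decoded back to its original bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def file_hashes(data: bytes) -> dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


class VerdictCache:
    """Toy hash -> verdict store: a hit skips emulation, a miss means the file is emulated."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}
        self.emulations = 0

    def emulate(self, data: bytes) -> str:
        # Stand-in for sandbox emulation: only files containing the EICAR string are flagged.
        self.emulations += 1
        return "malicious" if EICAR in data else "benign"

    def verdict(self, data: bytes) -> tuple[str, bool]:
        key = file_hashes(data)["sha256"]
        if key in self._store:
            return self._store[key], True        # cache hit: quick, no emulation
        self._store[key] = self.emulate(data)    # cache miss: full emulation
        return self._store[key], False


def make_variant(data: bytes) -> bytes:
    """What the lab's batch file achieves: same document, one extra byte, every hash changes."""
    return data + b"\n"


def run_scenario() -> dict:
    cache = VerdictCache()
    doc = b"constructed resume body " + EICAR        # constructed 'resume.doc' the sandbox flags
    name, data = extract_attachments(build_message("resume.doc", doc))[0]
    first = cache.verdict(data)                       # never seen: emulated
    second = cache.verdict(data)                      # same hash: answered from the cache
    _, variant = extract_attachments(build_message("resume.doc", make_variant(doc)))[0]
    third = cache.verdict(variant)                    # new hash: emulated again
    return {"name": name, "first": first, "second": second, "variant": third,
            "emulations": cache.emulations,
            "md5_changed": file_hashes(doc)["md5"] != file_hashes(variant)["md5"]}


if __name__ == "__main__":
    print(run_scenario())
```

The cache is keyed on SHA-256 rather than MD5 only because that is what a practitioner would use today; the point the lab makes is the same for either digest: a verdict is tied to the exact bytes, so any change to the file, however small, turns a known file back into an unknown one that must be emulated from scratch.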
Review Questions
• Install My_Policy.
• Browse to www.eicar.org.