Wednesday, 6 August 2025

nessus advanced

Terrascan 

Need to tick a box to download it. 

Scans infrastructure-as-code (IaC) files (Terraform, CloudFormation, ARM, Kubernetes manifests, Dockerfiles etc.) for insecure configuration.

Used to scan a Git repo URL, for example.

  • Log level: sets the verbosity 
  • IaC type: select ARM, CFT (CloudFormation), Docker, k8s, Terraform etc.
  • Remote type: git, s3, gcs, http, terraform-registry
Note: Git must be installed on the Nessus server to use the git remote type.

Reviewing results is much like a regular Nessus scan.
Click on a control to see why it failed and how to fix it.
For example: a security-group / firewall rule leaves SSH (port 22) open to the internet.

It gives the file and line number where the issue was found, so the offending code can be reviewed and fixed at source.

Attack surface discovery

This is the initial scan to see what is visible externally.
My scans > New scan
Select the Attack Surface Discovery template
Supply a comma-separated list of top-level domains, e.g.
domain.com,other.com
Save and launch 

The scan will provide results

On the Records tab we see the IPs / hostnames that were found, with the record types:
  • A and AAAA
  • MX
  • NS
  • PTR
  • CNAME
  • SOA etc 
Now we can select what was discovered
  • Click more > create scan
  • Select a basic or advanced network scan
  • The targets field automatically populates
  • Now we can run the normal Nessus scan on the targets we discovered

Web application scanning

Traditional Nessus scans target IPs/hosts. Web app scans (WAS) look deeper into the web application itself: they crawl it and submit input to the web forms, and can run with or without creds. Traditional scans find the known (missing patches, vulnerable software versions); WAS can also find the unknown (flaws in custom code).

A traditional Nessus scan looks for the known. WAS actively investigates the web app: it sends many specially crafted requests to each page it finds.

  • Traditional scans suggest patches / software upgrades to fix the problem.
  • WAS shows you the leaks/flaws, but further investigation is needed from there; you will need to work with the customer/developer to get the code fixed.
WAS scanning sequence 
  • Identify web server
  • Known web app (wordpress, joomla etc)
  • Vulnerabilities on the known web apps
  • Spider through website to understand the layout
  • identify forms (CGI etc)
  • Pass parameters at forms
  • Identify vulnerabilities in the web app forms etc
Credentialed WAS (going beyond the public areas of the web app/site)
  • Connect to website 
  • Connect to login form
  • Login 
  • Perform tests
  • Looking for SQL injection / XSS / session management issues
  • Like a traditional scan, we get more info from a credentialed scan
  • WAS can have bad effects on the target (it submits data to forms, so it can create records, trigger emails etc)
  • Run on a test/staging site (avoid the live environment)
  • Scans can DoS/overload web servers/apps (rate limit the scan, run out of hours)
  • Run with a read-only user
How to mitigate issues
  • Back up before starting the scan
  • Scan a mirror of the site (test site etc)
  • Use a maintenance window for the scan
  • Light scan first, then tune the scan 
WAS workflow
  • Get website sub domains
  • run config scan
  • run overview scan (get creds)
  • develop scan policy 
  • follow up scans (code can change over time)
  • Keep WAS up to date
Sitemap.csv
Contains the list of URLs discovered, the HTTP methods each supports, etc.

How to enable WAS in nessus
  • Docker must be installed on the Nessus server
  • Tick Enable WAS
  • Nessus downloads the WAS container image
WAS Scan types

What kind of scan are we doing ?
  • Risk assessment 
  • Compliance requirements (credit card data requires PCI DSS; others may require CIS etc)
  • Data sensitivity 
  • Technology stack
  • Specific vulnerabilities 
Web app config audit scan
  • Checks which security HTTP headers are present
  • XSS checks
  • Is HTTPS enforced?
  • Quick to run, good first step
SSL_TLS web app scan 

  • Look for proper implementation of SSL/TLS on your web server
  • Measured against industry standards
  • Runs quickly too, good for regular checks
Web app overview scan
  • Discovery scan
  • Spider and inventory all web pages / files / folders / sub domains
  • Results stored in sitemap.csv
  • The bigger the site, the longer the scan takes

Quick scan
  • Similar to config audit scan
  • Checks common security standards
  • Checks HTTP/SSL/TLS/DNS configs

Comprehensive  scan
  • Includes config audit, overview and SSL/TLS scans
  • Takes a long time depending on site size
  • Plugin family options for all web app plugins
  • The most detailed scan

Scans for special cases

PCI DSS - for the payment card industry
API - checks RESTful APIs (checking APIs is key to web app testing); the OpenAPI (previously called Swagger) spec describes the endpoints to test
Log4Shell - for the Log4Shell (CVE-2021-44228) issue. Needs local creds for the local checks.


Overview scan
  • New scan > Web App tab
  • Choose "Overview"
  • Scan name
  • Target URL

Config scan
  • New scan > Web App tab
  • Choose "Web App Config Audit"
  • Scan name
  • Target URL
SSL scan
  • New scan > Web App tab
  • Choose "SSL_TLS"
  • Scan name
  • Target URL
Filter results for SSL

Non-credentialed web app scan
  • New scan > Web App tab
  • Choose the "Scan" template
  • Scan name
  • Target URL

credentialed web app scan

  • Credentialed scans are important as they look deeper, at all the user-only pages / forms etc
  • Identify
  • Can break sites, so best to run on a copy of the live site
  • Basic/NTLM auth (type username and password). NTLM is stronger than Basic (Basic sends the password base64-encoded in every request, so it relies entirely on HTTPS).
  • Nessus supports cookie-based auth
    • Use a web browser to log in
    • Copy the session cookie
    • Name + Content
    • chrome://settings/siteData
    • Check limitations (HTTPS, NoScript, expiration etc)
  • Form-based auth (manual, or Selenium scripting)
    • Login URL and form parameters
    • You can use a Selenium script
    • Plugin 98033 detects a login form
    • You give the details there:
    • Login page
    • Creds (username and password) as field name; field value
    • Pattern for success (regex)
    • Page to verify the session is active
    • Pattern to verify active (regex)
    • All patterns are regex
    • Selenium is used for scripting browser automation
    • Selenium IDE browser extension (record, edit and play back)

Selenium scripting

  • The Chrome extension (Selenium IDE) makes it easier
  • Create a new test project (give it a name)
  • Enter the URL and click Start recording 
  • Log in and do your actions
  • Open the tool again and stop recording (top right)
  • Give the script a name
  • Save it for use later

Using the script in a credentialed scan

  • New scan > web app tab
  • choose "scan"
  • enter scan name
  • enter URL
  • credentials tab
  • select web authentication
  • Select authentication method: Selenium Authentication 
  • You can upload your script file here
  • Enter the page to verify auth worked
  • Enter pattern to verify active session: Sign off (text or regex) text method is case in-sensitive
  • save scan and launch
  • On the results, filter for "selenium": the info plugin shows whether the login succeeded
  • It gives screenshots and other details of the login
  • This page is useful if auth fails, to figure out what went wrong


credentialed scan without a script (policy config)

  • New scan > web app tab
  • Choose "Scan"
  • Give the scan a name
  • Enter the URL
  • Click the Credentials tab and add Web Authentication
  • Choose authentication method "Login form"
  • Login page URL: (the page where the username and password are entered)
  • Login parameters are given as JSON, e.g. {"uid": "admin", "passw": "admin"}
  • Pattern to verify successful auth: "Sign off"
  • URL to verify active session
  • Pattern to verify active session: "Sign off"
  • Save and run the scan
  • Check vulnerabilities
  • Filter for "authentication"
  • The info plugin "Login form authentication succeeded" shows the details
  • Filter for "failed" to see the details if the login failed

Thursday, 31 July 2025

swap mem 100% used on palo 400 series 450, 455

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYzBCAU&lang=en_US%E2%80%A9


Palo Alto only gave the 400 series 1 MB of swap, which shows as full as soon as the device is up.

Swap (like other memory) can be used by the kernel for cache/buffers. It is not really in use, just ready to be used, and the system reclaims it when needed.

Monitor physical memory instead (available memory is the figure to watch):


show system resources


Thursday, 17 July 2025

hardening anyconnect ssl on cisco secure firewall 7.7

Hardening

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html


Service access object (geo block anyconnect):

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222810-configure-geolocation-based-policies-for.html


Auto shun (flex config)

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html#toc-hId--1375473333



threat-detection service remote-access-authentication hold-down 15 threshold 5


hold-down - the period (minutes) after the last failed attempt during which further failures are counted; if no failure arrives within that time the count restarts

threshold - the number of failed auths within the hold-down window that triggers the shun; with the command above, 5 failures each within 15 minutes of the previous one shun the source IP



Show commands:

show threat-detection service remote-access-authentication

show threat-detection service remote-access-client-initiations

show threat-detection service invalid-vpn-access


Logs locations in FMC:

Some menu paths change depending on the FMC version / interface 

Cog (top right) > monitoring > syslog

Monitoring → VPN → Remote Access (anyconnect)

Analysis → Connections → Events (won't show auth success/failure here)

Health → Events (shows cpu/memory issues)

There is a unified log as well


Log level

FMC GUI → Devices → Platform Settings

syslog > logging


Syslog messages:

%ASA-6-113004: AAA user authentication Successful : server = <server> : user = <user>

%ASA-6-113005: AAA user authentication Rejected : reason = <reason> : server = <server> : user = <user>

%ASA-4-722051: Group <group> User <user> IP <ip> Session connected

%ASA-6-722041: Session disconnected (reason...)
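A worked model of the hold-down / threshold behaviour from the auto-shun command above, replayed over constructed syslog lines in the 113005 / 611102 formats listed here. This is an added example, not Cisco code or real device output: the log lines are made up, their syslog header is simplified to an ISO timestamp, and the counting rule (a source's failure count restarts when no failure arrives within the hold-down period; reaching the threshold inside the window shuns the source) is my reading of the command semantics. It also tallies which accounts were tried from more than one source IP, which is the case a per-IP shun does not catch.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real ASA/FTD output). Header simplified to
# "<ISO timestamp> <message>"; bodies use the field names quoted in the notes above.
SAMPLE_LINES = [
    "2025-07-17T10:00:00 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice",
    # One source hammering several usernames: 5 failures in 40 seconds.
    "2025-07-17T10:00:10 %FTD-6-611102: User authentication failed: IP = 203.0.113.10, Uname: admin",
    "2025-07-17T10:00:20 %FTD-6-611102: User authentication failed: IP = 203.0.113.10, Uname: root",
    "2025-07-17T10:00:30 %FTD-6-611102: User authentication failed: IP = 203.0.113.10, Uname: alice",
    "2025-07-17T10:00:40 %FTD-6-611102: User authentication failed: IP = 203.0.113.10, Uname: dave",
    "2025-07-17T10:00:50 %FTD-6-611102: User authentication failed: IP = 203.0.113.10, Uname: carol",
    # A second source trying the same 'admin' account: stays under the threshold.
    "2025-07-17T10:02:00 %FTD-6-611102: User authentication failed: IP = 192.0.2.33, Uname: admin",
    "2025-07-17T10:02:30 %FTD-6-611102: User authentication failed: IP = 192.0.2.33, Uname: admin",
    # A real user mistyping: 3 failures, a 23-minute pause, then 3 more (the count restarts).
    "2025-07-17T10:05:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7",
    "2025-07-17T10:06:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7",
    "2025-07-17T10:07:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7",
    "2025-07-17T10:30:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7",
    "2025-07-17T10:31:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7",
    "2025-07-17T10:32:00 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7",
]

MSG_ID = re.compile(r"%(?:ASA|FTD)-\d-(?P<id>\d{6}):")
SRC_IP = re.compile(r"IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
USER = re.compile(r"(?:user = |Uname: )(?P<user>\S+)")
FAILED_IDS = {"113005", "611102"}  # AAA rejected, user authentication failed


def parse_failure(line):
    """Return (timestamp, source_ip, username) for an auth-failure line, else None."""
    ts, _, body = line.partition(" ")
    m = MSG_ID.search(body)
    if not m or m.group("id") not in FAILED_IDS:
        return None
    ip, user = SRC_IP.search(body), USER.search(body)
    if not ip or not user:
        return None
    return datetime.fromisoformat(ts), ip.group("ip"), user.group("user")


class RemoteAccessShun:
    """Per-source failure counter modelling `hold-down <minutes> threshold <count>`."""

    def __init__(self, hold_down_min, threshold):
        self.hold_down = timedelta(minutes=hold_down_min)
        self.threshold = threshold
        self.counts = {}   # ip -> (consecutive failures, time of last failure)
        self.shunned = {}  # ip -> time the shun was applied

    def failure(self, ip, when):
        """Record one failure; return True if the source is (now) shunned."""
        if ip in self.shunned:
            return True
        count, last = self.counts.get(ip, (0, None))
        if last is not None and when - last > self.hold_down:
            count = 0  # no failure inside the hold-down window: the run restarts
        count += 1
        self.counts[ip] = (count, when)
        if count >= self.threshold:
            self.shunned[ip] = when
            return True
        return False


def replay(lines, hold_down_min, threshold):
    """Replay log lines through the model; returns shunned IPs plus per-IP and per-account tallies."""
    model = RemoteAccessShun(hold_down_min, threshold)
    failures = Counter()
    ips_per_user = defaultdict(set)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        when, ip, user = parsed
        failures[ip] += 1
        ips_per_user[user].add(ip)
        model.failure(ip, when)
    return {
        "shunned": set(model.shunned),
        "failures": failures,
        # accounts attempted from more than one source: invisible to a per-IP shun
        "ips_per_user": {u: ips for u, ips in ips_per_user.items() if len(ips) > 1},
    }


if __name__ == "__main__":
    result = replay(SAMPLE_LINES, hold_down_min=15, threshold=5)
    print("shunned:", sorted(result["shunned"]))
    print("failures per source:", dict(result["failures"]))
    print("accounts tried from several sources:", result["ips_per_user"])
```

With hold-down 15 / threshold 5 the bulk-guessing source is shunned on its fifth failure, while the user who mistypes six times over half an hour never is, because the 23-minute gap resets the count. Re-running with the 20-in-10 setting from the lessons-learned notes below shuns nobody, which is the trade-off described there; the per-account tally is the signal to forward to a SIEM to cover an attacker who rotates source IPs.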



***

Enable Access Control Logging for VPN User Traffic

On the rule that allows anyconnect in (log at start/log at end/ send to FMC) (still won't show login attempts)



search message *x.x.x.x*



Ok so lessons learned there:

You won't see anything in analysis > connections > events (doesn't show ssl rejected stuff, only successful https etc connections)

SAML (staff profile) rejections were not showing in the logs. I will ask Cisco about this; maybe it's a different event ID, or Duo doesn't send anything back to the firewall when SAML fails. He could see it in the Duo logs, so he was happy enough there.

AAA/radius (contractors profile) was where we saw the issues coming in.

We needed to enable informational-level logging under Devices > Platform Settings (we hit a bug there: it didn't set the first time, not sure what happened; I watched him set it, so watch out for that).

Once we had informational we could see some stuff under the cog > Monitor > Syslog.

Filter "message" for *x.x.x.x* where x.x.x.x is the IP you are looking for

We saw ssl denied for the German IP based on geoblock

We saw username ***** denied from my UK IP

The username was hidden in the logs

Added flex config "no loggin hide username". Cisco said you have to leave off the "g": "loggin" is not a typo.

Shun settings were 20 failed logins in 10 mins. He said he had to set it high because users were actually typing their password wrong 10 times, so that is something he will have to live with. Attackers can still try 20 times from the approved IPs before getting shunned, and at that stage they can change IP address and try again.


*** SAML

SAML failed logins won't show in the FMC log in the same way. Best to review these in the SAML provider's dashboard/logs (Duo/Azure etc). Those logs can be forwarded from there to a central SIEM; Duo has a tool called Duo Log Sync.

Filter to include class "vpnc", which outputs logs like:

%FTD-6-611102: User authentication failed: IP = IP address, Uname: user


Tuesday, 1 July 2025

Palo alto PCNSA notes

Palo alto firewall

Palo Alto is a next-gen firewall with User-ID and App-ID. External dynamic lists (EDLs) / feeds are used for blocking malicious traffic and allowing trusted sources such as Azure and CDNs.

It can inspect north/south traffic and east/west traffic.

It has IPS, URL filtering and WildFire (for unknown threats).

DNS sinkhole (DNS protection)

Advanced logging with Cortex Data Lake (takes in multiple log sources and applies machine learning)


Platforms

  • Virtual machines (VM-Series) for public and private cloud (you control the VM)
  • Prisma Access (hosted, cloud-based firewall as a service)
  • Physical devices (appliances installed on site)

https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations


SP3 - Single Pass Parallel Processing

Single pass: traffic inspection, classification and enforcement happen in one pass over the packet

Traffic 

Control plane

  • config 
  • logging 
  • reporting 

Data plane

  • Signature matching 
  • security and network processing 

Management options
  • Web interface: HTTPS over the network or via the MGMT port
  • CLI: via SSH over the network or via console cable
  • Panorama: centralized platform for managing multiple firewalls. Good for MSPs; worthwhile from about 6+ devices.
  • API: XML and REST APIs. Good for automation and network programming
The management GUI has on-box help
There is on-box documentation, usually in the top right

ACC - Application Command Centre
Analytical tool to provide actionable intelligence about network activity. Shows trends etc.

Monitor tab
  • Live logs
  • Reports

Policies 
  • Firewall / NAT rules etc

Objects
  • Setup objects for use in policies

Network
  • data plane interfaces and zones
  • VPN related items
Device
  • General settings
  • Management interface
  • User accounts
  • Licenses
  • Config backup
The management port is part of the control plane
Default 192.168.1.1/24
HTTPS
Default user: admin/admin (change this at first login)
We can disable it if needed and manage via a dataplane interface instead
By default dataplane ports won't accept mgmt packets; an Interface Management Profile must be applied to allow them

Service routes
For anything the firewall itself needs to reach, e.g. RADIUS, log forwarding, updates.
By default it will use the mgmt port
Device > Setup > Services > Service Route Configuration > Customize 

CLI modes
  • Operational - basic network commands: ping, traceroute, show, debug
  • Configuration - enter with the configure command; now you can make changes
  • Similar to Cisco in that regard
CLI enhancements
  • Use find to figure out the command syntax
  • Use ? to get help
  • Use Tab to autocomplete
  • Use | (pipe) with match or except to filter output
ping <Tab>
We will see the options marked with symbols:
+ count - plus means an optional keyword that needs a value
* host - asterisk means it's required
> - means more options follow

ping host 1.1.1.1

tail - useful for log messages

set is how we do some config 
show is how we show the config

Find all the commands related to the network:
find command keyword network

We can see ethernet is under interface under network. To change ethernet1/1 from the CLI we need to use:
set network interface ethernet1/1

The CLI is good for checking and debugging, but most config will be done via the web GUI (or Panorama).

Firewall maintenance

Config files

Running config (running-config.xml)
Sits in the dataplane; this is the config that controls the firewall's behaviour.
When the firewall reboots this config is loaded at boot.


Candidate configuration (snapshot.xml)
A separate file / space in memory in the control plane for configuration in progress.
It is config we have entered but have not deployed yet.
When we commit, it is merged into the running config.
Saving the candidate config doesn't commit the changes.

Candidate config = the running config + the new changes
The commit command merges the changes from the candidate config into the running config
The new running config has the new changes

We can revert to the last saved config
Replaces the current candidate config with a saved candidate config file

We can revert to the running config (probably the one we'll use most)
Discards uncommitted changes

Load 
over writes with a file saved earlier (usually from a backup, used when restoring) 

Save
Can save a named config snapshot.

Export
Export a named config (backup)

Dynamic updates
  • Make sure these are enabled and auto-downloading / installing 
  • Antivirus / WildFire 
  • Applications and Threats 
  • GlobalProtect HIP (Host Information Profile)
  • PAN-DB URL filtering (may use Umbrella instead)

Palo alto policy types
  • Security (firewall rules etc)
  • NAT (source NAT for internet access, No-NAT exemptions, public/static NATs etc)
  • QoS (e.g. voice QoS)
  • Policy based forwarding (PBF)
  • Decryption (SSL)
  • Authentication (RADIUS / SAML etc)
  • DoS protection 
  • Tunnel inspection
  • SD-WAN
Palo Alto works like an ASA:
rules are evaluated from top to bottom
when a rule matches, the traffic is handled by that rule
it doesn't check any further rules

Security policies
  • The primary traffic control tool
  • Block rules (block lists) at the top; the default rules sit at the bottom (interzone-default denies, intrazone-default allows)
  • Put the most specific rules at the top

IntERzone vs IntRAzone
  • IntRAzone (same zone)
  • IntERzone (lan to dmz)
  • Universal (interzone + intrazone combined)
Application/Service 
  • select (pick specific ports)
  • any (allow the app on any port, e.g. HTTP on any port)
  • application-default (web-browsing only allowed on its default ports, e.g. 80/443, but not 8881)
Generally we don't want to allow apps on lots of ports, but some custom applications run HTTP etc on non-standard ports.
  • application-default - use this wherever we can, first preference
  • select - in edge cases we can configure the specific ports. Second choice.
  • any - only for testing, or when we can't get it working any other way. Last resort.

Default rules can be changed by using the override button.
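An added example (my own illustration, not PAN-OS code) that evaluates a small rulebase the way the notes above describe: top down, first match wins, application-default versus select versus any, and the built-in intrazone-default allow / interzone-default deny at the bottom. The zones, routes, App-ID default-port table and NAT entry are all constructed for the example, and App-ID's classification of traffic is abstracted to an `app` field on the session. It also applies the PAN-OS convention that a security rule matches the pre-NAT destination address but the post-NAT destination zone.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed App-ID default-port table (PAN-OS ships the real one per application).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
}

# Constructed routing table: the destination zone is the zone of the longest-prefix route.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "trust"),
    (ipaddress.ip_network("172.16.0.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "untrust"),
]

# Constructed destination NAT: public address (pre-NAT) -> DMZ server (post-NAT).
DNAT = {"198.51.100.10": "172.16.0.10"}


@dataclass(frozen=True)
class Session:
    src_zone: str
    src_ip: str
    dst_ip: str   # pre-NAT destination, i.e. what the client actually sent to
    proto: str
    dport: int
    app: str      # App-ID result, abstracted for the example


@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    from_zones: set
    to_zones: set
    dst: str = "any"                          # CIDR (pre-NAT address) or "any"
    apps: set = field(default_factory=lambda: {"any"})
    service: str = "application-default"      # "application-default", "select" or "any"
    ports: set = field(default_factory=set)   # (proto, port) pairs, used with "select"
    rule_type: str = "universal"              # "universal", "intrazone" or "interzone"


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return max(((n, z) for n, z in ROUTES if addr in n), key=lambda r: r[0].prefixlen)[1]


def destination_zone(dst_ip):
    """Post-NAT destination zone: route lookup on the translated address if a NAT rule applies."""
    return zone_of(DNAT.get(dst_ip, dst_ip))


def matches(rule, s, dst_zone):
    if rule.rule_type == "intrazone" and s.src_zone != dst_zone:
        return False
    if rule.rule_type == "interzone" and s.src_zone == dst_zone:
        return False
    if "any" not in rule.from_zones and s.src_zone not in rule.from_zones:
        return False
    if "any" not in rule.to_zones and dst_zone not in rule.to_zones:
        return False
    if rule.dst != "any" and ipaddress.ip_address(s.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if "any" not in rule.apps and s.app not in rule.apps:
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    return (s.proto, s.dport) in rule.ports   # "select"


def evaluate(s, rules):
    """Return (rule name, action): the first matching rule wins, else the built-in default rules."""
    dz = destination_zone(s.dst_ip)
    for r in rules:
        if matches(r, s, dz):
            return r.name, r.action
    return ("intrazone-default", "allow") if s.src_zone == dz else ("interzone-default", "deny")


# Block list first, most specific allow next, general allows after; all constructed.
RULES = [
    Rule("deny-blocklist", "deny", {"any"}, {"any"}, dst="192.0.2.0/24", service="any"),
    Rule("allow-custom-8881", "allow", {"trust"}, {"untrust"}, dst="203.0.113.0/24",
         apps={"web-browsing"}, service="select", ports={("tcp", 8881)}),
    Rule("allow-web-out", "allow", {"trust"}, {"untrust"}, apps={"web-browsing", "ssl"}),
    Rule("inbound-web-dmz", "allow", {"untrust"}, {"dmz"}, dst="198.51.100.10/32",
         apps={"web-browsing", "ssl"}),
]

SESSIONS = {
    "web_out": Session("trust", "10.10.1.5", "1.1.1.1", "tcp", 80, "web-browsing"),
    "web_8881_unknown": Session("trust", "10.10.1.5", "1.1.1.1", "tcp", 8881, "web-browsing"),
    "web_8881_partner": Session("trust", "10.10.1.5", "203.0.113.7", "tcp", 8881, "web-browsing"),
    "inbound_dmz": Session("untrust", "198.51.100.77", "198.51.100.10", "tcp", 80, "web-browsing"),
    "blocklisted": Session("trust", "10.10.1.5", "192.0.2.5", "tcp", 443, "ssl"),
    "intrazone_ssh": Session("trust", "10.10.1.5", "10.10.2.9", "tcp", 22, "ssh"),
}

if __name__ == "__main__":
    for name, s in SESSIONS.items():
        print(f"{name:18} -> {evaluate(s, RULES)}")
```

The two tcp/8881 sessions show the point of the three service options: application-default lets web-browsing out only on its default port, so the unknown 8881 destination falls through to interzone-default and is denied, while the partner range gets its non-standard port through the narrow "select" rule. The inbound session matches on the public (pre-NAT) address but the dmz (post-NAT) zone, and the block-list rule wins over the later allow purely by position.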

Policy objects / groups
Its efficient to group items into groups so later the groups can be updated but your firewall rules can remain unchanged.

Security profiles
Ping from the firewall, sourced from an inside interface IP, to a host:
ping source 192.168.10.100 host 192.168.10.50

However, if clients try to ping the firewall interface it fails by default. We need to create an Interface Management Profile, allow ping in it, and apply it to that interface.

Security rules (ACLs) are found under
Policies > Security 

We can see the applications ping and icmp:
icmp is for the full protocol (except ping)
ping is the ping app, which sits under the icmp protocol

How to block web comms to a specific IP

NAT

  • Allows network devices to change the source/destination of packets.
  • Main driver is IPv4 address depletion, but it has other uses.
  • In most orgs it's used to hide all clients behind a single public IP for internet access (NAT overload / PAT)
  • The other main use is to give servers a static public IP
  • No-NAT rules are used for S2S VPNs (exempt the VPN traffic from translation)

SNAT - source NAT
DNAT - destination NAT
Some devices allow changing source and destination at the same time

Static NAT maps one IP to one IP
Dynamic NAT maps to an IP from a pool. Dynamic IP and port also translates the source port

On palo alto we have a NAT policy
  • A NAT rule has 3 main sections:
    • General
    • Original packet
    • Translated packet
NAT type: ipv4 / nat64 / nptv6

Original packet is how we select the original packet
Translated packet is what we want to change it to

Rules can refer to address objects instead of IPs
It's recommended to use objects in case the IP is updated later.

  • NAT rule processing is top down
  • Applies regardless of NAT type
  • Most specific rules at the top
  • More general NATs at the bottom
  • No-NAT rules (exemptions) can go at the top
IP addresses in NAT rules always refer to the original, pre-NAT IPs
Use the original (pre-NAT) IPs in the security rules as well; the zones in a security rule are the post-NAT zones

Remember: NAT does the translation but it doesn't allow or deny anything. That is the job of the security policy.

test routing fib-lookup virtual-router default ip 192.168.57.31
Gives the interface the traffic will go out of.

show routing route 
Shows all routes


Wednesday, 18 June 2025

VMware remote console VMRC

 https://knowledge.broadcom.com/external/article/368995/download-vmware-remote-console.html

Wednesday, 4 June 2025

Cisco RMA steps

open case 

request RMA

enter serial

chat now

Can I request RMA for this serial number : xxxxxxx

creates a RMA ticket

address needs to have customer name (your address / eircode)

or ship the RMA to the customer site

Friday, 7 March 2025

export user cert from windows cert store

Open MMC 

Add the Certificates snap-in

Choose the user account (for the user store) or computer account (for the machine store) as needed

Check Certificates > Personal

Export the user cert from the user store (PKCS #12 if the private key must go with it, protected by a strong password; DER or Base-64 encoded X.509 if only the public cert is needed)

Import the user cert into the machine store