Tuesday 20 December 2022

sec stuff 2022

 CTF

pico ctf

tryhackme

hack the box

on the wire


ine - elearn cppt (watch videos no need to take cert)


oscp - PEN200 OSCP (cert to chase)

Tuesday 13 December 2022

enable jumbo frame mtu 9000 on cisco nexus 5k

policy-map type network-qos jumbo
 class type network-qos class-default
  mtu 9216
 exit
exit
system qos
 service-policy type network-qos jumbo
wr


No reboot was needed; there may have been a brief blip in connectivity.

Wednesday 7 December 2022

cisco webex softphone sign-in not working on cisco umbrella VA DNS servers

This is down to how cisco/webex resolves DNS. Depending on config it can be looking for external DNS records which need to resolve.


We already had an internal AD domain added (customer.com) in the umbrella dashboard as part of the internal domains.


On a working capture we saw it look for

_collab-edge._tls.customer-ext.com, which didn't resolve.

Then it looked for

_cisco-uds._tcp.customer-ext.com

which did resolve to the customer UCM server IPs (this must have been resolved by the internal DC/DNS).


On the "not working" capture

Wireshark showed an SRV record,

_cisco-uds._tcp.customer-ext.com, being looked up by the client but getting "No such name" back from a public DNS server. It tried to resolve it on the internet.


We needed to go into the DC and edit DNS on the external domain customer-ext.com

We also added the customer-ext.com to the internal domains in the umbrella dashboard.


Wireshark display filter to find DNS queries that didn't return an answer:

(!(dns.flags.rcode==0))&&(dns.flags.response==1)
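The same check as the Wireshark filter above, done in code over raw DNS messages, as an added example (not from the original post): it parses the DNS header flags and the question name from constructed packets and lists the SRV lookups that came back with a non-zero RCODE, which is what the "not working" capture showed for _cisco-uds._tcp. The sample packets are constructed in the block; it only parses the question section, which is all the failure check needs.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_NAMES = {1: "A", 28: "AAAA", 33: "SRV"}


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(txid, qname, qtype, response=False, rcode=0):
    """Build a minimal DNS message carrying only the question section.

    Used to construct the sample capture; answer records are left out because
    the failure check only needs the header flags and the question.
    """
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0x000F)  # QR, RD, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)          # QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def decode_name(data, offset):
    """Decode the label sequence at offset. The question section never uses
    compression pointers, so only plain labels are handled here."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_message(data):
    """Return the header flags and the first question of a DNS message."""
    txid, flags = struct.unpack("!HH", data[:4])
    qname, off = decode_name(data, 12)  # question starts after the 12-byte header
    qtype = struct.unpack("!H", data[off:off + 2])[0]
    return {
        "id": txid,
        "response": bool(flags & 0x8000),  # dns.flags.response
        "rcode": flags & 0x000F,           # dns.flags.rcode
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
    }


def failed_responses(messages):
    """Same selection as the filter (!(dns.flags.rcode==0)) && (dns.flags.response==1)."""
    hits = []
    for raw in messages:
        m = parse_message(raw)
        if m["response"] and m["rcode"] != 0:
            hits.append((m["qname"], m["qtype"], RCODE_NAMES.get(m["rcode"], str(m["rcode"]))))
    return hits


def constructed_capture():
    """Constructed sample: the client's SRV lookups and what came back."""
    return [
        build_message(0x1A2B, "_collab-edge._tls.customer-ext.com", 33),
        build_message(0x1A2B, "_collab-edge._tls.customer-ext.com", 33, response=True, rcode=3),
        build_message(0x1A2C, "_cisco-uds._tcp.customer-ext.com", 33),
        build_message(0x1A2C, "_cisco-uds._tcp.customer-ext.com", 33, response=True, rcode=3),
        build_message(0x1A2D, "ucm01.customer.com", 1, response=True, rcode=0),
    ]


if __name__ == "__main__":
    for qname, qtype, rcode in failed_responses(constructed_capture()):
        print("%-40s %-4s %s" % (qname, qtype, rcode))
```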

Tuesday 29 November 2022

control plane ACL ASA

Control plane access lists on the ASA

If you want to stop an IP address from trying to access AnyConnect or ASDM, or from trying to form a VPN, this is what you need.

The OUTSIDE_IN access list does not block it, because the service itself is on the firewall and the traffic does not pass through the interface.


access-list cp-outside extended deny ip object-group BAD_IPS any log
access-group cp-outside in interface OUTSIDE control-plane

There is no implicit deny on these, so you don't need a permit any any; adding one will cause the access list not to work.


no logging hide username

Monday 28 November 2022

find locked out accounts in windows

Enable AD auditing on all the DCs.

Search the Security event log on their DCs for event ID 4771.

Lockout tools may help:

https://www.microsoft.com/en-us/download/details.aspx?id=18465


ManageEngine ADAudit Plus can help too (it just parses the event logs).

ftp passive mode issues

FTP passive mode not working

Some issues seen:

1. ftp inspect on the ASA

2. Sometimes the server transmits the inside IP instead of the public IP. Sometimes the FWs or the client fix this up, but an old client might not and tries to connect to an inside IP.


https://www.ibm.com/support/pages/remote-ftp-client-doing-passive-mode-gets-internal-ip-address-returned-227-entering-passive-mode-message



Passive mode

The client connects to the server from a random source port, e.g. 55555, to destination port 21.

The connection comes back from server source port 21 to destination port 55555 on the client.


Active mode

They set up a data and a control connection on different ports.
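Issue 2 above in code, as an added example (not from the original post): it parses the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply the server sends, works out the data port, and flags the case where the server advertises its inside (RFC 1918) address instead of the public IP the client opened the control connection to. The fallback to the control peer address is what the "fixing it up" clients do; that behaviour and the sample replies are assumptions made here.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the data port is p1*256 + p2 (RFC 959).
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in 227 reply: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection_target(line, control_peer_ip):
    """Work out where the data connection should go and flag the inside-IP leak.

    control_peer_ip is the address the client opened the control connection to
    (port 21). When the server advertises a private (RFC 1918) address that is
    not that peer, it has leaked its inside IP through the NAT: newer clients
    fall back to the control peer address, older ones try the inside IP and hang.
    """
    ip, port = parse_pasv_reply(line)
    advertised = ipaddress.ip_address(ip)
    peer = ipaddress.ip_address(control_peer_ip)
    if advertised == peer:
        return {"ip": ip, "port": port, "verdict": "ok"}
    if advertised.is_private and not peer.is_private:
        return {"ip": control_peer_ip, "port": port, "verdict": "inside-ip-leaked"}
    return {"ip": ip, "port": port, "verdict": "address-differs"}


if __name__ == "__main__":
    # Constructed replies: one leaking the inside address, one correct.
    for reply in ("227 Entering Passive Mode (192,168,0,10,195,149).",
                  "227 Entering Passive Mode (100,200,200,114,195,149)."):
        print(reply, "->", data_connection_target(reply, "100.200.200.114"))
```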


Tuesday 15 November 2022

tftp transfer speed degrades or stops

Had an issue where a tftp transfer was good at the start and then degraded.

The issue in this case was that the exec-timeout was set to 5 minutes. I increased it to 30 minutes and all was good. Also worth looking at the tftp block size.

Monday 14 November 2022

website not loading file is downloaded instead

Inside the file was some hex with nothing in it. It seems the headers were getting messed up, so the client got some data from the web server, didn't know what to do with it and downloaded it instead.

This was an issue with HTTPS inspection on the firewall. Installing a hotfix fixed the issue.

Check for any FW or IPS device in between client and server.

Check FW logs + web server logs (does the traffic make it to the inside server?)

Check the NAT -> inside IP

Is the inside web server up and working?

Is the inside web server getting the traffic?

A packet capture on the outside showed the cert handshake trying over and over, which indicates an SSL issue.




Wednesday 9 November 2022

Palo alto BPA

Log into your Palo Alto firewall

On Device -> Support

In the Tech Support File section

Click Generate Tech Support File (takes a while)

Then download the tech support file


Log into the support web site:

https://support.paloaltonetworks.com/

You will have to log in with Google Authenticator


Log in with your account.

Select the customer account in the top left drop-down

On the left hand side go to Tools -> Best Practice Assessment

Click on "Generate New BPA" in the top right

Select the downloaded tech support file


Select architecture classifications

Untrust = Internet etc.





ikev2 s2s VPN on cisco ASA

Customer did an update and all the old IKEv1 and old cipher VPNs were not working due to security settings and SW update. I didn't have time to figure out which ciphers worked so switched VPNs to IKEv2

Enable IKEv2 on the outside interface

crypto ikev2 enable OUTSIDE


Group policy for the VPN peer (IKEv2 selected, always-on settings)

You may have other settings you need to configure here

group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev2


IKEv2 P1 policy

*NOTE* I saw an issue where a policy was selected even though the lifetimes didn't match (the other settings did). The VPN came up but had issues rekeying and did not come back up on its own. Check that the lifetimes match under "sh crypto isakmp sa" on both sides of the VPN. In my case the HQ already had an IKEv2 policy with an 86400 lifetime that other VPNs were using.

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400


IKEv2 P2 proposal

crypto ipsec ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
 protocol esp encryption aes-256
 protocol esp integrity sha-256


Crypto map

crypto map MYMAP 10 match address CUST_VPN
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
crypto map MYMAP 10 set security-association lifetime seconds 3600


Encryption domain

access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS

object-group network LOCAL-NETS
 network-object 192.168.10.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 172.30.10.0 255.255.255.0


NoNat

nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup


Tunnel group

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key StrongPassWordHere
 ikev2 local-authentication pre-shared-key StrongPassWordHere



Wednesday 5 October 2022

test authentication profile palo alto cli

test authentication authentication-profile "AD Kerberos" username USERNAME password


Thursday 8 September 2022

script to gather network information on windows

.bat script to gather network information on Windows; you can add or remove things as needed.

set > %userprofile%\downloads\_Set.txt
echo %logonserver% > %userprofile%\downloads\_logonserver.txt
whoami > %userprofile%\downloads\_whoami.txt
hostname > %userprofile%\downloads\_hostname.txt
ipconfig /all > %userprofile%\downloads\_ipconfig_all.txt
ipconfig /displaydns > %userprofile%\downloads\_displaydns_post.txt
route print > %userprofile%\downloads\_routeprint.txt
tracert -d 192.168.2.100 > %userprofile%\downloads\_tracert_2_100.txt
ping 192.168.2.100 > %userprofile%\downloads\_ping_2_100.txt
nslookup cust.url.com > %userprofile%\downloads\_nslookup.txt
wmic NIC where NetEnabled=true get Name,Speed > %userprofile%\downloads\_NICSpeed.txt
gpresult /V >> %userprofile%\downloads\_gpresult.txt


Wednesday 7 September 2022

can't ping SVI interface on remote switch across S2S VPN

Had an issue where I could ping the VLAN 1 (LAN) SVI but not the VLAN 146 (VOICE) SVI.

The setup was

LAN client -> L2 VL1 -> L3 SVI VL1 -> Inside ASA -> S2S VPN -> HQ

Phone client -> L2 VL146 -> L3 SVI VL146 -> L3 SVI VL1 -> Inside ASA -> S2S VPN -> HQ -> Phone server


I found some messed up NATs.


Removed the global NAT:

object network obj_any
 nat (any,outside) dynamic interface


The NoNat had a missing object in the destination:

nat (voice,outside) source static obj-10.60.146.0 obj-10.60.146.0 destination static HQ-NET HQ-NETS no-proxy-arp route-lookup


Also needed this NAT on the INSIDE with the 146 networks to ping the SVI. This is because the route to the HQ network is through the inside interface of the ASA.

nat (inside,outside) source static obj-10.60.146.0 obj-10.60.146.0 destination static HQ-NET HQ-NETS no-proxy-arp route-lookup



Wednesday 31 August 2022

Find the source of DNS request on windows client

To track a DNS request back to a PC you can use Cisco Umbrella or watch the DNS debug logs on the DNS server. That will tell you the IP of the machine the DNS requests are coming from, but you may want to know what process they are coming from.

There are a few tools you can use.

Microsoft Sysmon (sysinternals)

1 - Download sysmon

https://technet.microsoft.com/en-us/sysinternals/sysmon

2 - Download swift security profile

https://github.com/SwiftOnSecurity/sysmon-config

3 - Install sysmon with the swift security profile

Sysmon.exe -accepteula -i .\sysmonconfig-export.xml

4 - Open event viewer and check the sysmon logs

Eventvwr.msc

Applications and services logs -> Microsoft -> Windows -> Sysmon

Right click -> find  search for URL

You will see the process under image name.
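The same lookup done offline over exported Sysmon events, as an added example (not from the original post or the Sysmon project): it reads the Event Viewer XML, keeps only Sysmon Event ID 22 (DnsQuery) entries, and returns which image and PID asked for a given name. The events in the block are constructed samples in that XML layout; the vendor path is made up.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (what Event Viewer shows under "XML View").
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Return (EventID, {DataName: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def dns_queries_for(events, query_name):
    """Sysmon Event ID 22 (DnsQuery): which process asked for query_name.

    Returns a list of (UtcTime, Image, ProcessId, QueryStatus) tuples; matching
    is case-insensitive and ignores a trailing dot.
    """
    wanted = query_name.lower().rstrip(".")
    hits = []
    for xml_text in events:
        event_id, d = parse_sysmon_event(xml_text)
        if event_id != 22:
            continue
        if d.get("QueryName", "").lower().rstrip(".") == wanted:
            hits.append((d.get("UtcTime"), d.get("Image"),
                         int(d.get("ProcessId", "0")), d.get("QueryStatus")))
    return hits


def _event(event_id, fields):
    """Build a constructed event in the Event Viewer XML layout."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Sysmon"/>'
            '<EventID>%d</EventID></System><EventData>%s</EventData></Event>'
            % (event_id, data))


# Constructed sample log: two DNS queries and one process-create event (ID 1).
SAMPLE_EVENTS = [
    _event(22, {"UtcTime": "2022-08-31 10:15:02.123", "ProcessId": "4312",
                "QueryName": "x1.c.lencr.org", "QueryStatus": "0",
                "QueryResults": "::ffff:23.72.154.199;",
                "Image": r"C:\Program Files\ExampleVendor\updater.exe"}),
    _event(22, {"UtcTime": "2022-08-31 10:15:03.456", "ProcessId": "1880",
                "QueryName": "www.example.com", "QueryStatus": "0",
                "QueryResults": "::ffff:203.0.113.10;",
                "Image": r"C:\Windows\System32\svchost.exe"}),
    _event(1, {"UtcTime": "2022-08-31 10:15:04.000", "ProcessId": "5100",
               "Image": r"C:\Windows\System32\notepad.exe"}),
]


if __name__ == "__main__":
    for when, image, pid, status in dns_queries_for(SAMPLE_EVENTS, "x1.c.lencr.org"):
        print(when, image, pid, "QueryStatus", status)
```

With real data, export the Sysmon log from Event Viewer as XML and split it into one string per <Event> before passing it in.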


Wireshark

Won't show you the process it came from, but you should see when requests are happening.

Useful display filters

Show all DNS traffic:

dns

Show DNS requests for the URL and also any connections to its IP; URL = x1.c.lencr.org, which nslookup resolved to 23.72.154.199

(ip.dst == 23.72.154.199) or ((dns.qry.name == x1.c.lencr.org))

Look for all DNS requests for that name coming from my PC 192.168.1.10

(dns.flags.response == 0) and (ip.src == 192.168.1.10) and (dns.qry.name == x1.c.lencr.org)


TCPView

Someone reported success using TCPView. Nslookup the URL -> IP, then watch TCPView for connections to that IP. Usually a connection to the IP will happen straight after the DNS request.

Uncheck TCPv6 etc. if this is not your traffic. A good place to start is IPv4 only, then search for the IP; we should see a module/process.

Wednesday 17 August 2022

Windows transfer speed slow in one direction over VPN

Copying files A -> B was fine

but B -> A was slow.


Checked all the devices and the VPN, all looking good. It ended up being a simple duplex issue. The link from the switch to the firewall on side B had auto-negotiated to 100 half. I hard coded it to 1000 full and all was good.


Steps to follow

Check the full network path from side A <-> B: is speed/duplex correct on the switchports?

RAM + CPU good on each device that is moving the data

Run a speed test to make sure the internet connections are ok

Run some ping -t to watch out for packet loss

smokeping or pingplotter from several places: local, across the VPN, internet (1.1.1.1, 8.8.8.8, 4.2.2.2) for packet loss + latency

Check if the server is a VM and check VMware for any datastore issues

Check for ARP issues: is there ARP poisoning or a static ARP entry somewhere, is the MAC address hopping around for one of the source/destination IPs?

Quickly generate dummy files for testing file copies on windows

https://tweaks.com/windows/62755/quickly-generate-large-test-files-in-windows/


fsutil file createnew 1gb.test 1073741824

The key is to input the size of the file in bytes, so here are some common file sizes to save you from the math:

1 MB   = 1048576 bytes
100 MB = 104857600 bytes
1 GB   = 1073741824 bytes
10 GB  = 10737418240 bytes
100 GB = 107374182400 bytes
1 TB   = 1099511627776 bytes
10 TB  = 10995116277760 bytes

Thursday 28 July 2022

test policy on palo alto similar to packet tracer

I haven't had much luck with this; it doesn't seem to work as well as packet tracer. It's often returning that the traffic is blocked when in fact it is allowed.


Anyway, you can give it a go; it's down the bottom in the GUI, "Test Policy Match".


On the CLI:

test security-policy-match source 192.168.0.1 destination 8.8.8.8 destination-port 53 protocol 17

test security-policy-match source 192.168.0.1 destination 8.8.8.8 destination-port 443 protocol 6


Protocol 17 = UDP
Protocol 6 = TCP

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configuration/test-policy-matches

NAT on palo alto firewall

I find switching from ASA to Palo Alto NAT confusing because they work in a different way and I've worked on ASA for so long.


NAT rule (to NAT the traffic)

outside -> outside

Destination address is the customer public IP: 100.200.200.114

Destination translation address is the inside IP of the server: 192.168.0.1


Policy rule (to allow the traffic)

outside -> inside

Source IP is the outside source public IP 8.8.8.8

Inside destination IP is the public IP: 100.200.200.114



The main thing there is that a public IP NAT is outside to outside on Palo. On ASA it's outside to inside for a public IP NAT.

  • Source zone: outside
  • Destination zone: outside
  • Destination interface: eth1/1 (outside)
  • Source add: any
  • Destination address: 100.100.100.50 (public IP of server)
  • Service: port 443
  • Source translation: "none"
  • Destination Translation:
    • destination-translation (translation type "static IP")
    • address: 192.168.100.50 (inside IP)
    • port: 443

Wednesday 13 July 2022

check when a S2S VPN established

show vpn-sessiondb l2l filter ipaddress x.x.x.x

Connection   : x.x.x.x
Index        : 69987                  IP Addr      : x.x.x.x
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (2)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (2)SHA1
Bytes Tx     : 6629603                Bytes Rx     : 9801553
Login Time   : 07:20:46 UTC Wed Jul 13 2022
Duration     : 4h:12m:59s
Tunnel Zone  : 0


Some useful items: we can see the login time (time of the last rekey).

Duration: how long the VPN has been up since then.


You can also check
sh crypto isakmp sa detail | b x.x.x.x

IKE Peer: x.x.x.x
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE
Encrypt : aes-256         Hash    : SHA
Auth    : preshared       Lifetime: 86400
Lifetime Remaining: 70716

Here you can see the lifetime and the lifetime remaining. You can use these values to work out when the next rekey should be.

86400 / 60 / 60 = 24 (hours)

70716 / 60 / 60 = 19.6 (hours)

That matches up with the 4 hour duration, so everything looks good there. If you keep checking in on it, or are able to monitor the VPN, you might spot that it is rekeying randomly, and that needs to be investigated.
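The cross-check above as a small script, added here as an example (not from the original post): it pulls Login Time and Duration from the "show vpn-sessiondb" output and Lifetime / Lifetime Remaining from "show crypto isakmp sa detail", then checks that (Lifetime minus Lifetime Remaining) is close to Duration and works out when the next rekey is due. A gap larger than the tolerance means the SA was rebuilt at some other time, which is the random-rekey case worth investigating. The sample text is the output from this post; the optional "Nd " day prefix in Duration and the 15 minute tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone


def parse_duration(text):
    """'Duration : 4h:12m:59s' -> seconds (an optional leading 'Nd ' is accepted)."""
    m = re.search(r"Duration\s*:\s*(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s", text)
    if not m:
        raise ValueError("no Duration field found")
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs


def parse_login_time(text):
    """'Login Time : 07:20:46 UTC Wed Jul 13 2022' -> aware UTC datetime."""
    m = re.search(r"Login Time\s*:\s*(\d\d:\d\d:\d\d UTC \w{3} \w{3} \d{1,2} \d{4})", text)
    if not m:
        raise ValueError("no Login Time field found")
    return datetime.strptime(m.group(1), "%H:%M:%S UTC %a %b %d %Y").replace(tzinfo=timezone.utc)


def parse_lifetimes(text):
    """'Lifetime: 86400' and 'Lifetime Remaining: 70716' -> (lifetime, remaining)."""
    lifetime = re.search(r"\bLifetime:\s*(\d+)", text)
    remaining = re.search(r"Lifetime Remaining:\s*(\d+)", text)
    if not (lifetime and remaining):
        raise ValueError("lifetime fields not found")
    return int(lifetime.group(1)), int(remaining.group(1))


def rekey_check(sessiondb_text, isakmp_text, tolerance_seconds=900):
    """Cross-check 'show vpn-sessiondb' against 'show crypto isakmp sa detail'.

    Login Time is the last rekey, so (Lifetime - Lifetime Remaining) should be
    close to Duration. A large gap means the SA was rebuilt at some other time,
    i.e. the tunnel is rekeying when it should not.
    """
    duration = parse_duration(sessiondb_text)
    login = parse_login_time(sessiondb_text)
    lifetime, remaining = parse_lifetimes(isakmp_text)
    elapsed = lifetime - remaining
    return {
        "duration_seconds": duration,
        "elapsed_from_lifetime": elapsed,
        "consistent": abs(elapsed - duration) <= tolerance_seconds,
        "next_rekey_utc": login + timedelta(seconds=lifetime),
        "remaining_hours": round(remaining / 3600, 1),
    }


# Output from this post (peer address masked as x.x.x.x), used as the sample.
SESSIONDB = """\
Connection   : x.x.x.x
Index        : 69987                  IP Addr      : x.x.x.x
Protocol     : IKEv1 IPsec
Bytes Tx     : 6629603                Bytes Rx     : 9801553
Login Time   : 07:20:46 UTC Wed Jul 13 2022
Duration     : 4h:12m:59s
"""

ISAKMP = """\
IKE Peer: x.x.x.x
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE
Auth    : preshared       Lifetime: 86400
Lifetime Remaining: 70716
"""

if __name__ == "__main__":
    print(rekey_check(SESSIONDB, ISAKMP))
```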

how to look at office macros without running them

olevba is a good Linux tool to look at the macro code without opening the file in MS Office etc.

Tuesday 21 June 2022

powershell script to test ping, http ports and RDP

Function TestPingAndRDP ($IP)
{
    Write-Host ***********************************************************
    Write-Host Checking ping
    Write-Host ***********************************************************
    ping $IP
    Write-Host $IP, "PING", ([System.Net.NetworkInformation.Ping]::new().Send($IP)).Status
    Write-Host ***********************************************************
    Write-Host Checking RDP
    Write-Host ***********************************************************
    Test-NetConnection -ComputerName $IP -CommonTCPPort RDP
    Write-Host ***********************************************************
}

Function PingOnly ($IPING)
{
    Write-Host ***********************************************************
    Write-Host Checking ping ONLY
    Write-Host ***********************************************************
    ping $IPING
    Write-Host $IPING, "PING", ([System.Net.NetworkInformation.Ping]::new().Send($IPING)).Status
    Write-Host ***********************************************************
}

Function TestWeb ($IWEB)
{
    Write-Host ***********************************************************
    Write-Host Checking web port 80
    Write-Host ***********************************************************
    Test-NetConnection -ComputerName $IWEB -CommonTCPPort HTTP
    Write-Host ***********************************************************
    Write-Host Checking web port 443
    Write-Host ***********************************************************
    Test-NetConnection -ComputerName $IWEB -Port 443
    Write-Host ***********************************************************
}

Function TestHTTPCode ($url)
{
    # Force TLS 1.2 so Invoke-WebRequest works against servers that reject older protocols
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $date = Get-Date
    Write-Host $url, "HTTP STATUS CODE", (Invoke-WebRequest -Uri $url).StatusCode, $date
}

###############################
# Remove the # in front of a line and that check will run
###############################

#TestPingAndRDP 192.168.100.10
#PingOnly 192.168.100.50
#PingOnly 8.8.8.8
#PingOnly www.google.com
#TestWeb www.google.com
#TestHTTPCode https://www.google.com


Monday 13 June 2022

check web server for weak SSL ciphers

We can use the nmap command

nmap -p 443 --script ssl-enum-ciphers 100.100.100.20

See if TLS 1.0 / 1.1 is still enabled and look for weak ciphers; they will usually have a grade like C.

These need to be disabled on the web server.


Alternative test site; can only test with a URL for free:

https://www.ssllabs.com/ssltest/

Wednesday 8 June 2022

global NAT on cisco FMC

Devices -> NAT

Edit the NAT policy

Add Rule button

NAT rule: Auto NAT Rule

Type: Dynamic

Interface: set inside -> outside


Translated: destination interface IP

domain controller ports

Needed some objects with the usual domain controller ports. I'm sure not all are required for all deployments; for example some installs might be using LDAP (389), others LDAPS (636), or vice versa.


Taken from here:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN


object-group service DC_PORTS_UDP udp
 port-object eq 389
 port-object eq 88
 port-object eq 445
 port-object eq 123
 port-object eq 464
 port-object eq 138
 port-object eq 67
 port-object eq 2535
 port-object eq 137

object-group service DC_PORTS_TCP tcp
 port-object eq 389
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
 port-object eq 88
 port-object eq 53
 port-object eq 445
 port-object eq 135
 port-object eq 5722
 port-object eq 464
 port-object eq 9389
 port-object eq 139

cisco nexus 5k

Need to put the config in twice, on 5k01 and 5k02.

Don't forget you may need to add VLANs to the port-channel vPCs on both sides too.

Make sure to use the "switchport trunk allowed vlan add" command; you don't want to take out the port channel.

*** add vlan 99 to the port channel

Create the VLAN on both 5k01 and 5k02

interface port-channel10
 switchport trunk allowed vlan add 99

Make the same change on 5k01 and 5k02.
This is because Nexus are datacentre equipment.



Tuesday 7 June 2022

test outbound UDP traffic from citrix netscaler

I needed a way to test outbound UDP traffic from Citrix NetScaler to prove traffic was working.

Normally I would use telnet for a quick TCP port check, or the "nc" command, but nc was not available on NetScaler and I could not install it. I was able to test like so:


Log into the Citrix NetScaler

"shell" to get into CLI mode

echo -n "Test from 192.168.0.10" > /dev/udp/172.30.50.50/514

This sent UDP traffic from 192.168.0.10 (Citrix) to 172.30.50.50 (log server) on UDP port 514 (syslog).

I was able to see it arrive in my Wireshark capture on 172.30.50.50.

Tuesday 17 May 2022

Use windows DHCP server instead of IP pool for cisco anyconnect on cisco ASA

Connect to your AnyConnect so you can see what tunnels/profiles are enabled.

Use "show run tun" to see your tunnel config.


Re-enable anyconnect

  • Disable AnyConnect (so the pool is not in use)

webvpn
 no enable OUTSIDE

  • Remove the pool from the tunnel-group

tunnel-group STAFF general-attributes
 no address-pool STAFF-POOL

  • Install the entry in the 'Tunnel-Group' for your AnyConnect

 dhcp-server 10.60.1.6 10.60.1.7

  • Install the entry in the AnyConnect 'Group-Policy' as well

group-policy GP-STAFF attributes
 dhcp-network-scope 10.60.6.0

  • Remove the pool if no longer in use

no ip local pool STAFF-POOL


https://www.petenetlive.com/KB/Article/0001050


post network change testing list

Customers don't test properly after network changes; a general list which might help:

Test

  • Internet
  • Remote access (anyconnect etc)
  • Email
  • Phones (Internal->Internal, Int->Ext, Ext->Int)
  • Teams/Webex/other IM
  • Intranet / Other internal sites
  • Windows file shares
  • Core
  • Wifi networks ?
  • Printers
  • other 3rd party web apps
  • Other remote access via S2S VPN / Wireless radio / MPLS etc

Friday 13 May 2022

Change the mgmt IP on FTD with minimal impact

Update mgmt IP on FTD


1. Disable management of the device in FMC. Do that via Device Management > edit the Device > Device tab > move slider next to management section.

2. Change the address on the device directly using "configure network ..." command from the cli.

3. Edit the management address in FMC from the same place you disabled management. Then move the slider back to enable management.

Wednesday 20 April 2022

powershell script to ping multiple ip addresses

Taken from https://social.technet.microsoft.com/wiki/contents/articles/52396.powershell-ping-list-of-ip-addresses.aspx

Note that we're using System.Net.NetworkInformation.Ping in these examples. However, you could also use the Test-Connection PowerShell cmdlet or some other command.

script----------------------------------

Start-Transcript -Path .\log.txt
(Get-Content .\IPAddresses.txt) | ForEach {Write-Host $_, "-", ([System.Net.NetworkInformation.Ping]::new().Send($_)).Status}
Stop-Transcript

script----------------------------------


input file--------------------------------

1.1.1.1

8.8.8.8

8.8.4.4

input file--------------------------------

Saturday 2 April 2022

pfsense

pfsense is open source firewall for linux

Can be run on any x86 machine with 2 (preferably intel) NICs 

It can be of interest to business because the company https://www.netgate.com/ creates hardware and can also provide support.

It can also be virtualised in VMware etc.


Sample business 7000 users 

Used pair of Netgate 7100 in HA

Each 7100 costs like $1200 so $2400 for the pair

Put that price up against similar setup from Cisco/Palo/Sonicwall


pfsense is the project

pfsense+ is a product, a few hundred bucks a year for support; can be increased for a lower SLA.

tnsr is a Netgate product for faster routing at datacentre level. pfsense is all GUI, tnsr is all CLI.


Limitations

The main thing it's missing is full SSL traffic inspection. It can do it but it doesn't work well. Not many firewalls can do the SSL inspection on

You need to put bypasses in for cert pinning like Google / PayPal etc.

How many customers running Cisco/Palo are actually doing full SSL decryption?

Can't go bigger than a 10gig interface, but probably not an issue for the target SMEs.

80-100 concurrent VPN users.





Investigating high CPU usage on cisco ASA

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113185-asaperformance.html


http://www.tunnelsup.com/troubleshooting-high-cpu-on-a-cisco-asa

For FTD:
show process cpu-usage sorted non-zero
show conn | include .*INSIDE .*DMZ
sh cpu usage

Generate a TS file during the issue. TAC said it's ok to do, but it seems like it would push your CPU higher; maybe there is a separate CPU for TS file generation.

awk commands

The awk action is inside braces {}

ps | awk '{print $1}'


Default separator is spaces

Change it to , for csv

awk -F ","


Change to : for passwd file

awk -F ":"


awk -F ":" '{print $1}' /etc/passwd


Print out multiple columns

awk -F ":" '{print $1 $6 $7}' /etc/passwd


Add some tabs between outputs to make it more readable

awk -F ":" '{print $1"\t"$6"\t"$7}' /etc/passwd


Change the field separator

Work on data that has : as field separator

But output the data with - as the field separator 

awk 'BEGIN {FS=":"; OFS="-"} {print $1,$6,$7}' /etc/passwd


Print the last column (only for lines starting with /, then de-duplicate)

awk -F "/" '/^\// {print $NF}' /etc/shells | sort | uniq


The /'s need to be escaped: \/dev

df | awk '/\/dev\/loop/ {print $1"\t"$2}'


Find all the /bin/fish running

ps -ef | awk '{if ($NF == "/bin/fish") print $0}'


For loop

awk 'BEGIN {for (i=1; i<=10; i++) print "The square of", i, "is", i*i}'


Matching a pattern

awk '$1 ~ /^[b,c]/ {print $0}' .bashrc


awk 'match($0, /mystring/) {print $0}' numbered.txt


Print a section (NR number of records, line numbers)

between lines 7 and 11

df | awk 'NR==7, NR==11 {print NR, $0}'


Getting a line count

awk 'END {print NR}' /etc/shells


Monday 28 March 2022

ruckus cloud controller AP install

Was having issues getting APs to join the cloud.

Couldn't see any drops/blocks on the firewall.

The APs were trying to look up a DNS name, RuckusController.customer-domain.com

Went onto the customer DC and added an A record RuckusController.customer-domain.com pointing to the public IP of our cloud controller (virtual SmartZone).

Also best to add the MAC addresses of the APs to DHCP reservations.

Make sure all is matching if you have 2 unsynced DC setups.


Other URLs I saw the controllers were trying to access:

ap-registrar.ruckuswireless.com

ap-registrar.cloud.ruckuswireless.com

*.ruckuswireless.com

ocsp.entrust.net


It was accessing the cloud controller IP on

UDP 12223

Thursday 24 March 2022

Meraki switches

Make sure the license is in place; it may be in the PO/job folder.

In the dashboard, add the org; you can paste in the order number, which should add all devices and licenses.

Then we needed to give the switch internet access with DHCP, and it connected to the cloud in about 15 mins.

Log into the dashboard and config from there.

Keep in mind if you move switches to a location with no internet you will lose config access.


 

Wednesday 16 March 2022

pscp file to cisco router

I was trying to copy files to a Cisco ASR 1001-X router.

I was having issues due to internal FW rules etc. I could SSH, so probably SCP would work.


I needed to enable the following command on the ASR router:

ip scp server enable

However it still wasn't working.

I needed to run the pscp command on my server with the files, with the -scp switch to force the old protocol:

pscp -scp filename.bin username@x.x.x.x:filename.bin


I had to fill in the second filename.bin for the destination, otherwise it would not work.


Tuesday 15 March 2022

read in variable in windows .bat file

usage

test.bat MyUsername MYPW


script-----------------

@echo off
set username=%1
set password=%2

echo %username%
echo %password%
pause

script-----------------


plink can be used to automate ssh tasks

Monday 7 March 2022

cisco ftd/asa smart licensing strong encryption

Customer to set up a smart license account with Cisco: https://software.cisco.com/

Needs to be set up with a user@customer-domain.com email.

Once set up, get them to add you as admin.

When buying licenses, specify the smart account with the disti/vendor. Often they mess it up and the smart license goes into limbo. You then need to open a case with the licensing team, licensing@cisco.com

Once you get the license appearing in the smart license console you need to assign it to the device.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/intro-license-smart.html#id_57013


Generate a token in the cloud and copy it to a notepad.

On FTD/ASA:

conf t
call-home
license smart
feature tier standard
feature strong-encryption
license smart register idtoken XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
license smart renew auth
show license summary
sh ver



Thursday 3 March 2022

Firepower hotfix and patch schedule info

When Cisco find an issue they sometimes release a hotfix as a small quick fix.

The real fix will be put into the next maintenance release.


6.6 is the last FMC that supports the Cisco User Agent for identity. If you want to go above that you need to uninstall the User Agent and install the Cisco ISE-PIC agent.

6.7.0 removes support for old ciphers. If you are using FTD you need to make sure all VPNs have been migrated to IKEv2 and updated ciphers.

ASA55xx-X devices only support up to certain sensor patches; at the time of writing 6.6.5.2.

When you upgrade to 6.7.0, for example, you should also upgrade to the latest release of 6.7.x (at the time of writing it was 6.7.3); this ensures you get all fixes in your branch.

Because branches are worked on by different dev teams, just because something is fixed in 6.4.0.14 does not mean the same issue is fixed in 6.7.0, so you need to make sure to go to 6.7.3 or whatever is the latest patch in that branch.




fmc error after upgrading to 6.7.3 interface modified

You get a health warning that interfaces are modified after upgrade to 6.7.3


SSH into FMC

enter "expert" mode

enter "sudo su"

Run this command

OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification where status=11;"

For each UUID delete the notification

OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("XXXXXXXXXXXXXXXXXXXXXXXX");'

OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("YYYYYYYYYYYYYYYYYYYYYYYY");'

OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ");'


Check again, it should be blank

OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification where status=11;"


Check your FMC interface the alert should have cleared



show patch history on FMC CLI

 SSH to FMC

expert

cat /etc/sf/patch_history


This is useful for seeing hotfixes applied as they don't show in the version number in the web interface

Wednesday 16 February 2022

cisco asa 8.2 nat code examples

You combine the following commands in 8.2 code; in 8.3+ we just use a single nat command:

  • nat
  • global
  • static


Global NAT for internet access

NAT all 10.0.0.0/24 traffic from inside to NAT ID "1":

nat (inside) 1 10.0.0.0 255.255.255.0

On NAT ID "1", NAT all traffic behind the outside interface:

global (outside) 1 interface


Static nat for giving a server a public IP

static (inside,outside) 100.100.100.10 192.168.1.100

access-list 100 permit tcp any host 100.100.100.10 eq https

access-group 100 in interface outside

 

Create ACL to match traffic to be NAT'd for nat hide for VPN

access-list policy-nat extended permit ip 172.16.1.245 255.255.255.255 213.168.225.149 255.255.255.255

access-list policy-nat extended permit ip 172.16.1.245 255.255.255.255 217.114.160.101 255.255.255.255


Nat traffic matched with the ACL to NAT ID "2"

nat (public) 2 access-list policy-nat


Define what IP NAT id "2" should be nat'd to on the outside interface

global (outside) 2 172.16.1.242


select traffic, nat, define what IP to nat to 🤷

Tuesday 15 February 2022

nessus scan

Scan box only has DisplayPort + HDMI out, so you might need cables

Make sure the time and date are set correctly

Make sure the scan box has internet access (may need FW rules and SSL inspection exclusions)

Run software and plugin updates

Ask the customer to exclude the scan box from AV/firewall alerting, otherwise the scan will create SIEM alerts

Copy the config from the previous scan

Don't use scheduled scans, because it will just generate alerts for the customer when it kicks off again a month later

Config the target networks (get them from the firewall, LAN switch etc.)

Don't forget AnyConnect and Wi-Fi pools / ranges

Watch out for Citrix or other remote access (GlobalProtect etc.)

Once you have the list of networks, email it to the customer and ask if there is anything to add. Also get credentials (Windows / SSH / SNMP). Inform them the scan may set off alerts in their system logs (FW/SIEM/SOAR/SOC/EDR/AV etc.); we will create some temporary rules to allow it access.

Clear the log file and restart the service before starting the scan (https://avleonov.com/2018/03/14/dealing-with-nessus-logs/)

Start the scan just before 9am (Tuesday is good) to catch as many hosts online at that point in time as possible. Scans can run for hours into days and users may connect/disconnect during that time.

After the first scan check how long it took to complete and whether there were any errors/notes. Were any important networks missed?

Generate and write the report
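The "were any important networks missed" check above is easy to do mechanically before the scan starts. As an added example (not from the original post and not Nessus' own code), this Python script takes the in-scope networks gathered from the firewall, switches and VPN/Wi-Fi pools and the string pasted into the scan's target box, and reports which scope blocks are not fully covered. Both lists are constructed for the example.

```python
"""Check that the Nessus target list covers every in-scope network.

Added example, not part of the original post or of Nessus. Both lists are
constructed: IN_SCOPE is what you would gather from the firewall, LAN
switches and the AnyConnect / Wi-Fi pools; SCAN_TARGETS is what was typed
into the scan's target box.
"""
import ipaddress

IN_SCOPE = {
    "servers": "10.10.0.0/24",
    "users": "10.20.0.0/22",
    "anyconnect pool": "10.99.0.0/24",
    "wifi guest": "192.168.50.0/24",
    "management": "10.0.0.0/24",
}

SCAN_TARGETS = "10.10.0.0/24, 10.20.0.0/24, 10.0.0.0-10.0.0.255, 10.99.0.0/24"


def parse_targets(spec):
    """Expand a Nessus-style target string (CIDRs, single IPs, a-b ranges) to networks."""
    nets = []
    for item in (t.strip() for t in spec.split(",") if t.strip()):
        if "-" in item:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def uncovered(scope, targets):
    """Return {label: [missing subnets as strings]} for scope networks not fully scanned.

    CIDR blocks are either nested or disjoint, so each target either
    swallows a remaining block, is carved out of it, or does not touch it.
    """
    target_nets = parse_targets(targets)
    gaps = {}
    for label, cidr in scope.items():
        remaining = [ipaddress.ip_network(cidr)]
        for t in target_nets:
            still_missing = []
            for r in remaining:
                if r.version != t.version or not (r.subnet_of(t) or t.subnet_of(r)):
                    still_missing.append(r)                     # disjoint: untouched
                elif r.subnet_of(t):
                    continue                                    # fully covered by this target
                else:
                    still_missing.extend(r.address_exclude(t))  # partially covered: carve it out
            remaining = still_missing
        if remaining:
            gaps[label] = sorted(str(n) for n in remaining)
    return gaps


if __name__ == "__main__":
    for label, missing in uncovered(IN_SCOPE, SCAN_TARGETS).items():
        print(f"{label}: not scanned -> {', '.join(missing)}")
```

With the constructed lists it reports that the users /22 was only half scanned (only the first /24 was pasted in) and that the Wi-Fi guest range is missing entirely; the a-b range for management is expanded and recognised as covering the /24.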


Nessus scan first setup

Choose Advanced Scan

Give it a name

Discovery -> turn off "Ping the remote host"

Port scanning -> can use the default or all ports:

T:1-65535,U:1-1024

Local port enumerators (leave as is)

Use SYN scan

Turn on UDP

Service discovery:

probe all ports

search for SSL/TLS on all ports

Assessment -> tick "perform thorough tests"

Brute force -> tick "only use credentials provided by the user"

Web application -> don't scan if we are just doing an infra scan

Report -> untick "show missing patches that have been superseded"

Tick "designate hosts by their DNS name"

Advanced -> usually can be left alone, but on a flat network you can tick the option to slow down the scan.

For an internal scan we want to add creds for Windows / SSH / SNMP. Ask for a temporary admin user to run the scan (and have it removed afterwards).

Enable a schedule, once a quarter etc.



Network Detective tool

This is more MS/AD focused but can give good results, like a list of users whose passwords are set not to expire.

Run "RunNetworkDetective" as administrator

Give credentials

Give the domain controller IP

Send the output to R to run the report from the reporting tool


Friday 4 February 2022

filezilla server quick setup

FileZilla Server quick setup so you can transfer some files


Install the software

Set up the FTP folder, e.g. C:\FTP, and drop your files in there (in Windows)

Create a user and password in FileZilla Server

virtual path "/"

native "C:\FTP"

Run "ftp localhost" then "dir" from a cmd prompt; you should see your files

There can be a further step to make sure the ports are open on the Windows firewall and any other firewall between your FTP server and client (TCP 21 plus the passive data port range). Plain FTP sends the password and the files in the clear, so keep this to a lab or trusted LAN, or use FTPS/SFTP instead.


Thursday 27 January 2022

FMC LDAP external auth

Config -> Users -> External Authentication


Authentication method: LDAP

Name: domain.int

Server type: MS Active Directory


Primary server host name/IP: x.x.x.x (IP of DC)

Port: 389


Base DN: dc=domain,dc=int


Base filter: (memberOf=CN=NetworkAdmin,OU=IT,DC=domain,DC=int)

User name (bind account): cn=ASA,OU=ServiceAccounts,OU=IT,DC=domain,DC=int

Password: ****

Confirm password: ***


UI access attribute: sAMAccountName

CLI access attribute: sAMAccountName


Shell access filter: (memberOf=CN=NetworkAdmin,OU=IT,DC=domain,DC=int)


There is a test button

Port 389 is plain LDAP, so the bind account's password and every user login cross the network in the clear; once the DC certificate is trusted by the FMC, set the encryption option to SSL/TLS (636 for LDAPS) instead.

check last reboot reason on cisco switch

Command may vary depending on device/sw

 sh ver | i reason

 sh ver | i Last

sh ver | i reload

could try sh ver | i reload|Last|reason


For ASA:

show failover history 

Wednesday 26 January 2022

configure suppressions on security onion

First check the rule is triggering correctly

Confirm its legitimate


Gather network data decoded

source IP: 192.168.1.10

Destination IP : 192.168.1.65

rule SID: 2102251


Rules file location

/opt/so/rules/nids/all.rules


Count rules:

wc -l all.rules


Find your rule:

grep 2102251 all.rules


You can fully disable a rule if it does not apply 

sudo so-rule disabled add 2102251

grep 2102251 all.rules (should see # to show its commented out)


Using a regular expression to disable all rules related to STUN

sudo so-rule disabled add 're:STUN'

grep STUN all.rules


To do fine-grained tuning by source/destination we need to edit the global.sls file


sudo su

cd /opt/so/saltstack/local/pillar

vi global.sls


The global.sls file is YAML, so it's spaces, not tabs. On a standalone you can edit it in one place, but if you have multiple sensors you will need to edit the file on each one.


Suppress by source IP:

thresholding:
  sids:
    2102251:
      - suppress:
          gen_id: 1
          track: by_src
          ip: 10.4.8.1   # can use a CIDR here too



Suppress by threshold:

thresholding:
  sids:
    2102251:
      - threshold:
          gen_id: 1
          type: threshold
          track: by_src
          count: 10
          seconds: 3600


In this case if one source generates more than 10 alerts in 1 hour something is going on and I want to look into that


Save the global.sls file

Restart Suricata:

so-suricata-restart

Ack the event in the alerts page in SOC
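To see what the two stanzas above actually do to the alert volume before pushing them, here is an added example (not from the original post, Security Onion or Suricata) that replays a constructed set of alerts through a suppress and a threshold stanza of the same shape. Only track: by_src and type: threshold are modelled, and the interval handling is simplified to "start a new interval once the current one has expired".

```python
"""Replay alerts through Security Onion style suppress / threshold stanzas.

Added example, not part of the original post, Security Onion or Suricata.
The alert events are constructed. Only track: by_src and threshold
type: threshold are modelled; the interval handling is simplified to
"start a new interval when the current one has expired".
"""
import ipaddress

# Constructed alerts: (timestamp in seconds, sid, source ip)
EVENTS = (
    [(t * 60, 2102251, "10.4.8.1") for t in range(30)]          # known scanner, 30 hits in 30 min
    + [(t * 100, 2102251, "192.168.1.10") for t in range(25)]   # 25 hits in ~42 min
    + [(10, 2102251, "192.168.1.77"), (20, 2010937, "192.168.1.77")]
)

# Same shape as the thresholding: block in global.sls above (sid -> list of stanzas)
CONFIG = {
    2102251: [
        {"suppress": {"gen_id": 1, "track": "by_src", "ip": "10.4.8.1"}},
        {"threshold": {"gen_id": 1, "type": "threshold", "track": "by_src",
                       "count": 10, "seconds": 3600}},
    ]
}


def _suppressed(src, stanza):
    """by_src suppression: the ip field may be a host or a CIDR."""
    return (stanza["track"] == "by_src"
            and ipaddress.ip_address(src) in ipaddress.ip_network(stanza["ip"], strict=False))


def apply_thresholding(events, config):
    """Return the (ts, sid, src) alerts that would still fire, in time order."""
    counters = {}   # (sid, src) -> (interval_start, count)
    fired = []
    for ts, sid, src in sorted(events):
        stanzas = config.get(sid, [])
        if any(_suppressed(src, s["suppress"]) for s in stanzas if "suppress" in s):
            continue
        thresholds = [s["threshold"] for s in stanzas
                      if "threshold" in s and s["threshold"]["type"] == "threshold"]
        if not thresholds:
            fired.append((ts, sid, src))
            continue
        th = thresholds[0]
        start, count = counters.get((sid, src), (ts, 0))
        if ts - start > th["seconds"]:      # interval expired: start counting again
            start, count = ts, 0
        count += 1
        if count >= th["count"]:            # every count-th match inside the interval alerts
            fired.append((ts, sid, src))
            count = 0
        counters[(sid, src)] = (start, count)
    return fired


if __name__ == "__main__":
    before = apply_thresholding(EVENTS, {})
    after = apply_thresholding(EVENTS, CONFIG)
    print(f"{len(before)} alerts without tuning, {len(after)} with tuning")
    for ts, sid, src in after:
        print(f"  t={ts:5d}s sid={sid} src={src}")
```

Without tuning the constructed set produces 57 alerts; with the stanzas applied the scanner is silent, 192.168.1.10 fires twice (on its 10th and 20th hit inside the hour, which is the "something is going on" signal), and the unrelated SID from 192.168.1.77 is untouched.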

Tuesday 25 January 2022

2FA on FMC ASA and ASDM

- FMC:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214756-configure-duo-two-factor-authentication.html#anc7

However, kindly note that this document describes access for web users only, not the CLI; SSO users have web interface access only:

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/user_accounts_fmc.html#:~:text=SSO%20users%E2%80%94SSO%20users%20have%20web%20interface%20access%20only.


- ASA and ASDM:

Kindly note that ASA CLI and ASDM GUI authentication only require integration with an external party (e.g. ISE or NPS); however, for the ASA we can configure 2FA for AnyConnect VPN users as below:

https://community.cisco.com/t5/security-documents/configure-two-factor-authentication-on-asa-for-cisco-anyconnect/ta-p/3403768

https://duo.com/docs/sso-ciscoasa#:~:text=for%20each%20application.-,Configure%20Cisco%20ASA%20SSO,-Add%20Duo%20Single


But if we want it for CLI access only, without VPN, we can use RADIUS, which is assumed to have been configured already:

https://community.duo.com/t/secure-cisco-asdm-with-mfa/7516/4



Accordingly, kindly note that direct configuration of 2FA is not yet supported over ASDM, and an enhancement request has been filed to document this feature under bug ID CSCvs85995:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs85995



Duo service name and tests:

Duo Security Authentication Proxy Service

sc qc DuoAuthProxy

tasklist | findstr proxy_svc.exe

C:\Program Files\Duo Security Authentication Proxy\bin\proxy_svc.exe

Run a PowerShell as admin:

cd "C:\Program Files\Duo Security Authentication Proxy\bin"

.\authproxy_connectivity_tool.exe

Monday 24 January 2022

renew internal ca cert on cisco firepower FTD FMC

 https://www.youtube.com/watch?v=tAIdcZ3EBiw


In our case the subordinate CA cert had expired and users were getting certificate errors opening emails etc.


Go to

Objects -> Object Management -> PKI -> Internal CA's ->

If you edit the old cert you can see when it expired "Not Valid After:"


Cancel from this screen

Click the Generate CA button at the top

Fill in details

Name: firewall.customer.com

Common Name: firewall.customer.com

Click Generate CSR button

Copy the CSR into a notepad


Now go to your internal CA and request the cert

https://192.168.10.30/certsrv

Login with username and password

Request a cert

Advanced certificate request

Paste the CSR created earlier


Choose the certificate template for Subordinate CA. If its not there that is a separate issue which needs to be resolved on the CA server by windows team.

Click Submit

Choose DER encoded and download the signed cert

Go back to FMC

Install the signed cert, click browse and select the downloaded cert file.


Now go into your SSL policy and edit any decrypt/resign rules and change to the new cert and push the policy.


You can now delete the old cert.



Thursday 20 January 2022

switch FTD 1010 to ASA code

 https://www.petenetlive.com/kb/article/0001766


It's best to use a laptop where you can turn off the Windows firewall or add a firewall exception for the TFTP or FTP software


You can connect to the laptop via WIFI remote session

Connect laptop LAN -> MGMT interface on 1010

Connect USB to serial on laptop -> console port on 1010

You will need to factory reset the 1010 back to its default 192.168.x.x IP

Configure a 192.168.x.x IP on your laptop so it can talk to the FTD


You also have the option of putting the software on a FAT32-formatted USB drive and inserting it into the 1010


I tried a rommon method from YouTube but it didn't work; the erase disk0 command was not there

Monday 17 January 2022

remove whitespace in sublime text 3

Do ctrl + H

Find all whitespace: "\s+"

Replace with newline: "\n"


You may want CR "\r" or both "\r\n"



Simple way to find IP addresses

Find four groups of 1-3 digits separated by literal dots (the dots must be escaped, otherwise "." matches any character and dates like 2022-01-17 or times match too):

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

This still accepts octets over 255 (192.168.1.300) and version strings (9.16.3.14), so check the hits before you trust them.
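As an added example (not from the original post), this Python script shows the difference between the unescaped and escaped versions of the pattern on a constructed line of text, and uses ipaddress to throw away matches that are not real IPv4 addresses. The one_per_line helper does the same thing as the Sublime find/replace above.

```python
"""Pull IPv4 addresses out of free text, and show why the dots must be escaped.

Added example, not from the original post. SAMPLE is constructed. LOOSE is
the pattern with unescaped dots, STRICT escapes them and refuses to match
in the middle of a longer dotted number; ipaddress then rejects anything
with an octet over 255.
"""
import ipaddress
import re

LOOSE = re.compile(r"\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}")
STRICT = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

SAMPLE = ("host 10.0.0.5 rebooted on 2022-01-17, version 9.16.3.14, "
          "peer 192.168.1.300 is bogus, 172.16.1.245/32 maps to 172.16.1.242")


def one_per_line(text):
    """The Sublime find/replace above: every run of whitespace becomes a newline."""
    return re.sub(r"\s+", "\n", text.strip())


def find_ips(text, pattern=STRICT):
    """Return (raw regex matches, the subset that are valid IPv4 addresses)."""
    matches = [m.group(0) for m in pattern.finditer(text)]
    valid = []
    for candidate in matches:
        try:
            valid.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            pass   # e.g. 192.168.1.300: looks like an IP to the regex, is not one
    return matches, valid


if __name__ == "__main__":
    print("loose :", find_ips(SAMPLE, LOOSE)[0])
    print("strict:", find_ips(SAMPLE, STRICT)[0])
    print("valid :", find_ips(SAMPLE)[1])
    print(one_per_line("10.0.0.5  192.168.1.1\t172.16.1.245"))
```

On the constructed line the loose pattern happily returns "2022-01-17"; the strict pattern drops it, and ipaddress drops 192.168.1.300. A syntactically valid version number such as 9.16.3.14 still gets through, which no regex can fix: that needs context, or a check against the address ranges you actually own.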

get network interface connection speed on windows CLI

cmd/wmi

wmic NIC where NetEnabled=true get Name,Speed

Powershell

 Get-NetAdapter | where Status -eq "Up" | select InterfaceDescription, LinkSpeed