Tuesday 12 December 2023

find ip addresses on switch

There is no one good way to do this; it depends on the setup. Some commands that may help:

sh ip arp (only works if you have L3 interfaces in each VLAN)

sh ip dhcp snooping binding (needs DHCP snooping)


sh ip device tracking interface gigabitEthernet

Monday 11 December 2023

Good video explaining HSTS for customers

https://www.youtube.com/watch?v=Jx5NEOI_TPw&t=9s


Although some of it is specific to the company platform, the explanation of HSTS and why it's an issue is good.


HSTS

HTTP Strict Transport Security

Any site that just redirects from HTTP to HTTPS (without HSTS) is vulnerable

It's usually medium severity but low-hanging fruit for attackers: if they see the basics are not done they may probe further, but if they see HSTS set up they may move on

HSTS is a protocol that sets rules for how user agents (web browsers) should handle their connection to a site running HTTPS

It's possible for attackers to downgrade HTTPS to HTTP connections and read the data
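A quick check of the downgrade point above, added here as an example (not from the note or the video): parse the Strict-Transport-Security header out of a set of response headers and report what is missing or weak. The sample header sets are constructed; the one-year threshold is an assumption taken from common scanner practice.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses (header name -> value); not captured from any real site.
# "redirect-only" is the case the note calls vulnerable: a 301 to HTTPS with no HSTS,
# so the browser's first request still goes out over plain HTTP.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "redirect-only": {"Location": "https://example.test/", "Content-Type": "text/html"},
    "weak-hsts": {"Strict-Transport-Security": "max-age=300"},
    "good-hsts": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

# Assumed threshold: one year is what most scanners and the browser preload list expect.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, Optional[object]]:
    """Split a Strict-Transport-Security value into its directives.

    Directives are ';' separated and case-insensitive; max-age carries a value,
    includeSubDomains and preload are flags.
    """
    parsed: Dict[str, Optional[object]] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                raise ValueError(f"bad max-age value: {val!r}")
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means HSTS looks sound."""
    # Header names are case-insensitive, so compare in lower case.
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header: first HTTP request can be downgraded"]
    findings: List[str] = []
    parsed = parse_hsts(hsts)
    if parsed["max_age"] is None:
        findings.append("max-age directive missing (browsers ignore the header)")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 removes any stored policy")
    elif parsed["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max_age']} is below one year ({MIN_MAX_AGE})")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains stay downgradable")
    return findings


def check_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run check_hsts over every sample and map name -> findings."""
    return {name: check_hsts(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_RESPONSES).items():
        print(name, "->", findings or ["ok"])
```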

Thursday 30 November 2023

library kiosk urls

mysmartadmin.com

subscription.librarystationupdate.com

shared.bibliotheca.services

Thursday 23 November 2023

how to open big log files

Needed to open a 5GB log file

Tried a few different options but landed on Notepad++ with the BigFiles plugin


Tuesday 14 November 2023

mac address formats

Default: 1234.5678.90AB

IEEE 802/IETF: 12-34-56-78-90-AB


Unformatted: 1234567890AB

One byte: 12:34:56:78:90:AB

Two byte: 1234:5678:90AB


Dotted (like IP addresses):

One byte: 12.34.56.78.90.AB

Two byte: 1234.5678.90AB



OUI (first three bytes) examples:

Xerox made Ethernet and got 00-00-00

Cisco 00-00-0C

NeXT (later Apple) 00-00-0F

Samsung 00-00-F0


MAC addresses are the address at L2

MAC addresses are easy to spoof, so MAB security is not great


Some devices can't do MFA or 802.1X, so MAC rules will be needed until devices get smarter.
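Added example, not from the note: convert between the formats listed above, pull out the OUI and match it against the vendor prefixes given, and check the two flag bits in the first byte. The locally-administered check is the one worth running on MAB-only ports, since a spoofed or randomised MAC usually has that bit set while a burned-in vendor address does not.

```python
import re
from typing import Dict

# Vendor prefixes taken from the note above (first three bytes of the MAC).
KNOWN_OUIS: Dict[str, str] = {
    "000000": "Xerox",
    "00000C": "Cisco",
    "00000F": "NeXT (later Apple)",
    "0000F0": "Samsung",
}


def mac_to_hex(mac: str) -> str:
    """Strip dots, colons, dashes and spaces and return 12 upper-case hex digits."""
    digits = re.sub(r"[.:\-\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, style: str) -> str:
    """Render a MAC in one of the formats from the note."""
    h = mac_to_hex(mac)
    if style == "cisco":            # 1234.5678.90AB (two bytes, dots)
        return ".".join(h[i:i + 4] for i in range(0, 12, 4))
    if style == "ieee":             # 12-34-56-78-90-AB
        return "-".join(h[i:i + 2] for i in range(0, 12, 2))
    if style == "colon":            # 12:34:56:78:90:AB (one byte)
        return ":".join(h[i:i + 2] for i in range(0, 12, 2))
    if style == "two_byte_colon":   # 1234:5678:90AB
        return ":".join(h[i:i + 4] for i in range(0, 12, 4))
    if style == "dot_one_byte":     # 12.34.56.78.90.AB
        return ".".join(h[i:i + 2] for i in range(0, 12, 2))
    if style == "raw":              # 1234567890AB
        return h
    raise ValueError(f"unknown style {style!r}")


def oui(mac: str) -> str:
    """First three bytes, which identify the vendor."""
    return mac_to_hex(mac)[:6]


def vendor(mac: str) -> str:
    return KNOWN_OUIS.get(oui(mac), "unknown")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first byte) is set.

    Burned-in vendor addresses have it clear; an OS that randomises the MAC,
    or a user who set one by hand, normally sets it. On a port that was
    authorised by MAB alone this is a reason to look closer.
    """
    return bool(int(mac_to_hex(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first byte marks group (multicast/broadcast) addresses."""
    return bool(int(mac_to_hex(mac)[:2], 16) & 0x01)


if __name__ == "__main__":
    for sample in ("00-00-0C-12-34-56", "02:00:00:00:00:01", "1234567890AB"):
        print(format_mac(sample, "cisco"), vendor(sample), is_locally_administered(sample))
```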

Tuesday 24 October 2023

csr attributes that are required or optional

CN - Common Name (Required, see notes below)
This is the fully qualified domain name (FQDN) that specifies the server's exact location in the Domain Name System (DNS). For example, a component with hostname webBridge1 and parent domain example.com has the fully qualified domain name webBridge1.example.com. The FQDN uniquely distinguishes the component from any other components called webBridge1 in other domains.

O - Organization or Business name (Optional)
Usually the legal incorporated name of a company. It should include any suffixes such as Ltd., Inc., or Corp. Put quotes around the attribute if it is more than one word, e.g. "Example Inc."

OU - Organizational unit or Department name (Optional)
For example, Support, IT, Engineering, Finance. Put quotes around the attribute if it is more than one word, e.g. "Human Resources"

L - Location (Optional)
City or town. For example, London, Boston, Milan, Berlin.

ST - Province, Region, County or State (Optional)
For example, Buckinghamshire, California. Do not abbreviate. Put quotes around the attribute if it is more than one word, e.g. "New Jersey"

C - Country (Optional)
The two-letter ISO code for the country where your organization is located. For example, US, GB, FR.

Email address (Optional)
An email address to contact the organization. Usually the email address of the certificate administrator or IT department.

SAN - Subject Alternative Name (Required for XMPP server certificates or if a single certificate is to be used across multiple components; see note below. Note: XMPP server is not supported from version 3.0)
From X.509 version 3 (RFC 2459), SSL certificates are allowed to specify multiple names that the certificate should match.
This field enables the generated certificate to cover multiple domains. It can contain IP addresses, domain names, email addresses, regular DNS host names, etc., separated by commas. If you specify this list you must also include the CN in this list. Although this is an optional field, the SAN field must be completed in order for XMPP clients to accept a certificate, otherwise the XMPP clients will display a certificate error.
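Added example (my own code, not from the vendor doc the table comes from): build the OpenSSL subject and subjectAltName strings from the attributes above, enforcing the rules the table states (CN required, C is a two-letter code, the CN must appear in the SAN list, SAN entries typed as DNS/IP/email). The `openssl req` argument list it produces is the standard OpenSSL 1.1.1+ syntax; the file names passed in are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Attributes from the table, in the order OpenSSL's "/C=..../CN=..." -subj form expects them.
SUBJECT_ORDER = ["C", "ST", "L", "O", "OU", "CN"]


def _escape_subj(value: str) -> str:
    # Inside a -subj value the characters '/', '=' and '\' must be backslash-escaped.
    # Multi-word values need no quoting when passed as a single argv element.
    return re.sub(r"([/=\\])", r"\\\1", value)


def build_subject(attrs: Dict[str, str]) -> str:
    """Build the -subj string, applying the rules from the table."""
    if not attrs.get("CN"):
        raise ValueError("CN is required")
    if attrs.get("C") and not re.fullmatch(r"[A-Z]{2}", attrs["C"]):
        raise ValueError("C must be a two-letter ISO country code, e.g. GB")
    parts = [f"{k}={_escape_subj(attrs[k])}" for k in SUBJECT_ORDER if attrs.get(k)]
    return "/" + "/".join(parts)


def _san_entry(name: str) -> str:
    """Classify one SAN value as IP, email or DNS name and prefix it the OpenSSL way."""
    try:
        ipaddress.ip_address(name)
        return f"IP:{name}"
    except ValueError:
        pass
    if "@" in name:
        return f"email:{name}"
    if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", name):
        raise ValueError(f"not a valid SAN entry: {name!r}")
    return f"DNS:{name}"


def build_san(cn: str, names: List[str]) -> str:
    """Build the subjectAltName extension value; the CN must be in the list (table rule)."""
    if cn not in names:
        raise ValueError("SAN list must include the CN")
    entries: List[str] = []
    for n in names:
        e = _san_entry(n)
        if e not in entries:      # drop duplicates but keep order
            entries.append(e)
    return "subjectAltName=" + ",".join(entries)


def openssl_csr_argv(attrs: Dict[str, str], sans: Optional[List[str]],
                     key_out: str, csr_out: str) -> List[str]:
    """argv for 'openssl req' that creates a 2048-bit RSA key and the CSR in one go."""
    argv = ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", key_out, "-out", csr_out, "-subj", build_subject(attrs)]
    if sans:
        argv += ["-addext", build_san(attrs["CN"], sans)]
    return argv


if __name__ == "__main__":
    # Constructed values; webBridge1.example.com is the FQDN example from the table.
    cmd = openssl_csr_argv(
        {"C": "GB", "O": "Example Inc.", "OU": "Human Resources", "CN": "webBridge1.example.com"},
        ["webBridge1.example.com", "10.0.0.5", "admin@example.com"],
        "webBridge1.key", "webBridge1.csr",
    )
    print(" ".join(cmd))
```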

Friday 20 October 2023

ms autopilot URLs


install wildcard on IIS

Needs a DNS name like site.domain.com

Get your cert into PFX bundle format with a password on the file

Import it into IIS

Then edit the site bindings, add 443, fill in the domain and select the cert


https://comodosslstore.com/resources/how-to-install-a-wildcard-ssl-certificate-on-iis-7-or-8/

Thursday 19 October 2023

cisco duo SSO cisco asa setup

You need a domain like vpn.domain.com

You need a cert for that domain installed and working on the ASA

You need to set up SSO first

You will need to put in the email domain, e.g. domain.com

It will ask you to create a TXT record in DNS

You will need to get the DNS provider to set that up.

Once confirmed you will be able to download the IdP cert from the Duo portal.

Now you can continue with the doc

You will need to add the mail attribute "UserPrincipalName"

https://duo.com/docs/sso-ciscoasa





Tuesday 17 October 2023

Cisco ISE notes

ISE

Test lab is quite involved

  • Need windows AD
  • ISE
  • VMware
  • Cisco anyconnect 
  • Cisco switch (supports 802.1x)
  • Client PCs connected to the switch
  • Wifi AP might also be useful

802.1X intro
Don't allow any traffic on the port until we know who the client is
Authenticator (the switch)
Authentication server: RADIUS -> (ISE)
Supplicant (supplies the credentials)

Supplicant -> Authenticator -> Auth Server

We can also do posture assessment of the client

VM settings
Download .ISO or .OVA from Cisco

200GB thin provisioned
4 GB RAM (more is better)
4 cores (more is better)
SSD hard drives are faster


Logging into ISE after install
https://x.x.x.x  (IP or name)
username: admin
password: set during install


First steps
Download .ISO or .OVA from Cisco
Administration -> Network device group
ISE is a security product so it needs to be kept patched.

In VMware vSphere
Right click on the cluster -> Deploy OVF template
Choose upload

You can also try
New -> Virtual machine -> Deploy from Template

You can also browse into the datastores:
https://192.168.10.100/folder





Deploy OVA VM (set network adapters)
Console
setup (to run script)
hostname
ip address 10.4.9.21
subnet mask 255.255.255.0
default gateway 10.4.9.254
default dns domain    corkcoco.localgov
DNS server    10.4.9.162 / 10.4.10.16
NTP server 10.4.253.1    
Syslog server s.s.s.s
timezone
y to enable ssh
username
password
confirm password


Web interface
Check the running version by clicking the cog in the top right -> About ISE and Server


Burger menu in the top left -> Administration -> Deployment
Click on your ServerName / ISE node (our server)
You can click "Make primary" (it will need to reboot) to set up HA

Scroll down
Enable the device administration service tickbox
RADIUS/TACACS are not encrypted by default

Profiling configuration
Burger menu in the top left -> Administration -> Deployment
Go to the "Profiling Configuration" tab
Turn on HTTP (gets the user agent)
Turn on DNS
Click Save

Licensing
We will use eval license. 
For production you will need to purchase a license

Certificates
Managing digital certificates with ISE (video on youtube)
Resources:
ISE Webinars: https://cs.co/ise-webinars 
ISE YouTube Channel: https://cs.co/ise-videos  
ISE Resources: https://cs.co/ise-resources  
ISE Community: https://cs.co/ise-community   
ISE Security Integration Guides: https://cs.co/ise-guides
ISE API: https://cs.co/ise-api
ISE NAD Capabilities: https://cs.co/nad-capabilities
ISE Licensing & Evaluations: https://cs.co/ise-licensing

Logging
Burger menu in the top left -> Administration -> Logging
We can add syslog server(s)

old school syslog UDP
new TCP (more reliable)
secure syslog (TCP + encryption)

Syslog UDP 514    (clear text)
Syslog TCP 1468   (clear text)
Secure Syslog TCP 6514 (encrypted)

Facility code (LOCAL6 is the default) and severity level (informational)

Maximum 8192
Include alarms 
Comply with RFC 3164
Buffer messages when server down, buffer size 100MB
click Submit

Logging categories
Add your syslog server to the categories
AAA Audit
Failed attempts
Passed authentications
AAA diagnostics
Administrator authentication

Meraki
We can connect Meraki APs
Edit settings in the Wi-Fi SSID
Configure the ISE server as the RADIUS server + secret and click test
Input a domain username and password
We need to configure it on the ISE end too

Logging -> Message Catalog
To see more info on logs: maps the message IDs to their text
Can be exported to CSV
Filter on ID 5405 RADIUS request dropped

Logging -> Connection filters
We can filter out noisy clients here, e.g. a Wi-Fi AP that is broken and keeps sending auth requests, filling up the logs

Maintenance -> Repository
Burger menu in the top left -> Administration -> Maintenance 
Add LOCALDISK root path submit

Can add remote servers
FTP
SFTP
TFTP
NFS
CDROM
HTTP
HTTPS

Submit

Upload a patch to ISE server from web interface
Burger menu in the top left -> Administration -> Maintenance -> Localdisk Management
We can upload a patch bundle file (downloaded from Cisco)
Select the hot patch file .tar.gz
We can apply it later; ISE will need to restart to install it

Maintenance -> Operational data purging
You can select how long before logs are deleted
The longer you keep logs the more disk space you need
Enable export repo to export the logs before they are deleted

Upgrade
On the latest version so no need for an upgrade, but this is where you can do it
Run the health check first

Health Checks
Burger menu in the top left -> Administration -> Health Checks
Run before upgrades
Upgrade readiness tool, worth running after a fresh install for a baseline.
Can download the report

Backup and restore
Burger menu in the top left -> Administration -> Backup & Restore
Config backup is light
Operational backup has the logs
We can save to localdisk or to a remote server we configured
It does not back up your certs; you will need to store them manually in a safe place
You can configure a backup schedule

Admin access
Burger menu in the top left -> Administration -> Admin Access 
Authentication (on left) -> Password policy (tab in middle)  -> Password Lifetime
Turn off
Click save


RBAC
Role based access control policy
If you want to set up limited admins
ERS admin - API

Connect to AD (interactive help top right)
External identity sources
Active Directory ->
join point name dcloud.cisco.com
AD domain dcloud.cisco.com
submit
Yes, join nodes
Fill in AD username and password

Groups
Add groups from AD
Retrieve groups
If you have a big org this could take a long time
Select the groups we want to use for auth
You may want to make some AD groups:
ISE-ADMINS
ISE-READ-ONLY
etc

Can change admin authentication to AD


Admin access -> Settings -> Access
Can set login banners
Can set an ASCII banner for the CLI login
Save
Session timeout default is 60

Session info shows who's logged in

Settings

Client provisioning (not on day 1)
FIPS mode (strong security: turns off clear text protocols/old ciphers, can cause issues)
Security settings: turn off TLS 1.0 (may restart)

Alarm settings

Posture
Cover  later

Profiling
Can leave default

Enable session resume and fast reconnect
EAP-FAST
PEAP

RADIUS
Should be nothing to change day1

DTLS tunnels can be enabled

Proxy
For ISE internet updates


SMTP server
Email server for ISE to
Settings -> SMS gateway

NTP servers pool.ntp.org
time.nist.gov


Settings -> API settings

API service settings
enable ERS and OpenAPI

Deploy a patch on CLI
Example is the log4j patch
SSH into the ISE box

Show what patches have been applied:
show logging application hotpatch.log

application install ise-apply-patch-name-SPA.tar.gz LOCALDISK

Deploy a patch via API
Use the REST API to install the patch with curl:
curl --insecure --include --user admin:passw0rd -H "Accept: application/json" -H "Content-Type: application/json" -X POST https://ise.demo.com:443/api/hotpatch/install -d '{"hotpatchName": "ise-apply-patch-name-SPA.tar.gz", "repositoryName": "LOCALDISK"}'

Task status:
curl --insecure --include --user admin:passw0rd -H "Accept: application/json" -X GET https://ise.demo.com:443/api/v1/task/[task-id]


One node we can update manually, but if we have 50 nodes it would be useful to patch them all with one command.


Older version (300-208 SISAS)
Admin -> Network device groups
Create a group (test switch)
Admin -> Network device -> Add
Ping between the switch and the ISE server, and in the other direction

RADIUS 1812/1813
TACACS encrypts the whole session
RADIUS only encrypts the important parts like passwords

Give the RADIUS secret
submit

conf t
aaa new-model
aaa authentication login default enable
radius server ISE
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key <radius-secret>

aaa group server radius ISE-group
 server name ISE

radius-server vsa send authentication
radius-server vsa send accounting
ip device tracking


802.1X auth
EAP (clear text)
EAP-TTLS (tunnelled, some security)

PEAP (tunnelled so it's secure) (Protected EAP)
TLS implies we have certs: self-signed, CA issued, vendor issued

Monitor mode first - lets all traffic through but we can see what's happening
Low impact - some ACLs on the port
Closed - no traffic until authentication

Bob user - may need to auth
BobPC - is a computer

We may want to auth the user and the hardware

We can have a phone and then a PC, and the PC can be running VMs, so we can see multiple MACs on one port.

Single host - 1 MAC only will be authenticated
multi-host - don't use; once one host authenticates the port is open
multi-domain - voice + data. 1 MAC from voice, 1 MAC from data
multi-auth - each device will need to authenticate
MAB - old printers won't have a supplicant so we can allow by MAC when the other methods fail. This is not best practice but can get you out of a hole.

test aaa group ISE-GROUP bob p4ssw0rd new-code

Use the ISE server for dot1x
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server attribute 8 include-in-access-req
dot1x system-auth-control


switchport mode access
spanning-tree portfast
authentication host-mode multi-auth
authentication open
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
authentication port-control auto
no shut

show dot1x all

Connect the ISE server to AD
Policy set triggers if its conditions are met
If yes, the authentication policy rules are checked
If the device is wired 802.1X then use our DC for auth
If that passes go to the authorization policy
If the user had a valid AD username and password then let them in
Default network access is that large set of EAP protocols

Authorization policies:
Policy elements (Policy -> Policy elements)

Policy -> Policy elements -> Authorization -> Downloadable ACLs
We can push an ACL down onto the switch (we can use allow all IPv4 traffic)

Policy -> Policy elements -> Authorization -> Authorization profiles
We can assign which VLAN

show commands:
show authentication sessions
show authentication sessions interface fa0/1
show authentication sessions mac xxxx.xxxx.xxxx details
show interface status
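Added example, not from the course notes: parse the table form of "show authentication sessions" and list which ports were authorised by MAB rather than dot1x, since those (as the notes say) are trusting a spoofable MAC. The sample output is constructed in the classic IOS column layout and is not from a real switch.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "show authentication sessions" output (not a real capture).
SAMPLE_SESSIONS = """\
Interface    MAC Address     Method   Domain   Status         Session ID
Gi1/0/1      0011.2233.4455  dot1x    DATA     Authz Success  0A0409150000001A2B3C4D5E
Gi1/0/1      0022.3344.5566  mab      VOICE    Authz Success  0A0409150000001B2B3C4D5F
Gi1/0/2      0233.4455.6677  mab      DATA     Authz Success  0A0409150000001C2B3C4D60
Gi1/0/3      0044.5566.7788  dot1x    DATA     Authz Failed   0A0409150000001D2B3C4D61
Gi1/0/4      0055.6677.8899  dot1x    UNKNOWN  Running        0A0409150000001E2B3C4D62
"""

# Status may contain a space ("Authz Success"), so it is matched lazily up to the session ID.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<session>\S+)$"
)


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session row; the header line does not match the MAC pattern and is skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def _locally_administered(mac: str) -> bool:
    # Bit 1 of the first byte is the U/L bit; vendor-assigned addresses have it clear.
    return bool(int(mac[:2], 16) & 0x02)


def review(sessions: List[Dict[str, str]]) -> Tuple[Dict[Tuple[str, str], int], List[Dict[str, str]]]:
    """Count sessions per (method, status) and flag MAB-authorised endpoints for a second look."""
    summary: Dict[Tuple[str, str], int] = {}
    flagged: List[Dict[str, str]] = []
    for s in sessions:
        key = (s["method"], s["status"])
        summary[key] = summary.get(key, 0) + 1
        if s["method"] == "mab" and s["status"] == "Authz Success":
            reason = "MAB-authorised (MAC only, spoofable)"
            if _locally_administered(s["mac"]):
                reason += "; locally administered MAC, not a burned-in vendor address"
            flagged.append({"interface": s["iface"], "mac": s["mac"],
                            "domain": s["domain"], "reason": reason})
    return summary, flagged


if __name__ == "__main__":
    counts, to_check = review(parse_sessions(SAMPLE_SESSIONS))
    for (method, status), n in sorted(counts.items()):
        print(f"{method:6} {status:14} {n}")
    for f in to_check:
        print(f["interface"], f["mac"], f["domain"], "-", f["reason"])
```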

Live logs in ISE GUI:
Search for MAC
Click the details ICON to get a full report
Blue icon means we have a session

Sample ISE switchport with details:
switchport host (macro: access mode + portfast)
switchport access vlan 999 (this is a holding VLAN / dead end)
authentication priority dot1x mab (prefer dot1x over mab)
authentication order dot1x mab (try auth with dot1x, if it fails then mab)

authentication event fail action next-method (if dot1x fails try the next method, which is mab)
authentication event server dead action authorize vlan 10 (if ISE is dead put them on VLAN 10)
authentication event server alive action reinitialize (when the server comes back, re-auth)
authentication host-mode multi-domain (1 device in the voice VLAN and 1 in the data VLAN can get authorized)
single-host: just one device gets authorised (good if you have a single PC)
multi-host: once the first host auths, everything after it gets through (usually bad)
multi-auth: everyone can get on but each must be authenticated

authentication violation restrict (send a log message and block the additional MAC)
protect (drops unexpected incoming MAC addresses; no syslog errors are generated)
replace (removes the current session and initiates authentication with the new host)
shutdown (error-disables the port or the virtual port on which an unexpected MAC address occurs)
restrict (generates a syslog error when a violation occurs; puts the port in restricted mode, ignoring the new MAC)

authentication open (monitor mode: traffic is allowed through even if there is no supplicant and neither 802.1x nor mab succeeds)

mab (enable MAB)

dot1x pae authenticator (tells the switch that on this port it should be the authenticator)
dot1x timeout tx-period 5 (how long to wait for a dot1x answer before trying the next method [mab])

authentication port-control auto (use 802.1x and control this port based on the ISE rules)

Find out if your switch supports the dot1x commands
cisco.com/go/fn (Feature Navigator)

Check the 802.1X service on the Windows client
services.msc
look for Wired AutoConfig
change it to started + automatic

If we take a Wireshark capture we will see EAP requests
wireshark display filter "eap"
Look for Request

Properties on the network card
Authentication tab at the top
Enable IEEE 802.1X authentication
MS-PEAP
Settings -> validate server cert is off (self-signed cert; lab only, production clients should validate the server cert)
Configure
Additional settings
User auth
Save credentials -> fill in username and password

Installing an internal CA cert
Browse to your internal CA
http://192.168.1.50/certsrv
Download a CA certificate, chain or CRL
Select DER encoding
Download CA cert
Name it Root-Internal-CA.crt
Save

In ISE
System -> certificates
Import -> select the Internal CA cert
Give it a friendly name
Trust for all

Create CSR
Local certs -> Add -> Generate a CSR
CN=ise.lab.com
2048
SHA256

Go to CSR
Export
Save -> CSR-from-ISE.pem
Open the file and copy all the CSR text

Go back to http://192.168.1.50/certsrv
Request a certificate 
Advanced certificate request
Submit a certificate request 
Paste the csr text
Click submit

Admin must approve
Server Manager -> CA -> Pending Requests -> right click and Issue

Go back to http://192.168.1.50/certsrv
View the status of a pending certificate request
Download DER encoded
ISE-ID.cert

Back to ISE
Add "Bind CA certificate"
Select the ISE-ID.cert
Tick EAP and HTTPS
Save, OK
Server will restart

MAB (MAC authentication bypass)

Some devices like phones, printers and IP cameras won't have an 802.1X supplicant
We can hard code the MAC address

Printer tries dot1x
If that fails
Try MAB: if the MAC is in the list then it will be allowed

IP Source Guard and DHCP snooping would be useful alongside this

We can re-order to try MAB first then 802.1X. We can also set priority: if dot1x works we will use that, etc.

Interface gig0/1
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast


Let the ISE server know it's sending over the MAC address
This might or might not be enabled on the switch
radius-server attribute 6 on-for-login-auth

May need, check debugs
radius-server attribute 25 on-for-login-auth

Shows the authentication details on that port
show authentication sessions int gig0/1

Enable MAB
Try mab first then dot1x
Use dot1x first if both are available

Interface gig0/1
mab
authentication order mab dot1x 
authentication priority dot1x mab

debug radius authentication

We need to set up the MAC addresses in ISE

Admin -> Identity management -> Endpoints
add the MAC
xx:xx:xx:xx:xx:xx

We saw the server needed a reboot after adding the MAC addresses

Phones need the voice VLAN domain permission

You can bulk import MACs
Burger menu > Work Centres > Identities > Import
It gives a template for MAC addresses


Interface range
To reconfigure a lot of ports into the ISE config, the interface range command can be useful to put in the config and roll back

interface range g1/0/1 - 48, g2/0/1 - 48


Diagnostic tool
Menu > Operations > Troubleshoot > Diagnostic tools > Evaluate configuration validator


May need to add the ISE server to the ACL so it can SSH in
Fill in the IP of the switch
username, password and enable
Check for AAA/dot1x and just pick 1 port to see the switch config

The AAA stuff all errored as the RADIUS group name was already in use
error on auth and acct port

ip device tracking did not exist on my 9300

logging transport udp port did not either

Not sure about snmp-server host public (need more research, seems to work without)




Monday 16 October 2023

issue importing cert to palo alto firewall

When trying to import a cert with the private key bundled you get an error:

Import of certificate and private-key CERT-NAME failed. private key doesn't exist for csr.

Importing the signed cert with the same name as the CSR doesn't work. Panorama adds cert_ to the front of the name.

You need to put cert_ in front; for example, if the cert is called CERT-NAME you put cert_CERT-NAME



CSR import

Import the CA bundle if not done already

If you make duplicates you will have to delete them on the CLI

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHyVCAU&lang=en_US

tick your pending CSR

click import

give the same name as your CSR request

select the PEM file

PEM file format

ok

commit

Tuesday 10 October 2023

sophos firewall linked nat

Create a linked NAT rule


Create your firewall rule

Choose create linked NAT rule

In translated source (SNAT) click the drop down and choose MASQ (apply, save, save)

Monday 2 October 2023

find device by mac or IP

Manual way is to connect to each switch: "sh arp" "sh mac address-table"


If you have all Cisco kit

"traceroute mac" or "traceroute mac ip"


Using an NMS will often poll and have this data available (LibreNMS)


You also have the option to create some scripts with python/pexpect/paramiko/netmiko etc
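Added example covering the manual method here and the "sh ip arp" note from the 12 December entry: parse the output of "show ip arp" and "show mac address-table" as collected from a switch, resolve an IP or a MAC (any format) to the port it was learned on, and flag ports that carry many MACs, which usually means an uplink to the next switch. The sample outputs are constructed and the uplink threshold is a heuristic I chose.

```python
import re
from typing import Dict, List, Optional

# Constructed sample outputs in Cisco IOS layout; not from a real switch.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.4.9.21               5   0011.2233.4455  ARPA   Vlan10
Internet  10.4.9.50              12   0022.3344.5566  ARPA   Vlan10
Internet  10.4.9.254              -   0033.4455.6677  ARPA   Vlan10
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0022.3344.5566    DYNAMIC     Gi1/0/48
  10    0044.5566.7788    DYNAMIC     Gi1/0/48
  20    0055.6677.8899    DYNAMIC     Gi1/0/48
  10    0033.4455.6677    STATIC      CPU
Total Mac Addresses for this criterion: 5
"""

MAC_DOTTED = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<mac>" + MAC_DOTTED + r")\s+\S+\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+(?P<mac>" + MAC_DOTTED + r")\s+(?P<type>\S+)\s+(?P<ports>\S.*?)\s*$",
    re.IGNORECASE,
)

# Assumed heuristic: a port that has learned this many MACs is probably a trunk to another switch.
UPLINK_THRESHOLD = 3


def normalise_mac(mac: str) -> str:
    """Accept colon, dash, dotted or bare hex and return Cisco dotted lower case."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_arp(text: str) -> Dict[str, Dict[str, str]]:
    """ip -> {mac, iface} from 'show ip arp' (only works where the switch has an SVI in the VLAN)."""
    out: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            out[m["ip"]] = {"mac": m["mac"].lower(), "iface": m["iface"]}
    return out


def parse_mac_table(text: str) -> List[Dict[str, str]]:
    """Rows of 'show mac address-table'; kept as a list because a MAC can appear in several VLANs."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            rows.append({"vlan": m["vlan"], "mac": m["mac"].lower(), "type": m["type"], "ports": m["ports"]})
    return rows


def locate(query: str, arp_text: str, mac_text: str) -> Optional[Dict[str, object]]:
    """Resolve an IP or a MAC (any format) to the port it was learned on."""
    arp = parse_arp(arp_text)
    table = parse_mac_table(mac_text)
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", query):
        entry = arp.get(query)
        if entry is None:
            return None  # no ARP entry: no L3 interface in that VLAN, or the host has been quiet
        ip, mac = query, entry["mac"]
    else:
        mac = normalise_mac(query)
        ip = next((i for i, e in arp.items() if e["mac"] == mac), None)
    hits = [r for r in table if r["mac"] == mac]
    if not hits:
        return {"ip": ip, "mac": mac, "ports": None}
    port = hits[0]["ports"]
    macs_on_port = sum(1 for r in table if r["ports"] == port)
    return {
        "ip": ip, "mac": mac, "vlan": hits[0]["vlan"], "ports": port,
        "macs_on_port": macs_on_port,
        # Many MACs behind one port means another switch; repeat there (what 'traceroute mac' automates).
        "likely_uplink": macs_on_port >= UPLINK_THRESHOLD,
    }


if __name__ == "__main__":
    for q in ("10.4.9.21", "00:22:33:44:55:66", "10.4.9.254"):
        print(q, "->", locate(q, SHOW_IP_ARP, SHOW_MAC_TABLE))
```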



Wednesday 27 September 2023

Friday 22 September 2023

Thursday 21 September 2023

cdn.devolutions.net and 152.199.21.175

Saw some strange traffic going to 152.199.21.175

After getting a capture, saw it was looking up cdn.devolutions.net

Both the IP and URL had a good reputation but I was trying to tie it to a corp app

Used Sysmon on the server to log DNS requests

Found it was coming from a ManageEngine process

C:\Program Files (x86)\ManageEngine\UEMS_DistributionServer\bin\dcreplication.exe

Wednesday 13 September 2023

info to collect during a vuln

Make/model

SW version

Output of one or more commands

Conclusion

Customer and contact email

Monday 28 August 2023

create custom URL category on palo alto can be used for wildcard URLs

If you have an FQDN then you can just add an FQDN object in the rule


If you want to add a wildcard or multiple URLs in a group then you can create a custom URL category


Objects -> Custom objects -> URL categories -> Add

Add your URLs

*.mail.protection.outlook.com/

smtp.office365.com/


Always end with a / ending token

Blurb from the Palo:

For domain entries, we recommend you use an ending token. Acceptable tokens are: . / ? & = ; +. If you choose not to use an ending token, you may block or allow more URLs than anticipated. For example, if you want to allow xyz.com and enter the domain as 'xyz.com,' you will allow xyz.com and URLs such as xyz.com.random.com. However, if you enter the domain as 'xyz.com/,' you will only allow xyz.com.

More info here:

https://docs.paloaltonetworks.com/advanced-url-filtering/administration/configuring-url-filtering/url-category-exceptions



CLI

set profiles custom-url-category URL-CC-OSCP-CRL description "Custom URL category for OSCP"

set profiles custom-url-category URL-CC-OSCP-CRL type "URL List"

set profiles custom-url-category URL-CC-OSCP-CRL list [ crl.globalsign.net www.d-trust.net cdp1.public-trust.com crl.cnnic.cn crl.entrust.net crl.globalsign.com crl.globalsign.net crl.identrust.com crl.thawte.com crl3.digicert.com crl4.digicert.com s1.symcb.com www.d-trust.net isrg.trustid.ocsp.identrust.com ocsp.digicert.com ocsp.entrust.net ocsp.globalsign.com ocsp.omniroot.com ocsp.startssl.com ocsp.thawte.com ocsp2.globalsign.com ocspcnnicroot.cnnic.cn root-c3-ca2-2009.ocsp.d-trust.net root-c3-ca2-ev-2009.ocsp.d-trust.net s2.symcb.com aia.startssl.com apps.identrust.com cacert.omniroot.com ]
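Added example, my own code rather than anything from Palo Alto: a small matcher that models the ending-token rule in the blurb above (entries without a token prefix-match the whole string, so "xyz.com" also catches xyz.com.random.com; "xyz.com/" pins the host), plus a lint that flags entries missing the token. It treats "*." as "any subdomain, not the apex" and is a simplified model for checking a list before you commit it, not the PAN-OS matching engine itself.

```python
import re
from typing import List, Tuple

# Entries as typed into the custom URL category in the note above.
CATEGORY = ["*.mail.protection.outlook.com/", "smtp.office365.com/"]

# Characters from the blurb that end a domain entry ('.' is handled separately below
# because it also appears inside host names).
END_TOKENS = "/?&=;+"


def _split_url(url: str) -> Tuple[str, str]:
    """Return (host, rest); rest starts at the first '/' or '?'. Any scheme is dropped."""
    u = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    m = re.match(r"^([^/?]*)(.*)$", u)
    return m.group(1), m.group(2)


def entry_matches(entry: str, url: str) -> bool:
    """Apply one category entry to a URL.

    "xyz.com"      no token: prefix match on host+path, so xyz.com.random.com also matches
    "xyz.com/"     token: host must be exactly xyz.com (any path under it)
    "*.xyz.com/"   any subdomain of xyz.com, not xyz.com itself
    "xyz.com/p"    host xyz.com and a path starting with /p
    """
    host, rest = _split_url(url)
    e = entry.strip().lower()
    wildcard = e.startswith("*.")
    if wildcard:
        e = e[2:]
    i = 0
    while i < len(e) and e[i] not in END_TOKENS:
        i += 1
    e_host, e_rest = e[:i], e[i:]
    terminated = bool(e_rest) or e_host.endswith(".")
    e_host = e_host.rstrip(".")
    if wildcard:
        host_ok = host.endswith("." + e_host)
    elif terminated:
        host_ok = host == e_host
    else:
        # No ending token: the over-match the blurb warns about.
        return (host + rest).startswith(e_host)
    if not host_ok:
        return False
    return e_rest in ("", "/") or rest.startswith(e_rest)


def category_matches(entries: List[str], url: str) -> bool:
    return any(entry_matches(e, url) for e in entries)


def lint_entries(entries: List[str]) -> List[str]:
    """Warn about entries with no ending token, which may allow or block more than intended."""
    warnings = []
    for e in entries:
        body = e[2:] if e.startswith("*.") else e
        if not body.endswith(".") and not any(t in body for t in END_TOKENS):
            warnings.append(f"{e}: no ending token, add '/' to stop it matching {body}.something")
    return warnings


if __name__ == "__main__":
    for u in ("tenant-com.mail.protection.outlook.com", "mail.protection.outlook.com", "smtp.office365.com/"):
        print(u, category_matches(CATEGORY, u))
    print(lint_entries(["xyz.com", "xyz.com/"]))
```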

Monday 14 August 2023

CyberSec - eJpt

Information gathering

Collecting info about what we are targeting (company, website/URL/IP, app, servers, people etc)

The scope can be wide or narrow.


People info gathering

Names and email format are what we usually want for a phishing attack

We can also look at social media: LinkedIn, Facebook, Instagram etc


Passive info gathering aka OSINT (open source intelligence)

We don't need permission because it's publicly available information

Get as much as we can without actively engaging the target (open source intel)

Publicly available information.

Visit public websites

examples:

  • IP ranges and DNS info
  • Domain names and ownership info
  • Subdomains
  • Email and social media
  • Web tech being used on target sites (IIS, nginx etc)


Penetration testing method

Passive info gatherin (OSINT, DNS IP recon, social media, google)

Active info gathering (network/app/port scanning, calling up asking for info)

Enumeration (service/user/share enumeration)

Vulnerability scanning

Exploitation (use existing, modify or develop exploit)

Post exploitation 

  • Local enumeration from the inside
  • Privilege escalation
  • Credential access 
  • Persistence 
  • Defense evasion
  • Lateral movement

Reporting (writing of report / recommendation on remediation) 


Active info gathering

We need permission

Scanning IP ranges

Scanning IPs for open ports (nmap/nessus)

Open ports tell us which services are running, and we can then look for vulnerabilities in those services

Discovering open ports

examples:

  • nmap scan to discover open ports
  • Nessus scan to discover vulnerabilities
  • Enumerating info from target systems

Website recon and foot printing
IP addresses
Directories hidden from search engines


Host command (in kali)
host website.com
website.com has address 10.10.10.10
website.com has IPv6 address 2axx:4xx:1xx:4xxx::2
website.com mail is handled by 5 esa.website.com.
website.com mail is handled by 10 esa2.website.com.
website.com mail is handled by 15 esa3.website.com.

Often we might see a website hosted by a proxy like cloudflare

Robots.txt
Robots.txt is read by search engines; it tells them which directories not to crawl.

Browse to www.website.com/robots.txt

User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/

Sitemap: https://www.website.ie/sitemap.xml
Sitemap: https://www.website.ie/sitemap.rss

We can see they disallow /wp-admin/; that wp-admin folder tells us it's a WordPress site.

Sitemap.xml
Sitemap is again for search engines to index the site.
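Here is a small parser for a robots.txt body, added as an example (it is not part of these notes or of any tool): it pulls out the Disallow/Allow paths and Sitemap URLs and maps known path fragments such as /wp-admin/ to the platform they suggest. The sample robots.txt is constructed to match the one above; website.ie and the PLATFORM_HINTS table are assumptions.

```python
"""Parse a robots.txt body and summarise what it discloses.

Added example, not part of the original notes. SAMPLE_ROBOTS is constructed
to match the robots.txt quoted in the notes (website.ie is a placeholder).
"""
from __future__ import annotations

SAMPLE_ROBOTS = """\
User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/

Sitemap: https://www.website.ie/sitemap.xml
Sitemap: https://www.website.ie/sitemap.rss
"""

# Assumed mapping of path fragments to the platform they usually indicate.
PLATFORM_HINTS = {
    "/wp-admin/": "WordPress",
    "/wp-content/": "WordPress",
    "/administrator/": "Joomla",
    "/user/login": "Drupal",
}


def parse_robots(body: str) -> dict:
    """Parse a robots.txt body into disallowed paths, allowed paths and sitemaps.

    Directive names are case-insensitive; '#' comments and blank lines are
    ignored, as crawlers do.
    """
    result = {"disallow": [], "allow": [], "sitemaps": []}
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "disallow" and value:
            result["disallow"].append(value)
        elif key == "allow" and value:
            result["allow"].append(value)
        elif key == "sitemap" and value:
            result["sitemaps"].append(value)
    return result


def platform_hints(parsed: dict) -> list[str]:
    """Platforms suggested by the paths robots.txt exposes (e.g. /wp-admin/ -> WordPress)."""
    hints = []
    for path in parsed["disallow"] + parsed["allow"]:
        for fragment, platform in PLATFORM_HINTS.items():
            if fragment in path and platform not in hints:
                hints.append(platform)
    return hints


def disclosed_paths(parsed: dict) -> list[str]:
    """Paths robots.txt advertises without protecting them.

    A Disallow line only asks polite crawlers to stay away; the path is still
    served, so anything listed here needs access control or removal.
    """
    return sorted(set(parsed["disallow"]))


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    print("disallowed:", parsed["disallow"])
    print("sitemaps:", parsed["sitemaps"])
    print("platform hints:", platform_hints(parsed))
```

From the defender's side the useful function is disclosed_paths: every Disallow entry is a path you have just published, so if it should be private, put access control on it rather than relying on robots.txt.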

Firefox plugin BuiltWith
This plugin shows what is running on the site
Will see widgets and plugins

Whatweb (kali)
whatweb website.ie

Download the full website with HTTrack
HTTrack (Windows and Linux) downloads a copy of the site so we can look at the source code offline.

Whois (kali, also many websites) - looking up the registration details of a domain
Main info to gather from the whois output:
Registrar: which registrar the domain was registered with
Updated Date: when the domain was renewed
Created Date: when it was created
Registry Expiry Date: when the domain will expire
Name Server: can point to a proxy like Cloudflare
DNSSEC: we might see the owner of the domain unless DNSSEC is enabled

whois zonetransfer.me

https://who.is  (useful website for running who.is)

whois x.x.x.x (where x.x.x.x is public IP)

Website footprinting with netcraft
netcraft.com is a web tool which gathers lots of the passive recon information for us in one location

DNS recon
dnsrecon -d domain.com

dnsdumpster.com - free website which organises the same information nicely

We can see name servers, SRV, TXT, mx records and subdomains

WAF with WAFW00f (kali)
WAF is a web application firewall
WAFW00f is a WAF fingerprinting tool
wafw00f https://zonetransfer.me

Subdomain enumeration with sublist3r (kali)
Sublist3r checks the search engines to see if a subdomain was indexed at some stage

sublist3r -d domain.com -e google,yahoo
sublist3r -d domain.com (this will search with all search engines)

Keep in mind results won't be 100% but very useful.
It will make lots of requests to the engines so you may need a VPN to change connection to get it to work.

Google Dorks aka google hacking
site:domain.com
site:domain.com inurl:admin (look for an admin panel)
site:domain.com inurl:forum (look for a forum)
site:*.domain.com (show all the subdomains)
Sometimes subdomains are publicly available that shouldn't be

site:*.domain.com intitle:admin (look for admin page)

site:*.domain.com filetype:pdf (look for pdf files)

site:*.domain.com employees
site:*.domain.com team

intitle:"index of"

Looking for older versions of the website for information like names, email addresses etc.
cache:domain.com
The Wayback Machine (web.archive.org)

Looking for leaked usernames and passwords
inurl:auth_user_file.txt
inurl:passwd.txt

Google hacking database (https://www.exploit-db.com/google-hacking-database)
look up google dorks for wordpress for example

email harvesting with theHarvester (kali)
Searches on search engines and sites like linkedin and several other websites

Spyse - paid site worth considering


Leaked password databases
When we find email addresses, check whether their data has been leaked at some stage
Quick way to check if an email you found is in a data breach
https://haveibeenpwned.com/

DNS zone transfers
A DNS server is like a phone directory: a list of hostnames mapped to IP addresses
Cloud flare: 1.1.1.1
Google: 8.8.8.8

DNS record types
A - Resolves hostname to IPv4 address
AAAA - Resolves hostname to IPv6 address
NS - The domain's name server
MX - Where the email server is
CNAME - Aliases
TXT - text info, often used to authenticate ownership of a domain
HINFO - host information
SOA - Start of authority (the domain's authoritative info)
SRV - Service records
PTR - resolves IP to hostname

DNS Interrogation
Probe the DNS server for more info

DNS zone transfer
Admins may want to copy or transfer zone files from one DNS server to another. The process is known as a zone transfer.

If it is left misconfigured, we can attempt a zone transfer from the primary DNS server to another server.
A DNS zone transfer can provide pentesters with a holistic view of an organization's network layout.
Internal network addresses may be found on the org's DNS servers.

dnsrecon -d zonetransfer.ie

Active action:
dnsenum zonetransfer.ie

Zone transfer with dig
dig axfr @[name-server] [domain]
dig axfr @ns2cm1.digi.ninja zonetransfer.me

Brute force domains with fierce
fierce -dns zonetransfer.me
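An added example, not part of these notes or of dig/dnsrecon: it parses the record lines from a dig AXFR dump, groups them by type, lists the owner names (the subdomain list a transfer hands out) and reports which names resolve to private (RFC 1918 / ULA) addresses, which is the leakage described above. SAMPLE_ZONE is constructed in dig's output format; example.com and every address in it are made up.

```python
"""Audit the records from a DNS zone dump for internal-address leakage.

Added example, not from the original notes. SAMPLE_ZONE is constructed in
the format dig prints for an AXFR (name TTL class type rdata); example.com
and all addresses are made up.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_ZONE = """\
; <<>> DiG 9.18.1 <<>> axfr @ns1.example.com example.com
example.com.        7200 IN SOA  ns1.example.com. hostmaster.example.com. 2023081401 172800 900 1209600 3600
example.com.        7200 IN NS   ns1.example.com.
example.com.        7200 IN MX   10 mail.example.com.
example.com.        7200 IN TXT  "v=spf1 mx -all"
www.example.com.    7200 IN A    203.0.113.10
www.example.com.    7200 IN AAAA 2001:db8::10
mail.example.com.   7200 IN A    203.0.113.25
intranet.example.com. 300 IN A   10.1.5.20
vpn.example.com.    300  IN A    192.168.100.1
_sip._tcp.example.com. 300 IN SRV 0 5 5060 sip.example.com.
sip.example.com.    300  IN CNAME intranet.example.com.
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

# Address space that should never appear in a public zone: RFC 1918 and IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_zone(text):
    """Return a list of (name, type, rdata) tuples, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.append((name, rtype, rdata))
    return records


def records_by_type(records):
    """{type: [(name, rdata), ...]} so NS, MX, TXT and SRV can be reviewed separately."""
    by_type = defaultdict(list)
    for name, rtype, rdata in records:
        by_type[rtype].append((name, rdata))
    return dict(by_type)


def zone_hostnames(records):
    """Every owner name in the zone: the subdomain list a transfer hands out."""
    return sorted({name for name, _rtype, _rdata in records})


def is_internal(address):
    """True for RFC 1918 / ULA addresses (ipaddress handles v4/v6 mismatch as False)."""
    return any(address in net for net in INTERNAL_NETS)


def leaked_internal_hosts(records):
    """(name, address) for A/AAAA records pointing into internal address space."""
    leaks = []
    for name, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata, not our concern here
        if is_internal(addr):
            leaks.append((name, rdata))
    return leaks


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for rtype, entries in sorted(records_by_type(recs).items()):
        print(rtype, len(entries))
    print("internal addresses exposed:", leaked_internal_hosts(recs))
```

A public zone that answers AXFR to anyone hands out everything this script prints; the fix on the server side is to restrict transfers to the secondaries (allow-transfer in BIND) and to keep internal names in a separate, internal-only zone.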

Host discovery with nmap
nmap -sn x.x.x.x/24 (ping sweep, no port scan)

The idea is to gather IP's with a ping sweep, then run port scans on the IPs we see are up.

Netdiscover
nmap uses ping/ICMP and netdiscover uses ARP
sudo netdiscover -i eth0 -r 192.168.3.0/24

Port scanning with nmap
nmap -Pn x.x.x.x

nmap -Pn -p- x.x.x.x (scan all ports will take a long time)

nmap -Pn -p 80 x.x.x.x (scan port 80)

nmap -Pn -p1-10  x.x.x.x (scan a range)

nmap -Pn -F x.x.x.x (fast scan of commonly used ports)

nmap -Pn -sU x.x.x.x (use UDP)

Find IPs
Scan for open ports
Look for services
Look for service versions
Look for vulnerabilities 

service version detection
nmap -Pn -F -sV x.x.x.x (service version detection, takes longer)

-O OS detection
nmap -Pn -F -sV -O x.x.x.x -v

-sC (script scan to get more info)

We may need to speed up/slow down scans to avoid detection. We can use -T. Lower value is slower, higher value is faster (more chance to be detected by IPS etc).

-T 
0 paranoid
1 sneaky
2 polite
3 normal
4 aggressive
5 insane 

We can output nmap to files 
-oN scan.txt
-oX scan.xml (can be imported into Metasploit) 

Assessment Methods: footprinting + scanning

Mapping a network
Define the scope
What is the most useful use of your time?
How do we reach the network: physical access, site-to-site VPN, or dial in
Or no help at all: you must gain physical or digital access yourself

Get on the network (physical or remote access)
sniffing 
Passive recon, watch the network, learn

ARP - resolves IP to MAC address, can arp the full subnet to learn about the network
ICMP (ping and traceroute) 
type 8 is echo request (ping) we can ping the subnet to see what responds.

Network Tools
Wireshark
ArpScan
ping
Fping
nmap and zenmap

Arpscan CLI
sudo arp-scan -I eth0 192.168.3.0/24

Fping CLI
fping -I eth0 -g 192.168.3.0/24 -a 2> /dev/null

Good idea to arp and ping the subnet.

Nmap CLI
nmap -sn 192.168.3.0/24
nmap also sends a TCP SYN

Wireshark
Run a capture
Run all your scans
Check hosts

Zenmap is gui version of nmap


Nmap OS and service detection
We can find OS and service versions with nmap; below is how it works at the packet level

Standard TCP 3WHS
open port
SYN >
SYN+ACK <
ACK >
RST+ACK >

closed port
SYN >
RST+ACK <

Stealth scan
SYN >
SYN+ACK <
RST >

In the stealth scan we close the 3WHS as soon as we get the SYN+ACK back; at that point we already know the port is open and a server is responding.

Service detection
SYN >
SYN+ACK <
ACK >
BANNER <   (service info here eg openssh v1.0)
RST+ACK >

In service detection we read the data provided by the server.
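An added example (not from these notes or from nmap) that looks at the same exchanges from the defender's side: it groups packet records into flows, names each flow the way the diagrams above do (complete, half-open, closed, unanswered) and flags a client that probes many ports on one host without ever completing a handshake, which is the stealth-scan signature an IDS keys on. The record layout (time, src, dst, sport, dport, flags) and all addresses are constructed.

```python
"""Classify TCP exchanges and flag SYN (stealth) scans.

Added example, not from the original notes or from nmap. SAMPLE_PACKETS is a
constructed sensor log: 10.0.0.99 probes 192.168.3.10 and 10.0.0.5 makes a
normal connection. Record format (assumed): (time, src, dst, sport, dport, flags).
"""
from collections import defaultdict

SAMPLE_PACKETS = [
    (1.00, "10.0.0.99", "192.168.3.10", 40001, 22, "SYN"),
    (1.01, "192.168.3.10", "10.0.0.99", 22, 40001, "SYN+ACK"),
    (1.02, "10.0.0.99", "192.168.3.10", 40001, 22, "RST"),      # scanner aborts: port open
    (1.10, "10.0.0.99", "192.168.3.10", 40002, 23, "SYN"),
    (1.11, "192.168.3.10", "10.0.0.99", 23, 40002, "RST+ACK"),  # target refuses: port closed
    (1.20, "10.0.0.99", "192.168.3.10", 40003, 80, "SYN"),
    (1.21, "192.168.3.10", "10.0.0.99", 80, 40003, "SYN+ACK"),
    (1.22, "10.0.0.99", "192.168.3.10", 40003, 80, "RST"),
    (1.30, "10.0.0.99", "192.168.3.10", 40004, 445, "SYN"),
    (1.31, "192.168.3.10", "10.0.0.99", 445, 40004, "RST+ACK"),
    (1.40, "10.0.0.99", "192.168.3.10", 40005, 3306, "SYN"),    # no reply: filtered
    (5.00, "10.0.0.5", "192.168.3.10", 50000, 80, "SYN"),
    (5.01, "192.168.3.10", "10.0.0.5", 80, 50000, "SYN+ACK"),
    (5.02, "10.0.0.5", "192.168.3.10", 50000, 80, "ACK"),       # real client completes the 3WHS
]


def build_flows(packets):
    """Group packets into flows keyed by (client, server, server_port).

    The client is whoever sent the bare SYN; later packets are attributed to
    the client or server side by matching the key in either direction.
    """
    flows = {}
    for t, src, dst, sport, dport, flags in packets:
        if flags == "SYN":
            flow = flows.setdefault((src, dst, dport), {"first": t, "client": [], "server": []})
            flow["client"].append(flags)
        elif (src, dst, dport) in flows:
            flows[(src, dst, dport)]["client"].append(flags)
        elif (dst, src, sport) in flows:
            flows[(dst, src, sport)]["server"].append(flags)
    return flows


def classify(flow):
    """Name the exchange the way the diagrams do."""
    client, server = flow["client"], flow["server"]
    if "SYN+ACK" in server and "ACK" in client:
        return "complete"      # full 3WHS, a real connection
    if "SYN+ACK" in server and "RST" in client:
        return "half-open"     # SYN, SYN+ACK, RST: stealth-scan signature, port open
    if "RST+ACK" in server:
        return "closed"        # SYN answered with RST+ACK
    return "unanswered"        # filtered, or still waiting for a reply


def port_states(packets):
    """{(client, server, port): classification} for every flow seen."""
    return {key: classify(flow) for key, flow in build_flows(packets).items()}


def detect_syn_scans(packets, min_ports=3, window=10.0):
    """Clients that touched >= min_ports distinct ports on one server within
    `window` seconds without completing a handshake. Returns {(client, server): [ports]}."""
    probes = defaultdict(list)
    for (client, server, port), flow in build_flows(packets).items():
        if classify(flow) != "complete":
            probes[(client, server)].append((flow["first"], port))
    alerts = {}
    for pair, hits in probes.items():
        hits.sort()
        for i in range(len(hits)):
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            if j - i >= min_ports:
                alerts[pair] = sorted({port for _, port in hits[i:j]})
                break
    return alerts


if __name__ == "__main__":
    for key, state in port_states(SAMPLE_PACKETS).items():
        print(key, state)
    print("scan alerts:", detect_syn_scans(SAMPLE_PACKETS))
```

The thresholds are deliberately low for the sample; on a real sensor the window and port count are tuned against normal traffic, and the half-open flows (SYN, SYN+ACK, RST with no data) are what distinguish a scanner from a busy but legitimate client.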

NMAP basic switches
nmap -h (help, lots of options here)

-sV Service detection
-sC Scripts default
-A aggressive mode (loud) does all the scans
-O OS detection
--exclude (exclude certain hosts from scanning)
-A does OS detection, version detection, script scan and traceroute

Scan targets from a file
nmap -iL ip-list.txt

Other scan tools
Masscan - fast scanner for big networks
RustScan - written in Rust (a low level language) so it is fast
AutoRecon - keeps scanning / doing recon

Nmap Scan Techniques

SWITCH | EXAMPLE | DESCRIPTION
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default)
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege)
-sU | nmap 192.168.1.1 -sU | UDP port scan
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan
-sW | nmap 192.168.1.1 -sW | TCP Window port scan
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan


Host Discovery

SWITCH | EXAMPLE | DESCRIPTION
-sL | nmap 192.168.1.1-3 -sL | No scan. List targets only
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default
-PR | nmap 192.168.1.1-1/24 -PR | ARP discovery on local network
-n | nmap 192.168.1.1 -n | Never do DNS resolution


Port Specification

SWITCH | EXAMPLE | DESCRIPTION
-p | nmap 192.168.1.1 -p 21 | Port scan for port x
-p | nmap 192.168.1.1 -p 21-100 | Port range
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports
-p- | nmap 192.168.1.1 -p- | Port scan all ports
-p | nmap 192.168.1.1 -p http,https | Port scan from service name
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports)
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off initial port in range makes the scan start at port 1
-p0- | nmap 192.168.1.1 -p0- | Leaving off end port in range makes the scan go through to port 65535

Service and Version Detection

SWITCH | EXAMPLE | DESCRIPTION
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on port
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9. Higher number increases possibility of correctness
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

OS Detection

SWITCH | EXAMPLE | DESCRIPTION
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found it will not try OS detection against host
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute

Timing and Performance

SWITCH | EXAMPLE | DESCRIPTION
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0) Intrusion Detection System evasion
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1) Intrusion Detection System evasion
-T2 | nmap 192.168.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 | nmap 192.168.1.1 -T3 | Normal (3) which is default speed
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap 192.168.1.1 -T5 | Insane (5) speeds scan; assumes you are on an extraordinarily fast network

Timing and Performance Switches

SWITCH | EXAMPLE INPUT | DESCRIPTION
--host-timeout <time> | 1s; 4m; 2h | Give up on target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Send packets no slower than <number> per second
--max-rate <number> | 100 | Send packets no faster than <number> per second

NSE Scripts

SWITCH | EXAMPLE | DESCRIPTION
-sC | nmap 192.168.1.1 -sC | Scan with default NSE scripts. Considered useful for discovery and safe
--script default | nmap 192.168.1.1 --script default | Scan with default NSE scripts. Considered useful for discovery and safe
--script | nmap 192.168.1.1 --script=banner | Scan with a single script. Example banner
--script | nmap 192.168.1.1 --script=http* | Scan with a wildcard. Example http
--script | nmap 192.168.1.1 --script=http,banner | Scan with two scripts. Example http and banner
--script | nmap 192.168.1.1 --script "not intrusive" | Scan default, but remove intrusive scripts
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 | NSE script with arguments

Useful NSE Script Examples

COMMAND, then DESCRIPTION on the following line:

nmap -Pn --script=http-sitemap-generator scanme.nmap.org
    http site map generator

nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
    Fast search for random web servers

nmap -Pn --script=dns-brute domain.com
    Brute forces DNS hostnames guessing subdomains

nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv 192.168.1.1
    Safe SMB scripts to run

nmap --script whois* domain.com
    Whois query

nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
    Detect cross site scripting vulnerabilities

nmap -p80 --script http-sql-injection scanme.nmap.org
    Check for SQL injections

Firewall / IDS Evasion and Spoofing

SWITCH | EXAMPLE | DESCRIPTION
-f | nmap 192.168.1.1 -f | Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters
--mtu | nmap 192.168.1.1 --mtu 32 | Set your own offset size
-D | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1 | Send scans from spoofed IPs
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | Above example explained
-S | nmap -S www.microsoft.com www.facebook.com | Scan Facebook from Microsoft (-e eth0 -Pn may be required)
-g | nmap -g 53 192.168.1.1 | Use given source port number
--proxies | nmap --proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1 | Relay connections through HTTP/SOCKS4 proxies
--data-length | nmap --data-length 200 192.168.1.1 | Appends random data to sent packets

Output

SWITCH | EXAMPLE | DESCRIPTION
-oN | nmap 192.168.1.1 -oN normal.file | Normal output to the file normal.file
-oX | nmap 192.168.1.1 -oX xml.file | XML output to the file xml.file
-oG | nmap 192.168.1.1 -oG grep.file | Grepable output to the file grep.file
-oA | nmap 192.168.1.1 -oA results | Output in the three major formats at once
-oG - | nmap 192.168.1.1 -oG - | Grepable output to screen. -oN -, -oX - also usable
--append-output | nmap 192.168.1.1 -oN file.file --append-output | Append a scan to a previous scan file
-v | nmap 192.168.1.1 -v | Increase the verbosity level (use -vv or more for greater effect)
-d | nmap 192.168.1.1 -d | Increase debugging level (use -dd or more for greater effect)
--reason | nmap 192.168.1.1 --reason | Display the reason a port is in a particular state, same output as -vv
--open | nmap 192.168.1.1 --open | Only show open (or possibly open) ports
--packet-trace | nmap 192.168.1.1 -T4 --packet-trace | Show all packets sent and received
--iflist | nmap --iflist | Shows the host interfaces and routes
--resume | nmap --resume results.file | Resume a scan

Helpful Nmap Output examples

COMMAND, then DESCRIPTION on the following line:

nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open
    Scan for web servers and grep to show which IPs are running web servers

nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt
    Generate a list of the IPs of live hosts

nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt
    Append IPs to the list of live hosts

ndiff scan1.xml scan2.xml
    Compare output from two nmap scans using ndiff

xsltproc nmap.xml -o nmap.html
    Convert nmap xml files to html files

grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
    Reverse sorted list of how often ports turn up
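The grep/cut/sort one-liners above work on nmap's grepable (-oG) output. As an added example, not part of these notes or of nmap, here is the same work done in Python: it parses -oG lines into per-host port records, lists which hosts run a given service, counts how often each open port turns up, and diffs what the scan sees against an allow-list of ports that should be exposed. SAMPLE_GREPABLE is constructed in the -oG line format; the 192.168.3.x hosts, hostname and version strings are made up.

```python
"""Parse nmap grepable (-oG) output into per-host port records.

Added example, not from the original notes or from nmap. SAMPLE_GREPABLE is
constructed in the -oG line format; hosts, names and versions are made up.
"""
import re
from collections import Counter

SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Aug 14 10:00:00 2023 as: nmap -p 22,80,445,3306 -sV -oG - 192.168.3.0/24
Host: 192.168.3.1 ()\tStatus: Up
Host: 192.168.3.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (2)
Host: 192.168.3.10 (fileserver.lab)\tStatus: Up
Host: 192.168.3.10 (fileserver.lab)\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.x/, 3306/filtered/tcp//mysql///\tIgnored State: closed (2)
Host: 192.168.3.20 ()\tStatus: Up
Host: 192.168.3.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: closed (2)
# Nmap done at Mon Aug 14 10:00:42 2023 -- 256 IP addresses (3 hosts up) scanned in 42.10 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip, hostname = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        # Tab-separated "Label: value" fields follow the host.
        fields = dict(f.split(":", 1) for f in line.split("\t") if ":" in f)
        for spec in fields.get("Ports", "").split(","):
            parts = spec.strip().split("/")
            # port/state/protocol/owner/service/rpc-info/version/
            if len(parts) < 7:
                continue
            entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def hosts_running(hosts, service):
    """IPs with the named service open (the 'grep open' web-server one-liner)."""
    return sorted(ip for ip, h in hosts.items()
                  if any(state == "open" and svc == service
                         for _port, state, _proto, svc, _ver in h["ports"]))


def port_frequency(hosts):
    """(port, proto) pairs by how many hosts expose them, most common first
    (the sort | uniq -c | sort -rn pipeline above)."""
    counter = Counter()
    for h in hosts.values():
        for port, state, proto, _svc, _ver in h["ports"]:
            if state == "open":
                counter[(port, proto)] += 1
    return counter.most_common()


def unexpected_services(hosts, allowed):
    """(ip, port, service) for open ports outside the allowed set: the defender's
    diff between what the scan sees and what should be exposed."""
    return sorted((ip, port, svc) for ip, h in hosts.items()
                  for port, state, _proto, svc, _ver in h["ports"]
                  if state == "open" and port not in allowed)


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_GREPABLE)
    print("ssh hosts:", hosts_running(hosts, "ssh"))
    print("port frequency:", port_frequency(hosts))
    print("not on the allow-list:", unexpected_services(hosts, {22, 80, 445}))
```

Running parse_grepable over the -oG output of a scheduled scan and feeding unexpected_services an allow-list is a cheap way to catch a service that appeared on a host without a change ticket.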

Miscellaneous Nmap Flags

SWITCH | EXAMPLE | DESCRIPTION
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning
-h | nmap -h | nmap help screen

Other Useful Nmap Commands

COMMAND, then DESCRIPTION on the following line:

nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
    Discovery only on ports x, no port scan

nmap 192.168.1.1-1/24 -PR -sn -vv
    ARP discovery only on local network, no port scan

nmap -iR 10 -sn --traceroute
    Traceroute to random targets, no port scan

nmap 192.168.1.1-50 -sL --dns-servers 192.168.1.1
    Query the internal DNS for hosts, list targets only

nmap 192.168.1.1 --packet-trace
    Show the details of the packets that are sent and received during a scan and capture the traffic

Enumeration (learn more)

Before any attack we just look around. Maybe there is misconfig or default passwords.

SMB - Server Message Block (windows file shares)
Runs on port 445
nmap -sV -sC 192.168.3.10 will find SMB details

Can map drive in windows with "net use"
net use Z: \\192.168.3.10\c$ smbpw /user:admin

Nmap can be used to enumerate SMB

nmap -p 445 --script smb-protocols,smb-security-mode x.x.x.x

SMBv1 is dangerous and default usernames/passwords are bad
smb-enum-sessions (see when a user logged in)
smb-enum-shares (IPC$ null session anonymous)

print$ for sharing printers

smb-enum-users
look for default and guest accounts and try the default passwords

smb-enum-domains
smb-enum-groups

Sometimes important doc's are left on print$

smbmap -u guest -p "" -f . -H x.x.x.x

We expect the guest account to be read only on IPC$ and print$ and to have NO access to anything else
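To turn that expectation into a check, here is an added example (not from these notes or from smbmap) that parses an smbmap-style share listing and reports every share whose guest permissions differ from the baseline just stated: IPC$ and print$ READ ONLY, everything else NO ACCESS. SAMPLE_LISTING is constructed in smbmap's tab-separated layout; fileserver.lab and the share names are made up.

```python
"""Audit guest/anonymous SMB share permissions against a baseline.

Added example, not from the original notes or from smbmap. SAMPLE_LISTING is
constructed in the tab-separated shape of an smbmap share listing; the host
and shares are made up.
"""

SAMPLE_LISTING = """\
[+] IP: 192.168.3.10:445\tName: fileserver.lab
\tDisk\tPermissions\tComment
\t----\t-----------\t-------
\tADMIN$\tNO ACCESS\tRemote Admin
\tC$\tNO ACCESS\tDefault share
\tIPC$\tREAD ONLY\tRemote IPC
\tprint$\tREAD ONLY\tPrinter Drivers
\tpublic\tREAD, WRITE\tStaff drop folder
"""

# Baseline from the notes: guest may read IPC$ and print$ and nothing else.
GUEST_BASELINE = {"IPC$": "READ ONLY", "print$": "READ ONLY"}
DEFAULT_EXPECTED = "NO ACCESS"


def parse_share_listing(text):
    """Return {share: permissions} from an smbmap-style listing."""
    shares = {}
    for line in text.splitlines():
        if not line.startswith("\t"):
            continue  # the [+] IP header line
        cols = line.split("\t")
        if len(cols) < 3:
            continue
        share, perms = cols[1].strip(), cols[2].strip()
        if not share or share in ("Disk", "----"):
            continue  # column header and underline rows
        shares[share] = perms
    return shares


def audit_guest_access(shares, baseline=GUEST_BASELINE):
    """(share, actual, expected) for every share that departs from the baseline."""
    findings = []
    for share, perms in shares.items():
        expected = baseline.get(share, DEFAULT_EXPECTED)
        if perms != expected:
            findings.append((share, perms, expected))
    return findings


def writable_shares(shares):
    """Shares the account can write to; stray documents (and worse) collect here."""
    return sorted(share for share, perms in shares.items() if "WRITE" in perms)


if __name__ == "__main__":
    shares = parse_share_listing(SAMPLE_LISTING)
    for share, actual, expected in audit_guest_access(shares):
        print(f"{share}: guest has {actual}, expected {expected}")
    print("writable:", writable_shares(shares))
```

The same function works for any account by swapping the baseline dict; a finding on C$ or ADMIN$ for guest is the one to fix first.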

With an account with rights

-x 'ipconfig'
--upload /backdoor.txt C:\backdoor.txt
--download 'c$:\loot.txt'



Other linux tools for SMB
nmap x.x.x.x -sV -p 139,445

msfconsole (metasploit)

use auxiliary/scanner/smb/smb_version
show options
set Rhosts x.x.x.x
run 
exit

use auxiliary/scanner/smb/smb2
show options
set Rhosts x.x.x.x

nmblookup -A x.x.x.x

A NetBIOS name with the <20> suffix means we can connect (it is the file server service)

smbclient -L x.x.x.x -n

rpcclient -U '' -N x.x.x.x

enum4linux -o x.x.x.x

Enumeration is all about finding information to use again later, for example we can find out who has access to a certain folder and then target that user.

Connecting with word lists when we don't have passwords
use auxiliary/scanner/smb/smb_login
info
show options
set Rhosts x.x.x.x
set pass_file /usr/share/wordlist.txt
set smbuser bob
run 

Hydra 
gzip -d /usr/share/rockyou.txt.gz
hydra -l admin -P /rockyou.txt x.x.x.x smb
smbmap -H x.x.x.x -u admin -p Password01

Other services and pipes
Lots of other services use SMB and they connect via "pipes"
If we know what to look for we can get info from the other services

use auxiliary/scanner/smb/pipe_auditor
info
show options
set Rhosts x.x.x.x
set smbuser bob
set smbpass <password>
options
run 

Named pipes returned 
\netlogon
\lsarpc
\samr
\eventlog
\initshutdown
\ntsvcs
\srvsvc
\wkssvc

Maybe we can use this info later

FTP (TCP port 21)

nmap -p 21 -sV -O 192.168.1.100

ftp in cmd prompt
ftp 192.168.1.100
Try nothing for username and password (anon login)

Hydra
hydra -l <user> -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.168.1.100 ftp

nmap 192.168.1.100 --script ftp-brute --script-args userdb=/root/users -p 21

The file /root/users contains a username list

FTP anon login with nmap
nmap 192.168.1.100 -p 21 --script ftp-anon 
username: anonymous
password: (blank)

SSH (TCP 22)
nmap 192.168.1.100 -sV -O
You may see SSH ver and hosting server ver

ssh root@192.168.1.100

nc 192.168.1.100 22

You may get a banner/welcome message 

Check algorithms
nmap 192.168.1.100 -p 22 --script ssh2-enum-algos
some other scripts
ssh-hostkey
--script-args ssh-hostkey=full

--script ssh-auth-methods --script-args="ssh.user=student" 
(can try username admin, root, etc)

SSH brute force

Unzip the rockyou pw list
gzip -d /usr/share/wordlists/rockyou.txt.gz

Run hydra
hydra -l student -P /root/rockyou.txt 192.168.1.100 ssh

Hydra may return a password found in the list

echo "administrator" > user

nmap 192.168.1.100 -p 22 --script ssh-brute --script-args userdb=/.../user

msfconsole
msfconsole 
use auxiliary/scanner/ssh/ssh_login
show options 
set rhosts 192.168.1.100
set userpass_file /usr/share/.../root_userpass.txt
set STOP_ON_SUCCESS true
set verbose true
options (to show all options)
run

ssh root@192.168.1.100
ls
whoami
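The smb_login and hydra runs above show up on the target as bursts of failed logins, which is what a defender looks for. Here is an added example (not from these notes or from any of those tools) that parses sshd lines in the Linux auth.log format and flags a source with many failures in a short window, together with any success from the same source inside that window, the "hydra found a password" case. SAMPLE_AUTH_LOG is constructed; web01 and the addresses are made up, and because syslog lines carry no year, strptime assigns 1900 to all of them, which is fine for the relative comparisons made here.

```python
"""Detect password-guessing bursts in sshd log lines.

Added example, not from the original notes or from hydra/metasploit.
SAMPLE_AUTH_LOG is constructed in the Linux auth.log syslog format; the host
and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Aug 14 10:01:02 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.99 port 40211 ssh2
Aug 14 10:01:03 web01 sshd[2103]: Failed password for student from 10.0.0.99 port 40212 ssh2
Aug 14 10:01:03 web01 sshd[2105]: Failed password for student from 10.0.0.99 port 40213 ssh2
Aug 14 10:01:04 web01 sshd[2107]: Failed password for student from 10.0.0.99 port 40214 ssh2
Aug 14 10:01:04 web01 sshd[2109]: Failed password for root from 10.0.0.99 port 40215 ssh2
Aug 14 10:01:05 web01 sshd[2111]: Accepted password for student from 10.0.0.99 port 40216 ssh2
Aug 14 10:15:30 web01 sshd[2200]: Failed password for alice from 192.168.3.44 port 51000 ssh2
Aug 14 10:15:41 web01 sshd[2202]: Accepted publickey for alice from 192.168.3.44 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of {time, result, method, user, src} for login attempts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/syslog lines
        stamp, result, method, user, src = m.groups()
        events.append({
            "time": datetime.strptime(stamp, "%b %d %H:%M:%S"),  # year 1900, relative use only
            "result": result, "method": method, "user": user, "src": src,
        })
    return events


def detect_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Sources with >= threshold failures inside `window`; also report a success
    from the same source inside that window (a guessed password)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["time"] - first["time"] <= window]
            if len(burst) < threshold:
                continue
            end = first["time"] + window
            hit = next((e for e in evs if e["result"] == "Accepted"
                        and first["time"] <= e["time"] <= end), None)
            alerts[src] = {
                "failures": len(burst),
                "users": sorted({e["user"] for e in burst}),
                "success_user": hit["user"] if hit else None,
            }
            break
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, info)
```

A burst followed by an Accepted line from the same source is the alert to act on immediately (reset the account, block the source); a burst with no success still tells you which usernames are being tried, which is useful when deciding what to rate-limit or move behind key-only auth.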

HTTP
Let's say the scan returns port 443; then we know HTTPS is running

Can check for a site in the web browser

nmap 192.168.1.100 -sV -O
MS IIS 10.0
MS RPC
MS Netbios

whatweb 192.168.1.100

http-py sends https request and returns header and other info in the output

browsh --startup-url http://192.168.1.100/home.aspx

You can enumerate a lot with dirb
dirb http://192.168.1.100

dirb will run for a long time; check its output for any directories we have access to

Enumerate http with nmap 
nmap 192.168.1.100 -sV -p 80 --script http-enum http-headers

Msfconsole 
use auxiliary/scanner/http/http_version
set rhosts 192.168.1.100
options 
run

curl
curl 192.168.1.100 | more
curl http://192.168.1.100/cgi-bin | more

Text based browsers
browsh and lynx are very similar text based browsers

Brute force directories 
msfconsole 
use auxiliary/scanner/http/brute_dirs
show options 
set rhosts 192.168.1.100 
options
exploit

will look for directories 

Robots.txt
msfconsole 
use auxiliary/scanner/http/robots_txt
set rhosts 192.168.1.100 
options
run

MySQL
Say our nmap scan returned port 3306 (MySQL)
(the MSSQL port is 1433)

nmap 192.168.1.100 -sV -p 3306 

mysql -h 192.168.1.100 -u root
show databases;
use books;
select count(*) from authors;
select * from authors;
help
MySQL commands end with ;

msfconsole 
use auxiliary/scanner/mysql/mysql_writable_dirs
show options 
set rhosts 192.168.1.100 
set dir_list /usr/share/...dirs.txt
set verbose false
set password ""
options
run

msfconsole 
use auxiliary/scanner/mysql/mysql_login
options 


Get hashes for users
msfconsole 
use auxiliary/scanner/mysql/mysql_hashdump
options
exploit

nmap
nmap -p 3306 --script=mysql-empty-password 192.168.1.100

more scripts
mysql-info
mysql-users
mysql-databases
mysql-variables
data dir /var/lib/mysql
mysql-audit
mysql-query

hydra -l root -P passwords.txt 192.168.1.100 mysql


Enumeration recap
Spot common ports/apps
Find all the info publicly available