issue with palo alto expedition tool

 Palo Migrations tool kept failing without an explanation

The tool seems to have an issue with psks on the VPNs

When you load the config from the migration you need to change / update the psks and it will load correctly

nessus M365 scan

Get the customer to give you MS account global admin on their tenant

Nessus doc's don't quite match up to MS interface as MS interface is changing all the time:

https://docs.tenable.com/integrations/Microsoft/Azure/Content/ConfigureAzureComplianceAudit.htm?Highlight=microsoft%20365

Log into portal.azure.com (azure.microsoft.com)

Setup on OTP portal and update boost

Log into the customer tenant

Copy tenant ID from Home -> MS entra ID > overview into a notepad

Click on active directory (entra ID triangle icon)

Manage > App registrations on the left

Click the + New App registration button

Client credentials -> Add a certificate or secret

+ New client secret

Give name

Set expire 

Copy value and secret ID *** IMPORTANT it will disappear and you will have to start again

ID looks like 7777701d-xxxx-yyyy-zzzz-6b6a1c969999 (don't think you need this but record anyway)

secret value is the secret key which we will need later (record everything so you have it)

Get the app ID from the app registrations and search Nessus

put them in a safe notepad with tenant ID (will need later)

To find the app reg again

Click app registrations, all applications and search your app reg name "Nessus"

Home -> Entra ID -> customer -> roles and administrators -> all roles -> 

Search Global Reader

Right click description 

Assignments on the lef

+ Add assignments 

Add to NessusScan app reg

Create new app

Get app ids + keys 

Create a new client secret

You need to save the secret when it appears as it only displays once

Microsoft Graph

Home -> Microsoft Entra ID > App Registrations > Your Application > API Permissions

Permissions -> applications -> read all (reader role)

Expand all and tick Read.All

Config in Nessus

https://docs.tenable.com/integrations/Microsoft/Azure/Content/ConfigureAzureComplianceAudit.htm?Highlight=microsoft%20365

Add scan -> compliance > choose template "audit cloud infrastructure" (or copy from previous scan)

credentials (key method, fill in tenant, app ID, secret)

MS 

Fill in

• select key
• Tenant ID (get from home overview)
• app id (app registrations page)
• Client secret (secret value)

CIS Microsoft add:

L1 

L2 

To export do report button in top right

tick html

select compliance 

generate report

sec stuff 2022

 CTF

pico ctf

tryhackme

hack the box

on the wire

ine - elearn cppt (watch videos no need to take cert)

oscp - PEN200 OSCP (cert to chase)

enable jumbo frame mtu 9000 on cisco nexus 5k

 policy-map type network-qos jumbo

class type network-qos class-default

mtu 9216

exit

exit

system qos

service-policy type network-qos jumbo

wr

Didn't need a reboot maybe a blip in connectivity

cisco webex softphone sign-in not working on cisco umbrella VA DNS servers

This is down to how cisco/webex resolves DNS. Depending on config it can be looking for external DNS records which need to resolve.

We already had an internal AD domain added (customer.com) in the umbrella dashboard as part of the internal domains.

On a working cap we saw it look for 

_collab-edge._tls.customer-ext.com which didn't resolve

Then it looked for

_cisco-uds._tcp.customer-ext.com

which did resolve to the customer ucm server IP's (this must have been resolve by internal DC/DNS)

On the "not working" capture

Wireshark showed a SRV record 

_cisco-uds._tcp.customer-ext.com was attempting to get resolved by the client but getting a "No such name" back from a public DNS server. It tried to resolve on the internet.

We needed to go into the DC and edit DNS on the external domain customer-ext.com

We also added the customer-ext.com to the internal domains in the umbrella dashboard.

Find DNS queries that didn't return an answer

(!(dns.flags.rcode==0))&&(dns.flags.response==1)  

control plane ACL ASA

control plane acccess lists on the ASA

If you want to stop an IP address from trying to access anyconnect, asdm, trying to form a VPN thats what you need

OUTSIDE_IN access list does not block it as the services itself is on the Firewall and does not pass through the interface

access-list cp-outside extended deny ip object-group BAD_IPS any log

access-group cp-outside in interface OUTSIDE control-plane

no implicit deny on these so you dont need a permit any any as that will cause the access list not to work

no logging hide username

find locked out accounts in windows

 Enable AD auditing on all the DC's

Search the event logs on their AD for event id 4771 in security section

Lockout tools may help

https://www.microsoft.com/en-us/download/details.aspx?id=18465

ManageEngine AD audit plus can help too (just parses event logs)