Windows 10 KB3163018 Breaks CCM 9.0.1 SSL

After installing the Windows 10 KB3163018 update, you are no longer able to load Call Manager 9.0.1 web interfaces that use a self-signed certificate.

There’s a bit of talk on the KB here: https://community.spiceworks.com/topic/1666286-windows-10-kb3163018-breaks-stuff

And similar issues here for Viewmail on 11.5 – https://supportforums.cisco.com/discussion/13051441/cisco-viewmail-error

I haven’t been able to check whether this is resolved with a properly signed certificate, or whether it’s a limitation in the tomcat library.

Interestingly it doesn’t impact 7.1.5 clusters. I will check against 11.0.1 shortly.

UPDATE: 11.0.1 works fine, just the usual self signed certificate warning.

A Very Brief Overview of Secure IM Services

The recent release of the TOR Messenger beta prompted me to look back into secure IM clients. I have tried a bunch of these in the past, but most were in early development and hadn’t reached the maturity I was looking for.

Below is a very brief overview of the major secure IM services at the moment. NOTE: this is a very brief rushed list so I may have the details wrong – please let me know if so.

TOR Messenger

TOR Messenger Link

  • Uses Instantbird Client
  • Routes messages via TOR
  • Supports OTR (Encryption, PFS etc)
  • Supports existing transports (XMPP, IRC, Google Talk, Facebook, Twitter etc)
    • NOTE: All these methods require a centralised registration server for Metadata.
  • Supports Windows, Linux, Mac

Ricochet

Ricochet Link

  • Uses the Ricochet Client
  • Routes messages via TOR
  • Encryption is done via the TOR hidden service – not inherently built in via OTR
  • Supports only the ricochet transport
  • Supports Windows, Linux, Mac

TOX

TOX Link

  • Supports a number of open source clients
  • Routes messages via DHT
  • Implements their own version of OTR
  • Encryption is done via NaCl
  • Supports only the TOX transport
  • Supports Windows, Linux, Mac, Android

Bleep

Bleep Link

  • Uses the Bleep client
  • Routes messages via DHT
  • Uses ephemeral keys but cannot find details on crypto
  • Supports Windows, Mac, Android, iOS

Bleep – Secure, Direct Communication

In the recent search for encrypted direct messaging and voice solutions I’ve come across Bleep. It’s been developed for iOS, Android, PC and Mac by BitTorrent.


The free platform touts direct connections between client endpoints, encrypted messages and calls, and a Snapchat-like mode called Whisper. The marketing states that endpoint connections use P2P technology and that when adding friends you use a private-key-like system. This feels very similar to how the BT Sync client works, using DHT and its friends. Here’s an excerpt from their support site:

Bleep tries to connect users directly and that means that a user’s friends (and only them) will have his/her IP address. Bleep is currently not using any onion routing to hide users’ IPs from their friends. This may change in the future. In cases that a direct connection is not possible because of network conditions, the peers use a relay server to connect to a friend. The relay server does not know the identity of the users that it connects to, nor can it read the content of the messages that it forwards.

Bleep doesn’t mention what type of encryption it uses but does say that it implements PFS.

Currently multiple devices aren’t supported, but there are suggestions that they are working on this as well as on offline messages. Both would be critical to gaining acceptance among mobile users and competing with iMessage and Facebook Messenger; they have also been a sticking point for similar encrypted, distributed messenger platforms.


Other solutions that I’ve used before, like TOX-based clients, don’t have nice support for all platforms, so it’s good to see a solid charge into the space to get users relying on the platform.

http://www.bleep.pm/

http://bleep-help.bittorrent.com/


SSH Bruteforce IP Offenders List and Common Usernames – April 2013

This is the computed list of SSH bruteforce IPs and commonly used usernames for April 2013.

Top 50 SSH bruteforce offender IPs.

Failed Attempt Count IP
479633 223.4.147.158
389495 198.15.109.24
354877 114.34.18.25
324632 118.98.96.81
277040 61.144.14.118
118890 92.103.184.178
113896 208.68.36.23
110541 61.19.69.45
102587 120.29.222.26
98027 216.6.91.170
87315 219.143.116.40
71213 200.26.134.122
68007 38.122.110.18
65463 133.50.136.67
65187 121.156.105.62
57918 210.51.10.62
55575 10.40.54.5
52888 110.234.180.88
51473 61.28.196.62
46058 223.4.211.22
45495 183.136.159.163
45363 61.28.196.190
41791 1.55.242.92
40654 223.4.233.77
39423 61.155.62.178
39360 61.28.193.1
39296 211.90.87.22
38516 119.97.180.135
35799 221.122.98.22
35077 109.87.208.17
31106 78.129.222.102
29505 74.63.254.79
28676 65.111.174.19
28623 116.229.239.189
28092 81.25.28.146
26782 223.4.148.150
26493 218.69.248.24
25853 210.149.189.6
25241 223.4.27.22
25231 221.204.252.149
25089 125.69.90.148
23951 69.167.161.58
22912 202.108.62.199
22433 61.147.79.98
22372 111.42.0.25
22068 218.104.48.105
21988 120.138.27.197
21914 14.63.213.49
21882 60.220.225.21
20780 195.98.38.52

Top 50 SSH bruteforce usernames.

Failed Attempt Count Username
2407233 root
45971 oracle
40375 test
26522 admin
22642 bin
20586 user
18782 nagios
17370 guest
13292 postgres
11193 www
11088 mysql
10281 a
10228 webroot
10061 web
9143 testuser
8946 tester
8708 apache
8611 ftpuser
8442 testing
8095 webmaster
7379 info
7112 tomcat
6826 webadmin
6309 student
6255 ftp
6254 ts
5947 backup
5688 svn
5314 test1
5127 support
4743 temp
4378 teamspeak
4335 toor
4149 test2
4046 www-data
3944 git
3907 webuser
3852 userftp
3637 news
3626 cron
3594 alex
3581 amanda
3535 ts3
3397 ftptest
3378 students
3360 test3
3283 mail
3243 games
3132 test123
3093 test4

Download the top 50 offenders IP list: april2013top50ips

Download the top 50 usernames list: april2013top50users

SSH Bruteforce IP Offenders List and Common Usernames

I maintain a RADIUS server that proxies requests from publicly accessible SSH servers which, unfortunately, must run on port 22.

There are over 140 SSH servers that proxy all requests through this server and, thanks to the logging configured there, I am able to capture every failed attempt, including username, password and IP address. I frequently scan these logs to find the top offending IP addresses and common usernames so I can add them to a blacklist for the RADIUS server to drop straight away.

There are many public projects that compile sources of such information; however, these logs are easy for me to divulge for others to incorporate into similar lists.

I will throw up some old stats of interest and work on making this a monthly release.

October 2012
Failed Attacks: 19,969,074

November 2012
Failed Attacks: 11,335,220

December 2012
Failed Attacks: 5,277,817 <- I guess everyone went quiet over the holiday period?

January 2013
Failed Attacks: 6,786,138

February 2013
Failed Attacks: 17,375,929

March 2013
Failed Attacks: 16,437,020

April 2013
Failed Attacks: 5,542,223

May 2013
Failed Attacks To Date: 3,347,659
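The monthly lists above are compiled by scanning sshd logs for failed attempts and tallying by source IP and by username. Here is an added example of that tally as a small shell script (not code from the original posts): it reads OpenSSH's standard syslog lines, handles both the "Failed password for USER" and "Failed password for invalid user USER" forms, and emits a one-IP-per-line reject list for addresses over a threshold. The log lines in the demo are constructed, and the one-entry-per-line reject format is an assumption about how the blacklist is consumed.

```shell
#!/bin/sh
# Added example, not from the original posts: tally failed SSH logins by source
# IP and by username from sshd auth-log lines, the way the monthly lists are built.

# top_ips FILE N -> "count ip" lines, highest first
top_ips() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | head -n "$2" \
        | awk '{print $1, $2}'
}

# top_users FILE N -> "count username" lines, highest first.
# Covers "Failed password for USER" and "Failed password for invalid user USER".
top_users() {
    grep 'Failed password' "$1" \
        | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
        | sort | uniq -c | sort -rn | head -n "$2" \
        | awk '{print $1, $2}'
}

# blacklist_ips FILE N MIN -> one IP per line for IPs with at least MIN failures,
# suitable for a one-entry-per-line reject list (assumed format).
blacklist_ips() {
    top_ips "$1" "$2" | awk -v min="$3" '$1 >= min {print $2}'
}

# Constructed sample log, used only when run as "sh script.sh demo".
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Apr  1 00:00:01 gw sshd[1001]: Failed password for root from 203.0.113.10 port 50001 ssh2
Apr  1 00:00:02 gw sshd[1002]: Failed password for invalid user oracle from 203.0.113.10 port 50002 ssh2
Apr  1 00:00:03 gw sshd[1003]: Failed password for root from 198.51.100.7 port 50003 ssh2
Apr  1 00:00:04 gw sshd[1004]: Accepted password for alice from 192.0.2.5 port 50004 ssh2
Apr  1 00:00:05 gw sshd[1005]: Failed password for invalid user test from 203.0.113.10 port 50005 ssh2
EOF
    echo "Top IPs:";   top_ips "$tmp" 50
    echo "Top users:"; top_users "$tmp" 50
    echo "Reject list (>=2 failures):"; blacklist_ips "$tmp" 50 2
    rm -f "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see the three tables; point `top_ips`/`top_users` at `/var/log/auth.log` (or the proxied log the RADIUS server writes) to reproduce the monthly lists.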

Rolling Your Own Security Distro – Package Installation

WARNING: This will be a very long (hopefully) and comprehensive series on rolling your own security distribution from picking hardware to installation and exploitation.

NOTE: This page will most likely be edited every time a change is committed, so as to keep the information up to date in the real world. If anything major changes (a new version, a new way of breaking WPA/WPA2, etc.), a new post will most likely be made to feature the tool/method. Check the modified date on the post to find the latest updates.

As mentioned in the first part of the series, any of these steps can be completed in either a virtual or physical environment. In fact, I have done the below in both environments and everything is working as well as can be expected.

Just to reiterate, my requirements were:
– VMware Workstation/Physical install.
– Ubuntu 12.04 base.
– Alfa AWUS036H wireless adapter.
– Ability to audit wireless networks (aircrack, reaver etc).
– Ability to audit generic network devices (metasploit, openvas etc).
– Ability to audit VoIP networks (ucsniff etc) .

Therefore this guide will show you how to install and configure:
– Ubuntu 12.04 i386 (explained as a note).
– VMware tools for those inside VMware workstation.
– Patched rtl8187 drivers to fix the channel -1 issue in airodump-ng.
– Nmap.
– Kismet.
– Aircrack-ng with Wesside-ng.
– Reaver.
– Gerix Wifi Cracker.
– UCSniff.
– Metasploit.
– TeamViewer.
– Chrome.

NOTE: As mentioned, I’m installing the i386 version of 12.04. Typically I would stick with the amd64 version, however the installation notes on UCSniff mention that 64bit 12.04 is not supported. I have yet to test UCSniff under 64bit (because perhaps 1 or 2 functions fail to work?) however, just for now, I have opted for the safe option in going i386.

As the post defines this is how to roll your own distro, I’m going to assume that everyone knows how to install Ubuntu, but just in case, I’ve thrown in a screenshot for every step along the way. As the screenshots for just the OS install are self-explanatory, there is no text to go with these steps.

NOTE: The screenshots were taken when installing into a VM. There are slightly different steps when installing to an external HDD or a different partition. If you want to try something else, watch out for step 3.

Installing Ubuntu 12.04

Installing VMware Tools

Obviously this is only applicable to those inside a VM.

A rough outline of steps:
1. Mount the VMware tools .iso.
2. Copy the tar to the desktop.
3. Open a shell as root.
4. execute tar zxvf <vmwaretoolsfilename>.
5. cd <vmwaretoolsfilename>.
6. execute ./install.pl.
7. Enter on all defaults.
8. Say yes to configure.
9. Enter on all defaults.
10. Reboot the machine by executing shutdown -r now.

NOTE: Most of the below steps require root for installation, file editing etc. I’m going to leave out the sudo on most commands but if you run into problems, just use your head and su or sudo.

Patching The RTL8187

There is a bug in the rtl8187 drivers that are distributed with the 12.04 distribution. Injection works straight out the box, but when trying to explicitly run an airodump-ng on a particular channel, airodump complains that the channel your card is bound to is -1. Luckily there is still an old patch for this driver which fixes the issue. For anyone wanting to dig into the details you can follow the process here: http://www.aircrack-ng.org/doku.php?id=compat-wireless

Here is the process I used:

wget http://www.orbit-lab.org/kernel/compat-wireless-3-stable/v3.5/compat-wireless-3.5-rc5-1.tar.bz2
tar -jxf compat-wireless-3.5-rc5-1.tar.bz2
cd compat-wireless-3.5-rc5-1
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
make
make install
make wlunload
modprobe rtl8187


Nmap

The next is an easy one. Nmap installs directly from the Ubuntu repository.

apt-get install nmap

Kismet

I still love using Kismet for wireless mapping. I’m sure there are fancier graphical tools for wireless (which I don’t know about – so please let me know about them!) but at the moment I still prefer Kismet. Kismet also installs from the Ubuntu repository, which is nice. After installation we will edit the source interface to capture from. Obviously, if you’re using a different card type or interface number, adjust accordingly.

apt-get install kismet
nano /etc/kismet/kismet.conf
edit line 28
source=rt8187,wlan0,wlan0

Aircrack-ng with Wesside-ng

I have still yet to review pyrit properly, but for a while now aircrack-ng has been the default standard for wireless auditing. We need to install some dependencies first and then compile from source.

NOTE: I have yet to have success with wesside-ng on 12.04, however I still have hope as it has to be the easiest way to break WEP encryption. If you don’t want to try wesside (or easside for that matter) then don’t build unstable=true.

apt-get install build-essential
apt-get install libssl-dev
wget  http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
tar zxvf aircrack-ng-1.1.tar.gz
cd aircrack-ng-1.1
nano common.mak
at line 70 replace
CFLAGS ?= -g -W -Wall -Werror -O3
with
CFLAGS ?= -g -W -Wall -O3
make
make install
airodump-ng-oui-update
make install unstable=true
make install
cp src/wesside-ng /usr/local/sbin
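The Kismet and aircrack-ng steps above each involve a hand edit in nano (setting the capture source line, and dropping -Werror from the default CFLAGS so 1.1 builds with a newer gcc). As an added example, not part of the original post, here are the same two edits as sed-based shell functions so a rebuild can be scripted. The file names kismet.conf and common.mak and the rt8187/wlan0 values come from the steps above; the functions take the file path as a parameter, and the demo runs on constructed copies rather than the real files.

```shell
#!/bin/sh
# Added example, not from the original post: the two manual nano edits above,
# done with sed so they can be repeated without hand editing.

# set_kismet_source FILE TYPE IFACE
# Rewrites every "source=" line to "source=TYPE,IFACE,IFACE", appending one if none exists.
set_kismet_source() {
    f=$1; t=$2; i=$3
    if grep -q '^source=' "$f"; then
        sed -i "s/^source=.*/source=$t,$i,$i/" "$f"
    else
        printf 'source=%s,%s,%s\n' "$t" "$i" "$i" >> "$f"
    fi
    grep '^source=' "$f"
}

# strip_werror FILE
# Drops -Werror from the CFLAGS default so warnings from a newer gcc do not stop the build.
strip_werror() {
    sed -i '/^CFLAGS ?=/s/ -Werror//' "$1"
    grep '^CFLAGS ?=' "$1"
}

# Demo on constructed fragments, used only when run as "sh script.sh demo".
demo() {
    k=$(mktemp); m=$(mktemp)
    printf '# constructed kismet.conf fragment\nsource=none,none,addme\n' > "$k"
    printf '# constructed common.mak fragment\nCFLAGS ?= -g -W -Wall -Werror -O3\n' > "$m"
    set_kismet_source "$k" rt8187 wlan0
    strip_werror "$m"
    rm -f "$k" "$m"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the real system the calls are `set_kismet_source /etc/kismet/kismet.conf rt8187 wlan0` and `strip_werror common.mak` from inside the aircrack-ng-1.1 directory, both as root.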

Reaver

Reaver is our next tool, which is an interesting attack vector on WPA2 devices. Reaver attempts to bruteforce the WPS auto-provisioning feature of the router to gain access and expose the PSK. For Reaver we will install some dependencies, then compile from source. The details for this install were originally found here: http://nakedproof.blogspot.com.au/2011/12/installing-reaver-12-on-ubuntu.html

apt-get install libpcap-dev aircrack-ng sqlite3 libsqlite3-dev
Download the latest Reaver from: https://code.google.com/p/reaver-wps/downloads/list
tar zxvf <reaverfilename>
cd <reaverfilename>
cd src
./configure
make
make install

Gerix Wifi Cracker

I first stumbled across Gerix whilst in Backtrack. Gerix is a neat Python-based tool for automating the process of aircrack/airodump commands. There is a fair bit of information on the net/YouTube videos on how to use Gerix (which I have yet to nail down) but for now just having it on the system is good enough. There is a Python dependency for Gerix to install before downloading and moving the app.

apt-get install python-qt3
wget https://github.com/TigerSecurity/gerix-wifi-cracker/zipball/master
mv master gerix.zip
unzip gerix.zip
mv <gerixfilename> /opt/
cd /opt/<gerixfilename>
ln -s /opt/<gerixfilename>/gerix.py /usr/local/sbin/gerix.py

UCSniff

As mentioned in my previous posts from ages ago, UCSniff is an awesome tool for testing VoIP security. It is heavily focused on the Cisco Call Manager arena, but it works on other platforms too. In recent versions they’ve wrapped a pretty easy-to-use GUI around the app and have pretty good video support. As mentioned earlier, the UCSniff team state that they only support UCSniff under i386, so that’s what I’m working with. As per their site, we need to install some dependencies from the Ubuntu repository and then compile from source.

apt-get install zlib1g-dev liblzo2-dev libpcap0.8-dev libnet1-dev libasound2-dev libbz2-dev libx11-dev libxext-dev libfreetype6-dev vlc libvlc-dev libavformat-dev libavdevice-dev libswscale-dev libavfilter-dev libx264-dev libav-tools
apt-get remove pulseaudio
wget http://downloads.sourceforge.net/project/ucsniff/ucsniff/ucsniff-3.2%20src/ucsniff-3.20.tar.gz
tar -zxvf ucsniff-xxx.tar.gz
cd ucsniff-xxx
./configure --enable-libvlc --enable-gui
make
make install

Metasploit

No security distro would be complete without Metasploit. Back in the day Metasploit was a little difficult to install, but now it’s dead simple. Nothing too hard here just download, chmod, run and do as the screenies say.

download metasploit for linux (either 32 or 64bit)
chmod 775 metasploit-latest-linux-installer.run
sudo ./metasploit-latest-linux-installer.run

TeamViewer & Chrome

Even though this is a security distro, I’m personalising it with my own apps. There’s nothing worse than being stuck in an environment waiting for something to happen with no niceties from a normal distro.

Chrome can be installed via the Ubuntu Software Centre while TeamViewer can be installed by opening the .deb that you download from their website.

Keep in mind that this page will be added to when more software is needed/discovered/remembered.

Rolling Your Own Security Distro – Physical Hardware

WARNING: This will be a very long (hopefully) and comprehensive series on rolling your own security distribution from picking hardware to installation and exploitation.

NOTE: This page will most likely be edited every time a change is committed, so as to keep the information up to date in the real world. If anything major changes (a new version, a new way of breaking WPA/WPA2, etc.), a new post will most likely be made to feature the tool/method. Check the modified date on the post to find the latest updates.

The reason that this has come about is I was messing with the latest Backtrack 5 R2 in a VM. I’m not sure whether it is only a problem with the prebuilt live VM distro or 5R2 as a whole, but I could not for the life of me get OpenVAS reports to export. After digging around the closest I came to solving the issue was to find that the user running OpenVAS could not write the temporary report to /tmp. In the log files I could see:

/bin/bash /usr/local/share/openvas/openvasmd/global_report_formats/b993b6f5-f9fb-4e6e-9c94-dd46c00e058d/generate /tmp/openvasmd_OHKB4T/report.xml > /tmp/openvasmd_OHKB4T/report.out 2> /dev/null

When I tried to run the command from the commandline it reported “No such file or directory found”. After trying to contact OpenVAS via IRC and not getting any response, reading through multiple sites and blog posts I came to the conclusion that OpenVAS would not work under BT5 and that if I wanted it to work I would have to roll my own.

So I concluded to roll my own security distro, one that I could build how I wanted with the tools that I needed. This would also give me a good insight into the tools that are available for different exploits etc.

For anyone wanting to follow this process, these are the requirements that I was working with – and I will post the details using these requirements – so your mileage may vary depending on your requirements.

– Ubuntu 12.04 base. The BT5 apps have had good support running an Ubuntu base for the last 2 iterations and this is my distro of choice for every day use.
– VMware Workstation/Physical install.
– Alfa AWUS036H wireless adapter.
– Ability to audit wireless networks (aircrack, reaver etc).
– Ability to audit generic network devices (metasploit, openvas etc).
– Ability to audit VoIP networks (ucsniff etc) .

Any of the processes outlined below will work in either a virtual or physical environment; however, two things to note: any form of wired NIC manipulation (macchanger, ucsniff, VLAN hopping etc) will NOT work in a virtual machine, and running aircrack-ng against a wordlist, or pyrit for CUDA-based cracking, is very slow and limited inside a VM. It was due to this that I explored the variables in installing the new security distro to an external drive.

External Installation Variables

Installing a distro to an external hard drive is nothing new. In fact, I blogged about doing a persistent install of BT4 to a 500GB USB HDD. However, my recent research at work has led me to explore other options that I would not have thought about.

In a blanket statement, for Operating System installs, you want the highest number of read and write IOPS that you can get your hands on. In a nutshell, you can test for IOPS by reading and writing 4kb packets randomly to a disk. This is much different than testing sequential read/writes which most disk types are quite good at these days.

Obviously, different disk types will give you different IOPS readings. When exploring installing Cisco Call Manager to a SAN, Cisco advised us that the SAN must support 100 IOPS per operating system you wanted to host. Obviously in a SAN using 15K SAS disks the IOPS will be in the thousands, but this was a good starting point for me.

I started off by wanting to test a SD card, USB thumbdrive, USB harddrive and a SATA attached 2.5″ drive. Obviously anyone will undoubtedly say that the SATA drive will be the best option. True. However, I didn’t have the luxury of re-partitioning my internal disk.

I fired up HDTune to test the disks that I had on hand. As a warning, different disk types, manufacturers and individual disks will give you different mileage so don’t take this as gospel.

I have posted a photo of each device that I remembered to, so that anyone can match up the results if they have the same drive. The first screenshot shows sequential read time and drive access time. The second screenshot shows sequential read/write times and 4k read/write IOPS.

USB – Toshiba TransMemory 1GB

USB – SanDiskCruzer Edge 8GB

NOTE: I would love to do this test again, perhaps on a brand new Cruzer. The IOPS far outweigh any others that I tested, so I’m not sure whether this is an anomaly or not.

USB – Toshiba USB Drv 16GB

SD – Sandisk Class 2 SDHC Card

USBHDD – Seagate Portable USB2 500GB

USBHDD – Seagate FreeAgent GoFlex USB3 500GB

USB HDD – Seagate FreeAgent GoFlex USB3 1TB

SATA HDD – Western Digital WD3200BEVT-22ZCT 320GB

From these tests you will notice that:
– Sequential read for all the drives is actually quite good.
– The old, cheap USB thumbdrives had quite poor sequential write, but I’m sure newer drives would be much better.
– Any flash-based memory has excellent access speeds.
– Most flash-based memory has excellent 4kb read speeds, creating a high IOPS read rate.
– Most flash-based memory has absolutely shit 4kb write speeds, creating a very low IOPS write rate.
– External USB hard drives are “ok” at everything.
– Internal SATA or any physically attached disks are where you want to be at.

The option that I opted for was to use the 500GB USB3 Seagate GoFlex HDD. Mainly because IOPS and sequential read/writes are quite OK, I have enough storage space to hold rainbow tables (unlike small USB thumbdrives), it was relatively cheap, and I’m a sucker for the GoFlex interface.

Wireless NICs

Unfortunately, I do not have much information on the wireless NIC front. A while ago I opted to buy the Alfa AWUS036H 1000mW. Anyone who does some sort of research on the BackTrack forums etc will pick up that the Alfa cards are highly powerful and capable of injection. There are newer cards available like the AWUS036NH 2000mW, but I have not tried these, nor do I know whether they are capable of injection, as they use newer RTL chipsets.

The Running System

Hopefully this gives you somewhere to start when building your own distro, or searching for answers around hardware like I was. Hit up the second part of this series to install os & apps.

Linux Radiator to Server 2008 Authentication

A while ago I was working on a project to decommission the old TACACS server and we chose to replace it with Radius for Cisco router authentication.

After trying a few different RADIUS packages (on Linux), one of our engineers said that he had luck in the past with Radiator – a closed-source RADIUS package for Linux. The Radiator software http://open.com.au/radiator/index.html is probably under-utilised for basic authentication, but has been rock solid in our production environment for 6 months+.

What we now have is a RADIUS server that accepts authentication requests from our Cisco devices, checks whether the username or Calling-Station-Id is in a blacklist, authenticates them against LDAP to our Domain Controller and then checks the user’s group membership to allow them to authenticate. All failed and accepted attempts are also logged.

Whilst the documentation is huge and detailed (376 pages), I couldn’t find any specific examples on the net to tie everything we wanted together. So below is a sample configuration for what we are running as detailed above. Essentially we make a Radius user on the domain who can read LDAP (because we don’t allow anon LDAP queries, right?). We also make a RadiusSG security group which will contain the users that we want to allow login to our devices (because we don’t want to allow a terminal login for all our other AD users).

Note: I have also included a clients-group1.cfg file to specify each NAS in nice groups. I use this option to create multiple includes to split devices by region/country.

file: /etc/radiator/radius.cfg

#Foreground
LogStdout
LogDir          /var/log/radius
DbDir           /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace           3
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
# INCLUDE OUR REGION SETTINGS
include %D/clients-group1.cfg

<Realm DEFAULT>
    # LOG ALL FAILED REQUESTS TO /var/log/radius/<YEAR>-<MONTH>-attempts-failed.log
    <AuthLog FILE>
        Filename %L/%Y-%m-attempts-failed.log
        LogFailure 1
        LogSuccess 0
        FailureFormat %d/%m/%Y %H:%M:%S FAIL Username: %U Password: %P from %{Calling-Station-Id} on %{NAS-IP-Address}
    </AuthLog>
    # LOG ALL ACCEPTED REQUESTS TO /var/log/radius/<YEAR>-<MONTH>-attempts-ok.log
    <AuthLog FILE>
        Filename %L/%Y-%m-attempts-ok.log
        LogSuccess 1
        LogFailure 0
        SuccessFormat %d/%m/%Y %H:%M:%S  OK  Username: %U Password: <hidden> from %{Calling-Station-Id} on %{NAS-IP-Address}
    </AuthLog>
    # CHECK BAD USERNAMES, THEN BAD IPs, THEN LDAP FOR AUTHENTICATION
    <AuthBy GROUP>
        # FLOW THROUGH OUR BLACKLIST MODULES
        AuthByPolicy ContinueUntilReject
        # CHECK FOR BAD USERNAMES
        <AuthBy FILE>
            Blacklist
            Filename %D/reject-usernames
        </AuthBy>
        # CHECK FOR BAD IPs
        <AuthBy FILE>
            Blacklist
            AuthenticateAttribute Calling-Station-Id
            Filename %D/reject-ip
        </AuthBy>
        # CHECK AGAINST OUR AD VIA LDAP
        <AuthBy LDAP2>
            # SPECIFY THE DOMAIN CONTROLLER ADDRESS AND LDAP PARAMS
            Host <INTERNALIPOFDOMAINCONTROLLER>
            SSLVerify none
            UseTLS
            Port 3268
            # OUR DC WON'T ALLOW ANON READING SO WE HAVE TO AUTH AS A VALID USER
            AuthDN cn=Radius, OU=Service Accounts, DC=<DOMAINHERE>, DC=prd
            AuthPassword <RadiusUSERPASSWORDHERE>
            # USE THE CACHE FOR MULTIPLE ATTEMPTS WHICH SAVES LDAP QUERIES
            CachePasswords
            # START SEARCHING LDAP FROM THIS DN FORWARDS
            BaseDN DC=<DOMAINHERE>, DC=prd
            UsernameAttr sAMAccountName
            ServerChecksPassword
            # REQUIRE GROUP MEMBERSHIP
            SearchFilter (&(%0=%1)(memberOf=CN=RadiusGroup SG,  OU=Security Groups, DC=<DOMAINHERE>, DC=prd))
        </AuthBy>
    </AuthBy>
</Realm>

I have also created some scripts to poll for top IP offenders (bruteforce attempts etc) so I will most likely post these details soon.

Chrome Anti DNS Hijacking in IPv6

Two weeks ago I was fortunate enough to attend Cisco Live (previously networkers).

Part of my goal there was to get clued up on IPv6 transition methods, addressing and all related matter. One of the breakout sessions I attended was on IPv6 security threats and mitigation. All in all very informative, but the major advice for networks not currently running IPv6 was to monitor your IPv6 flows to see what applications and operating systems were doing. Technologies like ISATAP are bound to break security boundaries by tunneling via IPv4 and this is something you should be aware of on your network.

Today I started this quest just by running a regular wireshark session filtering via IPv6. Without a tap or a port span I could only observe multicast traffic, but I picked up on the below packets.

My immediate thought was that a user’s PC was infected with a virus that was acting as part of a botnet, and that this PC was using IPv6 to perform its DNS lookups. I went searching for 10-character IPv6 DNS lookups. Luckily what I found meant it wasn’t part of a botnet, but I definitely wasn’t expecting what I found. This case has been documented before, so this is definitely nothing new, and the fact that this happens in both IPv4 and IPv6 isn’t a surprise. Here are the references I found:
http://code.google.com/p/chromium/issues/detail?id=47262
http://groups.google.com/a/chromium.org/group/chromium-discuss/browse_thread/thread/17bd3e93f3c68448?pli=1
https://isc.sans.edu/diary.html?storyid=10312
http://groups.google.com/a/googleproductforums.com/forum/#!category-topic/chrome/report-a-problem-and-get-troubleshooting-help/dQ92XhrDjfk

As the reports suggest it’s a feature of Chrome to perform fake DNS lookups to determine if your ISP is performing DNS hijacking. In my case our DNS suffix provided by our DHCP server did not get appended, nor was the request a truncation of a proper URL nor was it over IPv4 – but it is most definitely the cause of the events I saw on the network.

As the quest for IPv6 and related security problems goes on I’m sure to throw more stuff up here.
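What made the traffic above look suspicious was a burst of short, random, single-label names with no DNS suffix appended. As an added example, not part of the original post, here is a small awk-based check that picks that pattern out of a query log so it can be attributed to Chrome's hijack probe rather than chased as botnet activity. The input format "<epoch-seconds> <client-ip> <query-name>" is constructed for the demo and is not any particular resolver's log layout; the label length range of 7 to 15 lowercase letters generalises the 10-character names seen in the post and is an assumption, as is the 60-second window for the burst.

```shell
#!/bin/sh
# Added example, not from the original post: flag clients that issue a burst of
# random-looking single-label DNS queries, the signature of Chrome's DNS hijack probe.

# is_probe_label NAME -> succeeds when NAME is 7-15 lowercase letters with no dot
is_probe_label() {
    case $1 in
        *[!a-z]*) return 1 ;;   # digits, dots or uppercase: not a probe label
    esac
    n=${#1}
    [ "$n" -ge 7 ] && [ "$n" -le 15 ]
}

# flag_probe_clients FILE -> "client count" for each client with 3 or more
# probe-style queries inside a 60-second window (Chrome sends three at startup)
flag_probe_clients() {
    awk '
    length($3) >= 7 && length($3) <= 15 && $3 ~ /^[a-z]+$/ {
        n[$2]++
        if (!($2 in first)) first[$2] = $1
        last[$2] = $1
    }
    END {
        for (c in n)
            if (n[c] >= 3 && last[c] - first[c] <= 60) print c, n[c]
    }' "$1" | sort
}

# Constructed query log, used only when run as "sh script.sh demo".
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
1300000000 192.0.2.20 qhdzmqxpwl
1300000001 192.0.2.20 vmtrcfkyqb
1300000002 192.0.2.20 ypbxnqwtls
1300000003 192.0.2.21 www.example.com
1300000004 192.0.2.22 intranet
EOF
    echo "Clients showing the probe pattern:"
    flag_probe_clients "$tmp"
    rm -f "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A single short internal name such as "intranet" is not flagged on its own; it takes the burst of three within the window. Anything the check does flag still deserves a look at what else that client is resolving, since the same shape could come from other software.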

Cisco IOS Hardening

This is the list of IOS hardening suggested by Cisco as per the CCNP2 curriculum. This combined with the common security ACL in the last post should be a good basis for keeping the network boundary tight.

BootP
Default: enabled
Description: This service permits the router to act as a BOOTP server for other network devices. Such a service is rarely needed in modern networks, and should be disabled.

(config) no ip bootp server

CDP
Default: enabled
Description: CDP periodically advertises information between Cisco devices, such as the type of device and Cisco IOS version. Such information could be used to determine vulnerabilities and launch specific attacks. Unless needed inside the network, this service should be disabled globally or disabled on unnecessary interfaces.

(config) no cdp run
(config-if) no cdp enable

Configuration auto-loading
Default: Enabled (globally and interfaces)
Description: This service permits a router to automatically load a configuration file from a network server upon boot. This service should remain disabled when not needed.

(config) no service config

FTP Server
Default: Disabled
Description: This service permits the router to act as an FTP server for specific files in flash memory. It should remain disabled when not needed.

(config) no ftp-server enable

TFTP Server
Default: Disabled
Description: This service permits the router to act as a TFTP server for specific files in flash memory. It should remain disabled when not in use.

(config) no tftp-server file-sys:image-name

NTP service
Default: Disabled
Description: This service both receives a time-of-day clock from an NTP server and allows the router to act as an NTP server to NTP clients. Correct time is necessary for accurate time stamps when logging messages. This service should be disabled if not needed, or restricted to only devices that require NTP services.

(config) no ntp server ip-address

Packet assembler/disassembler (PAD) service
Default: enabled
Description: This service allows access to X.25 PAD commands in an X.25 network. Such a service is rarely needed in modern networks and should be disabled.

(config) no service pad

TCP and UDP minor services
Default: Enabled before 11.3, disabled from 11.3 onwards
Description: These services execute small servers (daemons) in the router, typically used for diagnostics. They are rarely used and should be disabled.

(config) no service tcp-small-servers
(config) no service udp-small-servers

Maintenance Operation Protocol (MOP) service
Default: Enabled (most ethernet interfaces)
Description: This service is a Digital Equipment Corporation (DEC) maintenance protocol. Such a service is rarely needed in modern networks and should be disabled.

(config-if) no mop enable

Simple Network Management Protocol (SNMP)
Default: Enabled
Description: This service permits the router to respond to queries and configuration requests. If not used, this service should be disabled. If needed, restrict access to the router via access control lists (ACLs) and use SNMPv3 for additional security features.

(config) no snmp-server

HTTP Configuration and Monitoring
Default: Device dependent
Description: This service allows the router to be monitored and configured from a web browser. SDM uses secure HTTP (HTTPS). If not used, this service should be disabled. If needed, restrict access to the router via ACLs and use HTTPS for encrypted data transfer.

(config) no ip http server
(config) no ip http secure-server

Domain Name Service (DNS)
Default: Enabled (client services)
Description: Cisco routers use 255.255.255.255 as the default address to reach a DNS server for name resolution. If not used, this service should be disabled. If needed, explicitly set the address of the DNS server.

(config) no ip domain-lookup

ICMP Redirects
Default: Enabled
Description: This service causes the router to send an ICMP redirect message when a packet is forwarded out the interface it arrived on. An attacker can use such information to redirect packets to an untrusted device. This service should be disabled when not needed.

(config) no ip icmp redirect
(config-if) no ip redirects

IP Source Routing
Default: Enabled
Description: This service allows the sender to control the route that a packet travels through a network. Such a service can permit an attacker to bypass the normal forwarding path and security mechanisms in a network. Because most network devices should not attempt to dictate their preferred path through the network, this service should be disabled.

(config) no ip source-route

Finger service
Default: Enabled
Description: The finger protocol (port 79) retrieves a list of users from a network device, which includes the line number, connection name, idle time and terminal location. Such information is also seen in the show users Cisco IOS command and can be used for reconnaissance attacks. This service should be disabled when not needed.

(config) no service finger

ICMP unreachable notification
Default: Enabled
Description: This service notifies a sender of invalid destination IP subnets or specific addresses. Such information can be used to map a network. This service should be disabled.

(config-if) no ip unreachables

ICMP mask reply
Default: Disabled
Description: This service sends the IP subnet mask when it is requested. Such information can be used to map a network. This service should be disabled on interfaces to untrusted networks.

(config-if) no ip mask-reply

IP directed broadcasts
Default: Enabled (Enabled Cisco IOS prior to 12.0, disabled Cisco IOS later than 12.0)
Description: A directed broadcast can be used to probe or deny service to (via a DoS attack) an entire subnet. The directed broadcast packet is unicast until it reaches the router that is responsible for the segment. At that time, the packet becomes a broadcast for the specific segment. This service should be disabled.

(config-if) no ip directed-broadcast

IP identification service
Default: Enabled
Description: The identification protocol (RFC 1413) reports the identity of the TCP connection initiator. Such information can be used in reconnaissance attacks. This service should be disabled.

(config) no ip identd

TCP keepalives
Default: Disabled
Description: TCP keepalives help clean up TCP connections when a remote host has stopped processing TCP packets (such as after a reboot). This service should be enabled to help prevent certain DoS attacks.

(config) service tcp-keepalives-in
(config) service tcp-keepalives-out

Gratuitous ARP
Default: Enabled
Description: This service is the primary means used in ARP poisoning attacks. Unless needed, this service should be disabled.

(config) no ip arp gratuitous

Proxy ARP
Default: Enabled
Description: This service permits the router to answer ARP requests on behalf of hosts on other segments. This feature is only useful if the router is acting as a layer 2 bridge. Because this is unlikely in modern networks, this service should be disabled.

(config) ip arp proxy disable
(config-if) no ip proxy-arp
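The list above is easier to apply consistently if a saved `show running-config` can be checked against it. As an added example, not part of the original post or of any Cisco tooling, here is a shell audit that reports which of the global commands listed are absent, which default-off services have been explicitly turned on, and which per-interface commands are missing from each interface stanza. IOS only prints non-default settings, so an absent global line is reported as "NOT SET" (not applied in this config) rather than as a confirmed weakness. The config in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved IOS running-config
# against the hardening commands listed above.

# audit_ios_config FILE -> one finding per line; empty output means nothing to report
audit_ios_config() {
    cfg=$1
    # Global commands from the list that should appear verbatim in the config
    for cmd in "no ip bootp server" "no cdp run" "no service config" \
               "no service pad" "no service tcp-small-servers" \
               "no service udp-small-servers" "no ip source-route" \
               "no service finger" "no ip identd" "no ip arp gratuitous" \
               "service tcp-keepalives-in" "service tcp-keepalives-out"; do
        grep -qx "$cmd" "$cfg" || echo "NOT SET: $cmd"
    done
    # Services that are off by default: a finding only if explicitly turned on
    for cmd in "ftp-server enable" "ip http server"; do
        grep -q "^$cmd" "$cfg" && echo "ENABLED: $cmd"
    done
    # Per-interface commands: walk each "interface ..." stanza up to its "!" terminator
    awk '
    function report(   n, i, want) {
        n = split("no ip redirects|no ip unreachables|no ip proxy-arp|no mop enable", want, "|")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) print "NOT SET on " name ": " want[i]
    }
    /^interface / { name = $2; split("", seen); next }
    /^!/          { if (name != "") report(); name = ""; next }
    name != ""    { line = $0; sub(/^ +/, "", line); seen[line] = 1 }
    END           { if (name != "") report() }
    ' "$cfg"
}

# audit_ios_config_clean FILE -> succeeds only when the audit has no findings
audit_ios_config_clean() {
    [ -z "$(audit_ios_config "$1")" ]
}

# Constructed running-config, used only when run as "sh script.sh demo".
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
hostname edge-router
no cdp run
no service pad
ip http server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enable
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
!
end
EOF
    audit_ios_config "$tmp"
    rm -f "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Feed it the output of `show running-config` saved to a file; on platforms that support `show running-config all`, that output will also show default settings, which turns the "NOT SET" lines into definite answers.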