Tuesday, October 17, 2017

HOWTO find certificates issued against your domain

Certificate Transparency (CT) is a mechanism by which CA-issued certificates are recorded in public, append-only logs. Those logs can be used to alert you to any certificate issued for your domain without your knowledge.

e.g. a rogue site set up to impersonate yourdomain.com



A handy way to find any certificate issued for your domain is the crt.sh site.

Here's a quick snippet of the certificates issued for fortinet.com

NOTE: put a % sign in front of the domain name to run a wildcard search that also matches every subdomain.






You can even use this when doing a PKI audit or forensics. Here's a site that had a certificate revoked




If you drill in on id 165913200 you can get the revocation date and when it was logged


crt.sh is very simple to use, and it provides information for tracking, incident investigation and plain auditing of your domain(s) and X.509 certificates.

You can find out details that include

  • previous/current certificates
  • the issuing CA that was used
  • lifetime/expiration details
  • revocation details and reason
  • certificate details (SHA fingerprint, public key, key size, etc.)


It's very hard to hide anything from Certificate Transparency.
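To turn the manual crt.sh lookup above into a repeatable check, here is an added example (my own code, not part of the original post). It assumes crt.sh answers https://crt.sh/?q=<name>&output=json with one record per log entry carrying the fields id, issuer_name, common_name, name_value, serial_number, not_before and not_after; SAMPLE_RECORDS is constructed test data shaped like those records, not real log entries. The audit flags any certificate whose issuer is not on your approved list, or which also covers names outside your domain, and folds a pre-certificate and its final certificate (same serial) into one finding.

```python
"""Audit Certificate Transparency records for a domain via crt.sh.

Added example, not code from the original post. Assumptions: crt.sh answers
https://crt.sh/?q=<name>&output=json with one record per log entry carrying
the fields used below (id, issuer_name, common_name, name_value,
serial_number, not_before, not_after). SAMPLE_RECORDS is constructed test
data shaped like those records, not real log entries.
"""
import json
import sys
import urllib.parse
import urllib.request


def fetch_crtsh(domain, timeout=30):
    """Pull every record matching %.<domain>; '%' is the wildcard the post
    mentions, so 'vpn.example.com' and 'www.example.com' both match."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-audit-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def names_in_record(rec):
    """crt.sh packs the CN and every SAN into name_value, newline separated."""
    names = set()
    for raw in (rec.get("common_name") or "", rec.get("name_value") or ""):
        for n in raw.split("\n"):
            n = n.strip().lower()
            if n:
                names.add(n)
    return names


def in_domain(name, domain):
    """True for the apex, a subdomain, or a wildcard under the domain."""
    name = name.lstrip("*.")
    return name == domain or name.endswith("." + domain)


def audit_records(records, domain, approved_issuers):
    """Flag records whose issuer is not approved or which carry names outside
    our domain. A pre-certificate and its final certificate share a serial,
    so they are deduplicated and reported once."""
    domain = domain.lower()
    approved = [i.lower() for i in approved_issuers]
    findings, seen = [], set()
    for rec in records:
        key = rec.get("serial_number") or rec.get("id")
        if key in seen:
            continue
        seen.add(key)
        issuer = rec.get("issuer_name") or ""
        names = names_in_record(rec)
        reasons = []
        if not any(a in issuer.lower() for a in approved):
            reasons.append("issuer not on approved list: " + issuer)
        foreign = sorted(n for n in names if not in_domain(n, domain))
        if foreign:
            reasons.append("certificate also covers foreign names: " + ", ".join(foreign))
        if reasons:
            findings.append({"id": rec.get("id"), "not_before": rec.get("not_before"),
                             "names": sorted(names), "reasons": reasons})
    return findings


DIGICERT = "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
SAMPLE_RECORDS = [  # constructed, modelled on the crt.sh JSON layout
    {"id": 1001, "serial_number": "0a01", "issuer_name": DIGICERT,
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2017-01-01T00:00:00", "not_after": "2018-01-01T00:00:00"},
    {"id": 1002, "serial_number": "0a01", "issuer_name": DIGICERT,  # pre-cert twin of 1001
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2017-01-01T00:00:00", "not_after": "2018-01-01T00:00:00"},
    {"id": 1003, "serial_number": "0b02",  # issued by a CA we never authorised
     "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "not_before": "2017-10-01T00:00:00", "not_after": "2017-12-30T00:00:00"},
    {"id": 1004, "serial_number": "0c03", "issuer_name": DIGICERT,  # shared cert
     "common_name": "cdn.example.com", "name_value": "cdn.example.com\nshared.example.net",
     "not_before": "2017-06-01T00:00:00", "not_after": "2018-06-01T00:00:00"},
]

if __name__ == "__main__":
    # Usage: python ct_audit.py yourdomain.com   (no argument: run on the sample)
    domain = sys.argv[1] if len(sys.argv) > 1 else None
    records = fetch_crtsh(domain) if domain else SAMPLE_RECORDS
    for f in audit_records(records, domain or "example.com", ["DigiCert"]):
        print(f["id"], f["names"], f["reasons"])
```

The approved-issuer match is a substring test on the issuer DN, so "DigiCert" covers every DigiCert intermediate; tighten it to full DNs if your domain only ever uses one intermediate.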


Ken

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Friday, October 13, 2017

F5 DTLS edgeclient sslvpn

In this blog we will look at the DTLS setup for an F5 APM access policy and for remote SSL VPN clients.

To enable DTLS you need to create a virtual server with the protocol set to UDP, and within the Access Policy you have to enable the DTLS option. The port you enable in the access-policy network-access settings must match the destination port in the virtual-server configuration.


Here's a simple virtual server supporting DTLS using the connection profile

Notice: protocol UDP and port 4433











The APM policy network resource needs the DTLS check box enabled and a defined service port, which must match the LTM virtual server's service port. { access-policy > network-access > settings }




If you monitor the client access details from tmsh, you will see no direct reference to DTLS v1.0 being used.

e.g.










But to validate DTLS usage, monitor the statistics for the LTM client-ssl profile and grep for DTLS.


or:



When the Edge Client connects you will see the Edge Client statistics listing the connection as DTLS, along with the cipher in use for the session.




And the APM log will display output similar to the following when a client negotiates a DTLS v1.0 connection.






  • if the client can't negotiate DTLS it will fall back to TLS.
  • beware of any forward proxies preventing DTLS negotiation on UDP port 4433
  • any local or remote firewall could block access to udp.port == 4433
  • initial contact is via TLS, but if the APM and client negotiate DTLS the data path will be switched to DTLS.









Monday, October 2, 2017

HOWTO disable CBC ciphers in Junos SRX for SSH

JunOS
Version 15.1X49-D50.3

Here's how to disable cipher-block-chaining (CBC) mode ciphers for SSHv2 in Junos. This quick howto will show you how to disable SSHv2 ciphers on a Junos SRX.


You can disable these in the CLI using the following commands.

 



And then test whether CBC is still accepted after re-configuring.







That's all that's required to lock down the Junos SRX firewall against weaker SSH ciphers. You would think by now the security vendors would set the default to CTR-based ciphers and require you to explicitly enable CBC mode if so desired.

Read more in one of my previous blog posts:

http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html




how to use unix sleep in IOS-XE

In order to pause { sleep } you have to enable the term shell option in the IOS-XE terminal


e.g

term shell
sleep 30 ; show clock ; dir bootflash:

The above waits 30 seconds before executing the show clock and dir bootflash: commands.

You can use this to run certain commands at a set time or after a delay.





FortiOS FQDN address objects blues

Playing around with long DNS names and FQDN objects I found an issue.

1> when trying to delete an FQDN object under 5.2.11, the appliance would NOT allow me to delete it


2> the cache-ttl value in the address book was set to a low number;


3> the NS hosting this FQDN was changed and the update was pushed, but the FortiGate cache-ttl did not refresh immediately.



So the address object should have picked up the 1.1.1.12 address.



Ken



 




HOWTO eliminate CBC ssh ciphers cisco IOS-XE

In order to lock down SSH access, here are a few tips. CBC ciphers should be eliminated and replaced with CTR ciphers.

On most Cisco IOS devices this is quite easy to do;

( sample   cfg )


config term
ip ssh logging events
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
ip access-list standard SSHACCESS
 permit 10.13.1.0 0.0.0.255
 permit 10.12.22.0  0.0.0.255
 remark " PLACE MANAGEMENT NETWORKS HERE"
!



line vty 0 97
 session-timeout 10
 access-class SSHACCESS in vrf-also
 exec-timeout 30 0
 logging synchronous
 length 0
 transport input ssh
 transport output none



     Use vrf-also if you are running VRFs.


Run an OpenSSH client with the verbose -v switch, request the inferior CBC ciphers explicitly, and ensure they are not allowed.


e.g. testing an ASR for support of a CBC cipher
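The same manual check applies to the Junos SRX post above: connect with each CBC cipher and confirm the server refuses it. Here is an added example that scripts that verification (my own code, not from either post). It drives the stock OpenSSH client, assumed to be on PATH, with -v and a single -c cipher and classifies the client's stderr; the host and user in the usage are placeholders, and the SAMPLE_* strings are constructed but follow OpenSSH's real "no matching cipher found ... Their offer:" and "kex: server->client cipher:" wording.

```python
"""Verify that an SSH server refuses CBC ciphers, the check the post performs
by hand with 'ssh -v -c <cipher>'. Added example, not from the original post.

It drives the stock OpenSSH client (assumed to be on PATH) and classifies the
client's stderr. Host and user below are placeholders; the SAMPLE_* strings
are constructed but follow OpenSSH's real 'no matching cipher found' and
'kex: server->client cipher:' wording.
"""
import re
import subprocess

# Ciphers the posts replace with CTR; each one is tried on its own.
CBC_CIPHERS = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"]

OFFER_RE = re.compile(r"Their offer: ([\w@.,+-]+)")
NEGOTIATED_RE = re.compile(r"kex: server->client cipher: (\S+)")


def classify_ssh_output(stderr_text):
    """Return ('rejected', <ciphers the server offered instead>) when the
    server refuses our cipher, ('accepted', [cipher]) when key exchange ran
    with it, or ('unknown', []) for timeouts, refused TCP connects, etc."""
    if "no matching cipher found" in stderr_text:
        m = OFFER_RE.search(stderr_text)
        return "rejected", (m.group(1).split(",") if m else [])
    m = NEGOTIATED_RE.search(stderr_text)
    if m:
        return "accepted", [m.group(1)]
    return "unknown", []


def probe_cipher(host, cipher, user="audit", port=22, timeout=10):
    """One connection attempt restricted to a single cipher. BatchMode stops
    any password prompt: we only need the key exchange, never a login."""
    cmd = ["ssh", "-v", "-p", str(port), "-c", cipher,
           "-o", "BatchMode=yes", "-o", f"ConnectTimeout={timeout}",
           f"{user}@{host}", "exit"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_ssh_output(proc.stderr)


def audit_cbc(host, **kw):
    """Map each CBC cipher to its verdict; any 'accepted' entry is a finding."""
    return {c: probe_cipher(host, c, **kw)[0] for c in CBC_CIPHERS}


def has_weak_cipher(verdicts):
    return any(v == "accepted" for v in verdicts.values())


SAMPLE_REJECTED = (  # constructed: hardened router offering only CTR
    "OpenSSH_7.5p1, LibreSSL 2.5.4\n"
    "debug1: Connecting to 192.0.2.10 [192.0.2.10] port 22.\n"
    "debug1: Connection established.\n"
    "Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. "
    "Their offer: aes256-ctr,aes192-ctr,aes128-ctr\n"
)
SAMPLE_ACCEPTED = (  # constructed: default config still taking CBC
    "debug1: SSH2_MSG_KEXINIT sent\n"
    "debug1: SSH2_MSG_KEXINIT received\n"
    "debug1: kex: algorithm: diffie-hellman-group-exchange-sha1\n"
    "debug1: kex: host key algorithm: ssh-rsa\n"
    "debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none\n"
    "debug1: kex: client->server cipher: aes128-cbc MAC: hmac-sha1 compression: none\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python ssh_cbc_audit.py <router-ip>   (no argument: classify the samples)
    if len(sys.argv) > 1:
        verdicts = audit_cbc(sys.argv[1])
        print(verdicts, "WEAK" if has_weak_cipher(verdicts) else "OK")
    else:
        print(classify_ssh_output(SAMPLE_REJECTED), classify_ssh_output(SAMPLE_ACCEPTED))
```

A "rejected" verdict also hands back the server's own offer list, which is the quickest way to confirm that only the CTR ciphers from the config above are left.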








 
 

Tuesday, September 26, 2017

DTLS with FortiClient and FortiOS v5.4

In this blog I will show you how to enable DTLS for FortiClient. In this example we have the following

FORTIGATE = 900D
FortiOS = v5.4.5
FortiClient  = v5.6.0
OS =  windows10


1st,

DTLS is only supported in the Windows FortiClient versions (sorry.... no support for macOS!)

2nd,

you need 5.4.x code or higher to enable DTLS on the FortiGate

3rd,

you must enable DTLS preferred in the client XML configuration (download the config and set the highlighted line to a value of 1)



4th

Ensure you have access to the UDP port. In this example I'm using my macOS host to check that udp.port 443 is reachable via gnutls-cli (use the -u switch for UDP)






The mode of operation is very simple:

The FortiClient talks TCP over the designated port and then switches to UDP if the client prefers UDP.

Keep in mind that going through an HTTP forward proxy might break the renegotiation to UDP, but if the DTLS setup fails the client will fall back to just tcp.port 443
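Here is an added example that scripts the reachability check for both this post and the F5 APM post above (udp/4433 there, udp/443 here); it is my own code, not FortiClient's or F5's. It swaps the gnutls-cli -u check for openssl s_client -dtls (OpenSSL 1.1.0 or later assumed on PATH; pass version_flag="-dtls1" for a DTLS 1.0-only gateway) and parses the session summary s_client prints. The SAMPLE_* outputs are constructed but follow that summary's layout. The failure path reports what both posts warn about: a filtered UDP port or disabled DTLS looks like a handshake that never completes, and the real client would then fall back to TLS.

```python
"""Probe a VPN gateway for DTLS over UDP. Added example, not from the posts.

Uses 'openssl s_client -dtls' (assumed on PATH, OpenSSL >= 1.1.0; use
version_flag='-dtls1' for a DTLS 1.0-only gateway) and parses the session
summary it prints. SAMPLE_* outputs are constructed but follow that layout.
"""
import re
import subprocess

PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def parse_s_client(output):
    """Return (protocol, cipher) for a completed DTLS handshake, else
    (None, None). A failed handshake still prints a session block, but
    with cipher 0000, so that case is treated as no session."""
    p = PROTO_RE.search(output)
    c = CIPHER_RE.search(output)
    proto = p.group(1) if p else None
    cipher = c.group(1) if c else None
    if not proto or not proto.upper().startswith("DTLS") or cipher in (None, "0000", "(NONE)"):
        return None, None
    return proto, cipher


def verdict(proto, cipher, port):
    """Plain-language result, including the fallback both posts describe."""
    if proto is None:
        return (f"no DTLS session on udp/{port}: UDP filtered by a firewall or proxy, "
                f"or DTLS not enabled on the gateway; the client would fall back to TLS")
    weak = any(t in cipher for t in ("RC4", "DES", "NULL", "EXP"))
    return f"DTLS negotiated: {proto} {cipher}" + (" (weak cipher, review profile)" if weak else "")


def probe_dtls(host, port=4433, timeout=10, version_flag="-dtls"):
    """Run s_client against host:port over UDP and summarise the outcome."""
    cmd = ["openssl", "s_client", version_flag, "-connect", f"{host}:{port}"]
    try:
        proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
        proto, cipher = parse_s_client(proc.stdout + proc.stderr)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        proto, cipher = None, None   # no answer in time, or no openssl binary
    return {"host": host, "port": port, "protocol": proto, "cipher": cipher,
            "result": verdict(proto, cipher, port)}


SAMPLE_OK = (  # constructed: a gateway that completed DTLS 1.0
    "CONNECTED(00000003)\n"
    "---\n"
    "New, TLSv1/SSLv3, Cipher is AES256-SHA\n"
    "SSL-Session:\n"
    "    Protocol  : DTLSv1\n"
    "    Cipher    : AES256-SHA\n"
    "    Session-ID: 1A2B\n"
)
SAMPLE_FAIL = (  # constructed: UDP port filtered, handshake never completed
    "CONNECTED(00000003)\n"
    "---\n"
    "New, (NONE), Cipher is (NONE)\n"
    "SSL-Session:\n"
    "    Protocol  : DTLSv1.2\n"
    "    Cipher    : 0000\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python dtls_probe.py <gateway> [port]   (no argument: parse the samples)
    host = sys.argv[1] if len(sys.argv) > 1 else None
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4433
    if host:
        print(probe_dtls(host, port)["result"])
    else:
        print(verdict(*parse_s_client(SAMPLE_OK), 4433))
        print(verdict(*parse_s_client(SAMPLE_FAIL), 443))
```

Run it from the same network segment the VPN clients sit on; a success from inside the datacentre and a failure from a client site usually points straight at the forward proxy or firewall the posts mention.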

Here's a dump of traffic showing a Windows standard-size ping and a 1200-byte ping





Here's a snippet of the exported logs from a Windows 10 FortiClient.





One cool thing you can do: you can run a diagnostic session from the CLI and see the client. Be advised the SSL VPN session is terminated on a "pseudo firewall policy#"





     valid firewall policies numbers are 1 thru 4294967294



This is where the Cisco ASA has an advantage: the Cisco ASA has supported DTLS with WebVPN for over 5 years.

