Saturday, November 30, 2013

Why namecheap should be avoided

I registered one of my domains with namecheap to check it out. I had heard a lot about namecheap but never really used them. They had a simple-to-use DNS manager, and that's about the only positive thing I can say.

All support is via a web chat channel, and sometimes that could be a 1-5 min wait. You can't speak to anybody via a voice call or directly via email, which plain out sucks. How a name registrar can claim "making customers happy" is beyond me.




And their webchat is not all that cool. Here are snippets of a dialog that I had while on the road traveling, via webchat with a support person named Olga, in an attempt to recover an email password on my account, after I had sent photos of both driver's license and passport identification to namecheap staff.

This is what you should expect







And the kicker: I've sent 2 emails to namecheap, to both a director and the CEO, and they don't even have the professionalism to respond to customer issues.


So I'm sorry to say, Namecheap... is just that... CHEAP!




Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \


Friday, November 29, 2013

how to convert an image from raw to qcow2 format with qemu-img

qemu-img is a tool within kvm that allows you to convert an image to qcow2 format. Qcow-format VM images are needed in order to create snapshots. These quick steps will allow you to create a qcow2 image that you can install on a server for loading.



1st, let's review the raw image.

2nd, use the qemu-img convert option to convert the image for later use.

3rd, after conversion, review the images.

Note that the virtual disk size has not changed. A quick review of the new qcow2 image will show the disk space.
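
The three steps above as commands, in an added example that is not from the original post. The function and file names are hypothetical, and `qcow2_virtual_size` reads the qcow2 header directly (magic at byte 0, virtual size at byte 24) so the unchanged virtual size can be checked without relying on the `qemu-img info` output alone.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the virtual disk size (in bytes) stored in a qcow2 header.
# Fails if the file does not start with the qcow2 magic "QFI\xfb".
qcow2_virtual_size() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = 514649fb ] || return 1
    # Header bytes 24-31 hold the virtual size, big-endian unsigned 64-bit.
    hex=$(od -An -tx1 -j24 -N8 "$1" | tr -d ' \n')
    echo $((0x$hex))
}

# The three steps from the post, then a check that the guest-visible size
# survived the conversion. Assumes the raw file length is a multiple of 512.
raw_to_qcow2() {
    raw=$1
    qcow=$2
    qemu-img info "$raw" || return 1                             # 1st: review raw
    qemu-img convert -f raw -O qcow2 "$raw" "$qcow" || return 1  # 2nd: convert
    qemu-img info "$qcow" || return 1                            # 3rd: review qcow2
    raw_bytes=$(wc -c < "$raw" | tr -d ' ')
    # For a raw image the virtual size is simply the file length.
    [ "$(qcow2_virtual_size "$qcow")" = "$raw_bytes" ]
}

# Usage (needs qemu-img installed):
#   raw_to_qcow2 disk.raw disk.qcow2 && echo "virtual size preserved"
```

The qcow2 file on disk is usually much smaller than the raw file because unallocated clusters are not stored; only the virtual size in the header has to match.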







Wednesday, November 20, 2013

ASR1K and non cisco transceivers

In this post we will look at using a Huawei-badged 1gig SFP transceiver in an ASR1002.

If you recall, the NHR-T copper transceiver ( GLC-T ) did not work within an ASR1K. Well, a huawei 1GIGE 1310nm SM transceiver does work in the cisco ASR1K. Let's see how we made this happen.



1st you have to deploy the hidden service command;  service unsupported-transceiver

And now for the port configurations. In this case I ran these back-to-back in 2 unique VRFs for testing and evaluation:

( onboard integral gige ports )


!
interface GigabitEthernet0/0/2
 ip vrf forwarding test1
 ip address 192.0.2.1 255.255.255.0
 negotiation auto
end


and

( SPA 10x1gige )

!

interface GigabitEthernet0/1/0
 ip vrf forwarding test2
 ip address 192.0.2.2 255.255.255.0
 negotiation auto
end



Now, before I continue: Cisco/TAC will swear this would not work, and if it did, would not support the transceivers, so you're on your own with this.


As you can see, the transceivers do work and provide optical connectivity. I also checked these same transceivers in a WS-X6724-SFP card and they worked flawlessly.




One more word of advice: you will not get the optic power statistics that you would commonly receive when issuing the show hw-module commands.















Tuesday, November 19, 2013

sending a cisco config via email but securing your passwords ( openssl and type 5 )

If you haven't been using a type5 ( secret ) in your configurations and have been sending copies of your config via an unsecured channel ( aka email ), then your passwords are most likely compromised.


By using openssl, you can generate type5 hashed passwords and install them in the cisco ios configuration files for most IOS-based routers. This will allow you to deliver a configuration file for installation and trust that the password is hashed and secured.

e.g

An ios configuration with the following lines in the cfg:


!
!
enable password socdude
!
enable secret socgal
!
!
!

would not be as secure as:
!
!
enable secret $1$6XXp$YXBalUFqXfY0Ui4mn9lZx0
!
!


btw: When I review or pass cfg files around, I typically hash out the enable password, if present, before sending the file back to the originator or on to another colleague who is reviewing the config file. This is good practice; better yet, sanitize the configuration file of all confidential data ( radius/tacacs keys, snmp community, username, etc. ).


Now, with openssl we can easily replicate the same type5 hash that cisco deploys.

The following screenshot shows this function, with two crafted type5 hashes.



Here's me using the highlighted blue hash that was generated by openssl in the above image:


And finally, don't forget that all usernames can be secured using a type5 hash. In this example, the user socpuppets has a type5 hash vs. the plain old password.




Okay, one might argue that you could just log in to any old cisco router, generate the type5 password, and then copy it into the configuration file that you are sending.

Well yes, you could do exactly this, but if you have the need for automation script building and for generation of type5 hashes, don't overlook the capabilities that openssl has for generating them.
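
One way to script the sanitizing and type5 generation described in this post, as an added example that is not the author's own script. It assumes openssl is on PATH; the function names and the sample config are constructed for illustration, and only single-word cleartext passwords are handled.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
# Function names and the sample config are constructed for illustration.

# Print a type 5 (md5crypt, "$1$salt$hash") string for a cleartext password.
# The password goes in on stdin so it never shows up in the process list.
type5_hash() {
    pw=$1
    # 4-character salt, the same shape as the hash shown in the post.
    salt=${2:-$(openssl rand -base64 12 | tr -dc 'A-Za-z0-9' | cut -c1-4)}
    printf '%s\n' "$pw" | openssl passwd -1 -salt "$salt" -stdin
}

# Read an IOS config on stdin and write a copy that is safer to pass around.
sanitize_cfg() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f        # split the line into words
        case "$1 $2 $#" in
            "enable password "*)             # enable password line: drop it
                echo "! enable password removed" ;;
            "enable secret 3")               # cleartext secret: hash it
                echo "enable secret 5 $(type5_hash "$3")" ;;
            *)
                if [ "$1" = username ] && [ "$3" = password ] && [ $# -eq 4 ]; then
                    echo "username $2 secret 5 $(type5_hash "$4")"
                else
                    printf '%s\n' "$line"    # everything else passes through
                fi ;;
        esac
    done
}

# Constructed sample config.
sanitize_cfg <<'EOF'
hostname lab-rtr
enable password socdude
enable secret socgal
username socpuppets password Constructed-Pw1
interface GigabitEthernet0/0/2
 negotiation auto
EOF
```

A type5 hash is salted MD5, so a short password behind it can still be guessed offline; radius/tacacs keys and snmp communities are not touched by this script and still need to be removed by hand.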



followup: Unsupported transceivers ( cisco ASR routers )

I would like to follow up on an earlier post with regards to my GLC-T and our ASR1Ks. NHR came back with some good information. Per cisco's own documentation, the GLC-T is not a supported transceiver on an ASR1K.






Now here's the big surprise: all of the ASR1Ks I'm currently working with support the cisco GLC-T without the need for the service unsupported-transceiver hidden command.

NHR did offer to exchange these, but we are on a time crunch and couldn't wait for shipping these back or executing an RMA. So we moved some other cisco OEM GLC-Ts around to use in our ASR.






Password length and time to brute-force

Password length is a big factor in strength against brute-force attacks.

It's not uncommon to see attempts against a server or other systems via a brute-force or dictionary-based password attack. In a lot of scenarios, a combination of the two ( aka hybrid attack ) is most likely deployed.

In this quick short blog, we will look at a common unix hash crack tool known as john the ripper.

http://en.wikipedia.org/wiki/John_the_Ripper

I've loaded a unix password file and attempted to crack 3 hashes. The tool has run for nearly a year and I've only managed to crack one account, which consisted of a 3 letter password ( yep, a very weak password on a major backbone router, btw ), and that was probably done in the first minutes of running john, if not within the first few seconds.

btw: I had a vm-server crash, so I've probably been cracking this password file for over 1 year for sure now.




The Google minutes-to-days calculator shows this has been running uninterrupted for 321+ days now.



Now let's look at what password length does for protection from brute-force attacks. I'm referencing the following site to give you an idea of the average times. YMMV based on hardware type and whether you deploy any GPU-based password cracking technologies.





The common practice has been: "a minimum of 8 character password, a-z with at least one # and symbol & uppercase letter". That would take approx 8-10 years of continual computing power to break, or that's what they say.

Others ( tinfoil hat types ) believe the NSA can hack this in 2 mins and that all ciphers and hashes can be cracked with a D-Wave. But who really knows what the US's biggest intelligence community could really do, and I'm sure they will not disclose what they can and can't do :)

So remember to use an 8 character password, and a good strong one at that. Just as important as password length and strength, you should change that good strong password on a regular schedule. Password strength and expiration are a must in today's world for securing systems.

And lastly, another favorite reference of mine. Passwords of all types need to be evaluated and reviewed. We commonly forget about static data ( files ) and the simple passwords that we commonly use with them. Read the link below for some very useful tips when it comes to passwords and hacking around.


I just did some work over the weekend retrieving a zip file password using a crack tool. This particular file had a list of other systems' usernames/passwords. In this case, I was helping a colleague retrieve an old system account from a unix server on which they hadn't changed the password for nearly 4 years.

Oh btw, here's a hash you can try to crack if you're bored :)


$2a$06$P6do8dcuWfmDSbwL4Clice10tsOTcqJC5O.8fnXofS9



