Tuesday, October 17, 2017

HOWTO find certificate issued against your domain

CT certificate transparency is a means for the CA issued certificate to be logged  indirectly for transparency. This can be used to alert for  certificate issued against your domain without knowledge.

e.g

A rogue site installed  masking as yourdomain.com



A cool means for finding any certificates issue against your domain is to use crt.sh  site.

Here's a quick snippet of certificates issued against fortinet.com

NOTE: use the % sign before the domainname for a any search






You can even used this when doing PKI audit and forensic. Here's a site that had a certificate revoke




If you drill-in on id 165913200 you can get the revocation date  & when it was logged


crt.sh is very simple to use,  and can help provide  information for tracking , incident investigate and plain auditing for your domain(s) and x509 certificates.

You can find out details that  include

  •  previous/current certificates
  • the CAissuer that was used
  • lifetime-expiration details
  • revocation details and type
  • cert details ( sha fingerprint, pubkey,key size,etc......)


It's very hard to hide anything from certification-transparency


Ken

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Friday, October 13, 2017

F5 DTLS edgeclient sslvpn

In this blog we will look at  DTLS setup for a F5 APM access-policy &  for remote-sslvpn clients.

To enable DTLS, you need to craft virtual-server and enabled  the  protocol UDP. Also within the Access Policy you have to enable the DTLS option.  The port you enable in the access-policy network-access  settings,  must match the virtual-server configuration for the destination-address.


Here's a simple Virtual-Server for support DTLS using the  connection profile

Notice: protocol UDP  and port 4433











The apm policy network resource needs the DTLS check box enabled and the defined service port which should match the ltm virtual server  service-port.  { access-policy > network-access > setting  }




If you monitor the  client access details from  the tmsh,  you will see no reference to  DTLS v1.0 being used directly.

e.g










But  to validate DTLS usage ,    monitor  the  statistics for the  ltm  profile  client-ssl profile, use the  grep to-match on DTLS.


or;



When the edeg-client connect you will see the   edge-client statistics listing the connect as DTLS and the  cipher that's  in use for the session.




And the apm log message will display a output that's similar  when a client negotiates  a DTLS v1.0 connection.






  • if the client can't negotiate DTLS the  client will falback to  TLS.
  • beware of any forward proxies preventing   DTLS negotiation for port  4433 and udp
  • any local and remote firewall could prevent access to port udp.port == 4433
  •  initial contact is via  TLS but if the APM and client negotiate  DTLS the  data path will be switched to DTLS.





Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \




Monday, October 2, 2017

HOWTO disable CBC ciphers in JunosSRX for SSH

JunOS
Version 15.1X49-D50.3

Here's how to disable chain-block mode ciphers for SSHv2 in JunOS. This quick howto will show you how to disable  sshv2 cipher  in JunOS SRX


You can disable these in  the cli using the following commands.

 



And then test  for allowance of CBC after re-configuring.







That's all that's required to locked down the JunosSRX firewall  from weaker SSH ciphers. You would think by now the security vendors would set the default to be CTR based ciphers and require you to actually enable CBC mode if so desired.

read more here in one of my previous blog;

http://socpuppet.blogspot.com/2013/04/ssh-and-ciphers-tipstricks.html



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

how to use unix sleep in IOS-XE

In order to pause { sleep } you have to enable the term shell option in the IOS-XE terminal


e.g

term shell
sleep 30 ; show clock ; dir bootflash:

The above would wait 30sec  before execution of  the show clock  and dir bootflash cmds

You can use these command to execute certain function at a set time or with a delay.




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

FortiOS FQDN address objects blues

Playing around with long DNS name and  FQDN objects I found  a issue.

1> when trying to delete a FQDN object under 5.2.11, the appliance would NOT allow me to delete it


2>  the cache-tty value in the address book was set to a low number;


3> The NS hosting this   FQDN was change and the update was pushed but the fortigate cache-ttl did not refresh immediately.



So the  address.object should have picked up the 1.1.1.12 address.



Ken



 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \




HOWTO eliminate CBC ssh ciphers cisco IOS-XE

In order to locked down SSH accesss here's a few tips for execution. CBC ciphers should be eliminate and replaced with  CTR ciphers.

In various  cisco IOS devices this is quite easy todo;

( sample   cfg )


config term
ip ssh logging events
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
ip access-list standard SSHACCESS
 permit 10.13.1.0 0.0.0.255
 permit 10.12.22.0  0.0.0.255
 remark " PLACE MANAGEMENT NETWORKS HERE"
!



line vty 0 97
 session-timeout 10
 access-class SSHACCESS in vrf-also
 exec-timeout 30 0
 logging synchronous
 length 0
 transport input ssh
 transport output none

~                    


     Use the  vrf-also if you are running  VRFs.


Run  a open ssh client with the verbose  -v  switch and supply inferiors CBC ciphers and ensure they are not allowed.


e.g  testing a ASR  for  support of a CBC cipher








 
 
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

Tuesday, September 26, 2017

DTLS forticlient fortios v5.4.

In this blog I will show you how to enable  DTLS for FortiClient. In this example we have  the following

FORTIGATE = 900D
FortiOS = v5.4.5
FortiClient  = v5.6.0
OS =  windows10


1st, 

DTLS is only support in  the windows FortiClient versions ( sorry.... no support for macosx !)

2nd, 

you need 5.4.x code or higher to enable   DTLS on the fortigate

3rd,

you must enable the DTLS preferred in the client xml  ( download the cfg and edit the highlight light to a value of 1 }



4th

Ensure you have access to udp port. In  this example I'm using my  macosx host to check that udp.port 443 is available &  via gnutls-cli ( use the -u switch for udp )






The mode of operation is very  simple,

The FortiClient talks tcp over the designated port and then switched to  udp if the client prefers udp. 

Keep in mind that going thru a http-forward-proxy might break the renegotiation to udp , but if the DTLS setup fails,  the  Client will fallback to just  tcp.port 443

Here's a dump of  traffic showing a windows std and 1200 byte pings





Here's snippet of a wndows10 forticlient exported logs.





One cool thing you can do. You can run a diagnostic session  from the cli and see the client > Be advise the  SSLVPN session is terminate to a "pseudo firewall policy# "





     valid firewall policies numbers are 1 thru 4294967294



This is where the ciscoASA has a advantage, the  cisco ASA has support DTLS for over  5+  years with webvpn.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \

Saturday, September 9, 2017

Determining OSPF.interface mtu byte sizes via a packet capture

When using OSPF, the need can arise to validate the OSPF-interface-value amongst   OSPF neighbors.

If md5 authentication is not deploy the OPSF database descriptor will carry the  OSPF_interface_MTU value in the clear. A tool like  tshark/wireshark will easily display that value.


e.g



In a proper OSPF topology all interfaces attached to the LAN would use the same value. By dumping the  OSPF packets you can easily find the  Interface MTU value and ospf neighbors that are not configured correctly.






By using  a packet.capture you can easily  gather statistics without login into numerous routes or devices  for gathering ospf show  collections



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \

Friday, September 1, 2017

securing mysql with SSL/TLS

With databases and application  servers, we find  that most org do NOT  deploy SSL/TLS encryption. This post will demo  how easy it's to  set a  mysql server up for   SSL/TLS. Most  DBAs I've  meet thinks;


  •  its hard to setup and configure
  •  are just plain lazy
  •  feels it's offer zero-security benefits
  •  or a combination of ALL thee above :)




You will need the following for the server;

CA-cert
Server-cert
Server-key

You will need the following for the client(s);

CA-cert
Client-cert
Cient-key


1st here's my simplified  my.cnf cfg  ( this is very basic lean down conf )


[mysqld] 
bind-address = *
ssl-ca=/etc/ssl/ca.pem
ssl-cert=/etc/ssl/server-cert.pem
ssl-key=/etc/ssl/server-key.pem


Now to check for SSL support you need to  show global variables and match on SSL. If your  successful upon a restart the  DISABLE will be ENABLE and SSL support will be included in the mysql server services








Now we can test for basic  access with the root account and by specifying  SSL;






To lock this down for just a  database user account, you will grant  ( them  )  permission and set  required SSL for that user(s).








And now compare a SSL and non_SSL  access 



If a user that's required  SSL tries without  SSL certificates ( he/she ) will  get a reject message similar to  the below;





Yes it's really that simple. 


In a real professional environment, you will craft unique client-certificates  & 1 per  users  and ensure that the user has secured and protected his  key via a passphrase. 

If you  want to revoke his access revoke the cert and  remove his access.


  For  the   mysql services ensure the mysql  user that runs the daemon can read the server-private-keyfile .... I seen this  issue being the #1 problem when setting up  mysql w/SSL-TLS. chown and chmod the permission  for the priv-key   and  just for the mysql-services account



Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \




Thursday, August 24, 2017

Get a caddy ( web server )

The needs typically arises sometime for a simple & lite-weight   http daemon. The caddy  webserver which is simple and very easily to manipulate  has  been available.

https://caddyserver.com

The cool thing about the caddy is; "  you can customize build it for your OSversion and defined  various plugins of interest  or required ".

Here's a macosx  build where I have selected 9 of the  available plugins. By hovering over each plugin you can get a summary  detail on what that plugin does.




















Here's how to check what plugins you have installed in a build binary.


macbook:caddy kfelix$ sudo ./caddy -plugins
Server types:
  net
  http

Caddyfile loaders:
  short
  flag
  default

Other plugins:
  http.basicauth
  http.bind
  http.browse
  http.datadog
  http.errors
  http.expires
  http.expvar
  http.ext
  http.fastcgi
  http.gzip
  http.header
  http.index
  http.internal
  http.ipfilter
  http.limits
  http.log
  http.markdown
  http.mime
  http.nobots
  http.pprof
  http.proxy
  http.proxyprotocol
  http.push
  http.realip
  http.reauth
  http.redir
  http.request_id
  http.rewrite
  http.root
  http.status
  http.templates
  http.timeouts
  http.webdav
  http.websocket
  net.host
  shutdown
  startup
  tls
  tls.storage.file

 A simple caddy conf file can be crafted for  defined various webserver details and upon launch you can use  cUrl to validate






The above gives a simple example as to  what ou can do from defining   certificate+key or even  custom X headers.

The access.log follows the  simple  Apache Style





If your ever in a crunch and need a simple  webserver, do not over look caddyserver

Ken Felix





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \