Tuesday, January 31, 2017

NX-OS howto: change between routing VRF contexts

In NX-OS, on switches that have a lot of interfaces spread across multiple VRFs, it is sometimes easier to use the routing-context command than to append vrf <name> to every show command for that VRF. The context applies only to your current CLI session and only to show commands; it does not move any configuration into that VRF.



Take a look at these 3 VRFs and how the output of the command show ip interface brief changes with the selected context.



To get back to the default VRF, execute the command again and specify default.

e.g.

routing-context vrf default


Here's another example, executing commands in the management VRF.







To determine which context you're in, just look at the CLI prompt: it changes to hostname%<VRF_NAME># while a non-default routing context is active.



Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
  

Friday, January 27, 2017

finding traffic logs in FortiOS

The FortiGate allows disk logging when the unit has a disk. One issue security engineers run into is the lack of disk logging on the smaller units ( i.e. SOHO units, or anything from a 100 or smaller ).


So a quick way to know that your disk logging is actually working is to query the disk via the hidden fnsysctl ls command.

1: The files are stored in /var/log/root/ under names containing "log".

e.g. ( traffic logs )



2: The format of this directory structure is simple.

The tlog.time-index file provides indexing information for the transactions in the log.

The tlog and tlog.oldest names are symbolic unix links to the real, timestamped log files:

tlog.oldest always points to the oldest log file.

tlog always points to the newest file, i.e. the current log file.

fnsysctl cat /var/log/root/tlog will display the current traffic log and confirm that disk logging is working.

Critical log files to be aware of:

elog == event log ( VPN auth, system auth, link monitors, etc.... )

tlog == traffic log ( firewall policy traffic )


3: You can copy the log files off the unit with a USB-mounted device; you will need super_admin access to do this.



4: Finally, you can roll the logs via the execute log command:

execute log roll

5: To determine whether the logs did roll, and which ones, set a display filter on the event log ( category 1 ) and execute the CLI commands:

execute log filter reset
execute log filter category 1
execute log filter field logdesc "Disk log rolled"
execute log display
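Steps 1 through 5 above can be driven from a workstation in one SSH session, and the /var/log/root layout they describe can be checked mechanically. The script below is an added example, not code from the original post: the FortiOS commands are the ones listed above, while the admin@host argument and the SAMPLE_LS listing (busybox "ls -l" style) are constructed, so compare the field positions against what your own unit prints before trusting the parser.

```shell
#!/bin/sh
# Added example (not from the original post): verify FortiGate disk logging
# over a single SSH session, then confirm the /var/log/root layout the post
# describes. fnsysctl is a hidden command, so the SSH user needs super_admin.
#
#   ./fgt_disklog_check.sh admin@fw.example.net      (host is an assumption)

disklog_batch() {
    # CLI batch: list the log dir, show the current traffic log, roll,
    # then filter the event log (category 1) for the roll message.
    cat <<'EOF'
fnsysctl ls -l /var/log/root/
fnsysctl cat /var/log/root/tlog
execute log roll
execute log filter reset
execute log filter category 1
execute log filter field logdesc "Disk log rolled"
execute log display
EOF
}

# constructed sample of "fnsysctl ls -l /var/log/root/" (not a real capture)
SAMPLE_LS='lrwxrwxrwx 1 root root      15 Jan 27 10:01 tlog -> tlog.1485532800
lrwxrwxrwx 1 root root      15 Jan 20 08:00 tlog.oldest -> tlog.1484899200
-rw-r--r-- 1 root root 1048576 Jan 20 08:00 tlog.1484899200
-rw-r--r-- 1 root root  204800 Jan 27 10:01 tlog.1485532800
-rw-r--r-- 1 root root    4096 Jan 27 10:01 tlog.time-index
lrwxrwxrwx 1 root root      15 Jan 27 10:01 elog -> elog.1485532800
-rw-r--r-- 1 root root   65536 Jan 27 10:01 elog.1485532800'

symlink_target() {
    # $1 = listing text, $2 = link name; prints the link target, nothing if absent
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1 ~ /^l/ && $(NF-2) == n && $(NF-1) == "->" { print $NF }'
}

disklog_ok() {
    # $1 = listing text, $2 = log prefix (tlog or elog). Succeeds only when
    # <prefix> and <prefix>.oldest are symlinks whose targets exist as files.
    cur=$(symlink_target "$1" "$2")
    old=$(symlink_target "$1" "$2.oldest")
    [ -n "$cur" ] && [ -n "$old" ] || return 1
    printf '%s\n' "$1" | awk -v c="$cur" -v o="$old" '
        $1 ~ /^-/ && $NF == c { sc = 1 }
        $1 ~ /^-/ && $NF == o { so = 1 }
        END { exit !(sc && so) }'
}

if [ "$#" -eq 1 ]; then
    out=$(disklog_batch | ssh "$1")
    printf '%s\n' "$out"
    # heuristic: the ls listing is the only part of the capture whose lines
    # start with a mode string, so pull those lines back out and check them
    listing=$(printf '%s\n' "$out" | awk '/^[ld-]/ && NF >= 9')
    if disklog_ok "$listing" tlog; then
        echo "tlog: disk logging layout OK"
    else
        echo "tlog: layout NOT OK (no tlog/tlog.oldest links or targets)"
    fi
fi
```

The offline checks deliberately fail for elog in the sample, since the constructed listing has no elog.oldest link; on a real unit that would be the hint that event logging has never rolled.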










Ken Felix


NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Wednesday, January 18, 2017

Playing around with route registries, and how you can find what IPv6 routes are carried by an AS. Keep in mind, this only applies if that AS registers its routes in an RR.
http://www.irr.net/

option 1

( search for the IPv6 prefix, using the host.net & Level 3 RR sources for the queries )


option 2

( search by the maintainer object and grep for route6 )


  NOTE : output truncated



option 3

( search by origin AS# )
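The three lookups above as whois queries, as an added example that is not part of the original post. RADB's whois server understands the "-i <attribute> <value>" inverse query, which covers option 2 (mnt-by) and option 3 (origin); option 1 is a plain prefix lookup. The prefix, maintainer and AS number are placeholders, and SAMPLE is a constructed reply used only to exercise the route6 filter offline. Which registry you ask matters: each one only carries objects registered with it or mirrored into it, which is why the post queries more than one source.

```shell
#!/bin/sh
# Added example, not from the original post: IRR lookups for IPv6 routes.
#
#   ./irr6.sh prefix 2001:db8::/32        (option 1)
#   ./irr6.sh maint  MAINT-EXAMPLE        (option 2)
#   ./irr6.sh origin AS64496              (option 3)
# Placeholder values; IRR_HOST can be pointed at another registry mirror.

IRR_HOST=${IRR_HOST:-whois.radb.net}

irr_args() {
    # $1 = prefix|maint|origin, $2 = value; prints the whois query string
    case $1 in
        prefix) printf '%s\n' "$2" ;;                # option 1: route6 object for a prefix
        maint)  printf '%s\n' "-i mnt-by $2" ;;      # option 2: every object of one maintainer
        origin) printf '%s\n' "-i origin $2" ;;      # option 3: routes originated by an AS
        *)      return 1 ;;
    esac
}

route6_prefixes() {
    # reads whois output on stdin; keeps only the route6: values, sorted and
    # deduplicated (a maintainer query returns route: and route6: objects,
    # and the same prefix may come back from several registries).
    awk '/^route6:/ { v = $0; sub(/^route6:[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v }' \
        | LC_ALL=C sort -u
}

# constructed reply, shaped like the RPSL objects an IRR returns
SAMPLE='route:      192.0.2.0/24
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB

route6:     2001:db8::/32
descr:      example block
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB

route6:     2001:db8:1000::/36
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB

route6:     2001:db8::/32
origin:     AS64496
source:     LEVEL3'

if [ "$#" -eq 2 ]; then
    q=$(irr_args "$1" "$2") || { echo "usage: $0 prefix|maint|origin VALUE" >&2; exit 1; }
    # "--" stops the whois client from treating -i as one of its own options
    whois -h "$IRR_HOST" -- "$q" | route6_prefixes
fi
```

The "--" matters in practice: without it the whois client tries to interpret "-i origin ..." itself and you get a usage error rather than a registry answer.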




Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 

Wednesday, January 11, 2017

python http server

I was in a datacenter a few days ago and had a host of issues with access to my SSH server while upgrading a Cisco appliance.

How I got around this was by setting up a simple HTTP server using python and hosting the file that I wanted to download on that server.


Here's a quick HTTP server for when you are blocked or filtered by a local firewall rule for scp/ssh/ftp but have HTTP open.

You need sudo to bind to port 80 or any other port under 1024. If the appliance can fetch from a non-standard port, an unprivileged port ( 8000, 8080, ... ) avoids running the server as root at all.




















The directory that you start the server in is your web root directory. Make sure the file(s) you want to host are in that path, and that nothing you do not want exposed is: the module serves, and produces listings for, everything under that directory, on every interface of the box unless you tell it otherwise.
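A wrapper that applies those precautions, as an added example rather than the command line from the original post: it copies the one file into a throwaway directory so nothing else in $PWD or $HOME is served, binds the server to a single address on an unprivileged port, prints the file's SHA-256 so the download can be checked on the appliance, and removes the staging copy when the server exits. It assumes python3 (--bind needs 3.4+, --directory 3.7+); the paths, address and port are placeholders. With the Python 2 of the original post the equivalent is "python -m SimpleHTTPServer 80" run from inside the staging directory, which has no bind option.

```shell
#!/bin/sh
# Added example, not from the original post: stage one file and serve only it.
#
#   ./serve_once.sh /tmp/asa-image.bin 10.1.2.3 8080     (placeholders)

stage_file() {
    # copy the one file into a fresh temp dir; prints the dir name
    src=$1
    dir=$(mktemp -d) || return 1
    cp "$src" "$dir/" || return 1
    printf '%s\n' "$dir"
}

file_sha256() {
    # hex digest of $1; verify the same value on the appliance after the fetch
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

server_cmd() {
    # $1 = dir, $2 = bind address, $3 = port; prints the server command line
    printf 'python3 -m http.server --bind %s --directory %s %s\n' "$2" "$1" "$3"
}

serve_once() {
    src=$1
    addr=${2:-127.0.0.1}   # never 0.0.0.0 by accident
    port=${3:-8080}        # unprivileged, so no sudo needed
    dir=$(stage_file "$src") || return 1
    echo "sha256 $(file_sha256 "$src")  $(basename "$src")"
    echo "serving $dir on http://$addr:$port/ (Ctrl-C to stop)"
    # foreground server; the staging copy is removed however we exit
    trap 'rm -rf "$dir"' EXIT INT TERM
    eval "$(server_cmd "$dir" "$addr" "$port")"
}

if [ "$#" -gt 0 ]; then
    serve_once "$@"
fi
```

On the appliance side, compare the printed digest with whatever the platform offers ( for example "verify /sha512" or "/md5" on IOS, or a checksum from the vendor's download page ) before you install the image.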







Ken Felix

 

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

HOWTO: gathering interface details in bulk, FortiOS

In this post, I will show you how to gather interface details in bulk.

For example, if you have a firewall model that has numerous interfaces, it can be slow and time consuming to execute the diag command per interface.

Take this FGT3240: we will build a script that runs through all 28 ports and issues the diag commands of interest.

Then I will show how you can gather the status using a unix ssh client.

1: Here's the script.

( this unit runs multi-vdom; drop the config global / end lines if you are single-vdom )


# bash script: the for (( )) loop and echo -e are bash features, so run it with bash
for ((a=1; a <= 28; a++))
do

echo -e "config global"
echo -e "diagnose hardware deviceinfo nic port$a | grep _drop \n"
echo -e "diagnose hardware deviceinfo nic port$a | grep _dp_ \n"
echo -e "diagnose hardware deviceinfo nic port$a | grep err \n"
echo -e "diagnose hardware deviceinfo nic port$a | grep over \n"
echo -e "end\n"

done


2: Now the fun part. To execute this, you could do the following ( the script only prints commands; ssh reads them from stdin and the firewall's answers land in the output file ):

./<scriptname.sh> | ssh <username>@firewall.address > myoutput.`date +%Z%T_%F`


3: Here's a netlink script for statistics collection plus clearing. It lists, then clears, each port's counters, so run it only when you are ready to reset the baseline:

SOCKET01>cat looper1.sh
for ((a=1; a <= 28; a++))
do

echo -e "config vdom \n"
echo -e "edit root \n"
echo -e "diag netlink interface list port$a \n"
echo -e "diag netlink interface clear port$a \n"
echo -e "end \n"

done


YMMV, but you can get very creative and use this in custom "Expect" scripts, or in nagios or syslog-ng, as alert triggers when a condition exists.


e.g.

and syslog-ng with source and destination filters

sendmestatus.sh would be a simple bash script that runs looper1.sh, sends the commands through ssh, and directs the output into mail:

./looper1.sh | ssh socfwmongrp1@192.168.192.110 | mail -s "ALERT ME `date +%F_%T`" -c kenn1.felix@socpuppets.com SOCSUPERVISION@socpuppets.com












Just ensure you have the correct syslog message for the trigger.
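Turning the looper into an actual alert trigger, as an added example that is not code from the original post: a Nagios-style check that emits the batch for a port range, sends it in one SSH session like the pipeline above, and exits 2 ( CRITICAL ) when any drop/error counter is above a threshold, so nagios or a cron job can mail on it instead of a human reading the raw capture. The host, the port range and the counter rows in SAMPLE are constructed; check the "name : value" row layout against your own "diagnose hardware deviceinfo nic" output before relying on the parser.

```shell
#!/bin/sh
# Added example, not from the original post: Nagios-style NIC counter check.
#
#   ./check_fgt_nic.sh admin@fw.example.net 1 28 [threshold]   (host is a placeholder)

gen_batch() {
    # $1 = first port, $2 = last port; multi-vdom unit, so wrap in config global
    echo "config global"
    a=$1
    while [ "$a" -le "$2" ]; do
        for pat in _drop _dp_ err over; do
            echo "diagnose hardware deviceinfo nic port$a | grep $pat"
        done
        a=$((a + 1))
    done
    echo "end"
}

# constructed capture (not a real unit): the CLI echoes each command, then the grep'd rows
SAMPLE='FG3K (global) # diagnose hardware deviceinfo nic port1 | grep _drop
rx_dropped                    :0
tx_dropped                    :0
FG3K (global) # diagnose hardware deviceinfo nic port7 | grep err
rx_crc_err                    :1432
FG3K (global) # diagnose hardware deviceinfo nic port7 | grep over
rx_over_errors                :12
FG3K (global) # diagnose hardware deviceinfo nic port9 | grep _drop
rx_dropped                    :3
tx_dropped                    :0'

over_threshold() {
    # $1 = captured output, $2 = threshold; prints "portN counter value" per offender.
    # The echoed command line tells the parser which port the following rows belong to.
    printf '%s\n' "$1" | awk -v thr="$2" '
        /deviceinfo nic port[0-9]+/ {
            match($0, /port[0-9]+/); port = substr($0, RSTART, RLENGTH); next
        }
        /:[ \t]*[0-9]+[ \t]*$/ {
            val = $0; sub(/.*:[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            name = $0; sub(/[ \t]*:.*/, "", name)
            if (val + 0 > thr + 0) print port, name, val
        }'
}

nagios_status() {
    # $1 = captured output, $2 = threshold; prints the status text and
    # returns the Nagios code: 0 = OK, 2 = CRITICAL
    hits=$(over_threshold "$1" "$2")
    if [ -n "$hits" ]; then
        echo "CRITICAL - NIC counters over $2:"
        echo "$hits"
        return 2
    fi
    echo "OK - no NIC counter over $2"
    return 0
}

if [ "$#" -ge 3 ]; then
    out=$(gen_batch "$2" "$3" | ssh "$1")
    nagios_status "$out" "${4:-0}"
    exit $?
fi
```

Because the hardware counters only grow, pair this with the netlink clear from step 3 ( or keep the last capture and diff ) if you want "new errors since the last run" rather than lifetime totals.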










Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Tuesday, January 10, 2017

how to find the vlan-id in FortiOS

If you have created sub-interfaces on a FortiGate for 802.1q VLANs and need to find the VLAN ID, you can use the diag sys vlan command to list the interface names.

After you have the output, convert the "vid" from hex to dec. The decimal value is also what show system interface <name> reports as set vlanid, so the two can be cross-checked.


e.g. a list of named subinterfaces







e.g. converting the named interfaces' hex value to dec

 




Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Monday, January 9, 2017

bad travel advice ( security when away )

My corporate break room has this posted on the wall as a security tip or advice.





This is very bad practice if you ever go away on a long trip. Here's why:

1: a luggage handler, or anybody else who handles the luggage, now knows where you live

2: they know you are on a vacation/business trip or otherwise away

3: they have your phone#. So if it's a home number, potential thieves could call to validate that you're actually NOT at home before arriving to break in.


What you should do:

1: put your name and maybe your business address on the tag

2: put your cell-phone number or a temporary number on it ( dropbox, goog-voice, call forwarder, a cellphone# of a friend/relative who can relay to you if required .... )


Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


Tuesday, January 3, 2017

TIP: SSL auditing F5 LTM virtual-servers

In a pinch, to find out or prove whether an F5 LTM is negotiating legacy SSL protocols ( SSLv2/SSLv3 ), you can run the following command from tmsh:



If you build a list of client-ssl profiles, you can run the command through an ssh session against each profile to find which profiles are negotiating SSLv2 or SSLv3.

e.g.

echo -e "show ltm profile client-ssl | grep ClientSSL" | ssh <username@ltmaddress> | awk '{ print $3 }' > listofprofiles.txt

show ltm profile client-ssl <profilename> | grep Proto

for p in `cat listofprofiles.txt`; do echo -e "checking profile $p\n"; echo -e "\n"; echo -e "show ltm profile client-ssl $p | grep Proto" | ssh username@ltm_address; done




This approach is a quick, sure way to find which client-ssl profiles on SSL-enabled virtual servers have negotiated SSL protocols. Keep in mind that these are session counters since the stats were last reset: a zero count shows nobody has negotiated SSLv3 lately, not that the profile refuses it. To prove the protocol is actually disabled, also check the profile configuration with list ltm profile client-ssl <profilename> and look at its options ( no-sslv2, no-sslv3, ... ).
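The loop above opens one ssh login per profile, which is slow and noisy in the LTM's audit log. The script below is an added example, not the author's command: it reads the profile list, sends every show in a single tmsh session, and then flags only the profiles whose SSLv2/SSLv3 counters are non-zero. The host and the SAMPLE capture are constructed; the parser keys on the "Ltm::ClientSSL Profile: <name>" header line that the post's own grep/awk relies on, and on counter rows whose first field is SSLv2 or SSLv3, so check that row layout against your TMOS version.

```shell
#!/bin/sh
# Added example, not from the original post: one-session client-ssl audit.
#
#   ./f5_sslaudit.sh admin@ltm.example.net listofprofiles.txt   (host is a placeholder)

profile_batch() {
    # $1 = file with one profile name per line; emits one show per profile
    while read -r p; do
        [ -n "$p" ] && echo "show ltm profile client-ssl $p"
    done < "$1"
}

# constructed capture of two profiles' stats (not a real LTM)
SAMPLE='Ltm::ClientSSL Profile: clientssl
  Protocol
    SSLv2                                   0
    SSLv3                                   0
    TLSv1                                   4
    TLSv1.2                               811
Ltm::ClientSSL Profile: legacy_portal
  Protocol
    SSLv2                                   0
    SSLv3                                  37
    TLSv1                                 120
    TLSv1.2                                 9'

flag_legacy() {
    # $1 = captured output; prints "<profile> <proto> <sessions>" for every
    # SSLv2/SSLv3 row above zero, keyed by the most recent profile header
    printf '%s\n' "$1" | awk '
        /^Ltm::ClientSSL Profile:/ { prof = $3; next }
        $1 == "SSLv2" || $1 == "SSLv3" { if ($2 + 0 > 0) print prof, $1, $2 }'
}

if [ "$#" -eq 2 ]; then
    out=$(profile_batch "$2" | ssh "$1")
    hits=$(flag_legacy "$out")
    if [ -n "$hits" ]; then
        echo "profiles with SSLv2/SSLv3 sessions counted:"
        echo "$hits"
        exit 2
    fi
    echo "no SSLv2/SSLv3 sessions counted on $1"
fi
```

A profile that shows up here has served legacy clients since the last stats reset; one that does not show up still needs its options checked with list before you call it clean.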





Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Why DV SSL certificates are frowned upon

Domain Validated ( DV ) SSL certificates are typically looked at as less secure, the product of a weaker validation process.

The DV SSL certificates that are regularly issued do nothing to ensure that the domain contact is the proper contact to begin with.

Because of this, a rogue site can be crafted and ultimately trusted by the "trusting" web end-user. These sites are also labeled the "evil twin": a site that portrays a legit site, with a trusted web server certificate installed.

The best analogy I can come up with:

" As kids we are taught to trust the police officer who has the badge, uniform and gun. We most likely will not question a person holding a badge and gun, wearing a uniform, and driving a car that looks like a police car. "

**Just like the city of Troy trusted a wooden horse, we should always be skeptical of what we see**


The same holds true when we access a site with HTTPS and see the secured "lock" icon in the web browser's address bar.




So again, when you access a web site like https://www.paypal.com are you really secured? Do you know for a fact that the site has no MiTM device ( aka a forward or a reverse proxy ) in your path?

Because our browsers and the human element have been weaned into thinking that HTTP plus the S means secure, we believe that we are actually secure. This is a big lie, fraud, misleading, etc....

Here's a clue.

!!!! Nothing is 100% secured ( when we are on the internet and using HTTPS ), and we have no ready means to identify whether a MiTM appliance is actually between you and the web server !!!!



 







Add on the DV certificate process, and the fact that it's not as stringent at issuance, and you now have a situation that is just bad advertisement from a "security aspect".



The folks at the Anti-Phishing Working Group & SSL Pulse have been tracking rogue sites for a while: https://apwg.org/ and https://www.trustworthyinternet.org/ssl-pulse/ . The data collected should be studied by everyone in the IT security arena. imho


Enjoy and be safe ;)


 
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \