Friday, December 28, 2018

Generic SSL analysis website for web clients

The following website offers a lightweight check of the SSL/TLS support of your web browser:

https://www.howsmyssl.com/

The output is in a very easy to follow layout, with explanations and hints.



So if you suspect your browser, your web proxy or the HTTPS websites you visit, and want to know what is actually being presented, test against How's My SSL both with and without the web proxy in the path.







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Sunday, November 18, 2018

Junos SRX RPM

RPM (RealTime Probe Monitor) is Juniper's equivalent of the Cisco IP SLA. It's supported on various Junos devices. In this post we will look at the ICMP RPM probe that was set up for gathering uplink statistics.

[edit]
kfelix@MANHATTAN# show | display set | match rpm
set services rpm probe ICMP test icmp1 probe-type icmp-ping
set services rpm probe ICMP test icmp1 target address 8.8.4.4
set services rpm probe ICMP test icmp1 probe-count 1
set services rpm probe ICMP test icmp1 probe-interval 120
set services rpm probe ICMP test icmp1 test-interval 120

[edit]




And a dump of an active probe:



 "show services rpm probe-results owner ICMP test icmp1"
    Owner: ICMP, Test: icmp1
    Target address: 8.8.4.4, Probe type: icmp-ping, Test size: 1 probes
    Probe results:
      Response received
      Sun Nov 18 13:12:55 2018
      Sun Nov 18 13:12:55 2018, No hardware timestamps
      Rtt: 9893 usec, Round trip jitter: 140 usec, Round trip interarrival jitter: 4996 usec
    Results over current test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0.000000
      Measurement: Round trip time
        Samples: 1, Minimum: 9893 usec, Maximum: 9893 usec, Average: 9893 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 9893 usec
      Measurement: Positive round trip jitter
        Samples: 1, Minimum: 140 usec, Maximum: 140 usec, Average: 140 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 140 usec
    Results over last test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0.000000
      Test completed on Sun Nov 18 13:12:55 2018
      Measurement: Round trip time
        Samples: 1, Minimum: 9893 usec, Maximum: 9893 usec, Average: 9893 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 9893 usec
      Measurement: Positive round trip jitter
        Samples: 1, Minimum: 140 usec, Maximum: 140 usec, Average: 140 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 140 usec
    Results over all tests:
      Probes sent: 3995, Probes received: 3980, Loss percentage: 0.375469
      Measurement: Round trip time
        Samples: 3980, Minimum: 9442 usec, Maximum: 134912 usec, Average: 11707 usec, Peak to peak: 125470 usec, Stddev: 7648 usec, Sum: 46592163 usec
      Measurement: Positive round trip jitter
        Samples: 1994, Minimum: 0 usec, Maximum: 125086 usec, Average: 3567 usec, Peak to peak: 125086 usec, Stddev: 10224 usec, Sum: 7112597 usec
      Measurement: Negative round trip jitter
        Samples: 1985, Minimum: 1 usec, Maximum: 125069 usec, Average: 3583 usec, Peak to peak: 125068 usec, Stddev: 10229 usec, Sum: 7112336 usec


So the last lines are our collective count across all tests and the number of probes sent. I have bolded a few lines of interest.



Keep in mind that various probe types exist and you're not limited to just ICMP types.


Possible completions:
  http-get             Perform HTTP Get request at target URL
  http-metadata-get    Perform HTTP Get request of metadata at target URL
  icmp-ping            Send ICMP echo request to target address
  icmp-ping-timestamp  Send ICMP timestamp request to target address
  icmp6-ping           Send ICMP6 echo request to target address
  tcp-ping             Send TCP packets to target
  udp-ping             Send UDP packets to target
  udp-ping-timestamp   Send UDP packets with timestamp to target
[edit]


These probes can be called out and used to help ensure and measure service availability. If you define thresholds, you can set traps on failures.
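If you pull the probe-results output off the box (for example over the API described in the Junos API post) you still need to turn it into numbers you can alert on. The following is an added example, not Juniper code or anything from the original post: it parses the "show services rpm probe-results" text above into per-section dictionaries and applies loss and RTT thresholds of your own choosing. The threshold values and the alert wording are assumptions; the sample input is a trimmed copy of the output shown above.

```python
import re

# Sample input: the "show services rpm probe-results" output from the post above,
# trimmed to the "current test" and "all tests" sections (constructed copy).
SAMPLE_OUTPUT = """\
    Owner: ICMP, Test: icmp1
    Target address: 8.8.4.4, Probe type: icmp-ping, Test size: 1 probes
    Results over current test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0.000000
      Measurement: Round trip time
        Samples: 1, Minimum: 9893 usec, Maximum: 9893 usec, Average: 9893 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 9893 usec
      Measurement: Positive round trip jitter
        Samples: 1, Minimum: 140 usec, Maximum: 140 usec, Average: 140 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 140 usec
    Results over all tests:
      Probes sent: 3995, Probes received: 3980, Loss percentage: 0.375469
      Measurement: Round trip time
        Samples: 3980, Minimum: 9442 usec, Maximum: 134912 usec, Average: 11707 usec, Peak to peak: 125470 usec, Stddev: 7648 usec, Sum: 46592163 usec
      Measurement: Positive round trip jitter
        Samples: 1994, Minimum: 0 usec, Maximum: 125086 usec, Average: 3567 usec, Peak to peak: 125086 usec, Stddev: 10224 usec, Sum: 7112597 usec
      Measurement: Negative round trip jitter
        Samples: 1985, Minimum: 1 usec, Maximum: 125069 usec, Average: 3583 usec, Peak to peak: 125068 usec, Stddev: 10229 usec, Sum: 7112336 usec
"""

# "Key words: number" pairs; the key may contain spaces ("Peak to peak: 0 usec").
_KV = re.compile(r"([A-Za-z][A-Za-z ]*?): ([0-9]+(?:\.[0-9]+)?)")
_SECTION = re.compile(r"^\s*Results over (.+):\s*$")
_MEASUREMENT = re.compile(r"^\s*Measurement: (.+?)\s*$")


def _pairs(line):
    """Turn 'Probes sent: 3995, Loss percentage: 0.375469' into {'probes_sent': 3995, ...}."""
    out = {}
    for key, val in _KV.findall(line):
        key = key.strip().lower().replace(" ", "_")
        out[key] = float(val) if "." in val else int(val)
    return out


def parse_probe_results(text):
    """Parse probe-results output into dicts keyed 'current test' / 'last test' / 'all tests'.

    Each section holds probes_sent, probes_received, loss_percentage and a
    'measurements' dict (e.g. 'Round trip time' -> minimum/maximum/average/...).
    """
    results, section, measurement = {}, None, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = results.setdefault(m.group(1), {"measurements": {}})
            measurement = None
            continue
        if section is None:          # header lines before the first "Results over"
            continue
        m = _MEASUREMENT.match(line)
        if m:
            measurement = section["measurements"].setdefault(m.group(1), {})
            continue
        stripped = line.strip()
        if stripped.startswith("Probes sent"):
            section.update(_pairs(stripped))
        elif stripped.startswith("Samples") and measurement is not None:
            measurement.update(_pairs(stripped))
    return results


def evaluate(section, max_loss_pct, max_avg_rtt_us, max_rtt_us):
    """Return the list of threshold violations for one results section (empty = healthy).

    Thresholds are assumed values chosen by the operator; loss is in percent,
    RTT values in microseconds, matching the units Junos prints.
    """
    alerts = []
    loss = section.get("loss_percentage", 0.0)
    if loss > max_loss_pct:
        alerts.append(f"loss {loss:.6f}% exceeds {max_loss_pct}%")
    rtt = section["measurements"].get("Round trip time", {})
    if rtt.get("average", 0) > max_avg_rtt_us:
        alerts.append(f"avg RTT {rtt['average']} usec exceeds {max_avg_rtt_us} usec")
    if rtt.get("maximum", 0) > max_rtt_us:
        alerts.append(f"max RTT {rtt['maximum']} usec exceeds {max_rtt_us} usec")
    return alerts


if __name__ == "__main__":
    parsed = parse_probe_results(SAMPLE_OUTPUT)
    for name, sec in parsed.items():
        print(name, evaluate(sec, max_loss_pct=0.5, max_avg_rtt_us=20000, max_rtt_us=100000) or "ok")
```

Run against the sample, the "all tests" section trips only the maximum-RTT check (134912 usec), which is the same spike the "Peak to peak" figure hints at; the 0.375% loss stays under a 0.5% threshold. Note that Junos already averages over the whole test history in "Results over all tests", so a burst of loss is diluted there; alert on the "last test" section as well if you want to catch short outages.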









Thursday, November 15, 2018

ICMP timestamp request examples

Here are a few examples of an ICMP timestamp request. In reality you should not allow this from the untrusted internet.

linux  "TS and addr"




linux  "TSonly"




MS Windows 10
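To see what a timestamp exchange actually carries, and therefore why the post says not to answer it from the untrusted internet, here is an added example (not part of the original post) that builds and decodes ICMP type 13/14 messages offline: a 20-byte header of type, code, checksum, identifier, sequence and three 32-bit timestamps in milliseconds since midnight UTC. The sample values and the helper names are constructed for illustration.

```python
import struct

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
# type, code, checksum, identifier, sequence, originate, receive, transmit
_HDR = struct.Struct("!BBHHHIII")


def inet_checksum(data):
    """One's-complement checksum over 16-bit words (the ICMP/IP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp(msg_type, ident, seq, originate_ms, receive_ms=0, transmit_ms=0):
    """Assemble a timestamp request (13) or reply (14) with a correct checksum."""
    body = _HDR.pack(msg_type, 0, 0, ident, seq, originate_ms, receive_ms, transmit_ms)
    return _HDR.pack(msg_type, 0, inet_checksum(body), ident, seq,
                     originate_ms, receive_ms, transmit_ms)


def parse_timestamp(data):
    """Decode a timestamp message; checksum_ok is True when the whole header sums to zero."""
    if len(data) < _HDR.size:
        raise ValueError("too short for an ICMP timestamp message")
    msg_type, code, _csum, ident, seq, orig, recv, xmit = _HDR.unpack_from(data)
    if msg_type not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError(f"not a timestamp message: type {msg_type}")
    return {
        "type": msg_type, "code": code, "id": ident, "seq": seq,
        "checksum_ok": inet_checksum(data[:_HDR.size]) == 0,
        "originate_ms": orig, "receive_ms": recv, "transmit_ms": xmit,
    }


def ms_to_clock(ms):
    """Render 'milliseconds since midnight UTC' as HH:MM:SS.mmm.

    A set high bit means the sender flags the value as non-standard time.
    """
    if ms & 0x80000000:
        return "non-standard(0x%08x)" % ms
    s, ms = divmod(ms, 1000)
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{ms:03d}"


# Constructed exchange: the client stamps 13:08:25.000 UTC into "originate";
# the responder fills "receive" and "transmit" from its own clock.
SAMPLE_REQUEST = build_timestamp(ICMP_TIMESTAMP_REQUEST, 0x1234, 1, 47305000)
SAMPLE_REPLY = build_timestamp(ICMP_TIMESTAMP_REPLY, 0x1234, 1, 47305000, 47305012, 47305012)

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_REPLY):
        p = parse_timestamp(raw)
        print(p["type"], "checksum ok" if p["checksum_ok"] else "BAD checksum",
              "originate", ms_to_clock(p["originate_ms"]),
              "transmit", ms_to_clock(p["transmit_ms"]))
```

The reply's receive and transmit fields are the responder's wall clock, which is the information a filtering policy at the untrusted edge is there to keep inside. On a Linux host with an nftables "inet filter" table and an "input" chain already in place (assumption), the matching drop is a single rule: nft add rule inet filter input icmp type timestamp-request drop.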









Wednesday, November 14, 2018

URL category Fortiguard

In the web category lookup, the FortiGuard web URL lookup has a feature for selecting the FortiOS version (5.4/5/6), and the lookup results can be very different.

Take these two lookups of the following URL across the various FortiOS versions:






So be advised that specific FortiOS versions categorize URLs differently.









top firewall vendors

This YouTube video explains some of the top 5 firewall vendors in today's market.

https://www.youtube.com/watch?v=MvNYdxap0AY









Tuesday, November 13, 2018

Junos SRX API interface is so easy

In this post, I will show you some means of making very simple API calls using curl.


The Junos API is probably, hands down, one of the best API interfaces for firewalls, and the quickest, IMHO, to learn and pick up.


To make an RPC call you need to know the RPC equivalent of the command. The quickest way to find this is to run the command with "| display xml rpc" on the CLI for any known CLI command. The output will be in XML, with the corresponding "rpc" string.



e.g. { show system uptime }

kfelix@NYCMANCOURTDC> show system uptime | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
    <rpc>
        <get-system-uptime-information>
        </get-system-uptime-information>
    </rpc>
    <cli>
        <banner></banner>
    </cli>

</rpc-reply>


Now to make the RPC call, use curl to GET the URL built from the proper RPC string.



curl http://x.x.x.x:3000/rpc/get-system-uptime-information -u username:yourpassword 


Here are a few working examples with authentication. BUT first: if your WWW basic authentication fails, you will always get a 401 "Unauthorized" message.


< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Need basic auth header"
< Content-Type: text/html
< Content-Length: 351
< Date: Mon, 12 Nov 2018 21:41:58 GMT
< Server: lighttpd/1.4.32




{ dump the route table for a Junos SRX device }

 
> GET /rpc/get-route-information HTTP/1.1
> Host: 10.1.1.1:3001
> Authorization: Basic a2ZlbGl50kdFVEVTQTI0MHpjYXIwMQ==
> User-Agent: curl/7.59.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: application/xml; charset=utf-8
< Transfer-Encoding: chunked
< Date: Mon, 12 Nov 2018 21:42:17 GMT
< Server: lighttpd/1.4.32
< 
<route-information xmlns="http://xml.juniper.net/junos/15.1X49/junos-routing" xmlns:junos="http://xml.juniper.net/junos/*/junos">
<!-- keepalive -->
<route-table>
<table-name>inet.0</table-name>
<destination-count>12</destination-count>
<total-route-count>13</total-route-count>
<active-route-count>12</active-route-count>
<holddown-route-count>0</holddown-route-count>
<hidden-route-count>0</hidden-route-count>
<rt junos:style="brief">
<rt-destination>0.0.0.0/0</rt-destination>
<rt-entry>
<active-tag>*</active-tag>
<current-active/>
<last-active/>
<protocol-name>Static</protocol-name>
<preference>5</preference>
<age junos:seconds="43081">11:58:01</age>
<nh>
<selected-next-hop/>
<to>192.124.194.97</to>
<via>ge-0/0/0.0</via>

</nh>



 { dump arp table }



% curl 10.1.1.1:3001/rpc/get-arp-table-information -u kfelix
Enter host password for user 'kfelix':
<arp-table-information xmlns="http://xml.juniper.net/junos/15.1X49/junos-arp" xmlns:junos="http://xml.juniper.net/junos/*/junos" junos:style="normal">
<arp-table-entry>
<mac-address>20:fd:f1:64:ab:81</mac-address>
<ip-address>10.1.0.25</ip-address>
<hostname>10.1.0.25</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>10:c3:7b:92:d2:59</mac-address>
<ip-address>10.1.0.26</ip-address>
<hostname>10.1.0.26</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>00:16:e0:32:e8:a1</mac-address>
<ip-address>10.1.0.27</ip-address>
<hostname>10.1.0.27</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>64:9a:be:cb:1a:0c</mac-address>
<ip-address>10.1.0.28</ip-address>
<hostname>10.1.0.28</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>

<mac-address>d8:38:fc:38:25:40</mac-address>

NOTE: output cut


{ review policy hit counts }

% curl 10.1.1.1:3001/rpc/get-security-policies-hit-count -u kfelix
Enter host password for user 'kfelix':
<policy-hit-count xmlns="http://xml.juniper.net/junos/15.1X49/junos-security-policy">
<logical-system-name>root-logical-system</logical-system-name>
<policy-hit-count-entry>
<policy-hit-count-index>1</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>trust-to-trust</policy-hit-count-policy-name>
<policy-hit-count-count>623</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>2</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>trust2untrust</policy-hit-count-policy-name>
<policy-hit-count-count>7839</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>3</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>COMMON</policy-hit-count-policy-name>
<policy-hit-count-count>31049</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>4</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST53</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>5</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>VPN</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>6</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWDNS</policy-hit-count-policy-name>
<policy-hit-count-count>917</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>7</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST222</policy-hit-count-policy-name>
<policy-hit-count-count>3599</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>8</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST220</policy-hit-count-policy-name>
<policy-hit-count-count>22524</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>9</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>DENYDNS</policy-hit-count-policy-name>
<policy-hit-count-count>895</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>10</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>policy_in_wizard_dyn_vpn</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>11</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>VPNn</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>12</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>APIACCESSS</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
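The hit-count reply is the most useful of these for a firewall review: a policy that has never matched is either dead configuration or a path nobody has exercised yet, and both deserve a look. The following is an added example, not Juniper's code or part of the original post, that parses the get-security-policies-hit-count XML above with the standard library, lists the zero-hit policies and totals hits per zone pair. The sample is the post's own reply trimmed to seven entries and closed off; in practice you would pipe the curl output into the script.

```python
import sys
import xml.etree.ElementTree as ET

# Sample input: the get-security-policies-hit-count reply shown in the post,
# trimmed to seven entries and given its closing tag (constructed copy, same values).
SAMPLE_XML = """<policy-hit-count xmlns="http://xml.juniper.net/junos/15.1X49/junos-security-policy">
<logical-system-name>root-logical-system</logical-system-name>
<policy-hit-count-entry><policy-hit-count-index>1</policy-hit-count-index><policy-hit-count-from-zone>trust</policy-hit-count-from-zone><policy-hit-count-to-zone>trust</policy-hit-count-to-zone><policy-hit-count-policy-name>trust-to-trust</policy-hit-count-policy-name><policy-hit-count-count>623</policy-hit-count-count></policy-hit-count-entry>
<policy-hit-count-entry><policy-hit-count-index>2</policy-hit-count-index><policy-hit-count-from-zone>trust</policy-hit-count-from-zone><policy-hit-count-to-zone>untrust</policy-hit-count-to-zone><policy-hit-count-policy-name>trust2untrust</policy-hit-count-policy-name><policy-hit-count-count>7839</policy-hit-count-count></policy-hit-count-entry>
<policy-hit-count-entry><policy-hit-count-index>3</policy-hit-count-index><policy-hit-count-from-zone>trust</policy-hit-count-from-zone><policy-hit-count-to-zone>untrust</policy-hit-count-to-zone><policy-hit-count-policy-name>COMMON</policy-hit-count-policy-name><policy-hit-count-count>31049</policy-hit-count-count></policy-hit-count-entry>
<policy-hit-count-entry><policy-hit-count-index>4</policy-hit-count-index><policy-hit-count-from-zone>trust</policy-hit-count-from-zone><policy-hit-count-to-zone>untrust</policy-hit-count-to-zone><policy-hit-count-policy-name>ALLOWCUST53</policy-hit-count-policy-name><policy-hit-count-count>0</policy-hit-count-count></policy-hit-count-entry>
<policy-hit-count-entry><policy-hit-count-index>5</policy-hit-count-index><policy-hit-count-from-zone>trust</policy-hit-count-from-zone><policy-hit-count-to-zone>untrust</policy-hit-count-to-zone><policy-hit-count-policy-name>VPN</policy-hit-count-policy-name><policy-hit-count-count>0</policy-hit-count-count></policy-hit-count-entry>
<policy-hit-count-entry><policy-hit-count-index>9</policy-hit-count-index><policy-hit-count-from-zone>trust</policy-hit-count-from-zone><policy-hit-count-to-zone>untrust</policy-hit-count-to-zone><policy-hit-count-policy-name>DENYDNS</policy-hit-count-policy-name><policy-hit-count-count>895</policy-hit-count-count></policy-hit-count-entry>
<policy-hit-count-entry><policy-hit-count-index>12</policy-hit-count-index><policy-hit-count-from-zone>untrust</policy-hit-count-from-zone><policy-hit-count-to-zone>untrust</policy-hit-count-to-zone><policy-hit-count-policy-name>APIACCESSS</policy-hit-count-policy-name><policy-hit-count-count>0</policy-hit-count-count></policy-hit-count-entry>
</policy-hit-count>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_hit_counts(xml_text):
    """Return one dict per <policy-hit-count-entry>: index, from_zone, to_zone, name, hits."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter():
        if _local(entry.tag) != "policy-hit-count-entry":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in entry}
        entries.append({
            "index": int(fields["policy-hit-count-index"]),
            "from_zone": fields["policy-hit-count-from-zone"],
            "to_zone": fields["policy-hit-count-to-zone"],
            "name": fields["policy-hit-count-policy-name"],
            "hits": int(fields["policy-hit-count-count"]),
        })
    return entries


def unused_policies(entries):
    """Policies with zero hits: candidates for cleanup or for a 'why does this exist' question."""
    return [e for e in entries if e["hits"] == 0]


def top_policies(entries, n=3):
    """The n busiest policies, most hits first."""
    return sorted(entries, key=lambda e: e["hits"], reverse=True)[:n]


def zone_pair_totals(entries):
    """Total hits per (from_zone, to_zone) pair."""
    totals = {}
    for e in entries:
        key = (e["from_zone"], e["to_zone"])
        totals[key] = totals.get(key, 0) + e["hits"]
    return totals


if __name__ == "__main__":
    # Read the curl output from stdin when piped; otherwise use the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    entries = parse_hit_counts(text)
    print("unused:", [e["name"] for e in unused_policies(entries)])
    print("top:", [(e["name"], e["hits"]) for e in top_policies(entries)])
    for (src, dst), hits in sorted(zone_pair_totals(entries).items()):
        print(f"{src} -> {dst}: {hits}")
```

Hit counters on the SRX accumulate since the last clear, so a zero next to a policy only means "never matched since then"; compare against the policy's age before deleting anything, and note that the untrust-to-untrust APIACCESSS policy in the sample shows zero hits even though the API itself is clearly in use, which is the kind of result worth explaining rather than acting on blindly.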


{ system uptime }


% curl 10.1.1.1:3001/rpc/get-system-uptime-information  -u kfelix
Enter host password for user 'kfelix':
<system-uptime-information xmlns="http://xml.juniper.net/junos/15.1X49/junos" xmlns:junos="http://xml.juniper.net/junos/*/junos">
<current-time>
<date-time junos:seconds="1542059265">2018-11-12 21:47:45 UTC</date-time>
</current-time>
<time-source> LOCAL CLOCK </time-source>
<system-booted-time>
<date-time junos:seconds="1542015547">2018-11-12 09:39:07 UTC</date-time>
<time-length junos:seconds="43718">12:08:38</time-length>
</system-booted-time>
<protocols-started-time>
<date-time junos:seconds="1542015547">2018-11-12 09:39:07 UTC</date-time>
<time-length junos:seconds="43718">12:08:38</time-length>
</protocols-started-time>
<last-configured-time>
<date-time junos:seconds="1542016213">2018-11-12 09:50:13 UTC</date-time>
<time-length junos:seconds="43052">11:57:32</time-length>
<user>kfelix</user>
</last-configured-time>
<uptime-information>
<date-time junos:seconds="1542059265">9:47PM</date-time>
<up-time junos:seconds="43748">12:09</up-time>
<active-user-count junos:format="2 users">2</active-user-count>
<load-average-1>0.50</load-average-1>
<load-average-5>0.21</load-average-5>
<load-average-15>0.11</load-average-15>
</uptime-information>
</system-uptime-information>



And finally, NOT all CLI commands have an RPC equivalent; if you try to find the equivalent and none exists, Junos will display the following output.




apiuser@SRX3400> show system processes | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
    <message>
        xml rpc equivalent of this command is not available.
    </message>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>


Enjoy, and don't hesitate to use the Junos API.

Lastly, keep in mind the output is in XML by default. You have two ways to display the output in JSON:










NOTE: All examples were done on Junos version 15.1X49-Dxxxxxx








Monday, November 12, 2018

How to find bad Linux login attempts



The files wtmp and btmp are typically for tracking successful and bad logins. To find bad logins, just run the last or lastb command. The former requires you to specify the file "btmp" and the latter does it automatically.




It's good to monitor btmp since it can give clues that a brute-force login attack is under way or someone is having major login problems.
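lastb gives you the raw list; for the "is this a brute force" question you want the failures grouped by source host and by how many different usernames were tried. The following added example, which is not from the original post or from util-linux, reads btmp records directly with the struct module and produces that summary. The record layout is the glibc struct utmp on x86_64 Linux (384 bytes per record), which is an assumption to verify on your own platform; the records it ships with are constructed sample data using documentation addresses, and the ut_type value and the brute-force threshold are likewise assumed.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes per record:
# ut_type (short), pad, ut_pid (int), ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 shorts), ut_session (int), ut_tv (sec, usec as ints),
# ut_addr_v6 (4 ints), 20 bytes unused. Check sizeof(struct utmp) on your box.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
LOGIN_PROCESS = 6  # ut_type used for the constructed records below (assumption)


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def pack_record(user, line, host, epoch, ut_type=LOGIN_PROCESS, pid=0):
    """Build one 384-byte utmp record; used only to construct sample data here."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, epoch, 0, 0, 0, 0, 0, b"")


def parse_btmp(data):
    """Decode raw btmp/wtmp bytes into dicts; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        ut_type, pid, line, _, user, host, _, _, _, sec, *_ = UTMP.unpack_from(data, off)
        records.append({
            "type": ut_type, "pid": pid, "line": _cstr(line), "user": _cstr(user),
            "host": _cstr(host), "time": datetime.fromtimestamp(sec, timezone.utc),
        })
    return records


def read_btmp(path="/var/log/btmp"):
    """Read the real file (root-only on most systems)."""
    with open(path, "rb") as fh:
        return parse_btmp(fh.read())


def summarize(records):
    """Per source host: number of failed attempts and the distinct usernames tried."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set()})
    for r in records:
        summary[r["host"]]["attempts"] += 1
        summary[r["host"]]["users"].add(r["user"])
    return dict(summary)


def brute_force_suspects(records, threshold=5):
    """Hosts with at least `threshold` failures, busiest first (threshold is assumed)."""
    s = summarize(records)
    return sorted((h for h, v in s.items() if v["attempts"] >= threshold),
                  key=lambda h: s[h]["attempts"], reverse=True)


# Constructed sample: one host cycling through usernames over 15 seconds,
# one ordinary typo from a different host. Times are 2018-11-12 UTC.
SAMPLE_ATTEMPTS = [
    ("root", "ssh:notty", "203.0.113.7", 1541980800),
    ("admin", "ssh:notty", "203.0.113.7", 1541980803),
    ("oracle", "ssh:notty", "203.0.113.7", 1541980806),
    ("test", "ssh:notty", "203.0.113.7", 1541980809),
    ("root", "ssh:notty", "203.0.113.7", 1541980812),
    ("kfelix", "ssh:notty", "198.51.100.2", 1541984400),
    ("root", "ssh:notty", "203.0.113.7", 1541980815),
]
SAMPLE_BTMP = b"".join(pack_record(*a) for a in SAMPLE_ATTEMPTS)

if __name__ == "__main__":
    records = parse_btmp(SAMPLE_BTMP)
    for host, info in summarize(records).items():
        print(f"{host:16} attempts={info['attempts']:3} users={sorted(info['users'])}")
    print("suspects:", brute_force_suspects(records))
```

Replace parse_btmp(SAMPLE_BTMP) with read_btmp() to run it on a real host. Many distinct usernames from one source is the stronger signal: a user who forgot a password fails repeatedly as one account, while a dictionary attack walks through root, admin, oracle and friends.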








FTNT stock is growing

A picture says a thousand words.







