Friday, January 31, 2014

How to verify or build a BOGON list


The folks at Team Cymru have a DNS-based BOGON listing that's available to anybody who can execute an AXFR against their DNS server;

e.g

dig @ns1.cymru.com. axfr bogons.cymru.com. | grep bogons | grep 127.0.0.2


An entry in this DNS listing can then be used to check your BOGON list, or you can take the reverse output and convert it to either Cisco wildcard or CIDR format.

e.g




So you can write an ACL listing with confidence to meet your needs;

e.g

deny 169.254.0.0/16

deny 169.254.0.0 0.0.255.255
deny 169.254.0.0 255.255.0.0

NOTE: this is great if you need to check the format of a BOGON entry.
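Rendering a bogon prefix in the three ACL notations shown above, and auditing an existing ACL against a reference list, as an added example that is not part of the original post; the prefixes in BOGONS are a constructed sample, not the live Cymru zone.

```python
"""Render BOGON prefixes as CIDR / Cisco wildcard / netmask ACL lines and audit an ACL.
Added example, not from the original post; BOGONS is a constructed sample list."""
import ipaddress

# Constructed sample of bogon prefixes (a real list comes from the Cymru zone or RFC 6890).
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]

def acl_lines(cidr):
    """One prefix in CIDR, Cisco wildcard (inverse mask) and netmask notation."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (
        f"deny {net.with_prefixlen}",
        f"deny {net.network_address} {net.hostmask}",   # wildcard: 0.0.255.255 for a /16
        f"deny {net.network_address} {net.netmask}",    # netmask:  255.255.0.0 for a /16
    )

def is_bogon(ip, bogons=BOGONS):
    """True if ip falls inside any listed bogon prefix (the check an ACL would perform)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b) for b in bogons)

def audit_acl(acl_text, bogons=BOGONS):
    """Compare an existing 'deny a.b.c.d/len' ACL against the reference list and return
    (missing prefixes that are not denied, stale prefixes that are denied but not bogon)."""
    denied = {ipaddress.ip_network(line.split()[1]) for line in acl_text.splitlines()
              if line.strip().startswith("deny ") and "/" in line}
    ref = {ipaddress.ip_network(b) for b in bogons}
    return sorted(str(n) for n in ref - denied), sorted(str(n) for n in denied - ref)
```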


Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
          o
       /     \
.



Advanced MACOSX network controls & tips/tricks

In this post, I will share a few interesting things you can do within MACOSX.


1: disabling IPv6 on Mountain Lion and newer

First you have to get a list of the interfaces, either from the GUI or with the CLI command
"networksetup -listallnetworkservices"

which will show you all network services by name; these match the names shown in the GUI.




Second, to disable IPv6 on a service, run networksetup with the -setv6off option and the service name, & you will be challenged for the admin login.



You can re-validate via the netstat command.




2: disabling IPv6 on Snow Leopard

Snow Leopard 10.6.x and older typically allow you to use the ip6 -x option to disable IPv6 on all interfaces.


3: disassociating a Wi-Fi interface

Sometimes the need arises to change an interface's MTU setting, change an ether (MAC) address, or use a packet injector or 802.11 capture monitor. This will require you to disassociate the Wi-Fi interface;




4: Changing the MTU for an interface

With Mountain Lion or newer, the networksetup getMTU and setMTU commands will allow you to validate and change the MTU setting for an interface.




OR you can just use the ifconfig command, as in the following example;




5: changing the ether address

For network pen-testing, we can also change the ether address that's defined for our network interfaces. I like to use aaaa.aaaa.aaaa, but pick a proper MAC address.


To do this, the ether address can be changed via the ifconfig command. Keep in mind you need root access, and the Wi-Fi interface must be disassociated after power-on via the top menu bar.



NOTE: You might want to use a valid ether address, because some enterprise networks have IDS/WIDS or network identity engines that can trigger on an unknown vendor MAC address.

Sites like http://www.coffer.com/mac_find/  or  http://www.iana.org/assignments/ethernet-numbers/ethernet-numbers.xhtml  will help you check whether a MAC address's vendor prefix is registered.
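The vendor-prefix check described in the note, done locally the way a WIDS or network identity engine would look at an address; this is an added example, not code from the original post, and OUI_TABLE is a constructed stand-in for the registry the sites above consult.

```python
"""Classify a candidate ether (MAC) address before it is applied with ifconfig.
Added example, not from the original post; OUI_TABLE is a constructed sample."""
import re

# Constructed sample of registered OUIs (first three octets) -> vendor, for the example only.
OUI_TABLE = {"00:1b:63": "Apple", "00:50:56": "VMware", "3c:07:54": "Apple"}

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def classify_mac(mac, oui_table=OUI_TABLE):
    """Return the attributes a network identity engine would look at: the multicast bit,
    the locally-administered bit, and whether the OUI is registered to a known vendor."""
    norm = normalize_mac(mac)
    first = int(norm[:2], 16)
    vendor = oui_table.get(norm[:8])
    return {
        "mac": norm,
        "multicast": bool(first & 0x01),             # lowest bit of first octet: group address
        "locally_administered": bool(first & 0x02),  # next bit: not a vendor-assigned address
        "vendor": vendor,
        # an unregistered OUI or a multicast source address is what a WIDS would flag
        "suspicious": vendor is None or bool(first & 0x01),
    }
```

For aaaa.aaaa.aaaa the locally-administered bit is set and the OUI is unregistered, which is exactly what trips the engines the note warns about.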


6: removing IPv6 from lo0 (loopback)

The commands ip6 -x and networksetup, or the GUI as described earlier, WILL NOT LET you disable the loopback IPv6 address.

To disable IPv6 on the loopback you have to revert to the classic BSD -alias option with the ifconfig command

(e.g)



NOTE: Doing this breaks most browsers' ability to browse. You still have DNS resolving capabilities from the CLI, though.


You can disable IPv6 in your browser, or apply ipv4only for the domains you want.

e.g





Tuesday, January 28, 2014

Using USB Storage Devices Under Cisco IOS-XE

IOS-XE supports a limited number of USB devices for storage.

These are mainly USB thumb drives. I don't know if there's a hard limit on the size of the USB storage device that's supported, but I have used devices up to 32 GB in size on various ASR1K devices.

Cisco has finally got in line with other network hardware vendors, who have always allowed active filesystem mounting (e.g. what the folks at Juniper, Arista, etc. have done).


To mount the USB device, just stick it in the USB slot. (Yes, it's really that easy!)


You don't have to worry about any unmount options, but if you are in fear of filesystem corruption, you can enable shell access and use the Linux umount command.

(Enabling shell access: YMMV, use at YOUR OWN RISK; Cisco strongly suggests you don't enable shell access!)

config t
   service  internal
   platform shell
end

You can use the following Cisco commands to validate that it's mounted;
  • dir usb0:
  • show usb0:
  • show usb-device 

or by executing a combination of show commands or Linux commands (df, mount, ls, etc.).

Examples;

(IOS-XE show commands)




listing files on the usb0: device;



NOTE1: under 15.1.x code a log message is NOT ALWAYS output to show that the device was removed, which really sucks btw.





(sample log entry via syslog)


NOTE2: a stand-alone CD-ROM will typically draw too much current and will NOT mount. This will generate a log message btw.



NOTE3: a stand-alone external USB HDD will typically draw too much current and will NOT mount.


(using Linux via a shell)







(32 GB device and our /proc entry for the USB device)


So keep in mind, you have very limited capabilities within IOS-XE for the use of USB storage devices.

Mounting a device from the Linux shell gives you greater access for log collection, gathering IOS-XE files, backups, and a host of other hacks.



Thursday, January 23, 2014

S/MIME and PGP differences


For email security, we are faced with 2 common methods. I will provide a one-on-one comparison of some of the differences between these two.

| S/MIME | PGP (GnuPG) |
| --- | --- |
| chain of trust via CA (the trusted-body approach) | not centralized to any one CA or root authority |
| easier to integrate into most mail systems (Windows for example) | not as easy to implement in most mail systems |
| if any part of the CA chain is compromised, the whole chain is compromised | not an issue with PGP |
| certificates based on X.509 | not X.509 compliant |
| lifetime is based on certificate expiration (you will have to buy and renew certificates) | PGP, in earlier implementations, had a lifetime of forever |
| no such thing as certificate distribution, it uses the CA root model (hierarchical) | public-key distribution via manual distribution, or keyservers |
| costs money (MTA server, certificates, etc.) | with GPG it's 100% free |
| secured | more secured due to being decentralized (<-- my opinion) |
| supports MIME attachment only | does mail encryption, and much more (e.g. disk encryption) |
| RSA public-key | supports RSA, DH, Elgamal, etc. |
| ciphers supported are fewer than GPG | cipher support is slightly more than what S/MIME clients support |



Both methods provide the end user with security and close the gap within the SSL/TLS island, as mentioned before in some of my earlier postings.

How secure one is over the other really depends on whether you believe in the CA model or the web of trust. Since the CA model builds reputation & trust via a selected authority, it places all security risk within that authority & its delegation.

e.g


  • What if a CA is compromised?
  • What if a CA has issued a forged certificate?
  • What if they are working behind the scenes with the government and selling you and me out ;)




Past history has seen problems with central CA root authorities (look at past incidents with Google, Comodo, and DigiNotar for examples).

In conclusion;

Mail security should not be taken lightly. With email still being a main method for the delivery of information and data, we should always think of security within our daily email practices.
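The "whole chain is compromised" point from the comparison, and the what-if list above, modelled in code as an added illustration (not from the original post): a hierarchical CA chain versus a web of trust, and which identities each model still accepts once a given key is breached. All names and both graphs are constructed for the example.

```python
"""Toy model of hierarchical (S/MIME-style) trust versus a PGP-style web of trust.
Added illustration, not from the original post; names and graphs are constructed."""

# Hierarchical: each cert names its issuer; the root is self-issued (None).
CA_CHAIN = {
    "root-ca": None,
    "intermediate-ca": "root-ca",
    "alice@example.org": "intermediate-ca",
    "bob@example.org": "intermediate-ca",
}

def pki_valid(subject, compromised, chain=CA_CHAIN):
    """True only if no link on the path from subject up to the root is compromised."""
    node = subject
    while node is not None:
        if node in compromised:
            return False
        node = chain[node]
    return True

# Web of trust: each key lists the keys that signed it; the verifier decides which
# keys it trusts directly (here just "me", the verifier's own key).
WOT_SIGNATURES = {
    "alice": {"me", "carol"},
    "bob": {"carol"},
    "carol": {"me"},
    "dave": {"bob"},
}

def wot_valid(key, trusted_directly, compromised, sigs=WOT_SIGNATURES, depth=3):
    """True if a chain of at most `depth` uncompromised signers links `key` back to a
    directly trusted key (simplified: one honest path is enough)."""
    if key in compromised:
        return False
    if key in trusted_directly:
        return True
    if depth == 0:
        return False
    return any(wot_valid(s, trusted_directly, compromised, sigs, depth - 1)
               for s in sigs.get(key, ()) if s not in compromised)

def blast_radius(compromised):
    """Identities each model still accepts after the keys in `compromised` are breached."""
    pki = {s for s in CA_CHAIN if s.endswith("@example.org") and pki_valid(s, compromised)}
    wot = {k for k in WOT_SIGNATURES if wot_valid(k, {"me"}, compromised)}
    return pki, wot
```

Breaching the root empties the PKI side entirely, while breaching one web-of-trust signer only drops the keys whose every path ran through that signer.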
