Thursday, October 30, 2014

FortiMail upgrades to 5.1.4b286

We are pushing FortiMail 5.1.4 code onto our 100C FortiMail appliances. There is nothing really new in the firmware, but it has been out for a few days now, so I said "what the heck, let's roll it out".




TIP: As usual, you should read the release notes first.



The code has been out for a week now.

After backing up the FortiMail config, you can grab the new code.



The upgrade is straightforward. If you don't have a second or redundant FortiMail, schedule the upgrade for a low-load period, since mail flow stops while the unit reboots.

TIP: Always compare the hash of the downloaded image against the hash published online, to catch a corrupted download before it reaches the appliance. Use the strongest digest offered (SHA-256 where available rather than MD5): either will catch corruption, but MD5 is no longer a defense against a deliberately substituted image.
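As an added example (not code from the original post or from Fortinet), here is that hash check as a small Python script: it reads the published "<hexdigest>  <filename>" line in the form md5sum/sha256sum print it, picks the algorithm from the digest length, streams the image through hashlib so a large firmware file is not read into memory at once, and compares in constant time. The image bytes and file names it uses are constructed placeholders, not a real FortiMail image.

```python
"""Added example: verify a downloaded firmware image against the digest the
vendor publishes before uploading it to the appliance."""
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_line(line):
    """Parse '<hexdigest>  <filename>' as md5sum/sha256sum print it.

    Returns (algorithm, hexdigest, filename). Raises ValueError on anything
    malformed so a mangled copy-paste can never silently 'verify'."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError("expected '<hexdigest>  <filename>', got %r" % line)
    hexdigest, name = parts[0].lower(), parts[1].lstrip("*")
    if len(hexdigest) not in ALGO_BY_HEXLEN or any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError("not a recognised hex digest: %r" % parts[0])
    return ALGO_BY_HEXLEN[len(hexdigest)], hexdigest, name


def file_digest(path, algo, chunk=1 << 20):
    """Stream the file through hashlib in 1 MiB chunks (images can be hundreds of MB)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, published_line):
    """True only if the file's digest matches the published one (constant-time compare)."""
    algo, expected, _ = parse_checksum_line(published_line)
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed sample: fake image bytes, a matching published SHA-256 line,
    and a copy with one bit flipped standing in for a corrupted download."""
    d = tempfile.mkdtemp()
    data = b"FORTIMAIL-IMAGE\x00" * 4096          # placeholder payload, not real firmware
    good = os.path.join(d, "image.out")            # placeholder file name
    with open(good, "wb") as f:
        f.write(data)
    corrupt = os.path.join(d, "image-corrupt.out")
    with open(corrupt, "wb") as f:
        f.write(data[:-1] + bytes([data[-1] ^ 0x01]))
    published = "%s  image.out" % hashlib.sha256(data).hexdigest()
    return {"good": verify_image(good, published), "corrupt": verify_image(corrupt, published)}


if __name__ == "__main__":
    print(demo())
```

Run it against the real download with the line copied from the vendor page; a mismatch means re-download, not retry the upgrade.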






Sit back and wait for the upload to complete and the FortiMail unit to reboot. This can take anywhere from 5 to 10 minutes depending on bandwidth, latency and link utilization.




The final steps


  • send test mail inbound
  • send test mail outbound
  • if running in server mode, validate that webmail, POP and IMAP are working as required
  • monitor the mail log
  • test admin logins
  • use MXToolbox to re-validate that you are not an open relay
  • it's also a good time to check your SPF record and whether you are on any blacklists

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^    ^
 =( #  # )=
      @
      /   \

Monday, October 27, 2014

SHA1 keysize checker

I was following a post on a public support forum about SHA1 and collision probabilities, and it got me thinking about the SHA checker website

http://www.sha2sslchecker.com

This site lets you query the SSL certificate information of "public" facing sites. It is very useful for looking at certificate details and at the chain from a hierarchical standpoint.

Take my website. The SHA SSL checker shows:


NOTE: the information includes key size and lifetime (expiration).

This site is useful for those who don't know how to use openssl to get the same information. It also provides a full tree view of all intermediates up to and including the root CA.

For example, using the SSL checker website, we can easily find the key size, key type and expiration.


NOTE: a child lower in the tree should never expire later than the parent above it. A well-run CA will not issue a certificate that outlives its own, but nothing in X.509 path validation enforces this; a leaf that outlives its issuer simply stops validating the day the issuer expires, so check both dates.
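The same fields pulled with openssl instead of the website, as an added example that is not part of the original post (and not the checker site's code). It drives the openssl CLI from Python with subprocess, parses the "-text" output into signature hash, key type, key size, curve and expiry, flags the two things worth worrying about (SHA-1 signatures, RSA keys under 2048 bits), and checks whether a child outlives its parent. The root and leaf it generates are constructed throw-away test certificates, not any real site's chain; the openssl binary is assumed to be on PATH. To look at a live site instead, feed it a PEM saved from "openssl s_client -connect host:443 -showcerts".

```python
"""Added example: reproduce what the SHA checker site reports (signature hash,
key type/size, curve, expiry) from a certificate via the openssl CLI, and check
the parent/child expiry relationship across a chain."""
import datetime
import os
import re
import subprocess
import tempfile


def _openssl(*args):
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def cert_summary(pem_path):
    """Parse 'openssl x509 -text' output into the fields the checker site shows."""
    text = _openssl("x509", "-in", pem_path, "-noout", "-text")
    info = {
        # first occurrence is the algorithm inside the signed (TBS) part
        "sig_alg": re.search(r"Signature Algorithm: (\S+)", text).group(1),
        "key_alg": re.search(r"Public Key Algorithm: (\S+)", text).group(1),
        "key_bits": int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1)),
        "curve": None,
    }
    m = re.search(r"(?:ASN1 OID|NIST CURVE): (\S+)", text)   # only present for EC keys
    if m:
        info["curve"] = m.group(1)
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    info["not_after"] = datetime.datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    return info


def weaknesses(info):
    """The two things the 'sky is falling' crowd is right to flag."""
    found = []
    if "sha1" in info["sig_alg"].lower():
        found.append("SHA-1 signature")
    if info["key_alg"] == "rsaEncryption" and info["key_bits"] < 2048:
        found.append("RSA key shorter than 2048 bits")
    return found


def child_outlives_parent(child, parent):
    """True when the child's expiry is later than its issuer's. Nothing in X.509
    forbids issuing such a cert, but it stops validating when the parent expires."""
    return child["not_after"] > parent["not_after"]


def build_demo_chain(ca_days=30, leaf_days=60):
    """Constructed sample: a P-256 root and a leaf deliberately issued to outlive it."""
    d = tempfile.mkdtemp()
    p = lambda name: os.path.join(d, name)
    for key in ("ca.key", "leaf.key"):
        _openssl("genpkey", "-algorithm", "EC", "-pkeyopt", "ec_paramgen_curve:prime256v1",
                 "-out", p(key))
    _openssl("req", "-x509", "-new", "-key", p("ca.key"), "-days", str(ca_days),
             "-subj", "/CN=Demo Root CA", "-out", p("ca.crt"))
    _openssl("req", "-new", "-key", p("leaf.key"), "-subj", "/CN=www.example.test",
             "-out", p("leaf.csr"))
    _openssl("x509", "-req", "-in", p("leaf.csr"), "-CA", p("ca.crt"), "-CAkey", p("ca.key"),
             "-CAcreateserial", "-days", str(leaf_days), "-out", p("leaf.crt"))
    return p("leaf.crt"), p("ca.crt")


if __name__ == "__main__":
    leaf_pem, ca_pem = build_demo_chain()
    leaf, ca = cert_summary(leaf_pem), cert_summary(ca_pem)
    for label, info in (("leaf", leaf), ("root", ca)):
        print(label, info, weaknesses(info) or "no weaknesses flagged")
    print("leaf outlives its issuer:", child_outlives_parent(leaf, ca))
```

The regexes are written against the layout openssl has used for years ("Public-Key: (256 bit)", "ASN1 OID: prime256v1"); if your build prints something else, the failing re.search is the place to look.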

To find out more about SHA1 and collisions, see the Wikipedia article:

http://en.wikipedia.org/wiki/SHA-1

The new crowd of website admins falls into "we must, must, must change our key size" (which could be a good thing). The old saying "the lock is only as good as the key" truly applies.

You will find that root CA certificates typically still carry SHA1 signatures, and some older roots still use 1024-bit keys, so the root operators don't seem too fazed by the sky-is-falling crowd. Keep in mind, though, that the signature on a self-signed root is never verified by a client (the root is trusted because it ships in the trust store), so a SHA1 signature on a root is harmless; what matters is SHA1 on an intermediate or leaf, and a 1024-bit key anywhere in the chain.

e.g.

hp.com
yahoo
bing
microsoft
att
google
ebay
thawte.com
twitter


But don't get too caught up in these numbers until you pull the certificate, validate it in detail and understand what technology it is actually using.


For example, the SHA checker and facebook:



But in reality this is a very strong level of protection. The curve in use is ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256), the same curve the NSA's Suite B approved for protecting information up to the SECRET level.


You can read more about elliptic curve cryptography from, guess who, our friends at the NSA :)

https://www.nsa.gov/business/programs/elliptic_curve.shtml


[QUOTE]
However, unlike the RSA and Diffie-Hellman cryptosystems that slowly succumbed to increasingly strong attack algorithms, elliptic curve cryptography has remained at its full strength since it was first presented in 1985.
[/QUOTE]


and

[QUOTE]
For protecting both classified and unclassified National Security information, the National Security Agency has decided to move to elliptic curve based public key cryptography.  
[/QUOTE]


So a 256-bit elliptic curve key is in the same order as a 3072-bit RSA key: NIST rates both at the 128-bit security level, which is why a P-256 certificate with a "small" key is not a weakness.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \


Friday, October 24, 2014

Tip for rebooting "Redundant Supervisor" modules on the Cisco 6500x

Under Cisco IOS 15.1.x you have a few ways to reset line cards. The older reload module CLI command is no longer available, so you have to be creative.

To reset any line card that is not a supervisor module, you can issue the following from global configuration mode;


no power enable module  X
( where X = the slot # )

followed by a;

power enable module  X
( where X = the slot # )

But this command is not available for a supervisor module (standby or active). If you try to use it against a supervisor slot, you will be presented with the following error

( example )

So if you have a supervisor module that is hung, or one that didn't boot correctly like this standby;



Then your only option, short of physically being on site and pulling the card, is a hw-module reset (hw-module module X reset, where X = the slot #).

This tip can save time and effort for remote data centers and eliminates the need for "remote hands" to physically reseat a supervisor module.

The hw-module module X reset command works for pretty much ALL card types (supervisors, NAMs, interface line cards, etc.). One caveat: a reset of the active supervisor is a switchover to the standby (or a full chassis reload if no standby is ready), so confirm which slot is active with show module or show redundancy before you issue it.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer
kfelix  --- a----t ---- socpuppets --- dot --- com

     ^      ^
=( @   @ )=
         o 
        /  \

Monday, October 20, 2014

The CloudCracker online password cracker

In this post we will look at how to use the CloudCracker service. CloudCracker is available at the following URL: https://www.cloudcracker.com

To use this service there are a few steps.


First, select the type of password cracking you want. I will demonstrate an MD5 Unix password (the md5crypt $1$salt$hash format).



Next, you will need to supply the salted MD5 hash. Here's my hash;


If you supply the wrong format or too many entries, you will be challenged with an error;

examples;





Next, you must select a dictionary size. A bigger dictionary means more time and more cost $$$.

Next, select the payment type and make the payment.




 
After you have submitted payment, watch your email inbox. You should first see a receipt and then a status message showing that your job has started.







Now sit back and wait for the results. The duration is determined by the dictionary size and by how busy CloudCracker is, including any earlier queued jobs.



In summary;

  • CloudCracker is a cheap solution for password cracking (e.g. 2 hrs of work @ 136.00 USD is cheap)
  • it's simple to use
  • it only allows one MD5 hash entry
  • billing via bitcoin can be unreliable
  • if you use a credit card from overseas, the validation could fail
  • it does not provide strong details on the dictionary type (word manipulation, type of dictionary: common, English, words, etc.) https://www.cloudcracker.com/dictionaries.html
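What the service is actually doing while you wait, as an added example that is not code from the original post or from CloudCracker: the md5crypt ("MD5 Unix", $1$salt$hash) format it expects, a check that an entry is well-formed before you pay for a job (the format error and the one-entry limit above), and the dictionary attack itself run offline on a constructed sample, which makes it clear why dictionary size drives both time and price. The regex describing what the service accepts (exactly one $1$ entry, salt up to 8 characters) is my assumption from the error screens in the post; the hash and word list are constructed, not the hash from the post.

```python
"""Added example: md5crypt as used for MD5 Unix passwords, an input-format check,
and the dictionary attack a cracking service runs against one entry."""
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Assumed accepted format: $1$ + 1..8 salt chars + $ + 22 hash chars, all from the itoa64 alphabet
MD5CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def parse_md5crypt(entry):
    """Return (salt, hash) for one well-formed md5crypt entry, else ValueError
    (e.g. two entries pasted in, or a $5$/$6$ SHA-crypt hash submitted as MD5)."""
    m = MD5CRYPT_RE.match(entry.strip())
    if not m:
        raise ValueError("not a single $1$salt$hash entry: %r" % entry)
    return m.group(1), m.group(2)


def _to64(value, count):
    """The crypt(3) base-64 variant: low 6 bits first, no padding."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """FreeBSD md5crypt: salted MD5 stretched through 1000 rounds."""
    pw, magic = password.encode(), b"$1$"
    sb = salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                 # one byte per bit of len(pw)
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the stretching loop that makes each guess cost
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$1$" + sb.decode() + "$" + encoded


def dictionary_attack(entry, wordlist):
    """Recompute the hash with the entry's own salt for every candidate word.
    This is all a dictionary job is, which is why a bigger list costs more time."""
    salt, _ = parse_md5crypt(entry)
    for word in wordlist:
        if md5crypt(word, salt) == entry:
            return word
    return None


# Constructed sample: a hash of a weak password and a tiny 'dictionary'
SAMPLE_ENTRY = md5crypt("Summer2014", "Xy7kQ2pa")
SAMPLE_WORDLIST = ["password", "letmein", "Winter2013", "Summer2014", "qwerty"]

if __name__ == "__main__":
    print(SAMPLE_ENTRY)
    print("recovered:", dictionary_attack(SAMPLE_ENTRY, SAMPLE_WORDLIST))
```

The 1000-round loop is the whole reason a job takes hours rather than seconds; multiply it by the word list size (and by every mangling rule the service applies, which is the detail the dictionaries page does not spell out) and you have the cost model.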
Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( #  # )=
      @
      /   \

BGP unicast IPv6 prefix count breakdown

Here's a graph showing the current BGP IPv6 prefix breakdown by length. Keep in mind the shortest prefix length seen is /19 and the longest is /48.

/32s and /48s were the most numerous prefix lengths in the global IPv6 BGP table.

At the time of this graph we had over 19K prefixes in the BGP IPv6 unicast table, using 3981 KiB of memory for 36k+ RIB entries.
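As an added example, not from the original post: the per-length breakdown behind a graph like this, produced from a plain list of prefixes, plus a list of anything outside the /19 to /48 window the post observed (a typical eBGP ingress filter enforces the same window, so this doubles as a check of what a peer is trying to hand you). The prefix list is a constructed sample, not the real table; strict parsing rejects a "prefix" with host bits set, which is exactly the kind of junk you do not want counted.

```python
"""Added example: histogram of IPv6 prefix lengths and a window check."""
import ipaddress
from collections import Counter

# Constructed sample of IPv6 prefixes (documentation space plus a couple of junk lines)
SAMPLE_PREFIXES = """\
2001:db8::/32
2001:db8:1000::/36
2001:db8:2000::/48
2001:db8:3000::/48
2001:db8:4000::/40
2a00:1450::/29
2400::/19
2001:db8:5000::/64
2001:db8:6000::1/48
not-a-prefix
"""


def parse_prefixes(text):
    """Return (networks, rejected lines). strict=True rejects host bits set in a 'prefix'."""
    nets, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv6Network(line, strict=True))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def breakdown(nets):
    """Count of prefixes per prefix length, the data the graph plots."""
    return Counter(n.prefixlen for n in nets)


def outside_window(nets, shortest=19, longest=48):
    """Prefixes a /19-/48 ingress filter would drop (assumed policy, matching the post's bounds)."""
    return [n for n in nets if not shortest <= n.prefixlen <= longest]


def render(counter, width=40):
    """Text bar chart, one row per prefix length."""
    peak = max(counter.values())
    return "\n".join("/%-3d %6d %s" % (length, count, "#" * (width * count // peak))
                     for length, count in sorted(counter.items()))


if __name__ == "__main__":
    nets, rejected = parse_prefixes(SAMPLE_PREFIXES)
    print(render(breakdown(nets)))
    print("rejected:", rejected)
    print("outside /19-/48:", [str(n) for n in outside_window(nets)])
```

Feed it the output of "show bgp ipv6 unicast" with the prefix column cut out and you get the same breakdown for a live table.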



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  --- a----t ---- socpuppets --- dot --- com

     ^      ^
=(  X   X )=
         o 
        /  \

Friday, October 17, 2014

ASR FPD upgrades

In this post we will look at upgrading line card firmware using the FPD process under IOS-XR.

The abbreviation FPD stands for "field-programmable devices". These are the programmable hardware components in your slots or subslots, and between IOS-XR releases there may be new firmware to push to them.

The upgrade should be non-service-impacting, but you will need to reload the card (or the chassis) for the new firmware to take effect.

Cisco has made this process simple and quick. A typical 9K chassis can take anywhere from 10-30 minutes depending on the number of cards and the number of FPD images that need to be pushed.


> The first step should be to make a configuration backup

> Next, ensure no changes or other upgrades are taking place or have been scheduled

> Next, show the existing FPD packages

admin show fpd package

> Next, after determining which cards you have (a show platform may be helpful), query the currently installed version on a line card

admin show hw-module fpd loc 0/0/CPU0

> You can now start the upgrade for the line card


admin upgrade  hw fpd all location  0/0/CPU0
  1.  Do not interrupt the process
  2.  Do not restart the line card until the upgrade process has completed
  3.  Do not make any system changes
  4.  If the card does not need any new updates, the process will terminate and generate a message such as;


If you want to do all devices in the chassis, use the following command;

     admin upgrade  hw fpd all location  all

Monitor the process, but be patient; it can take some time. After the upgrade you will get a completion notice.

During an IOS-XR software upgrade you may find that new FPD images have been released. These images are not pushed to the line cards automatically; they require the manual process described above. It is best to always ensure you are running the latest version, because of incompatibilities between software releases.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer
kfelix  --- a----t ---- socpuppets --- dot --- com

     ^      ^
=(  *    * )=
         o 
        /  \

Sunday, October 5, 2014

A few examples of how to do dependency checks on FortiGates

One of the biggest challenges with the FortiGate is finding cross-linked tables, policies, addresses or groups. When deleting these items you have to be aware of any linking and follow all linked items, since the CLI will refuse to delete an object that is still referenced. Here's a way to do this from the command line.

Take a VIP. If we want to find what's linked to a VIP, we can use the diag sys checkused firewall.vip.name command;


As you can see, we have three linked firewall policies: #123, #137 and #145.

How about an interface? The same logic applies; take the 3G modem on my local firewall.
 diag sys checkused system.interface.name modem


And the same goes for an address table entry;
 diag sys checkused firewall.address.name all




In order to use the diag sys checkused command, you have to understand the tables and objects.

Basically the command takes the path, the object and the key (mkey) field, followed by the value. To discover the available names, just add a question mark after the command on the CLI.


 For example, for an address group: firewall = path, addrgrp = object, name = mkey, followed by the actual group name, i.e. diag sys checkused firewall.addrgrp.name <group name>.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

Wednesday, October 1, 2014

Finding the ASR 9010 chassis serial number

Here's a new thing I found while playing around with ASR IOS-XR; this is a continued follow-up to another follow-up on the ASR9K chassis serial#;
http://socpuppet.blogspot.com/2014/05/a-follow-up-howto-get-asr-serial-number.html

The show diag chassis command from admin mode also displays the chassis serial number. You must execute it from the admin context.

e.g

So now you have a few different ways to acquire the chassis serial#;

admin show diag chassis
admin show inv chassis
Execute a QNX Korn shell and cat the contents of the license_bkup1 file

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  $  $ )=
       o 
      /  \