Sunday, November 18, 2018

Junos SRX RPM

RPM (RealTime Probe Monitor) is the Juniper equivalent of Cisco IPSLA. It is supported on various Junos devices. In this post we will look at an ICMP RPM probe that was set up for gathering uplink statistics.

[edit]
kfelix@MANHATTAN# show | display set | match rpm                               
set services rpm probe ICMP test icmp1 probe-type icmp-ping
set services rpm probe ICMP test icmp1 target address 8.8.4.4
set services rpm probe ICMP test icmp1 probe-count 1
set services rpm probe ICMP test icmp1 probe-interval 120
set services rpm probe ICMP test icmp1 test-interval 120

[edit]




And a dump of the active probe:



 "show services rpm probe-results owner ICMP test icmp1"
    Owner: ICMP, Test: icmp1
    Target address: 8.8.4.4, Probe type: icmp-ping, Test size: 1 probes
    Probe results:
      Response received
      Sun Nov 18 13:12:55 2018
      Sun Nov 18 13:12:55 2018, No hardware timestamps
      Rtt: 9893 usec, Round trip jitter: 140 usec, Round trip interarrival jitter: 4996 usec
    Results over current test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0.000000
      Measurement: Round trip time
        Samples: 1, Minimum: 9893 usec, Maximum: 9893 usec, Average: 9893 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 9893 usec
      Measurement: Positive round trip jitter
        Samples: 1, Minimum: 140 usec, Maximum: 140 usec, Average: 140 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 140 usec
    Results over last test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0.000000
      Test completed on Sun Nov 18 13:12:55 2018
      Measurement: Round trip time
        Samples: 1, Minimum: 9893 usec, Maximum: 9893 usec, Average: 9893 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 9893 usec
      Measurement: Positive round trip jitter
        Samples: 1, Minimum: 140 usec, Maximum: 140 usec, Average: 140 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 140 usec
    Results over all tests:
      Probes sent: 3995, Probes received: 3980, Loss percentage: 0.375469
      Measurement: Round trip time
        Samples: 3980, Minimum: 9442 usec, Maximum: 134912 usec, Average: 11707 usec, Peak to peak: 125470 usec, Stddev: 7648 usec, Sum: 46592163 usec
      Measurement: Positive round trip jitter
        Samples: 1994, Minimum: 0 usec, Maximum: 125086 usec, Average: 3567 usec, Peak to peak: 125086 usec, Stddev: 10224 usec, Sum: 7112597 usec
      Measurement: Negative round trip jitter
        Samples: 1985, Minimum: 1 usec, Maximum: 125069 usec, Average: 3583 usec, Peak to peak: 125068 usec, Stddev: 10229 usec, Sum: 7112336 usec


So the last lines are the collective counts over all tests, including the total number of probes sent. I bolded a few lines of interest.



Keep in mind that various probe types exist and you are not limited to just ICMP types.


Possible completions:
  http-get             Perform HTTP Get request at target URL
  http-metadata-get    Perform HTTP Get request of metadata at target URL
  icmp-ping            Send ICMP echo request to target address
  icmp-ping-timestamp  Send ICMP timestamp request to target address
  icmp6-ping           Send ICMP6 echo request to target address
  tcp-ping             Send TCP packets to target
  udp-ping             Send UDP packets to target
  udp-ping-timestamp   Send UDP packets with timestamp to target
[edit]


These probes can be called out and used to help ensure and measure service availability. If you define thresholds, you can set traps on failures.
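The thresholds idea in practice, as an added example rather than anything from the original post: a POSIX shell function that scores the "Results over all tests" block against a loss and an average-RTT limit, using the figures shown above as constructed input.

```shell
#!/bin/sh
# Added example, not from the original post: check the "Results over all
# tests" block of "show services rpm probe-results" against a loss and an
# average-RTT threshold, as a poller would before raising an alarm.
# The sample text is constructed from the figures shown in the post.

RPM_OUTPUT='    Results over all tests:
      Probes sent: 3995, Probes received: 3980, Loss percentage: 0.375469
      Measurement: Round trip time
        Samples: 3980, Minimum: 9442 usec, Maximum: 134912 usec, Average: 11707 usec, Peak to peak: 125470 usec, Stddev: 7648 usec, Sum: 46592163 usec'

# rpm_check <max-loss-percent> <max-avg-rtt-usec>
# Reads probe-results text on stdin, prints "OK" or one "ALERT: ..." line per
# breached threshold, and returns 1 if anything was breached.
rpm_check() {
    awk -v max_loss="$1" -v max_rtt="$2" '
        /Results over all tests:/ { inall = 1; next }
        inall && /Loss percentage:/ {
            sub(/.*Loss percentage: */, ""); loss = $0 + 0
        }
        inall && /Measurement: Round trip time/ { rtt_block = 1; next }
        inall && rtt_block && /Average:/ {
            match($0, /Average: [0-9]+/)
            avg = substr($0, RSTART + 9, RLENGTH - 9) + 0
            rtt_block = 0
        }
        END {
            bad = 0
            if (loss > max_loss) { printf "ALERT: loss %.3f%% > %s%%\n", loss, max_loss; bad = 1 }
            if (avg > max_rtt)   { printf "ALERT: avg rtt %d usec > %s usec\n", avg, max_rtt; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }'
}

# 1% loss and a 50 ms average RTT are generous limits for a WAN uplink.
printf '%s\n' "$RPM_OUTPUT" | rpm_check 1 50000
```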







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \


Thursday, November 15, 2018

ICMP timestamp request examples

Here are a few examples of an ICMP timestamp request. In reality you should not allow this from the untrusted internet.

linux  "TS and addr"




linux  "TSonly"




MS windows10









Wednesday, November 14, 2018

URL category Fortiguard

In the web category section, the FortiGuard web URL lookup has a feature for selecting version 5.4/5/6, and the lookup results could be very different.

Take these two lookups of the following URL against the various FortiOS versions.






So be advised that specific FortiOS versions categorize URLs differently.









top firewall vendors

This YouTube video explains some of the top 5 firewall vendors in today's market.

https://www.youtube.com/watch?v=MvNYdxap0AY









Tuesday, November 13, 2018

Junos SRX API interface is so easy

In this post, I will show you some ways of making very simple API calls using curl.


The Junos API is probably, hands down, one of the best API interfaces for firewalls, and the quickest to learn and pick up on, imho.


To make an RPC call you need to know the RPC equivalent of the CLI command. The quickest way to find this is to run the known CLI command with "| display xml rpc" on the CLI. The output will be in XML and contains the corresponding "rpc" string.



e.g. { show system uptime }

kfelix@NYCMANCOURTDC> show system uptime | display xml rpc 
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
    <rpc>
        <get-system-uptime-information>
        </get-system-uptime-information>
    </rpc>
    <cli>
        <banner></banner>
    </cli>

</rpc-reply>


Now to make the RPC call, you use curl to GET the URL that carries the proper rpc string.



curl http://x.x.x.x:3000/rpc/get-system-uptime-information -u username:yourpassword 


Here are a few working examples with authentication. BUT first: if your WWW basic authentication fails, you will always get a 401 "Unauthorized" message.


< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Need basic auth header"
< Content-Type: text/html
< Content-Length: 351
< Date: Mon, 12 Nov 2018 21:41:58 GMT
< Server: lighttpd/1.4.32




{ dump the route table for a Junos SRX device }

 
> GET /rpc/get-route-information HTTP/1.1
> Host: 10.1.1.1:3001
> Authorization: Basic a2ZlbGl50kdFVEVTQTI0MHpjYXIwMQ==
> User-Agent: curl/7.59.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: application/xml; charset=utf-8
< Transfer-Encoding: chunked
< Date: Mon, 12 Nov 2018 21:42:17 GMT
< Server: lighttpd/1.4.32
< 
<route-information xmlns="http://xml.juniper.net/junos/15.1X49/junos-routing" xmlns:junos="http://xml.juniper.net/junos/*/junos">
<!-- keepalive -->
<route-table>
<table-name>inet.0</table-name>
<destination-count>12</destination-count>
<total-route-count>13</total-route-count>
<active-route-count>12</active-route-count>
<holddown-route-count>0</holddown-route-count>
<hidden-route-count>0</hidden-route-count>
<rt junos:style="brief">
<rt-destination>0.0.0.0/0</rt-destination>
<rt-entry>
<active-tag>*</active-tag>
<current-active/>
<last-active/>
<protocol-name>Static</protocol-name>
<preference>5</preference>
<age junos:seconds="43081">11:58:01</age>
<nh>
<selected-next-hop/>
<to>192.124.194.97</to>
<via>ge-0/0/0.0</via>

</nh>



 { dump arp table }



% curl 10.1.1.1:3001/rpc/get-arp-table-information -u kfelix
Enter host password for user 'kfelix':
<arp-table-information xmlns="http://xml.juniper.net/junos/15.1X49/junos-arp" xmlns:junos="http://xml.juniper.net/junos/*/junos" junos:style="normal">
<arp-table-entry>
<mac-address>20:fd:f1:64:ab:81</mac-address>
<ip-address>10.1.0.25</ip-address>
<hostname>10.1.0.25</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>10:c3:7b:92:d2:59</mac-address>
<ip-address>10.1.0.26</ip-address>
<hostname>10.1.0.26</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>00:16:e0:32:e8:a1</mac-address>
<ip-address>10.1.0.27</ip-address>
<hostname>10.1.0.27</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>
<mac-address>64:9a:be:cb:1a:0c</mac-address>
<ip-address>10.1.0.28</ip-address>
<hostname>10.1.0.28</hostname>
<interface-name>ge-0/0/2.0</interface-name>
<arp-table-entry-flags>
<none/>
</arp-table-entry-flags>
</arp-table-entry>
<arp-table-entry>

<mac-address>d8:38:fc:38:25:40</mac-address>

NOTE: output  cut


{ review policy hit counts }

% curl 10.1.1.1:3001/rpc/get-security-policies-hit-count -u kfelix
Enter host password for user 'kfelix':
<policy-hit-count xmlns="http://xml.juniper.net/junos/15.1X49/junos-security-policy">
<logical-system-name>root-logical-system</logical-system-name>
<policy-hit-count-entry>
<policy-hit-count-index>1</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>trust-to-trust</policy-hit-count-policy-name>
<policy-hit-count-count>623</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>2</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>trust2untrust</policy-hit-count-policy-name>
<policy-hit-count-count>7839</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>3</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>COMMON</policy-hit-count-policy-name>
<policy-hit-count-count>31049</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>4</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST53</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>5</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>VPN</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>6</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWDNS</policy-hit-count-policy-name>
<policy-hit-count-count>917</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>7</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST222</policy-hit-count-policy-name>
<policy-hit-count-count>3599</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>8</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST220</policy-hit-count-policy-name>
<policy-hit-count-count>22524</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>9</policy-hit-count-index>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>DENYDNS</policy-hit-count-policy-name>
<policy-hit-count-count>895</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>10</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>policy_in_wizard_dyn_vpn</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>11</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>trust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>VPNn</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-index>12</policy-hit-count-index>
<policy-hit-count-from-zone>untrust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>APIACCESSS</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>


{ system uptime }


% curl 10.1.1.1:3001/rpc/get-system-uptime-information  -u kfelix
Enter host password for user 'kfelix':
<system-uptime-information xmlns="http://xml.juniper.net/junos/15.1X49/junos" xmlns:junos="http://xml.juniper.net/junos/*/junos">
<current-time>
<date-time junos:seconds="1542059265">2018-11-12 21:47:45 UTC</date-time>
</current-time>
<time-source> LOCAL CLOCK </time-source>
<system-booted-time>
<date-time junos:seconds="1542015547">2018-11-12 09:39:07 UTC</date-time>
<time-length junos:seconds="43718">12:08:38</time-length>
</system-booted-time>
<protocols-started-time>
<date-time junos:seconds="1542015547">2018-11-12 09:39:07 UTC</date-time>
<time-length junos:seconds="43718">12:08:38</time-length>
</protocols-started-time>
<last-configured-time>
<date-time junos:seconds="1542016213">2018-11-12 09:50:13 UTC</date-time>
<time-length junos:seconds="43052">11:57:32</time-length>
<user>kfelix</user>
</last-configured-time>
<uptime-information>
<date-time junos:seconds="1542059265">9:47PM</date-time>
<up-time junos:seconds="43748">12:09</up-time>
<active-user-count junos:format="2 users">2</active-user-count>
<load-average-1>0.50</load-average-1>
<load-average-5>0.21</load-average-5>
<load-average-15>0.11</load-average-15>
</uptime-information>
</system-uptime-information>
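Two things a practitioner would want around the curl calls above, as an added example (not code from the original post): a wrapper that fails hard on the 401 case instead of handing an HTML error page to whatever parses the reply, and a parser that pulls zero-hit policies out of the get-security-policies-hit-count output. The host, port and user name are placeholders; the XML sample is constructed after the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the curl call from above so
# a 401 (failed basic auth) becomes a non-zero exit instead of an HTML body,
# then mine the get-security-policies-hit-count reply for policies that have
# never matched traffic. Host, port and user name are placeholders.

# junos_rpc <host:port> <user> <rpc-name>
# -f makes curl exit 22 on a 4xx/5xx reply, so the caller never parses the
# "Unauthorized" page as XML; curl prompts for the password.
junos_rpc() {
    curl -sSf -u "$2" "http://$1/rpc/$3"
}

# zero_hit_policies: reads policy-hit-count XML on stdin and prints
# "from-zone to-zone policy-name" for each policy whose counter is 0,
# the usual starting point for pruning a rulebase.
zero_hit_policies() {
    awk -F'[<>]' '
        /<policy-hit-count-from-zone>/   { from = $3 }
        /<policy-hit-count-to-zone>/     { to = $3 }
        /<policy-hit-count-policy-name>/ { name = $3 }
        /<policy-hit-count-count>/       { if ($3 + 0 == 0) print from, to, name }
    '
}

# Constructed reply in the shape of the output shown in the post.
SAMPLE_HITS='<policy-hit-count xmlns="http://xml.juniper.net/junos/15.1X49/junos-security-policy">
<policy-hit-count-entry>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>trust2untrust</policy-hit-count-policy-name>
<policy-hit-count-count>7839</policy-hit-count-count>
</policy-hit-count-entry>
<policy-hit-count-entry>
<policy-hit-count-from-zone>trust</policy-hit-count-from-zone>
<policy-hit-count-to-zone>untrust</policy-hit-count-to-zone>
<policy-hit-count-policy-name>ALLOWCUST53</policy-hit-count-policy-name>
<policy-hit-count-count>0</policy-hit-count-count>
</policy-hit-count-entry>
</policy-hit-count>'

# Live device: junos_rpc 10.1.1.1:3001 kfelix get-security-policies-hit-count | zero_hit_policies
printf '%s\n' "$SAMPLE_HITS" | zero_hit_policies
```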



And finally, NOT all CLI commands have an RPC equivalent; if you try to find the equivalent and none exists, Junos will display the following output.




apiuser@SRX3400> show system processes | display xml rpc 
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
    <message>
        xml rpc equivalent of this command is not available.
    </message>
    <cli>
        <banner></banner>
    </cli>
</rpc-reply>


Enjoy, and don't hesitate to use the Junos API.

Lastly, keep in mind the output is in XML by default. You have two ways to display the output in JSON.










NOTE: All examples were done on Junos version 15.1X49-Dxxxxxx








Monday, November 12, 2018

Howto find bad linux login attempts



The files wtmp and btmp are typically used for tracking successful and bad logins. To find bad logins, just run the last or lastb command. The former requires you to specify the file "btmp" and the latter does it automatically.




It's good to monitor btmp since it can give clues that a brute-force login attack is under way or someone is having major login problems.
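An added example, not from the original post, of the kind of monitoring the paragraph above describes: a POSIX shell function that turns lastb output into per-source failure counts, with the number of distinct user names per source as the brute-force tell. The lastb sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: summarise lastb output so a
# brute-force source stands out. Reads the text on stdin, so it works with
# either "lastb" or "last -f /var/log/btmp".
# Assumes the usual lastb layout: user, tty (e.g. ssh:notty), source host,
# then the timestamp; the trailing "btmp begins ..." line is skipped.

# failed_login_summary <min-attempts>
# Prints "attempts distinct-users source" for each source host with at least
# <min-attempts> failures, busiest first. Many distinct user names from one
# host is the signature of a password-guessing run rather than a typo.
failed_login_summary() {
    awk -v min="$1" '
        NF >= 3 && $1 != "btmp" {
            host = $3
            attempts[host]++
            if (!((host, $1) in seen)) { seen[host, $1] = 1; users[host]++ }
        }
        END {
            for (h in attempts)
                if (attempts[h] >= min) print attempts[h], users[h], h
        }' | sort -rn
}

# Constructed sample in lastb format: one host trying several accounts,
# one real user mistyping a password twice.
SAMPLE_BTMP='root     ssh:notty    203.0.113.7      Mon Nov 12 08:01 - 08:01  (00:00)
admin    ssh:notty    203.0.113.7      Mon Nov 12 08:01 - 08:01  (00:00)
oracle   ssh:notty    203.0.113.7      Mon Nov 12 08:01 - 08:01  (00:00)
root     ssh:notty    203.0.113.7      Mon Nov 12 08:02 - 08:02  (00:00)
kfelix   ssh:notty    10.1.0.25        Mon Nov 12 09:10 - 09:10  (00:00)
kfelix   ssh:notty    10.1.0.25        Mon Nov 12 09:11 - 09:11  (00:00)

btmp begins Mon Nov 12 00:00:01 2018'

# On a live host: lastb | failed_login_summary 10
printf '%s\n' "$SAMPLE_BTMP" | failed_login_summary 3
```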








FTNT stock is growing

A picture says a thousand words.









Sunday, November 11, 2018

Let's Encrypt Made Easy

For "Let's Encrypt" you typically use an ACME client. A lot of devices support ACME, but if you do not have a supported OS, then sslforfree.com is geared for you.

The steps to generate a free certificate (YES, 100% FREE!) are very easy.

1: Generate a CSR
2: Add the txt files that they present for the ACME challenge
3: Execute a manual update

Afterward, upload your x509 certificate to the device.
















That's all it takes; in less than 10-15 minutes you can have a valid and trusted certificate. Just remember the cert is good for only 90 days per "Let's Encrypt" policy.

https://letsencrypt.org/docs/integration-guide/
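Step 1 and the 90-day caveat in working form, as an added example rather than the author's procedure: generating the key and CSR with openssl, then checking the returned certificate against the key and computing the days left before renewal. It assumes openssl and a POSIX shell; example.com is a placeholder domain and a self-signed stand-in cert takes the place of the Let's Encrypt one.

```shell
#!/bin/sh
# Added example, not from the original post: step 1 (generate the CSR) done
# with openssl, plus two checks worth running on the certificate that comes
# back before uploading it: does it match the private key, and how many days
# are left of the 90-day Let's Encrypt lifetime. A self-signed 90-day cert
# stands in for the issued one so this runs offline; example.com is a
# placeholder domain and the files live in a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr <domain>: new 2048-bit RSA key (unencrypted, -nodes) and a CSR
# whose CN carries the domain; the key stays with you, the CSR gets pasted in.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# cert_matches_key <cert> <key>: compares the SPKI public keys, which works
# for RSA and EC keys alike; a mismatch here is the classic "uploaded the
# wrong key" failure. Fails closed if either file cannot be read.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# days_remaining <cert>: whole days until notAfter, the number to alert on
# well before it reaches 0 (GNU date first, BSD date as fallback).
days_remaining() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -u -d "$end" +%s 2>/dev/null || date -u -j -f "%b %e %T %Y %Z" "$end" +%s)
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# Demo: CSR, stand-in cert with the same 90-day lifetime, then both checks.
make_csr example.com
openssl x509 -req -in "$WORK/example.com.csr" -signkey "$WORK/example.com.key" \
    -days 90 -out "$WORK/example.com.crt" 2>/dev/null
cert_matches_key "$WORK/example.com.crt" "$WORK/example.com.key" && echo "certificate matches key"
echo "days until expiry: $(days_remaining "$WORK/example.com.crt")"
```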








