Thursday, December 31, 2020

Using yabgp for Blackhole injection

In this post I will demo a simple blackhole (RTBH) injection, where a yabgp process advertises a /32 host route that the Junos SRX turns into a discard route.


The Junos device is set to accept only /32 routes that carry the BGP community 2:666; the import policy rejects anything else from this peer, and the export policy sends it nothing.


set protocols bgp group yabgp import IMPORT_RTBH
set protocols bgp group yabgp export DENY
set protocols bgp group yabgp peer-as 65101
set protocols bgp group yabgp neighbor 192.168.1.108

set policy-options policy-statement IMPORT_RTBH term 1 from community BLACKHOLE
set policy-options policy-statement IMPORT_RTBH term 1 from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement IMPORT_RTBH term 1 then local-preference 999
set policy-options policy-statement IMPORT_RTBH term 1 then next-hop discard
set policy-options policy-statement IMPORT_RTBH term 1 then accept
set policy-options policy-statement IMPORT_RTBH term 999 then reject

set policy-options community BLACKHOLE members 2:666


First, start yabgpd so it brings up the BGP session to the Junos SRX (192.168.1.99); the REST API will listen on port 8888:

yabgpd --bgp-remote_as 2 --bgp-local_as 65101 --bgp-remote_addr 192.168.1.99 --rest-bind_port 8888 --verbose


Now with simple JSON bodies pushed to the REST API we can send our route advertisements, withdraws and route-refresh messages. The API uses HTTP basic auth, here with yabgp's default admin:admin credentials, so change them and keep the API bound to the loopback (see yabgpd --help for the rest options): anyone who can POST to it can blackhole any /32 the SRX import policy accepts.

e.g. API entry  /v1/peer/x.x.x.x/send/update

sock:~ kfelix$ curl -X POST -d @advertise.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/update

{"status":true}



You can also withdraw routes via the same API entry, with a withdraw body instead of an advertise body:

e.g. API entry  /v1/peer/x.x.x.x/send/update



sock:~ kfelix$ curl -X POST -d @withdraw.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/update

{"status":true}


For a route refresh you have the following:

e.g. API entry  /v1/peer/x.x.x.x/send/route-refresh

sock:~ kfelix$ curl -X POST -d @rrr.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/route-refresh

{"status":true}



So with an open source BGP daemon you can easily build a route injector for RTBH and drop traffic deemed malicious. Keep in mind that the SRX trusts whatever this peer says within the policy, so the injector host and its REST API need the same protection as the router itself.
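As an added example (not code from the original post or from the yabgp project), here is a small Python helper that builds the three JSON bodies used with curl above, refuses anything that is not a host route, and POSTs them with the same basic-auth call. The attribute layout ("attr" keyed by BGP type code, "nlri", "withdraw", and the afi/safi/res body for route-refresh) follows yabgp's documented REST format as I know it and should be checked against the version you run; the victim address 10.0.0.99 is made up.

```python
# Added example, not part of the original post or of the yabgp project.
# Builds the JSON bodies for yabgp's REST API and applies the same sanity
# checks the Junos import policy enforces (host route only, BLACKHOLE community).
import base64
import ipaddress
import json
import urllib.request

API_BASE = "http://127.0.0.1:8888"   # --rest-bind_port 8888 from the yabgpd command line
PEER = "192.168.1.99"                # the SRX
LOCAL_AS = 65101                     # --bgp-local_as
NEXT_HOP = "192.168.1.108"           # the yabgp host; the SRX rewrites it to discard anyway
BLACKHOLE_COMMUNITY = "2:666"        # community BLACKHOLE members 2:666 on the SRX
AS_SEQUENCE = 2                      # AS_PATH segment type code


def host_prefix(addr):
    """Normalise addr to a host route ('10.0.0.1' -> '10.0.0.1/32') and refuse
    anything shorter, which the Junos policy (prefix-length-range /32-/32)
    would silently drop."""
    net = ipaddress.ip_network(addr, strict=False)
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(f"{addr} is not a host route; the SRX import policy rejects it")
    return str(net)


def build_advertise(addr, community=BLACKHOLE_COMMUNITY, next_hop=NEXT_HOP, local_as=LOCAL_AS):
    """Body for POST /v1/peer/<peer>/send/update (the advertise.json_file above).
    Assumed yabgp layout: path attributes keyed by BGP type code as strings,
    1 ORIGIN, 2 AS_PATH, 3 NEXT_HOP, 8 COMMUNITY. LOCAL_PREF is left out because
    this is an eBGP session and the SRX sets 999 itself."""
    return {
        "attr": {
            "1": 0,                               # ORIGIN: IGP
            "2": [[AS_SEQUENCE, [local_as]]],     # AS_PATH: one AS_SEQUENCE segment
            "3": next_hop,
            "8": [community],
        },
        "nlri": [host_prefix(addr)],
    }


def build_withdraw(addr):
    """Body for the same endpoint that withdraws the host route (withdraw.json_file)."""
    return {"withdraw": [host_prefix(addr)]}


def build_route_refresh(afi=1, safi=1):
    """Body for POST /v1/peer/<peer>/send/route-refresh (rrr.json_file): IPv4 unicast."""
    return {"afi": afi, "safi": safi, "res": 0}


def post(endpoint, body, peer=PEER, user="admin", password="admin", base=API_BASE):
    """Send one body with HTTP basic auth, the same call the curl lines make.
    Returns the decoded reply, e.g. {'status': True}."""
    url = f"{base}/v1/peer/{peer}/send/{endpoint}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Write the three bodies to the file names used with curl above.
    # 10.0.0.99 is a made-up address for the host being blackholed.
    for name, body in (("advertise.json_file", build_advertise("10.0.0.99")),
                       ("withdraw.json_file", build_withdraw("10.0.0.99")),
                       ("rrr.json_file", build_route_refresh())):
        with open(name, "w") as fh:
            json.dump(body, fh, indent=2)
        print(name, json.dumps(body))
```

Run it once to produce the three files, then either keep using curl or call post("update", build_advertise(...)) directly; the /32 check runs before anything is sent, so a fat-fingered /24 fails here instead of being silently rejected by the SRX.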







Ken Felix 

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Thursday, December 24, 2020

fortios bgp route-maps do not work 100% as configured for BGP

I've been studying an issue with the BGP UPDATE messages sent from FortiOS 6.2.x to a Juniper SRX. What I've noticed is the following:

1: The metric (MED) value set in the configured route-map is being ignored.

2: A new UPDATE message is sent after a minute or more, and it somehow decreases the metric with no reason or logic I can find. Here's a snippet of a BGP UPDATE message captured 5 minutes after the screenshot above was taken:

3: So the configured route-map value is not being honored by FortiOS. At first I thought it had to be related to the origin type, but that is not the case, since EGP, IGP and INCOMPLETE all behave the same.

4: The value received in the UPDATE does not make any sense or follow a set pattern in my monitoring. And yes, I've been studying this behavior for 2+ years and across multiple FortiOS versions.






So it looks like I might have to re-engage Fortinet support on why the metric received does not match the configured value, and why the metric counts down or is sporadic in value compared to what is configured.

Tip: every time the metric is changed by a new UPDATE, the route age on the receiving side is reset back to zero, so a route whose age never grows is a sign of this churn.

With one of the peers shut down, I still see the same behavior where the FortiOS configured metric is not honored.

Packet captures were also taken to show the decrement of the metric versus the configured route-map value.

More to come; I hope FTNT support can identify this behavior and give a solid answer.
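To compare what a peer actually received across successive captures, here is an added Python example (not the author's tooling or pcaps) that decodes a BGP UPDATE and pulls out the MED, AS_PATH, NEXT_HOP and NLRI. The sample message is constructed inline, not taken from the post's captures, and the decoder assumes the session negotiated 4-octet AS numbers (pass asn_size=2 otherwise). Feed it the raw BGP payload of each UPDATE from the pcap and med_history() gives the series the post describes.

```python
# Added example, not the author's captures or tooling: a minimal decoder for a
# BGP UPDATE message that pulls out the MED (attribute type 4) so successive
# captures from the same peer can be compared. The sample message below is
# constructed here, not taken from the post's pcaps.
import struct

ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MED", 5: "LOCAL_PREF"}
ORIGINS = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
SEGMENTS = {1: "AS_SET", 2: "AS_SEQUENCE"}
MARKER = b"\xff" * 16


def parse_nlri(buf):
    """Decode <prefix-length><truncated prefix> tuples into 'a.b.c.d/len' strings."""
    out, pos = [], 0
    while pos < len(buf):
        plen = buf[pos]
        nbytes = (plen + 7) // 8
        octets = buf[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        out.append("%d.%d.%d.%d/%d" % (*octets, plen))
        pos += 1 + nbytes
    return out


def decode_attr(code, value, asn_size):
    """Decode the attributes relevant to the post; anything else is returned raw."""
    if code == 1:
        return ORIGINS.get(value[0], value[0])
    if code == 2:                                     # AS_PATH: list of segments
        segs, pos = [], 0
        while pos < len(value):
            stype, count = value[pos], value[pos + 1]
            fmt = "!%d%s" % (count, "I" if asn_size == 4 else "H")
            asns = list(struct.unpack(fmt, value[pos + 2:pos + 2 + count * asn_size]))
            segs.append({"type": SEGMENTS.get(stype, stype), "asns": asns})
            pos += 2 + count * asn_size
        return segs
    if code == 3:
        return "%d.%d.%d.%d" % tuple(value)
    if code in (4, 5):                                # MED and LOCAL_PREF: 4-byte unsigned
        return struct.unpack("!I", value)[0]
    return value.hex()


def parse_bgp_update(msg, asn_size=4):
    """Return withdrawn routes, decoded path attributes and NLRI of one UPDATE.
    asn_size=4 assumes the session negotiated 4-octet AS numbers (RFC 6793)."""
    if len(msg) < 19 or msg[:16] != MARKER:
        raise ValueError("bad BGP marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 2 or length != len(msg):
        raise ValueError("not a complete UPDATE message")
    pos = 19
    wlen = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    withdrawn = parse_nlri(msg[pos:pos + wlen])
    pos += wlen
    alen = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    attrs, end = {}, pos + alen
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        pos += 2
        if flags & 0x10:                              # extended-length bit: 2-byte length
            vlen = struct.unpack("!H", msg[pos:pos + 2])[0]
            pos += 2
        else:
            vlen = msg[pos]
            pos += 1
        attrs[ATTR_NAMES.get(code, code)] = decode_attr(code, msg[pos:pos + vlen], asn_size)
        pos += vlen
    return {"withdrawn": withdrawn, "attrs": attrs, "nlri": parse_nlri(msg[end:length])}


def sample_update(med, prefix="10.20.30.0", plen=24):
    """Constructed UPDATE (not a capture): ORIGIN IGP, AS_PATH 65001, NEXT_HOP
    192.0.2.1, the given MED and one IPv4 prefix."""
    attrs = bytes([0x40, 1, 1, 0])                                     # ORIGIN
    attrs += bytes([0x40, 2, 6, 2, 1]) + struct.pack("!I", 65001)     # AS_PATH, one 4-byte ASN
    attrs += bytes([0x40, 3, 4]) + bytes(map(int, "192.0.2.1".split(".")))
    attrs += bytes([0x80, 4, 4]) + struct.pack("!I", med)             # MED (optional non-transitive)
    nlri = bytes([plen]) + bytes(map(int, prefix.split(".")))[:(plen + 7) // 8]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri
    return MARKER + struct.pack("!HB", 19 + len(body), 2) + body


def med_history(messages, asn_size=4):
    """MED carried by each UPDATE in order; a series that drifts for the same
    prefix is exactly the behaviour the post describes."""
    return [parse_bgp_update(m, asn_size)["attrs"].get("MED") for m in messages]


if __name__ == "__main__":
    first, later = sample_update(100), sample_update(90)
    print(parse_bgp_update(first))
    print("MED over time:", med_history([first, later]))
```

Each function takes the BGP message bytes only (no TCP/IP headers), so export the BGP payload from the capture tool first; the decoder raises on a truncated message rather than guessing.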
















Monday, December 7, 2020

HOWTO run iperf client from fortigates

FortiOS has a built-in iperf3 client/server, but the documentation does not clearly tell you how to set up a test session.

First, identify the iperf3 server you want to test against.

e.g. public iperf3 servers (in my test I'm using scottlinux.com):

iperf.scottlinux.com
5201 TCP/UDP

Now use the diag traffictest show command to see which interfaces are defined as the server and client interface, the protocol, and the TCP/UDP port number.

Then set your criteria (diag traffictest client-intf, server-intf, port and proto) for the interface you are going to use.

You can run these tests for a long time; just keep in mind that you should do this during low-bandwidth periods, and use UDP if you want to avoid TCP window-size and buffering effects, provided the iperf server supports it. Note that the iperf3 client defaults to 1 Mbit/s for UDP, which is why the run below tops out around 1.05 Mbits/sec; raise the rate if you want to load the link.

This is a test using UDP for connectivity:

brooklyn01 # diag traffictest proto 1
proto:  UDP

brooklyn01 # diag traffictest show
server-intf:    wan1
client-intf:    wan1
port:   5201
proto:  UDP

 
brooklyn01 # diag traffictest run -c 177.125.27.122
Connecting to host 177.125.27.122, port 5201
[  9] local 182.xx.xx.111. port 15859 connected to 177.125.27.122 port 5201
[ ID] Interval           Transfer     Bandwidth       Total Datagrams
[  9]   0.00-1.02   sec   120 KBytes   966 Kbits/sec  15
[  9]   1.02-2.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   2.02-3.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   3.02-4.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   4.02-5.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   5.02-6.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   6.02-7.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   7.02-8.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   8.02-9.02   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   9.02-10.02  sec   128 KBytes  1.05 Mbits/sec  16
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
[  9]   0.00-10.02  sec  1.24 MBytes  1.04 Mbits/sec  0.092 ms  1/159 (0.63%)
[  9] Sent 159 datagrams








Wednesday, December 2, 2020

Running a python3 http and ftp-server

When working in an all-Windows environment, you will sometimes need to upload or download a config file via FTP or HTTP to a device. If you have Python 3 installed, these two examples show how to run a local HTTP and FTP server on your Windows host.

First, install the pyftpdlib module.

Once you have installed it, you can run the FTP server in anonymous mode,

or set a user and password if you want to require a login.

For HTTP, the standard library module http.server serves the files in a directory, and for each request you get a simple log line on the console with the status code.

The earlier post linked below shows the same thing for Python 2.x:

https://socpuppet.blogspot.com/2017/01/python-http-server.html
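The following is an added example, not the screenshots from the original post: one script that starts the HTTP server and builds the FTP server in either anonymous or user+password mode. Everything is standard library except pyftpdlib (pip install pyftpdlib), which is imported lazily so the HTTP side works without it; the bind address, ports, permission strings and passive port range are my choices, not something the post specifies.

```python
# Added example, not from the original post: a read-only HTTP server and an
# FTP server (anonymous or user+password) for handing config files to a device.
# Standard library except pyftpdlib, which is imported only when the FTP
# server is built.
import functools
import sys
import threading
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def start_http(directory, bind="127.0.0.1", port=8000):
    """Start an HTTP server for one directory in a background thread and return it.
    The stock handler logs every request to stderr with its status code.
    bind should be the address the device reaches, not 0.0.0.0, so nothing else
    on the network can pull your configs; port=0 picks a free port, readable
    from httpd.server_address[1]."""
    handler = functools.partial(SimpleHTTPRequestHandler, directory=directory)
    httpd = ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def fetch(url, timeout=5):
    """Pull one file back the way the device will, to check the server before use."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def make_ftp_server(directory, bind="127.0.0.1", port=2121, user=None, password=None):
    """Return a pyftpdlib FTPServer. Anonymous gets list/read only ('elr');
    a named user may also upload ('w') so a device can back up its config.
    Call .serve_forever() on the result; FTP is cleartext, so stop it when done."""
    from pyftpdlib.authorizers import DummyAuthorizer
    from pyftpdlib.handlers import FTPHandler
    from pyftpdlib.servers import FTPServer
    authorizer = DummyAuthorizer()
    if user:
        authorizer.add_user(user, password, directory, perm="elrw")
    else:
        authorizer.add_anonymous(directory, perm="elr")
    handler = FTPHandler
    handler.authorizer = authorizer
    handler.passive_ports = range(60000, 60100)   # fixed PASV range keeps the firewall rule simple
    return FTPServer((bind, port), handler)


if __name__ == "__main__":
    # usage: python servers.py <directory> <bind-address> [user password]
    directory, bind = sys.argv[1], sys.argv[2]
    user, password = (sys.argv[3], sys.argv[4]) if len(sys.argv) > 4 else (None, None)
    httpd = start_http(directory, bind=bind)
    print("HTTP on http://%s:%d/  FTP on ftp://%s:2121/" % (bind, httpd.server_address[1], bind))
    make_ftp_server(directory, bind=bind, user=user, password=password).serve_forever()
```

Point the bind address at the interface the device reaches, serve a scratch directory rather than your home directory (the HTTP server also lists directories), and stop both servers once the transfer is done: FTP is cleartext and the HTTP server has no authentication at all.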





Tuesday, December 1, 2020

junos SRX protect the junos config via slax script

Here's a simple SLAX commit script that expects a minimum set of Junos configuration items. If any of these items is missing, the commit fails.

This helps if you do an accidental "delete" at a top-level hierarchy. It is good practice when you have numerous admins and do not want them to delete critical parts of the Junos configuration. You add the parts of the configuration that must be present.


kfelix@HOMESRX> file show  protection.slax

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

param $user;

/* Alerts on missing cfgs */
match configuration {
    /* lo0 must have an IPv4 address and must not be disabled */
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet/address, $statement = "interfaces lo0 unit 0 family inet address");
    call error-if-present($must = interfaces/interface[name == "lo0"]/disable | interfaces/interface[name == "lo0"]/unit[name == "0"]/disable);

    /* never let the default policy become permit-all */
    call error-if-present($must = security/policies/default-policy/permit-all) {
        with $message = {
            expr $user;
            expr ", we do not want to enable permit-all. This overrides the default action of a firewall, which is to implicitly deny all unless permitted.";
        }
    }

    /* check for my mandatory admin users */
    call error-if-missing($must = system/login/user[name == "fwadmin1"], $statement = "missing a critical local admin account");
    call error-if-missing($must = system/login/user[name == "fsocadmin1"], $statement = "missing a critical local admin account");

    /* check for missing system syslog */
    call error-if-missing($must = system/syslog, $statement = " missing syslog config ");

    /* check for routing protocols */
    call error-if-missing($must = protocols/bgp, $statement = "protocols bgp");
    call error-if-missing($must = protocols/ospf, $statement = "protocols ospf");
    call error-if-missing($must = protocols/ospf3, $statement = "protocols ospf3");
    call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet6/address, $statement = "interfaces lo0 unit 0 family inet6 address");

    call error-if-missing($must = routing-options, $statement = "[edit routing-options]") {
        with $message = {
            expr "The [edit routing-options] is missing !!! ";
        }
    }
}

/* Raise a commit error when $must selects nothing */
template error-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
    if (not($must)) {
        <xnm:error> {
            <edit-path> {
                copy-of $statement;
            }
            <message> {
                copy-of $message;
            }
        }
    }
}

/* Raise a commit error for every node $must selects */
template error-if-present ($must = 1, $message = "invalid configuration statement") {
    for-each ($must) {
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> {
                copy-of $message;
            }
        }
    }
}


Add the critical parts you expect to be present on the SRX firewall to the checks, copy the script to /var/db/scripts/commit/, enable it with set system scripts commit file protection.slax, and give it a test run with commit check:


kfelix@HOMESRX> configure

Entering configuration mode


[edit]

kfelix@HOMESRX# delete routing-options


[edit]

 

kfelix@HOMESRX# commit check

[edit routing-options]

  The [edit routing-options] is missing !!!

error: 1 error reported by commit scripts

error: commit script failure


[edit]







Monday, November 30, 2020

MS RDP and UDP

On most firewalls the idle timers for UDP and ICMP sessions are short, typically tens of seconds and far shorter than for TCP, so an idle UDP flow is expired quickly.

MS RDP (Terminal Services) can use UDP alongside TCP. If you're seeing numerous disconnects, you can force TCP only with the "Select RDP transport protocols" policy on the session host, which sets this registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

SelectTransport
REG_DWORD  1   (1 = use only TCP)

The matching setting on the client side is the "Turn off UDP on client" policy, fClientDisableUDP = 1 under the same path with \Client appended.

Then monitor the firewall session table to confirm the client is using TCP (protocol 6) to port 3389; before the change you would also see protocol 17 (UDP) sessions to 3389.

fortios:

 diag sys session filter dport 3389
 diag sys session filter proto 6
 diag sys session list






Friday, November 20, 2020

fortiosapi address+group creation

Someone from the FTNT forum community emailed asking how to build address objects and add them to a group.

Here's a sample way of accomplishing this in one playbook, which I will demonstrate.

I'm creating two address types and then adding them as members of a group named maingroup:


---
- hosts: control_node
  collections:
  - fortinet.fortios

  vars:
    host: "12.12.12.12"
    username: ansible
    password: test1234
    vdom: "root"
    ssl_verify: false

  tasks:
  - name:  mkAddress-subnet
    fortios_firewall_address:
       host: "{{ host }}"
       vdom: "{{ vdom }}"
       username: "{{ username }}"
       password: "{{ password }}"
       state: "present"
       https: "true"
       ssl_verify: "{{ ssl_verify }}"
       firewall_address:
          comment: "subnet type"
          name: "name1"
          type: ipmask
          subnet: "192.0.2.0/30"

  - name:  mkAddress-fqdn
    fortios_firewall_address:
       host: "{{ host }}"
       vdom: "{{ vdom }}"
       username: "{{ username }}"
       password: "{{ password }}"
       state: "present"
       https: "true"
       ssl_verify: "{{ ssl_verify }}"
       firewall_address:
          comment: "fqdn type"
          name: "name2"
          type: fqdn
          fqdn: "soc.example.com"

  - name:  mkAddressGroup
    fortios_firewall_addrgrp:
       host: "{{ host }}"
       vdom: "{{ vdom }}"
       username: "{{ username }}"
       password: "{{ password }}"
       state: "present"
       https: "true"
       ssl_verify: "{{ ssl_verify }}"
       firewall_addrgrp:
          comment: "blog example https://socpuppet.blogspot.com/"
          member:
            - name: "name1"
            - name: "name2"
          name: maingroup


Within fortiosapi, if you provide an item that is not recognized, the module raises an error and tells you what is allowed.

For example, I typed fqdns when I should have typed fqdn,

and the module returns an error telling me to use one of the following:

So always read the error; it will give you direction on what the module is expecting. To learn more about the fortiosAPI and examples of what can be done, read some of my earlier posts on this subject.

https://socpuppet.blogspot.com/2018/07/howto-use-fortios-api-to-add-delete.html

Make sure you run your plays on a non-production device, or create a VDOM for testing, before applying changes to a production FortiGate. If you're working with a dev-ops group, use "ANSIBLE_DEBUG=1" to debug any playbooks when you have issues executing config changes. If you set up a dev-ops test VDOM you can do all testing there before rolling it out. Also keep the admin password out of the playbook (ansible-vault or a lookup from the environment), and only leave ssl_verify: false in place for a lab device whose certificate you have not yet replaced.

e.g.

So jump into the API and give it a spin. You can do a lot of creative configs and changes in your FortiGate environment with the ease of a CM tool.

You can find me on forum.fortinet.com posting under emnoc. I've been a member of the open community for over 12 years.
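As an added example (not the post's playbook, and not the fortinet.fortios collection), here is the same address + group creation done straight against the FortiOS REST API that the Ansible modules drive underneath. It assumes an API user token (config system api-user) whose accprofile can write firewall objects, the cmdb paths firewall/address and firewall/addrgrp, that a GET on a missing object returns 404, and the host 12.12.12.12 and object names from the playbook; the token is read from the FGT_TOKEN environment variable rather than written into the script. The type check reproduces the module's behaviour on the fqdns typo locally.

```python
# Added example, not the post's playbook nor the fortinet.fortios collection:
# address + group creation directly against the FortiOS REST API. Assumed (not
# from the post): an API-user token, the cmdb paths firewall/address and
# firewall/addrgrp, and a 404 on GET for an object that does not exist yet.
import ipaddress
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Address types this helper accepts; a typo such as "fqdns" is caught here
# instead of by the module's error message.
ADDRESS_TYPES = {"ipmask", "iprange", "fqdn", "geography", "wildcard",
                 "dynamic", "interface-subnet", "mac"}


def address_payload(name, kind, value, comment=""):
    """Build the firewall/address body. ipmask takes CIDR and is sent as
    'network netmask'; fqdn takes a hostname."""
    if kind not in ADDRESS_TYPES:
        raise ValueError("type %r is not one of %s" % (kind, sorted(ADDRESS_TYPES)))
    body = {"name": name, "type": kind, "comment": comment}
    if kind == "ipmask":
        net = ipaddress.IPv4Network(value, strict=True)   # rejects host bits set
        body["subnet"] = "%s %s" % (net.network_address, net.netmask)
    elif kind == "fqdn":
        body["fqdn"] = value
    else:
        raise ValueError("this helper only builds ipmask and fqdn objects")
    return body


def addrgrp_payload(name, members, comment=""):
    """Build the firewall/addrgrp body; members are existing address names."""
    return {"name": name, "comment": comment, "member": [{"name": m} for m in members]}


class FortiGate:
    """Tiny cmdb client: token auth, one vdom, create-or-update semantics."""

    def __init__(self, host, token, vdom="root", verify_tls=True):
        self.host, self.token, self.vdom = host, token, vdom
        self.ctx = ssl.create_default_context()
        if not verify_tls:                 # lab only, same caveat as ssl_verify: false
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method, path, body=None):
        url = "https://%s/api/v2/cmdb/%s?vdom=%s" % (self.host, path, self.vdom)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + self.token,
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10, context=self.ctx) as resp:
            return json.load(resp)

    def ensure(self, table, body):
        """state: present -- PUT if the object exists (GET returns it), POST otherwise."""
        item = "%s/%s" % (table, urllib.parse.quote(body["name"], safe=""))
        try:
            self._call("GET", item)
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
            return self._call("POST", table, body)
        return self._call("PUT", item, body)


if __name__ == "__main__":
    import os
    fgt = FortiGate("12.12.12.12", os.environ["FGT_TOKEN"], vdom="root", verify_tls=False)
    for body in (address_payload("name1", "ipmask", "192.0.2.0/30", "subnet type"),
                 address_payload("name2", "fqdn", "soc.example.com", "fqdn type")):
        print(fgt.ensure("firewall/address", body))
    print(fgt.ensure("firewall/addrgrp", addrgrp_payload(
        "maingroup", ["name1", "name2"], "blog example https://socpuppet.blogspot.com/")))
```

The objects are created in the same order as the playbook because the group references the two addresses; running it twice is safe, since an existing object is updated with PUT rather than failing on a duplicate POST.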






Friday, November 13, 2020

fortios alias cmd

FortiOS has the ability to create alias commands. Handy if you're tired of typing long command strings to get status:


config system alias
    edit "get"
        set command "get system status | grep Version"
    next
    edit "policy"
        set command "show firewall policy"
    next
    edit "route"
        set command "get router info routing all"
    next
    edit "vpn1"
        set command "diag vpn ike gateway"
    next
    edit "vpn2"
        set command "diag vpn tunnel list"
    next
end


Executing one is simple: just use "alias" followed by the alias name, e.g.

alias route





Wednesday, November 11, 2020

OracleCloud vpn to fortigate

Here we have an IPsec VPN and BGP configuration between Oracle Cloud and a FortiGate.

FGT 100E running FortiOS 6.4.3
Oracle Cloud, Ashburn region

The FGT vpn-ipsec config:

So use the wizard and define your tunnel interface inside address and the CPE peer IPv4 address (i.e. your FortiGate WAN address).

Oracle Cloud will dump a simple config summary as you follow the wizard; make sure to record all details. It looks similar to the following:

The dashboard will update when you have IPsec and BGP up.

Make sure to monitor the FortiGate for BGP connectivity and IPsec VPN details:






Monday, November 9, 2020

Understand Juniper SRX self-traffic-policy

Any traffic that originates from or terminates on the SRX itself is controlled by a hidden policy, known as the self-traffic-policy. "Self" here means the SRX is either the source or the destination of the session.

e.g.

   an SSH session to the SRX, or a BGP session with the SRX

You can get a complete count of sessions matched by the self-traffic-policy, which shows up as policy index 1 (Policy name: self-traffic-policy/1 in the flow session output).

You do not need to enable this policy; it is applied as soon as you allow a service under the zone's host-inbound-traffic (system-services or protocols).


 




Friday, October 30, 2020

HOWTO: lock out users from fortios

FortiOS does not have a direct means of disabling an administrator account.

So if you want exclusive access to the config and to prevent others from gaining access, you have to assign them a read-only accprofile, or an accprofile with nothing allowed.

Take this user ansible and the accprofile assigned to it:

So if this user does log in to the FortiGate, he will be limited to executing NO commands. Restricting the account's trusthost to an address that can never reach the firewall is another way to shut it out without deleting it.

e.g.



