Category: Uncategorized

NMAP and fping deep dive (Part II)

This is a continuation of my previous post, NMAP and fping deep dive. In that post I covered fping and nmap and how they work at a basic level; nmap in particular has many more options you can use depending on the task at hand.

In this post I want to cover more of nmap's capabilities and the commands we can use to learn more about the hosts on the network and what potential vulnerabilities they might have that could be used to exploit them.

In the last post we found out which hosts were alive on the network and which ports were open on those hosts. The next step is to find out what OS they're running, or at least get nmap's best guess as to what it might be.

I am going to use the -sV (service version detection) option and the -O (OS fingerprinting) option to get more detail on the hosts. You don't want to blindly attack a network without first gathering as much information as possible about your target, or you run the risk of crashing it by running the wrong tool against it. Information gathering is one of the most important parts of a penetration test.

As Abraham Lincoln once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

The first option to run is -sV, which probes each open port to identify the service listening on it and, where it can, the product and version behind it.

Screenshot from 2018-05-27 12-24-44

An administrator may have moved a service to a non-standard port, as is the case for the host at 10.142.111.213: the open port is 81, but the service nmap identified on it is HTTP, which normally listens on port 80. Also note that this is the host that did not respond to the fping ping sweep.

Screenshot from 2018-05-27 16-27-58

To build on this we can now run nmap with the -O option. This sends a series of specially crafted TCP, UDP and ICMP probes and compares the responses against nmap's fingerprint database to guess the operating system (Windows, Linux, an embedded OS and so on). Note that -O identifies the OS, not the application: web servers such as IIS or Apache are what -sV reports. Both -sS and -O need raw packet access, so run nmap as root (or with sudo).

The command is #>nmap -O 10.142.111.1,6,48,96,99,100,213

Here, instead of /24, I am only running the OS scan against the hosts we already know are alive on the network (nmap accepts a comma-separated list of values for the last octet). This saves a lot of time because the scan is concentrated on specific hosts.

Screenshot from 2018-05-27 12-51-03

From the output you can see that the host at 10.142.111.48 is reported as a Windows XP machine. Treat an OS match as a guess weighted by the accuracy percentage nmap prints next to it. With that in hand, we could start to look for vulnerabilities in Windows XP and in the services it is running.
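To turn the -sV and -O results into something you can act on, it helps to have nmap write XML (-oX) and parse that rather than eyeballing screenshots. The following is an added example, not code from the original post: it extracts the open services and the best OS match per host and flags services that sit on a port other than the default for that service name (the http-on-81 case above). The XML is constructed to mirror the hosts in the post, and the product/version strings and the DEFAULT_PORTS table are assumptions for illustration.

```python
"""Parse nmap XML output (nmap -sV -O -oX scan.xml ...) and report, per host, the
best OS guess and any service running on a non-standard port.
Added example; SAMPLE_XML is constructed, not real scan output from the post."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.142.111.1,48,213">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.142.111.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="dnsmasq" version="2.76"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.142.111.48" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/><osmatch name="Microsoft Windows Server 2003" accuracy="90"/></os>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.142.111.213" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="81"><state state="open"/><service name="http" product="Apache httpd" version="2.4.18"/></port>
    </ports>
    <os/>
  </host>
</nmaprun>
"""

# Assumed default TCP ports for a few nmap service names (subset of /etc/services).
DEFAULT_PORTS = {"ssh": {22}, "domain": {53}, "http": {80}, "https": {443},
                 "microsoft-ds": {445}, "smtp": {25}, "ftp": {21}}


def parse_scan(xml_text):
    """Return {ip: {"os": (name, accuracy) or None,
                    "services": [(port, name, product, version), ...]}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = next(a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4")
        services = []
        for port in host.findall("./ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            services.append((int(port.get("portid")),
                             svc.get("name", "") if svc is not None else "",
                             svc.get("product", "") if svc is not None else "",
                             svc.get("version", "") if svc is not None else ""))
        # Keep the osmatch with the highest accuracy; an empty <os/> means no guess.
        best = None
        for m in host.findall("./os/osmatch"):
            acc = int(m.get("accuracy"))
            if best is None or acc > best[1]:
                best = (m.get("name"), acc)
        hosts[ip] = {"os": best, "services": services}
    return hosts


def nonstandard_ports(hosts):
    """(ip, port, service) for every identified service not on its default port."""
    out = []
    for ip, info in hosts.items():
        for port, name, _product, _version in info["services"]:
            if name in DEFAULT_PORTS and port not in DEFAULT_PORTS[name]:
                out.append((ip, port, name))
    return out


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_XML)
    for ip, info in scan.items():
        print(ip, "OS:", info["os"], "services:", info["services"])
    print("non-standard ports:", nonstandard_ports(scan))
```

With a real scan you would replace SAMPLE_XML with the contents of the -oX file; the same two functions work unchanged, and the list from nonstandard_ports is the one to check by hand, because a service hiding on an odd port is often the one an administrator forgot about.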

To summarise: we started off not knowing which IP addresses were alive, and for that we used fping and nmap -sn. We then ran further nmap scans to figure out which ports were open and the versions of the services listening on them. Lastly, we ran the OS fingerprinting scan to try to work out which OS each host was running.

I hope this was useful.

NMAP and fping deep dive

NMAP and fping are used for host discovery, port scanning and OS fingerprinting of a network during the information gathering phase of a penetration test.

It is always good to know how to use these tools but also to understand what they’re doing and how they work at a deeper level. So with that in mind, I am going to run these tools and at the same time capture what is going on the wire using Wireshark.

First, let us see how fping works vs the same scan ran using nmap and why the results might be different.

I will run fping on the 10.142.111.0/24 network to see which hosts are alive. The command I will use is: #>fping -a -g 10.142.111.0/24 2>/dev/null

What are the -a and -g parameters doing? -a tells fping to report only the hosts that are alive, and -g tells it to generate its target list from the subnet (a ping sweep) rather than ping a single host. The 2>/dev/null at the end sends standard error, where fping prints the unreachable messages for every host that did not answer, to the bit bucket so they are not displayed while the command runs.

fping

After running the command we get 7 hosts responding to the ping sweep. Now I will run the same scan, but this time using nmap.

nmap is a very powerful tool with far more capabilities than fping. To run the same scan we did previously, but now with nmap, we run:

#>nmap -sn 10.142.111.0/24

The -sn option tells nmap to do host discovery only (a "ping scan" with no port scan) against the subnet.

nmapscan

With the nmap scan we get back 8 hosts alive on the network versus the 7 reported by fping. The extra host is 10.142.111.213, but why? Let us take a closer look at what fping is doing versus nmap with -sn.

fping itself only sends ICMP echo requests. But because the targets are on the same subnet, the operating system must first resolve each IP address to a MAC address, so for every target you see the kernel send an ARP request on fping's behalf. Only when a host replies with its MAC address can the ICMP echo request (the ping) actually be put on the wire to it.

arpcapture

Shown above are the ARP request and the ARP reply. Next, the ICMP echo request goes to 10.142.111.213, but if you look at the capture there is no response! This host has probably been configured not to respond to ICMP echo requests (a host firewall rule, or on Linux the net.ipv4.icmp_echo_ignore_all sysctl).

icmpnoresponse

If you compare this to one of the hosts that did reply the output would look like this with an echo request and an echo reply.

normalreply

So the reason fping does not show 10.142.111.213 in its results is that the host is configured not to respond to ICMP echo requests, which is common and perfectly normal hardening. It buys little against anyone on the same segment, though: the host still has to answer ARP or it could not talk to anybody, as the next scan shows.

nmap, on the other hand, reported it alive because when run as root against a directly connected Ethernet subnet, nmap -sn uses ARP requests alone; any host that answers with its MAC address is marked up, whether or not it answers ICMP. (Against hosts that are not on the local segment, -sn instead sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so blocking ICMP alone does not hide a host from nmap there either.)
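The practical check that follows from this is to run both sweeps and diff them: anything nmap sees via ARP that fping does not is a host dropping ICMP, which is worth noting before later scans. The following is an added example, not part of the original post. Both outputs are constructed to match the counts in the post (7 versus 8 hosts, with 10.142.111.213 the odd one out); the 10.142.111.254 entry and the nmap version string are assumptions, and the grepable format parsed is that of nmap's -oG option.

```python
"""Reconcile an fping -a sweep with an nmap -sn sweep of the same subnet: hosts that
nmap saw (via ARP) but fping did not are the ones that drop ICMP echo requests.
Added example; both outputs below are constructed, not pasted from real scans."""
import ipaddress
import re

# What `fping -a -g 10.142.111.0/24 2>/dev/null` prints: one alive IP per line.
FPING_OUT = """10.142.111.1
10.142.111.6
10.142.111.48
10.142.111.96
10.142.111.99
10.142.111.100
10.142.111.254
"""

# What `nmap -sn -oG - 10.142.111.0/24` prints (grepable format, tab-separated fields).
NMAP_GREPABLE = """# Nmap 7.70 scan initiated as: nmap -sn -oG - 10.142.111.0/24
Host: 10.142.111.1 ()\tStatus: Up
Host: 10.142.111.6 ()\tStatus: Up
Host: 10.142.111.48 ()\tStatus: Up
Host: 10.142.111.96 ()\tStatus: Up
Host: 10.142.111.99 ()\tStatus: Up
Host: 10.142.111.100 ()\tStatus: Up
Host: 10.142.111.213 ()\tStatus: Up
Host: 10.142.111.254 ()\tStatus: Up
# Nmap done -- 256 IP addresses (8 hosts up) scanned in 2.05 seconds
"""

# "Host: <ip> (<hostname or empty>)<tab>Status: Up"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+(\w+)")


def parse_fping(text):
    """fping -a output: every non-empty line is an address that answered the ping."""
    return {str(ipaddress.ip_address(line.strip())) for line in text.splitlines() if line.strip()}


def parse_nmap_grepable(text):
    """nmap -oG output: keep hosts whose Status field is Up; comment lines start with #."""
    up = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(2) == "Up":
            up.add(str(ipaddress.ip_address(m.group(1))))
    return up


def reconcile(fping_text, nmap_text):
    """Split hosts into: seen by both, ARP-only (ICMP dropped), ICMP-only (should be empty on a LAN)."""
    icmp = parse_fping(fping_text)
    arp = parse_nmap_grepable(nmap_text)
    key = ipaddress.ip_address  # sort numerically rather than as strings
    return {
        "both": sorted(icmp & arp, key=key),
        "arp_only": sorted(arp - icmp, key=key),
        "icmp_only": sorted(icmp - arp, key=key),
    }


if __name__ == "__main__":
    result = reconcile(FPING_OUT, NMAP_GREPABLE)
    for label, hosts in result.items():
        print(f"{label:9s} {len(hosts):2d}  {' '.join(hosts)}")
```

An "icmp_only" host would mean fping got an echo reply from an address nmap's ARP sweep missed, which on a single Ethernet segment should not happen; if it does, the two scans were probably not run from the same vantage point.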

As mentioned earlier, nmap is a powerful tool. Let us look at what other scans it can do. We now know which hosts are alive on the network, but that is all we know, which, let's face it, isn't much. To see which services (daemons) are listening on these hosts we can run another nmap scan.

The command is #>nmap -sS 10.142.111.0/24

The -sS option tells nmap to perform a TCP SYN scan (it needs root, because nmap crafts the packets itself). It is often called a "stealth" scan because it never completes the TCP 3-way handshake. When a client wants to talk to a web server it first completes the handshake and only then starts exchanging data; the server daemon usually logs that a new connection was accepted, which is bad news for us because it might alert a sysadmin that someone is scanning their network. Stealthy only goes so far, though: the SYN packets are still visible to a firewall, an IDS or a NetFlow collector, and nmap's default of probing the 1000 most common ports on every host is easy to spot on the wire.

A TCP 3-way handshake looks like this.

TCP3WAY

When running the TCP SYN scan, instead of completing the handshake an RST is sent in reply to the server's SYN/ACK, as shown below. (nmap never handed the connection to the kernel's TCP stack, so the kernel, seeing a SYN/ACK for a connection it knows nothing about, resets it.) This aborts the half-open connection before the server's accept() ever returns, so the daemon never sees, or logs, a connection.

TCPRST

The result of the nmap TCP SYN scan is shown below. For each IP address it sends a SYN to each of the 1000 most common ports (nmap's default, not just the well-known ports below 1024) and looks at the reply: a SYN/ACK means the port is open, an RST/ACK means it is closed, and no reply at all (or an ICMP unreachable error) means it is filtered by a firewall. For the IP 10.142.111.1, ports 22, 53 and 80 are all open.
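The open/closed/filtered decision nmap makes for each probe is simple enough to show in code. The following is an added example, not part of the original post and not nmap's own code: it builds a few raw replies by hand (a SYN/ACK, an RST/ACK, an ICMP "administratively prohibited" error, and silence), then classifies them the way -sS does. The scanner address 10.142.111.50, the port numbers and the zeroed checksums are assumptions for illustration; nothing is sent on the wire.

```python
"""Classify the reply to a single TCP SYN probe the way nmap -sS does:
SYN/ACK -> open, RST -> closed, ICMP unreachable or no reply -> filtered.
Added example with hand-built packets; it does not touch the network."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
SERVER, SCANNER = "10.142.111.1", "10.142.111.50"   # scanner address is assumed


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left 0; enough for parsing)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header: data offset 5 words, given flag bits, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def build_icmp_unreach(code, offending):
    """ICMP type 3 (destination unreachable) quoting the start of the probe that caused it."""
    return struct.pack("!BBHI", 3, code, 0, 0) + offending


def classify(reply, probe_dport):
    """reply: raw IPv4 datagram that came back, or None on timeout. Returns the port state."""
    if reply is None:
        return "filtered"                       # silence: a firewall ate the SYN or the reply
    ihl = (reply[0] & 0x0F) * 4
    proto = reply[9]
    payload = reply[ihl:]
    if proto == 6:                              # TCP
        sport, _dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", payload[:14])
        if sport != probe_dport:
            return "filtered"                   # not an answer to this probe
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"                       # the scanner's kernel will RST this
        if flags & TCP_RST:
            return "closed"
        return "filtered"
    if proto == 1:                              # ICMP
        icmp_type, code = payload[0], payload[1]
        # Type 3 codes 1,2,3,9,10,13 (host/net/port unreachable, admin prohibited) = filtered
        if icmp_type == 3 and code in (1, 2, 3, 9, 10, 13):
            return "filtered"
    return "filtered"                           # anything else is not a usable answer


def scan_summary(replies):
    """replies: {probed_port: raw reply or None}. Returns {port: state}."""
    return {port: classify(reply, port) for port, reply in replies.items()}


def sample_replies():
    """Constructed replies for four probes against SERVER, one per outcome."""
    synack = build_ipv4(6, SERVER, SCANNER, build_tcp(80, 40000, TCP_SYN | TCP_ACK, seq=1000, ack=1))
    rstack = build_ipv4(6, SERVER, SCANNER, build_tcp(8080, 40001, TCP_RST | TCP_ACK, ack=1))
    probe = build_ipv4(6, SCANNER, SERVER, build_tcp(40002, 23, TCP_SYN))
    unreach = build_ipv4(1, SERVER, SCANNER, build_icmp_unreach(13, probe[:28]))
    return {80: synack, 8080: rstack, 23: unreach, 443: None}


if __name__ == "__main__":
    for port, state in sorted(scan_summary(sample_replies()).items()):
        print(f"{port:5d}/tcp {state}")
```

Note that "filtered" is the state you cannot distinguish from packet loss, which is why nmap retransmits before settling on it, and why a port that shows filtered from one vantage point may show closed from another.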

nmap_sS_scan

That is it for now. I’ll go through more of the capabilities of nmap such as OS fingerprinting in my next post.

CCNA Cyber Ops

It has been a while since I have posted something on my blog. I've been busy studying for the CCNA Cyber Ops cert. Cisco created this certification due to the serious lack of cyber security personnel worldwide; Cisco will invest $10 million into this program to close this gap. They opened up a CCNA Cyber Ops scholarship program, which I applied for over a year ago now, and I was successful in getting a place on the program (https://mkto.cisco.com/security-scholarship).

The scholarship gives students access to an online portal with all the training material, which includes text slides, videos and labs for hands-on training. Unlike most Cisco certifications, the Cyber Ops certification is mostly vendor neutral; yes, Cisco equipment gets mentioned from time to time, but most of the security tools used on the course are not Cisco's: Kali Linux, Security Onion, Burp, Wireshark, Bro and ELSA, to name a few.

The certification is broken into two exams: the SECFND 210-250 exam and the SECOPS 210-255 exam.

The SECFND 210-250 exam topics are broken out into the following main areas:

  • Network Concepts
  • Security Concepts
  • Cryptography
  • Host-Based Analysis
  • Security Monitoring
  • Attack Methods

The SECOPS 210-255 exam topics are broken out into the following main areas:

  • Endpoint Threat Analysis and Computer Forensics
  • Network Intrusion Analysis
  • Incident Response
  • Data and Event Analysis
  • Incident Handling

I have to say that Cisco did a great job here and created a really interesting and engaging course. I hope they continue to develop this track to the CCNP level and beyond, and that they stick to the vendor neutral delivery of the course.

I’ve now passed both exams and I’m officially CCNA Cyber Ops certified.

So what is next? I've started the PTSv3 course from eLearnSecurity, which is a pentesting course. What I like about it is that it is hands-on learning in a lab environment, and even better for me, the exam is hands-on too: you have 72 hours to carry out a pentest against designated targets. I think this is a great way to test what you have learned, and I personally prefer it to multiple choice questions.

 

CCNA Security 210-260 Passed

CCNA_security_large

On Wednesday 6th of September, I passed the CCNA Security 210-260 exam on my second attempt.

On my first attempt I got 808; the passing score is 860, so I wasn't a million miles away from a pass. I am sort of glad that I failed the exam on my first attempt, as strange as that may seem. The reason is that it showed me where I was weak and where I was strong. I went back over the topics I didn't score well in and really dug deep to understand them better. Like all Cisco exams, some of the questions were hard to understand in terms of what Cisco was actually asking, or what the correct "Cisco" answer is.

I did better with my second attempt getting a score in the 900 range. So that extra study did the trick.

The resources I used:

The OCG from Cisco. There has been a lot said about the book and I have to agree with what others have said. Why CPP is in the book I will never know. Also, some topics are not covered in great detail, but the questions asked in the exam expect you to have a better understanding.

CBT Nuggets – CCNA Security 210-260 course is very good and highly recommend it.

31 Days Before Your CCNA Security Exam, which filled in some of the gaps from the OCG book.

GNS3 for labs. The more labs you can do the better. You'll get a better understanding of the technologies, and troubleshooting the mistakes you make while setting up labs will help you learn. In GNS3 you can run the ASA, switches, routers, end hosts and Kali Linux to run attacks against your own topology.

What is next?

I have been accepted on the CCNA Cyber Ops Scholarship program. I start the course on the 24th of September. I plan on updating this blog with what I am learning and how the course is going.

After that, I would like to do some pentesting courses, maybe something from eLearnSecurity, and then finish off with the gold-standard OSCP cert.

 

Clientless SSL VPN Lab

In this post I'm going to set up a Clientless SSL VPN via the ASDM GUI and then connect to it from the TinyCore Linux PC, all within GNS3.

Topology:

LAB_SSL_CL

I'm using the topology above. The nodes I'm using are the ASA, with the ASDM connected via the cloud from my local PC; if you want to know how to set up the ASA with ASDM access, check out one of my other posts: How-To: ASA in GNS3 with ASDM

I'll also be using R4 and the Remote Worker PC, which runs TinyCore Linux, to test the Clientless SSL VPN.

Configure the Clientless SSL VPN on the ASAv via the ASDM GUI

ASDMmainscreen

When you log into the ASDM GUI you’ll get the main screen above. Click on Wizards > VPN Wizards > Clientless SSL VPN Wizard…

ASDM_Wizard

The Clientless SSL VPN Wizard window will pop up, click on Next. You’ll get the following window.

Step2_SSL

Here you give your Clientless SSL VPN a Connection Profile Name (I've named this one SSL_Remote_Access) and select the interface the SSL VPN will accept connections on, which is the Outside interface (Internet). I don't have my own digital certificate, so I'm leaving Certificate set to None; the ASA will then present a self-signed certificate. That is fine for a lab, but in production you want a certificate issued by a CA your users' browsers already trust, otherwise you train them to click through certificate warnings, which is exactly what a man-in-the-middle relies on. I've also given the connection an alias of SSL, which becomes part of the login URL. Click Next.

step3_auth.png

The next step is to configure user authentication. You have the choice of an AAA server (which I don't have) or the local user database, which I've selected. Select "Authenticate using the local user database" and add a new user; here I'm adding Homer. Once added, click Next.

Step4_GroupPol

The next step is to set up a group policy or select an existing one. Here I've created a new policy called Remote_Users; it inherits the DfltGrpPolicy attributes, which I can change later if I need to. Click Next.

Step5_Bookmark

In the next step you can configure a list of bookmarks that the Remote users will be able to click on to access resources on the Corp LAN. Click on Manage > Add

Here you give the bookmark a name like EMAIL. Click on Add

Step5_BM2

You need to configure the IP address (or URL) of the EMAIL server. I don't have an email server in my lab, but the bookmark should still appear once I connect to the Clientless SSL VPN (hopefully).

step6_finish.png

That is it. You'll get a summary page; click Finish to send the config to the ASA.

With the ASA configured, the next step is R4 in my topology. I'll give Gi0/1 an IP address (200.0.0.1/24) and a default route that sends all traffic to the ASA's outside interface, using the command "ip route 0.0.0.0 0.0.0.0 136.1.47.1", as shown below.

R4

Next, configure the TinyCore Linux PC with an IP address in the same range as Gi0/1. I'll use 200.0.0.2 with the default gateway set to 200.0.0.1.

tinylinux

To configure an IP address on the Linux PC click on Control Panel > Network

Set the IP address and the Gateway and click on Apply

It is always good practice to test connectivity: open a terminal window on the Linux PC and ping the gateway at 200.0.0.1.

pingR4

Now, using the built-in Firefox browser on the Linux PC, it is time to test the Clientless SSL VPN and see if we can connect to the Corp LAN. In the address bar enter the URL configured earlier, https://136.1.47.1/SSL (the /SSL path is the connection alias from the wizard).

SSLConnection

Looks good. Because this is a self-signed certificate from the ASA, Firefox warns you not to trust the site. Click "I Understand the Risks" to continue. Once you accept the risk you get the following login page.

SSL VPN Login

Enter in the username and password in my case Homer.

LoggedIn

Success !! I have logged in and as you can see the EMAIL bookmark I configured during the Clientless SSL VPN setup is there.

I hope you found this useful, get labbing and try it out for yourself.

Feedback always welcomed.

How-To: ASA in GNS3 with ASDM

After struggling to get the ASDM to work in GNS3 I thought it would be a good idea to write a blog post on how to get the ASA and ASDM working within GNS3.

Below is the ASAv image I am using and also the version of GNS3. Note: if you want to run an ASAv image you must run it in the GNS3 VM, not in the local GNS3 server.

ASA image: asav952-204.qcow2 (VIRL image)

GNS3VM Version: 2.0.0b3 on Windows

The GNS3 team have a great video showing you how to import the ASAv image into GNS3.

https://gns3.com/discussions/gns3-talks-gns3-asa-setup-import

I would strongly recommend that you view that video.

They also recommend that you use the ASAv directly from Cisco’s VIRL software. A google search will get you the image you need.

I had a few issues getting the ASDM GUI working initially. Note that you do NOT have to copy the ASDM .bin file onto the ASA; it is already there, even if you can't see it when you do a dir. Trust me, it is!

Below is the topology I am using. Drag your newly imported ASAv image onto the workspace along with the GNS3 Ethernet Switch and the Cloud object. Connect the ASA's Management0/0 interface to the switch, then connect another port on the switch to the Cloud, selecting eth1 as the cloud interface; eth1 should be bridged from VMware to your local machine.

topologyasa

Next, you need to configure the ASAv to get an IP address via DHCP and also activate the http server on the ASA and allow the IP that you get from DHCP to access the http server on the ASA.

manipconfig

When you go into enable mode it will ask you for a password. Don't panic: just press Enter and it will continue into enable mode, because the ASA's default enable password is empty. Go into configuration mode and configure the management interface as shown above.

Wait a minute and then run the #show ip command. As you can see in my setup I’ve been given an IP address of 192.168.159.189.

Next, we need to enable the HTTP server on the ASA so we can reach it via the ASDM GUI.

http

The commands to do this are #http server enable and #http 0 0 mgmt. I cheated a bit with the second one: 0 0 is shorthand for 0.0.0.0 0.0.0.0, which allows any IP address to connect to the ASDM on the mgmt interface. I could (and on a production ASA should) have restricted it to the management subnet with http 192.168.159.0 255.255.255.0 mgmt, or to a single admin host. Because this is just a lab, wide open is fine; you wouldn't want to do this on a production ASA.

So you are all set to access the ASA via the ASDM GUI. Open a browser and enter the IP address that was assigned to your management interface via DHCP. NOTE: you must use https://, after all it is a security device we are accessing here, and the ASA only serves the ASDM over TLS.

webpage

You will get a warning message when you first try to connect, saying that it isn't secure because the certificate is a self-signed one from the ASA and your browser does not recognise it as a trusted site. Just click on Advanced and add an exception.

asdmlunch

At this stage you should get the following screen. Note that you'll need Java installed on your machine to run the ASDM. Select Install ASDM Launcher; this installs an icon on your desktop so you can run the ASDM directly from there, which saves going via the web page each time. When you start the ASDM launcher you'll be asked for the IP address, which is the address assigned to the management interface. I didn't set a username or password, so just click Connect; that works because no aaa authentication http console command is configured, so the ASDM accepts the (empty) enable password with a blank username. Set real credentials on anything that isn't a throwaway lab.

You should be now logged in 🙂

ASDM.png

 

 

ASA Lab with ASDM

asav-lab2

It has been too long since my last post. I’ve been very busy in work and also studying away working towards CCNA security. I just wanted to show what my latest topology looks like that I will be using to study with doing as many labs as possible. Hopefully, this will grow over time.

The topology has full access to the Internet, which is great.

And most importantly, I have the ASDM running in the browser on my PC 🙂 as you can see below.

asdm

This is a big deal as I will be able to configure the ASA from the ASDM and practice using it as much as possible.

I will probably add a zone-based router to the topology at some stage as well. The switches are vIOS switches which will allow me to do Port Security and DHCP Snooping etc.

If you have any questions on the setup let me know.

Note: The lab has been built using GNS3 version 2.0b3

 

 

Labs Labs Labs…

For me, labs are the most important part of my pursuit of certification. I am a visual learner more than anything else, and I find doing labs is a great way to learn; it also helps you remember topics and commands. Another important part is troubleshooting your lab: when you first configure something, chances are it won't work first time round, so you have to think about the steps you took in configuring the lab and start troubleshooting the issues. What a great way to learn.

So what is the best way to practise using labs? Lab rental is good if you don't have the physical hardware, which can be expensive to buy and run in a home lab; the other option is to run virtual labs on your own PC at home, and that is the one I use.

I built my own PC, which was another great learning experience. It has an Intel i5 processor, 16 GB of RAM, a 250 GB SSD and an ASRock motherboard. I won't bore you with all the details, but it's a powerful enough machine.

So what is the best software to run on your own PC? I use a combination depending on what I am doing. I use Packet Tracer for very quick and basic labs. I also run GNS3 for more complex labs, which I used a lot for my CCNP R&S certification exams.

But the latest one I am using is Unified Networking Labs, or UNL for short. To run the UNL software you must use VMware or VirtualBox, and you need a powerful PC depending on the complexity of the lab you want to run. You can download the software from http://www.unetlab.com/ if you are interested in trying it out.

So why UNL? Well, it supports a lot of the security appliances you need for the CCNA Security exam: ACS, ASA/ASAv, Cisco IOU switches and Cisco routers, to name a few. It is really important to get hands-on experience with the ASA in particular, and also with its GUI, the ASDM.

Unified Network Labs

Below I will show you what it looks like, and set up the ASA and a virtual Windows machine, all within UNL, to access the ASDM.

I won't go into detail on how to install the software, as the UNL website does a really good job of that and provides videos as well.

unl_login
UNL Login Screen

Once you start the VMware VM for UNL, you log on to the system via your browser. The username/password is admin/unl.

Once logged in you’ll get the following screen.

addlab

To create a new lab click on Actions and ‘Add a new lab’

After naming your lab and saving it, it will appear in your list; double click the lab and then select Open.

selectlab

On the left hand side click the plus button to add an object and select Node. Select ASAv from the list to add it to the lab, then do this again and select Windows to add a virtual Windows machine. Next, select the link icon to add a link between the nodes.

asdm

Next step is to Start the nodes by right clicking on them and selecting Start. Now the fun begins configuring the ASAv and Windows machine so we can not only configure the ASAv via the CLI but also using the ASDM GUI.

First thing we need to do is configure the ASAv node. I am using putty here.

asaputty

First step: configure the management interface that is connected to the Windows machine. Here I gave it an IP address of 192.168.1.200/24.

I then enabled the HTTP server and told the ASA which network is allowed to connect to it.

What isn't shown in the screen capture above is configuring a username and password to use via the ASDM. The command for this is (admin123 is a lab-only password; use something stronger anywhere else):

#username admin password admin123 privilege 15

You also need to tell the ASDM how to authenticate the user and what database to use. I’m just using the local ASA one.

#aaa authentication http console LOCAL

That is it! Now save your configuration with the write memory (wr) command.

Next, the Windows machine. I connect to it via Remote Desktop Viewer (I run Linux on my home PC).

windows

Nothing special here apart from the fact that you need to have the Windows machine on the same network as the ASA. Open up Network Connections and enter in an IP address in the 192.168.1.0 subnet. I used 192.168.1.201/24.

Once configured run a quick ping test.

ping

SUCCESS !

Double click on the ASDM icon to launch the ASDM and configure the IP address as the IP address you gave the management interface on the ASAv in my case 192.168.1.200 and the username/password of admin/admin123.

 

asdmhs

Bingo ! I am now connected to the ASAv via the ASDM GUI.

I hope you find this useful. Any questions just ask in the comments section.

NOTE: You need to download and install the different images you want to use in the UNL system via the Cisco website just like you have to do with GNS3. The UNL website has a HOW-TO guide on how to import them into the system.

DoS/DDoS

A DoS (Denial of Service) attack aims to make a network resource, such as a website, unavailable for legitimate use. These attacks are a major risk to a company's infrastructure and also to its reputation. Any company offering a service on the Internet can be targeted for a number of reasons: the attacker might disagree with the company's policies, have bought a service that didn't meet their expectations, be an ex-employee, and so on. Attackers can abuse weaknesses in the design of networking protocols to launch an attack, such as a TCP SYN flood. TCP is a reliable protocol, meaning it keeps track of whether all segments were delivered and resends any that were lost along the way. When a client (host) wants to communicate with a website it first sets up a TCP connection with the server. This is called the 3-way handshake, shown below.

 

3waytcp

 

In a TCP SYN flood the attacker keeps sending SYN segments towards the target, in our example the web server. The server answers each one with a SYN/ACK and waits for the final ACK, but the attacker is sending thousands of SYNs from spoofed source addresses, so the ACKs never come (and the SYN/ACKs go to hosts that never asked for them). Every half-open connection the server is patiently waiting on occupies a slot in its SYN backlog, and once the backlog is full the kernel drops new SYNs: legitimate users can no longer establish a TCP connection, and the web server is effectively unavailable even though it is up and has bandwidth to spare. Modern TCP stacks mitigate this with SYN cookies, which let the server answer a SYN without keeping any state until the handshake completes.
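The SYN cookie idea is the cleanest answer to the resource exhaustion described above, and it is small enough to show end to end. The following is an added, simplified illustration, not code from any real TCP stack and not part of the original post: the server's SYN/ACK sequence number is a keyed hash of the connection 4-tuple and a coarse time counter (5 bits of time, 3 bits of MSS index, 24 bits of hash, the layout Linux uses), so it stores nothing for the half-open connection; when an ACK arrives it recomputes the cookie from the ACK's 4-tuple and checks it. The secret, the MSS table and the addresses are assumptions for the example.

```python
"""Stateless SYN cookies: answer every SYN with a SYN/ACK whose sequence number is a
keyed hash, then verify the third-handshake ACK without any stored state.
Added, simplified illustration of the Bernstein/Linux layout; not production code."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-secret-do-not-reuse"   # a real stack picks this randomly at boot
MSS_TABLE = (536, 1300, 1440, 1460)           # MSS values encodable in the 3 spare bits


def _hash24(saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """32-bit ISN: [5 bits t][3 bits mss index][24 bits hash]. t ticks every 64 seconds."""
    t = (now // 64) & 0x1F
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = max(fits) if fits else 0          # largest table entry not above the peer's MSS
    return (t << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def check_cookie(cookie, saddr, daddr, sport, dport, now):
    """Return the MSS to use if the cookie is ours and recent, else None."""
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    cur = (now // 64) & 0x1F
    if (cur - t) & 0x1F > 1:                    # accept the current and previous 64 s window
        return None
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[mss_idx]


def handle_syn(saddr, daddr, sport, dport, mss, now):
    """Server side: the SYN/ACK's sequence number. No backlog entry is created."""
    return make_cookie(saddr, daddr, sport, dport, mss, now)


def handle_ack(ack_num, saddr, daddr, sport, dport, now):
    """Server side: the ACK acknowledges ISN+1, so ISN = ack_num - 1 must be a valid cookie."""
    return check_cookie((ack_num - 1) & 0xFFFFFFFF, saddr, daddr, sport, dport, now)


def demo():
    """Legitimate client completes; a spoofed source and a stale ACK are rejected."""
    server = ipaddress.ip_address("10.142.111.1").packed
    client = ipaddress.ip_address("10.142.111.50").packed      # assumed client address
    forger = ipaddress.ip_address("198.51.100.7").packed       # documentation range
    isn = handle_syn(client, server, 40000, 80, 1460, now=1000)
    ok = handle_ack(isn + 1, client, server, 40000, 80, now=1005)
    forged = handle_ack(isn + 1, forger, server, 40000, 80, now=1005)
    stale = handle_ack(isn + 1, client, server, 40000, 80, now=1000 + 3 * 64)
    return ok, forged, stale


if __name__ == "__main__":
    print("legit, forged, stale ->", demo())
```

The cost of going stateless is what the cookie cannot carry: TCP options other than an approximated MSS are lost, which is why real stacks only switch to cookies once the backlog is actually full, and why a flood still costs the server CPU for every hash even if it no longer costs memory.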

A DDoS (Distributed Denial of Service) attack uses a botnet spread across the Internet to attack its target. So what is a botnet? It is a network of PCs, smartphones or other devices (bots) that have been infected with malware; once the malware is installed, the device becomes part of the botnet and takes its orders from the attacker's command-and-control (C2) server on the Internet. The attacker can command all the bots to attack a target at the same time. Two techniques attackers use are reflection and amplification. A well-known reflection and amplification attack abuses open NTP (Network Time Protocol) servers on the Internet that are misconfigured and still answer the monlist request.

ntp

Above is the NTP attack in action. The attacker instructs the bots to target the web server. Each bot sends a small request (well under a kilobyte) to the open NTP server(s) asking for the list (monlist) of the last 600 addresses that requested time from it, but with the source IP address spoofed to be the web server's (reflection), so every reply goes to the web server instead of the bot. The monlist reply runs to many packets and can be tens to hundreds of times the size of the request (amplification), so a modest amount of bot traffic turns into Gbps of data hitting the web server, crashing it or using up all its available bandwidth. Open DNS resolvers can be abused in the same way. The fixes are on the server side, disable monlist or upgrade to an NTP version without it, and at the network edge, source address validation (BCP 38) so spoofed packets never leave the network they came from.
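From the victim's side the tell-tale of a reflection attack is traffic that answers a question you never asked. The following is an added example, not part of the original post and not any product's detection rule: it runs over a handful of constructed flow records and reports peers sending UDP traffic from source port 123 to this host that the host never queried, together with the per-packet size relative to a normal NTP query. The records, the 76-byte query size and the threshold are assumptions for illustration.

```python
"""Victim-side check for NTP reflection: inbound UDP traffic from source port 123 that
this host never solicited and that is far larger than an NTP query.
Added example over constructed flow records; not a product's detection rule."""
from collections import defaultdict

NTP_QUERY_BYTES = 76   # 48-byte NTP query + 20-byte IPv4 header + 8-byte UDP header

# Constructed records, one per packet, as a flow exporter might give them:
# (direction, peer_ip, peer_port, local_port, bytes). 'in' arrives at the web server.
FLOWS = [
    ("out", "10.142.111.6",  123, 123,   76),   # our own legitimate query to the local NTP server
    ("in",  "10.142.111.6",  123, 123,   76),   # and its reply
    ("in",  "198.51.100.10", 123, 54321, 468),  # monlist-sized replies we never asked for
    ("in",  "198.51.100.10", 123, 54321, 468),
    ("in",  "203.0.113.5",   123, 54322, 468),
    ("in",  "203.0.113.5",   123, 54322, 468),
    ("in",  "203.0.113.5",   123, 54322, 468),
]


def find_reflectors(flows, min_ratio=4.0):
    """Return [(reflector_ip, packets, bytes, bytes_per_packet_vs_query)] for peers that
    sent us NTP replies we never requested, largest sender first."""
    queried = {peer for d, peer, pport, _, _ in flows if d == "out" and pport == 123}
    inbound = defaultdict(lambda: [0, 0])      # peer -> [packets, bytes]
    for d, peer, pport, _, size in flows:
        if d == "in" and pport == 123 and peer not in queried:
            inbound[peer][0] += 1
            inbound[peer][1] += size
    hits = []
    for peer, (pkts, total) in inbound.items():
        # Since we sent no query, compare each reply packet against a normal query size;
        # a single monlist request can trigger up to 100 such packets.
        ratio = total / (pkts * NTP_QUERY_BYTES)
        if ratio >= min_ratio:
            hits.append((peer, pkts, total, round(ratio, 1)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for peer, pkts, total, ratio in find_reflectors(FLOWS):
        print(f"{peer:15s} {pkts:4d} pkts {total:7d} B  {ratio:5.1f}x a query")
```

The reflectors it lists are victims too (open servers someone else's bots abused), so the response is to filter UDP/123 from them upstream and notify their operators, not to treat them as the attacker.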

The explosion of IoT devices on the Internet has brought an increase in DDoS attacks. Many IoT devices have poor security, with large numbers shipping with the same default username/password. A recent DDoS attack launched from thousands of IP CCTV cameras, taken over because of their weak default passwords, peaked at around 620 Gbps against a single website. When setting up an IoT device the manufacturer should force the user to change the default password, to a unique one of at least 8-10 characters mixing upper case, numbers and special characters, which would be a start in keeping attackers out of IoT devices on the Internet.

ARP Poisoning Lab

It has been a couple of weeks if not more since I last posted on my study blog. Life getting in the way as it does. But I hope to get back on track now.

In my last post I talked about ARP Poisoning and how it works as a Man In The Middle attack. So how do you stop this sort of an attack?

Does something called DHCP spoofing ring a bell? I previously talked about it and how to stop it in the DHCP Spoofing post, so if you need a refresher click on the link and then come back here.

We can use the DHCP snooping binding database to stop ARP poisoning too, since it keeps the mapping of IP address to MAC address to the switch port (and VLAN) each lease was learnt on. The feature is called Dynamic ARP Inspection (DAI), and for it to work you need DHCP snooping already enabled. For hosts with static addresses you can define ARP ACLs to supply the mappings instead.

To enable ARP inspection you turn it on in global configuration mode, on a per-VLAN basis:

#config t

#ip arp inspection vlan 123

Just like with DHCP snooping, untrusted ports (the default) are inspected: any ARP packet whose sender IP/MAC pair does not match a binding for that port is dropped, which is exactly the forged reply an ARP poisoning tool sends. Untrusted ports are also rate limited, 15 ARP packets per second by default, and a port that exceeds the limit is put into err-disabled state, so a host that floods ARP gets cut off. And just like with DHCP snooping you can set ports (interfaces) to trusted: a trusted port is not subject to inspection and its ARP traffic is allowed to flow. Only trust uplinks to other switches that are themselves running DAI, never a port facing an end host. To change a port to trusted, go into the interface:

#interface fa0/2

#ip arp inspection trust

And that is it.

Finally, DAI can be enabled on access, trunk and EtherChannel ports.
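To make the inspection rules concrete, here is an added model of what the switch does with each ARP packet, not code from any switch and not part of the original post: it checks the sender IP/MAC against the binding learnt on that port, passes trusted ports through untouched, and err-disables an untrusted port that exceeds the rate limit. The binding table, the port names and the 15 packets-per-second default are the post's values; the gateway address 10.1.123.1 and the host addresses are assumptions for the example.

```python
"""Model of Dynamic ARP Inspection against a DHCP snooping binding table.
Added illustration of the rules described in the post; not switch code."""
from collections import defaultdict


class DaiSwitch:
    def __init__(self, bindings, trusted=(), rate_limit=15):
        self.bindings = bindings            # port -> {ip: mac}, as DHCP snooping learnt them
        self.trusted = set(trusted)         # ports exempt from inspection (uplinks only)
        self.rate_limit = rate_limit        # ARP packets per second on an untrusted port
        self.err_disabled = set()
        self._pps = defaultdict(int)        # (port, second) -> packets seen

    def inspect(self, port, sender_ip, sender_mac, second):
        """Return what happens to one ARP packet arriving on `port` at time `second`."""
        if port in self.err_disabled:
            return "dropped:err-disabled"
        if port in self.trusted:
            return "forwarded:trusted"
        self._pps[(port, second)] += 1
        if self._pps[(port, second)] > self.rate_limit:
            self.err_disabled.add(port)     # recovered only by shut/no shut or errdisable recovery
            return "dropped:rate-limit"
        expected = self.bindings.get(port, {}).get(sender_ip)
        if expected is None or expected.lower() != sender_mac.lower():
            return "dropped:invalid-binding"
        return "forwarded"


def demo():
    """A legitimate ARP, a poisoning attempt claiming the gateway, a trusted uplink, and a flood."""
    sw = DaiSwitch(
        bindings={"fa0/3": {"10.1.123.10": "00:11:22:33:44:55"},
                  "fa0/4": {"10.1.123.11": "00:11:22:33:44:66"}},
        trusted=["fa0/2"],                  # the uplink the post marks with ip arp inspection trust
    )
    results = [
        sw.inspect("fa0/3", "10.1.123.10", "00:11:22:33:44:55", second=0),  # matches binding
        sw.inspect("fa0/4", "10.1.123.1",  "00:11:22:33:44:66", second=0),  # host on fa0/4 claims the gateway
        sw.inspect("fa0/2", "10.1.123.1",  "aa:bb:cc:dd:ee:ff", second=0),  # trusted uplink, not inspected
    ]
    flood = [sw.inspect("fa0/3", "10.1.123.10", "00:11:22:33:44:55", second=1) for _ in range(16)]
    return results, flood[14], flood[15], "fa0/3" in sw.err_disabled


if __name__ == "__main__":
    print(demo())
```

Note what the flood case shows: the packets are all valid, and the port is still shut down, so a misbehaving but honest host (or a scanner like nmap -sn sweeping the VLAN from an access port) trips DAI just as an attacker would. Tune the limit with ip arp inspection limit rate on the interface if legitimate hosts hit it.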