Planned Certification Path

Certification No Responses »
Nov 102010

Procrastination is my middle name when it comes to certifications. I mean, I’ve been meaning to get myself certified with a couple of industry recognised certifications for all of two years now, yet all I have to show for these “plans” is a CCNA Security certificate, and the now retired CCSP:SNPA exam. With my current contract nearing its end (March 2011), it’s about time I wrote down my road to certification with final test taking dates. I’m allowing study time of one month for each of these exams; I feel I have the fundamentals of each area of study down, leaving me with smaller gaps to fill.

Security Certifications

  • (ISC)² – SSCP -> December 24, 2010;
  • EC-Council – CEH  -> January 28, 2011;
  • Cisco – CCSP SECURE -> June 2011;
  • Cisco – CCSP FIREWALL -> July, 2011;
  • Cisco – CCSP IPS 7.0 -> August, 2011;
  • Cisco – CCSP VPN 1.0 -> September, 2011.

Networking Certifications

  • Cisco – CCNP ROUTE -> February 25, 2011;
  • Cisco – CCNP SWITCH -> March 25, 2011;
  • Cisco – CCNP TSHOOT -> April 29, 2011;
  • Cisco – CCDP ARCH ->May, 2011.

The reason I decided on the CCSP path listed above is to ensure that it also aligns with the CCNP Security certification that has recently been released. It makes sense to obtain both certifications at the same time without having to sit any additional exams.

Naturally I expect to make ammendments to the above list where applicable, and will do so as the time comes.

Posted by hazed at 14:09

Tracing Rogue Applications with SPAN and Wireshark

Analysis, Cisco, Network Security, Networking, Security, Sniffing, Switching 1 Response »
Oct 152010

Bringing on new clients often flags previously unseen issues; on both the client side, as well as the hosting side of the equation. I’ve mentioned in past blog posts that I work for a large State Government body, and we’re bringing on new departments on a somewhat regular basis.

We are currently in the process of bringing on board a large department of about 500 employees, 50 or so servers, and an infrastructure consisting mostly of Juniper gear. They’re already part of the Telstra GWIP, so we needed Telstra to set up routing between sites, and required adding rules to both ours and their firewalls. This is where a few issues were identified.

From several of our workstations we found that something was trying to hit the new network using a source IP address from the 192.168.0.0/24 subnet (example subnet). While the client network uses 192.168.0.0/24 subnet, we do not–nor have we ever–used this subnet. Naturally our routers would not have known how to route to this network previously and would have simply dropped any return packets; this is no longer the case.

This newly identified problem required a resolution, and I took it as an opportunity to use and learn Cisco’s SPAN (Switch Port Analysis), which I had only read about but never used in the past.

I first identified the switch port that one of the culprit workstations was using with the show mac-address-table command as follows:

NULLSEC-SW1#show mac-address-table | include xxxx.xxxx.xxxx

I then set up a monitoring session on that port to send ingress and egress packets from the source port to the networked port that I was using with Wireshark to capture any packets (my laptop was connected to that port, listening in passive mode):


NULLSEC-SW1#config t
NULLSEC-SW1(config)#monitor session 1 source interface fa3/0/10
NULLSEC-SW1(config)#monitor session 1 destination interface fa4/0/48

Once I started monitoring the Wireshark feed, it became obvious that something was going crazy with HSRP Hello multicasts. So I logged myself another call to resolve this issue (unfortunately as it is the production environment, I couldn’t fix it without proper approval processes), and set a filter to not hsrp so I could actually read the packet flow.

After about 3 hours of capturing packets, Wireshark died with an “Out of Memory” error; I should have seen that coming. I then killed the SPAN session using the following command:

NULLSEC-SW1(config)#no monitor session 1

Because so much data was captured before Wireshark died, I had to split 5GB of data into smaller, manageable files. I wrote the following batch script to achieve this:

echo [+]========================================================[+]
echo [+]--------------| WireShark File Splitter |---------------[+]
echo [+]--------------| Author: Michael Howe    |---------------[+]
echo [+]--------------| Version: 1.0            |---------------[+]
echo [+]========================================================[+]

rem Define working directory
set wireshark="C:\Program Files\Wireshark\"

rem Set the file variable
set /P file="Enter File Name with Full Path: "

rem Obtain packet information for file
echo "Obtaining file information."
%wireshark%\capinfos.exe -c %file%

rem [Set the number of packets in the file
set /P max="Enter Number of Packets in File: "

rem Reset the b variable to 0
set b=0

rem Loop through file splitting into 500000 packets
FOR /L %%a IN (1,500000,%max%) DO (
SET /a b = %%a+499999
%wireshark%\editcap.exe -r %file% %file%_%%a-!b! %%a-!b!
)

Unfortunately monitoring that particular interface didn’t return any results, so the next logical step was to enable monitoring on the entire VLAN. I used the following to enable SPAN on the VLAN:


NULLSEC-SW1#config t
NULLSEC-SW1(config)#monitor session 1 source vlan 2122
NULLSEC-SW1(config)#monitor session 1 destination interface fa4/0/48

This time I thought ahead and had Wireshark split the packet dump into 200MB files. Alas, it didn’t crash again, and the files were much more manageable.

Split Wireshark Dumps into 200MB Files at Time of Capture.

Split Wireshark Dumps into 200MB Files at Time of Capture.

Using the following filter on the 50GB+ of data that I had by the end of the venture, I found that there was no rogue application on the network, and notified the client.

ip.addr == 192.168.0.0/16 or ip.addr == 10.0.0.0/8

It turns out that the spoofed IP packets were coming from an external source.

Update: Upon further investigation, it has been determined that the address spoofing seen was sourced from misconfigured Telstra routers between our GWIP sites. Telstra has confirmed this and rectified the issues.

Posted by hazed at 10:11

Regional Office Upgrades

Cisco, Networking, Policy, Routing, Switching 4 Responses »
Sep 302010

For the past 18 or so months I’ve been working in the data centre team for a large governmental state body. The role is technical specialist; specialising in networking (switching, routing, etc). Naturally it’s had its boring, repetitious work (data backup and recovery), but a lot of the work I’ve been performing has been full of excellent learning opportunities, and good, fun, hardcore networking tasks.

This fortnight I’ve been planning and implementing upgrades at three regional offices (well, they’re Sydney based, but they aren’t head offices). As of Wednesday night, I implemented the final upgrade, which was ultimately a success.

The previous networks all roughly the same as the following (give or take a switch or two):

Basic Network Layout for the Regional Offices

The basic network layout that the regional offices followed.

The switches were comprised of old 12 and 24 port Cisco 3500 series switches. Authentication was an enable password over telnet, which I saw as somewhat insecure, and policy breaching.

Each site had a single Cisco 2600 series router with an E1 VWIC connecting to Telstra. The routers also lacked decent authentication (again, enable password over telnet).

Most of our core devices currently use RADIUS for authentication, so the infrastructure was already in place to implement decent authentication that is trackable, secure, and centrally managed. All that was required on the new devices was that the IOS be upgraded to the K9 (or crypto) version.

The new routers that I implemented are the Cisco 2921 series, using an E1 VWIC for voice. Currently we’re using ethernet to GWIP at the sites, but there is a chance that this will be upgraded to fibre, therefore I setup the GWIP on interface GigabitEthernet0/1. The trunk to the switch stack was setup on GigabitEthernet0/0 as a router on a stick.

Each regional site has two levels, one level requiring 96 access ports, and the other requiring 48 access ports. The larger of which I set up two 3750′s as a switch stack. I had never set up a switch stack before, so this was a new learning experience (though I let the stack elect a master automatically).

Of course it was required that upgrade the switches to the new IOS using the Solarwinds TFTP tool, and the following commands:

#copy tftp://<ip_addr>/<ios.bin> flash
#copy flash1:/<ios.bin> flash2
(config)#boot system switch all flash:/<ios.bin>
#write memory
#reload

The single switch on the other level was also upgraded, and the switches were trunked with fibre on the GigabitEthernet ports.

To enable RADIUS on the devices, or more accurately aaa, I used the following configurations (note: I have modified these slightly to ensure confidentiality):

The new network layout of the three regional sites.

The image is a layout of the current/new network at the regional sites.

aaa new-model
!
aaa group server radius RADAUTH
server 192.168.123.254 auth-port 1812 acct-port 1813
!
aaa authentication login default group RADAUTH local enable
aaa authentication enable default group RADAUTH line
aaa authorization console
aaa authorization exec RADAUTH group radius local
!
ip radius source-interface Loopback0
!
radius-server host 192.168.123.254 auth-port 1812 acct-port 1813 key 7 <removed>
radius-server authorization default Framed-Protocol ppp

Each site had incredibly (and I mean incredibly) messy patch work, one of which was patched with the ultra stiff Cat6 cable standard.

I found that it was actually easier to pull out all the patching and rewire it. Not only was it the neater, more manageable option, but I feel that it also saved a significant amount of time.

All three upgrades were 100% successful at time of implementation. It goes to show that it only takes a few hours planning to save many hours implementing.

The following photos give you and idea of just how messy the cabling was, and the changes that needed to be put in place to make the network neat and manageable once again.

Posted by hazed at 14:50

Cisco Lab Work

Cisco, Networking No Responses »
Jul 052010

In 2008/2009 I studied for an Advanced Diploma in Network Security, and an Advanced Diploma in Telecommunications Networks. The study was at the Cisco Academy in Meadowbank, and also included the CCNP v5.0 – BSCI, BCMSN, ISCW, and ONT; and modules from the CCSP – SNPA, and SNRS. Unfortunately I never actually got around to sitting the CCNP exams, and wish to do so now.

I’ve decided to go through all my old lab manuals and redo each lab in GNS3, and of course, post notes for those labs here. While the CCNP has been updated to v6.0, a lot of the lab work is the same. Any knowledge gaps I will fill as I go. Some labs that require switch work (most of BCMSN) will either be done in GNS3 using a 3700 IOS and a 16port switch module; else, I will be using actual hardware.

I’ve added a Cisco labs category to my category list for this purpose. I may add more categories (such as EIGRP, OSPF, etc) in the future.

Posted by hazed at 22:32

A Little Late to the Party

Uncategorized No Responses »
Jun 232010

“The man in black fled across the desert and the gunslinger followed” — Stephen King; The Dark Tower. How I wish I could have been so resolute in my pursuit to be part of the blogosphere; a goal I’ve had on my check-list for so long, but a task that my ever prevailing procrastination has always disallowed. Never did it seem like I’d actually be writing this post.

I registered the domain name “null-security.com” in 2006 when I first started dabbling in the field of information security (in particular, web-hacking). A discussion took place between myself and a couple of other up-and-coming “hackers” on irc.2600.net #somerandomchannel, that it would be a something of a good idea to publish our thoughts, findings, and research for reasons that would be beneficial to ourselves and others in the form of a blog. In retrospect, it was a good idea. In retrospect, I should have started it then.

There is reason for my procrastination, but in all truth, it was more excuse than sound reason. You see, I’d originally started a blog not much earlier than the discussion took place; I had great plans and high hopes. At the time, I was pretty stuck into PHP coding and had created my own blogging platform–albeit, a very limited blogging platform–and wanted to continue developing that in conjunction with related blog posts.

Unfortunately I ran into some troubles with my host at the time (DreamHost) who didn’t like the idea of hosting anything remotely related to hacking. They removed my account without warning; wiping my profile and everything hosted by them- including my blogging platform. It was quite a blow and I never quite regained the motivation to start over. Backing up my code would have been a great idea, but hindsight is 20/20 and a hard lesson is a lesson learned.

With the hundreds of FOSS options for blogging, I don’t understand why I just didn’t pick one up and continue with that. I guess I always thought it best practice to develop your own blogging platform if a integral part of your blog was to be about development. Fortunately I’ve left that mentality behind and picked up WordPress as my platform. It’s so feature-rich it makes it difficult to warrant building your own.

Four years on from the tragic day my ~ directory was rm -rf’d by an over-security-zealous host, I’ve moved on from the trouble-making black hat I was, to a network engineer and security enthusiast. I’m currently employed by a large government body where I deal with a range of issues from building multi-layered switched networks, to applying relevant IDS rules, monitoring network traffic, and ensuring that the network is performing at an optimal state, even penetration testing in-house developed applications.

I still get excited when I find an unknown hole in a popular CMS. I still get excited when I get to play with new networking equipment. I still get excited when I get to plan and perform a penetration test at work; and get paid to do so.

Posted by hazed at 01:07
Creative Commons License Share-alike. Some Rights Reserved. Null Security: WordPress Blog