Tracing Rogue Applications with SPAN and Wireshark

Analysis, Cisco, Network Security, Networking, Security, Sniffing, Switching 1 Response »
Oct 152010

Bringing on new clients often flags previously unseen issues; on both the client side, as well as the hosting side of the equation. I’ve mentioned in past blog posts that I work for a large State Government body, and we’re bringing on new departments on a somewhat regular basis.

We are currently in the process of bringing on board a large department of about 500 employees, 50 or so servers, and an infrastructure consisting mostly of Juniper gear. They’re already part of the Telstra GWIP, so we needed Telstra to set up routing between sites, and required adding rules to both ours and their firewalls. This is where a few issues were identified.

From several of our workstations we found that something was trying to hit the new network using a source IP address from the 192.168.0.0/24 subnet (example subnet). While the client network uses 192.168.0.0/24 subnet, we do not–nor have we ever–used this subnet. Naturally our routers would not have known how to route to this network previously and would have simply dropped any return packets; this is no longer the case.

This newly identified problem required a resolution, and I took it as an opportunity to use and learn Cisco’s SPAN (Switch Port Analysis), which I had only read about but never used in the past.

I first identified the switch port that one of the culprit workstations was using with the show mac-address-table command as follows:

NULLSEC-SW1#show mac-address-table | include xxxx.xxxx.xxxx

I then set up a monitoring session on that port to send ingress and egress packets from the source port to the networked port that I was using with Wireshark to capture any packets (my laptop was connected to that port, listening in passive mode):


NULLSEC-SW1#config t
NULLSEC-SW1(config)#monitor session 1 source interface fa3/0/10
NULLSEC-SW1(config)#monitor session 1 destination interface fa4/0/48

Once I started monitoring the Wireshark feed, it became obvious that something was going crazy with HSRP Hello multicasts. So I logged myself another call to resolve this issue (unfortunately as it is the production environment, I couldn’t fix it without proper approval processes), and set a filter to not hsrp so I could actually read the packet flow.

After about 3 hours of capturing packets, Wireshark died with an “Out of Memory” error; I should have seen that coming. I then killed the SPAN session using the following command:

NULLSEC-SW1(config)#no monitor session 1

Because so much data was captured before Wireshark died, I had to split 5GB of data into smaller, manageable files. I wrote the following batch script to achieve this:

echo [+]========================================================[+]
echo [+]--------------| WireShark File Splitter |---------------[+]
echo [+]--------------| Author: Michael Howe    |---------------[+]
echo [+]--------------| Version: 1.0            |---------------[+]
echo [+]========================================================[+]

rem Define working directory
set wireshark="C:\Program Files\Wireshark\"

rem Set the file variable
set /P file="Enter File Name with Full Path: "

rem Obtain packet information for file
echo "Obtaining file information."
%wireshark%\capinfos.exe -c %file%

rem [Set the number of packets in the file
set /P max="Enter Number of Packets in File: "

rem Reset the b variable to 0
set b=0

rem Loop through file splitting into 500000 packets
FOR /L %%a IN (1,500000,%max%) DO (
SET /a b = %%a+499999
%wireshark%\editcap.exe -r %file% %file%_%%a-!b! %%a-!b!
)

Unfortunately monitoring that particular interface didn’t return any results, so the next logical step was to enable monitoring on the entire VLAN. I used the following to enable SPAN on the VLAN:


NULLSEC-SW1#config t
NULLSEC-SW1(config)#monitor session 1 source vlan 2122
NULLSEC-SW1(config)#monitor session 1 destination interface fa4/0/48

This time I thought ahead and had Wireshark split the packet dump into 200MB files. Alas, it didn’t crash again, and the files were much more manageable.

Split Wireshark Dumps into 200MB Files at Time of Capture.

Split Wireshark Dumps into 200MB Files at Time of Capture.

Using the following filter on the 50GB+ of data that I had by the end of the venture, I found that there was no rogue application on the network, and notified the client.

ip.addr == 192.168.0.0/16 or ip.addr == 10.0.0.0/8

It turns out that the spoofed IP packets were coming from an external source.

Update: Upon further investigation, it has been determined that the address spoofing seen was sourced from misconfigured Telstra routers between our GWIP sites. Telstra has confirmed this and rectified the issues.

Posted by hazed at 10:11

Regional Office Upgrades

Cisco, Networking, Policy, Routing, Switching 4 Responses »
Sep 302010

For the past 18 or so months I’ve been working in the data centre team for a large governmental state body. The role is technical specialist; specialising in networking (switching, routing, etc). Naturally it’s had its boring, repetitious work (data backup and recovery), but a lot of the work I’ve been performing has been full of excellent learning opportunities, and good, fun, hardcore networking tasks.

This fortnight I’ve been planning and implementing upgrades at three regional offices (well, they’re Sydney based, but they aren’t head offices). As of Wednesday night, I implemented the final upgrade, which was ultimately a success.

The previous networks all roughly the same as the following (give or take a switch or two):

Basic Network Layout for the Regional Offices

The basic network layout that the regional offices followed.

The switches were comprised of old 12 and 24 port Cisco 3500 series switches. Authentication was an enable password over telnet, which I saw as somewhat insecure, and policy breaching.

Each site had a single Cisco 2600 series router with an E1 VWIC connecting to Telstra. The routers also lacked decent authentication (again, enable password over telnet).

Most of our core devices currently use RADIUS for authentication, so the infrastructure was already in place to implement decent authentication that is trackable, secure, and centrally managed. All that was required on the new devices was that the IOS be upgraded to the K9 (or crypto) version.

The new routers that I implemented are the Cisco 2921 series, using an E1 VWIC for voice. Currently we’re using ethernet to GWIP at the sites, but there is a chance that this will be upgraded to fibre, therefore I setup the GWIP on interface GigabitEthernet0/1. The trunk to the switch stack was setup on GigabitEthernet0/0 as a router on a stick.

Each regional site has two levels, one level requiring 96 access ports, and the other requiring 48 access ports. The larger of which I set up two 3750′s as a switch stack. I had never set up a switch stack before, so this was a new learning experience (though I let the stack elect a master automatically).

Of course it was required that upgrade the switches to the new IOS using the Solarwinds TFTP tool, and the following commands:

#copy tftp://<ip_addr>/<ios.bin> flash
#copy flash1:/<ios.bin> flash2
(config)#boot system switch all flash:/<ios.bin>
#write memory
#reload

The single switch on the other level was also upgraded, and the switches were trunked with fibre on the GigabitEthernet ports.

To enable RADIUS on the devices, or more accurately aaa, I used the following configurations (note: I have modified these slightly to ensure confidentiality):

The new network layout of the three regional sites.

The image is a layout of the current/new network at the regional sites.

aaa new-model
!
aaa group server radius RADAUTH
server 192.168.123.254 auth-port 1812 acct-port 1813
!
aaa authentication login default group RADAUTH local enable
aaa authentication enable default group RADAUTH line
aaa authorization console
aaa authorization exec RADAUTH group radius local
!
ip radius source-interface Loopback0
!
radius-server host 192.168.123.254 auth-port 1812 acct-port 1813 key 7 <removed>
radius-server authorization default Framed-Protocol ppp

Each site had incredibly (and I mean incredibly) messy patch work, one of which was patched with the ultra stiff Cat6 cable standard.

I found that it was actually easier to pull out all the patching and rewire it. Not only was it the neater, more manageable option, but I feel that it also saved a significant amount of time.

All three upgrades were 100% successful at time of implementation. It goes to show that it only takes a few hours planning to save many hours implementing.

The following photos give you and idea of just how messy the cabling was, and the changes that needed to be put in place to make the network neat and manageable once again.

Posted by hazed at 14:50

Cisco Lab Work

Cisco, Networking No Responses »
Jul 052010

In 2008/2009 I studied for an Advanced Diploma in Network Security, and an Advanced Diploma in Telecommunications Networks. The study was at the Cisco Academy in Meadowbank, and also included the CCNP v5.0 – BSCI, BCMSN, ISCW, and ONT; and modules from the CCSP – SNPA, and SNRS. Unfortunately I never actually got around to sitting the CCNP exams, and wish to do so now.

I’ve decided to go through all my old lab manuals and redo each lab in GNS3, and of course, post notes for those labs here. While the CCNP has been updated to v6.0, a lot of the lab work is the same. Any knowledge gaps I will fill as I go. Some labs that require switch work (most of BCMSN) will either be done in GNS3 using a 3700 IOS and a 16port switch module; else, I will be using actual hardware.

I’ve added a Cisco labs category to my category list for this purpose. I may add more categories (such as EIGRP, OSPF, etc) in the future.

Posted by hazed at 22:32
Creative Commons License Share-alike. Some Rights Reserved. Null Security: WordPress Blog