Author Archives: Andy Millett

Don’t open THAT attachment!!

Don’t open THAT attachment!!

I run a mail service for a number of friends, mainly personal, but some business. Part of the service configuration blocks attachments which are sent where the file is a specific extension (for example exe, com, bat, scr, vbs, etc). Over the last few years, it’s done a great job in filtering out malicious stuff, but of late, I’ve started pushing the files into an Open Source sandbox called Cuckoo, for extra protection, but also the nerd factor as this sort of thing interests me, Sandboxes are great, as they allow you to execute an unknown file in a restricted environment, then view the results without it ever affecting your actual computer. Once you have the results, you can decide whether it’s safe or not. So what follows should be considered a warning – ‘Don’t open THAT attachment!’.

First off, here’s the mail alert –

 

It actually looks like it’s come from a valid source, but if you look closer, you’ll see then the actual sender is IP 192.3.10.7 (owned by Colo-Crossing). Hmmmm….never-mind, we’ll push forward and take a peak at the file anyway. The actual file attachment in the mail is called ‘Hello.zip’, inside it are two files; a Word file, and a VBS script.

Files which are blocked are stored in a special mailbox for me to review. These files are uploaded to the Cuckoo Sandbox using a browser (no, I don’t use Windows to do this!) which is protected from running unknown scripts. Once the file is loaded, the sandbox executes it. I’ve ignored the Word file in the attachment, and instead gone straight to the VBS script. After a few minutes, the results are in –

 

Uh oh, a score of 11.2 out of 10 (I guess it does say the score feature is in Alpha on Cuckoo :P), I’m already suspicious. Lets see what this VBS script does.

First off, it’s queried the computer name, asked about system information, queried which browsers are installed, and checked how much memory is available.

Thats suspicious, but not actually ‘doing’ anything to the system.

Next, we see the script starting to do something.

Whoa!! Now we’re getting somewhere. There’s quite a lot of things happening here, but the one which springs out to me more than any other is ‘File has been identified by one AntiVirus engine on VirusTotal’. VirusTotal, can check up to 56 AntiVirus engines, so being detected by only ONE is a serious issue. Think your local AV is going to protect you? Think again. Local AV is the last, and often worst line of defence. The script also initiates a number of outbound HTTP requests, and steals a lot of information from local browsers, as well as creating additional processes. Very scary!.

Finally, we see the real damage of the VBS script.

The VBS script now starts to do some credential stealing. Email, FTP, IM Client credentials amongst other nefarious actions, are raked from the machine. Add these to the fact it’s created a new process which is running on the computer (and will run at system startup), the computer is now something to run away from. All from opening an attachment from an unknown source.

Don’t open attachments from emails when you don’t recognise the source!

Juniper SRX IPSec Quick Commands

Juniper SRX IPSec Quick Commands

Over the last couple of years, the company I work for has become more and more involved in looking after customer SRX firewalls, either as a managed service, or simply on a remote technical support basis. Quite a lot of those customers have IPSec tunnels numbering in the hundreds (the biggest has 850+ on an SRX240 cluster, which is approaching the 1000 tunnel limit supported by the SRX240 platform), and whilst that isn’t a huge number where models like the SRX3xxx or SRX54xxx line is concerned, it’s still a huge number to have to parse through and diagnose issues. As a consequence, I started saving simple Linux command combinations for parsing the SRX output, so what follows are Juniper SRX IPSec quick commands, which I’ll add too as time goes on.

Show IPsec Tunnels Based on Index Value

OK, so you’ve got 850 tunnels, of which 250 are related to one customer. You need to show detailed information for a report, or log purposes. First, run ‘show security ipsec security-associations | match <remote_peer_ip>’ (1.2.3.4) in my example –

 <955 ESP:aes-cbc-256/sha1 7adbd7ba 1723/ unlim - root 500 1.2.3.4 
 >955 ESP:aes-cbc-256/sha1 c1a8e6d0 1723/ unlim - root 500 1.2.3.4 
 <963 ESP:aes-cbc-256/sha1 c261b766 6461/ unlim - root 500 1.2.3.4 
 >963 ESP:aes-cbc-256/sha1 9808343e 6461/ unlim - root 500 1.2.3.4 
 <969 ESP:aes-cbc-256/sha1 b61ef91a 7901/ unlim - root 500 1.2.3.4 
 >969 ESP:aes-cbc-256/sha1 d459398f 7901/ unlim - root 500 1.2.3.4 
 <472 ESP:aes-cbc-256/sha1 1ee64eea 7696/ unlim - root 500 1.2.3.4 
 >472 ESP:aes-cbc-256/sha1 116bae2f 7696/ unlim - root 500 1.2.3.4 
 <961 ESP:aes-cbc-256/sha1 b95d7d52 3967/ unlim - root 500 1.2.3.4 
 >961 ESP:aes-cbc-256/sha1 2181b470 3967/ unlim - root 500 1.2.3.4 
 <927 ESP:aes-cbc-256/sha1 5b329b28 8232/ unlim - root 500 1.2.3.4 
 >927 ESP:aes-cbc-256/sha1 818e8e95 8232/ unlim - root 500 1.2.3.4 
 <913 ESP:aes-cbc-256/sha1 f0c86d2b 6481/ unlim - root 500 1.2.3.4 
 >913 ESP:aes-cbc-256/sha1 86e6ac9d 6481/ unlim - root 500 1.2.3.4 
 <849 ESP:aes-cbc-256/sha1 44636b47 3327/ unlim - root 500 1.2.3.4 
 >849 ESP:aes-cbc-256/sha1 f0bb1e56 3327/ unlim - root 500 1.2.3.4 
 <959 ESP:aes-cbc-256/sha1 f7134e72 5356/ unlim - root 500 1.2.3.4 
 >959 ESP:aes-cbc-256/sha1 ca7c6ca4 5356/ unlim - root 500 1.2.3.4 
 <919 ESP:aes-cbc-256/sha1 a8d17b61 2110/ unlim - root 500 1.2.3.4 
 >919 ESP:aes-cbc-256/sha1 f1dba7f2 2110/ unlim - root 500 1.2.3.4 
 <925 ESP:aes-cbc-256/sha1 a8656ce1 7193/ unlim - root 500 1.2.3.4 
 >925 ESP:aes-cbc-256/sha1 7fac5d04 7193/ unlim - root 500 1.2.3.4 
 <479 ESP:aes-cbc-256/sha1 c1e43feb 7300/ unlim - root 500 1.2.3.4 
 >479 ESP:aes-cbc-256/sha1 f40830b5 7300/ unlim - root 500 1.2.3.4 
 <847 ESP:aes-cbc-256/sha1 9981358f 27442/unlim - root 500 1.2.3.4 
 >847 ESP:aes-cbc-256/sha1 ee0041be 27442/unlim - root 500 1.2.3.4 
 <967 ESP:aes-cbc-256/sha1 176837ff 8747/ unlim - root 500 1.2.3.4 
 >967 ESP:aes-cbc-256/sha1 1ebfca2 8747/ unlim - root 500 1.2.3.4 
 <981 ESP:aes-cbc-256/sha1 bc8158c1 6710/ unlim - root 500 1.2.3.4 
 >981 ESP:aes-cbc-256/sha1 d47ddf1e 6710/ unlim - root 500 1.2.3.4 
 <915 ESP:aes-cbc-256/sha1 deb2e014 8053/ unlim - root 500 1.2.3.4 
 >915 ESP:aes-cbc-256/sha1 1552f027 8053/ unlim - root 500 1.2.3.4 
 <857 ESP:aes-cbc-256/sha1 1f77087b 7264/ unlim - root 500 1.2.3.4 
 >857 ESP:aes-cbc-256/sha1 bdcc90f 7264/ unlim - root 500 1.2.3.4 
 <923 ESP:aes-cbc-256/sha1 2761d752 6389/ unlim - root 500 1.2.3.4 
 >923 ESP:aes-cbc-256/sha1 59bcc562 6389/ unlim - root 500 1.2.3.4 
 <965 ESP:aes-cbc-256/sha1 289fc4a1 8045/ unlim - root 500 1.2.3.4 
 >965 ESP:aes-cbc-256/sha1 4ad83567 8045/ unlim - root 500 1.2.3.4 
 <853 ESP:aes-cbc-256/sha1 b9dfde99 5515/ unlim - root 500 1.2.3.4 
 >853 ESP:aes-cbc-256/sha1 63fe23a2 5515/ unlim - root 500 1.2.3.4 
 <973 ESP:aes-cbc-256/sha1 ec3def97 5246/ unlim - root 500 1.2.3.4 
 >973 ESP:aes-cbc-256/sha1 e7b6fd05 5246/ unlim - root 500 1.2.3.4 
 <917 ESP:aes-cbc-256/sha1 30d89c7c 6650/ unlim - root 500 1.2.3.4 
 >917 ESP:aes-cbc-256/sha1 6918cd5a 6650/ unlim - root 500 1.2.3.4 
 <987 ESP:aes-cbc-256/sha1 16f1dd88 5762/ unlim - root 500 1.2.3.4 
 >987 ESP:aes-cbc-256/sha1 8b0b08cc 5762/ unlim - root 500 1.2.3.4 
 <941 ESP:aes-cbc-256/sha1 3875c290 9003/ unlim - root 500 1.2.3.4 
 >941 ESP:aes-cbc-256/sha1 827e5a3 9003/ unlim - root 500 1.2.3.4 
 <1011 ESP:aes-cbc-256/sha1 8cd1107d 8409/ unlim - root 500 1.2.3.4 
 >1011 ESP:aes-cbc-256/sha1 d8d41c4a 8409/ unlim - root 500 1.2.3.4 
 <1009 ESP:aes-cbc-256/sha1 378df4a 8684/ unlim - root 500 1.2.3.4 
 >1009 ESP:aes-cbc-256/sha1 111a9b87 8684/ unlim - root 500 1.2.3.4 
 <991 ESP:aes-cbc-256/sha1 a1b94904 6334/ unlim - root 500 1.2.3.4 
 >991 ESP:aes-cbc-256/sha1 be9b3b07 6334/ unlim - root 500 1.2.3.4 
 <975 ESP:aes-cbc-256/sha1 d9bdff5d 5147/ unlim - root 500 1.2.3.4 
 >975 ESP:aes-cbc-256/sha1 d2b9a1c0 5147/ unlim - root 500 1.2.3.4 
 <855 ESP:aes-cbc-256/sha1 f0cc56e0 8902/ unlim - root 500 1.2.3.4 
 >855 ESP:aes-cbc-256/sha1 c8671fe 8902/ unlim - root 500 1.2.3.4 
 <1005 ESP:aes-cbc-256/sha1 33f7c862 4234/ unlim - root 500 1.2.3.4 
 >1005 ESP:aes-cbc-256/sha1 1ae9d135 4234/ unlim - root 500 1.2.3.4

Running ‘show security ipsec security-associations index <index value> detail’ against each of those will take AGES!! Try this instead –

cat << EOF | sed '/>/d' | awk '{print $1}' | sed 's/</show security ipsec security-associations index /' | sed 's/$/ detail/'

Once you hit enter, paste in the output from the SRX ‘show’ command, and type ‘EOF’ at the end. What you’ll get is –

show security ipsec security-associations index 955 detail
show security ipsec security-associations index 963 detail
show security ipsec security-associations index 969 detail
show security ipsec security-associations index 472 detail
show security ipsec security-associations index 961 detail
show security ipsec security-associations index 927 detail
show security ipsec security-associations index 913 detail
show security ipsec security-associations index 849 detail
show security ipsec security-associations index 959 detail
show security ipsec security-associations index 919 detail
show security ipsec security-associations index 925 detail
show security ipsec security-associations index 479 detail
show security ipsec security-associations index 847 detail
show security ipsec security-associations index 967 detail
show security ipsec security-associations index 981 detail
show security ipsec security-associations index 915 detail
show security ipsec security-associations index 857 detail
show security ipsec security-associations index 923 detail
show security ipsec security-associations index 965 detail
show security ipsec security-associations index 853 detail
show security ipsec security-associations index 973 detail
show security ipsec security-associations index 917 detail
show security ipsec security-associations index 987 detail
show security ipsec security-associations index 941 detail
show security ipsec security-associations index 1011 detail
show security ipsec security-associations index 1009 detail
show security ipsec security-associations index 991 detail
show security ipsec security-associations index 975 detail
show security ipsec security-associations index 855 detail
show security ipsec security-associations index 1005 detail

Awesome!

Basically, the command process is –

  • cat << EOF – Concatenate data into the cat buffer until you see ‘EOF’
  • sed ‘/>/d’ – Use Sed to remove any lines which start with a > character
  • awk ‘{print $1}’ – Use awk to print out the first column of the output (our IPSec SA ID)
  • sed ‘s/</security ipsec security-associations index /’ – Use sed to replace the < character with ‘show security ipsec security-associations index ‘
  • sed ‘s/$/ detail/’ – Use sed to add ‘ detail’ onto the end of each line.

Show IPsec Phase 2 Tunnels Based on VPN Name

Using the example above, here’s a similar process for getting the same output, but based on IPSec VPN name. Run ‘show configuration security ipsec | display set | match <value>’ to get the IPSec Phase 2 tunnel information. For example –

set security ipsec vpn SB-MG-ANTIVIR-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-ANTIVIR-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-ANTIVIR-234 establish-tunnels immediately
set security ipsec vpn SB-MG-ANTIVIR-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-ANTIVIR-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-ANTIVIR-237 establish-tunnels immediately
set security ipsec vpn SB-MG-P2PE-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-P2PE-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-P2PE-234 establish-tunnels immediately
set security ipsec vpn SB-MG-P2PE-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-P2PE-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-P2PE-237 establish-tunnels immediately
set security ipsec vpn SB-MG-APPL2-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-APPL2-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-APPL2-234 establish-tunnels immediately
set security ipsec vpn SB-MG-APPL2-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-APPL2-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-APPL2-237 establish-tunnels immediately
set security ipsec vpn SB-MG-WSUS-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-WSUS-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-WSUS-234 establish-tunnels immediately
set security ipsec vpn SB-MG-WSUS-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-WSUS-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-WSUS-237 establish-tunnels immediately
set security ipsec vpn SB-MG-TERMSERV-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-TERMSERV-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-TERMSERV-234 establish-tunnels immediately
set security ipsec vpn SB-MG-TERMSERV-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-TERMSERV-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-TERMSERV-237 establish-tunnels immediately
set security ipsec vpn SB-MG-DNS-234 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-DNS-234 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-DNS-234 establish-tunnels immediately
set security ipsec vpn SB-MG-DNS-237 ike gateway SB-MG-VPN
set security ipsec vpn SB-MG-DNS-237 ike ipsec-policy SB-MG-POLICY
set security ipsec vpn SB-MG-DNS-237 establish-tunnels immediately

Here’s the command to filter that into a show command for the index value –

cat << EOF | grep "ipsec-policy" | sed 's/set/show/' | sed 's/vpn/security-associations vpn-name/' | awk '{print $1,$2,$3,$4,$5,$6}' | sed 's/$/ detail/'

The logic of the above command is based on the fact that every IPSec VPN tunnel will ALWAYS have an ‘ipsec-policy’ defined.

The output becomes –

show security ipsec security-associations vpn-name SB-MG-ANTIVIR-234 detail
show security ipsec security-associations vpn-name SB-MG-ANTIVIR-237 detail
show security ipsec security-associations vpn-name SB-MG-P2PE-234 detail
show security ipsec security-associations vpn-name SB-MG-P2PE-237 detail
show security ipsec security-associations vpn-name SB-MG-APPL2-234 detail
show security ipsec security-associations vpn-name SB-MG-APPL2-237 detail
show security ipsec security-associations vpn-name SB-MG-WSUS-234 detail
show security ipsec security-associations vpn-name SB-MG-WSUS-237 detail
show security ipsec security-associations vpn-name SB-MG-TERMSERV-234 detail
show security ipsec security-associations vpn-name SB-MG-TERMSERV-237 detail
show security ipsec security-associations vpn-name SB-MG-DNS-234 detail
show security ipsec security-associations vpn-name SB-MG-DNS-237 detail

Neat. I can’t tell you how many times those commands have saved me hours of tedious typing in a terminal!

Clearing IPSec Tunnels

Finally, here’s a last one which refreshes IPSec Phase 2 tunnels. Be careful with this, as it’s possible to do damage and interrupt tunnel traffic. Use the ‘show security ipsec security-associations | match <peer_ip>’ output to filter against the remote peer concerned.

cat << EOF | sed '/>/d' | awk '{print $1}' | sed 's/</clear security ipsec security-associations index /'

Enjoy a nice cuppa with the time saved :)

Juniper SRX VPN Monitor

Juniper SRX VPN Monitor

Juniper SRX has a great subset of SNMP Mibs for monitoring the device remotely. One of these is JUNIPER-IPSEC-FLOW-MON-MIB, which provides feedback on IKE Phase 1 and IPSec Phase 2 configured tunnels on the SRX. This saves having to login to the SRX to check the state of tunnels, and presents a nice Juniper SRX VPN monitor.

The end-result is below.

Juniper SRX IKE/IPSec Remote Monitor
IKE Phase 1 Tunnel State

There’s a script (updatedpeers.php) which pulls the currently working Phase 1 IKE associations from the SRX every 5 minutes using a cron script.

I call this file in cron like so –

*/5 * * * * (/usr/bin/php /var/www/juniperike/updatepeers.php)

This will update the MySQL database tables with the parsed output of OID (jnxIkeTunMonState, 1.3.6.1.4.1.2636.3.52.1.1.2.1.6). I did try using the jnxIpSecSaMonState OID, but unfortunately, this proved very unreliable for some reason, so instead I used the IKE (Phase 1) state which is both reliable, and should be there for a healthy security association anyway.

The data from the MySQL tables is pulled using another PHP file (status.php), and displayed on the page, which refreshes every 60 seconds.

If you need to add more remote peers for monitoring, this is possible via an additional PHP file (add_tunnel.php)

Juniper SRX IKE/IPSec Remote Monitor
Add new IPsec Tunnel

The PHP file, blank MySQL Tables and a short README file are available for download below –

juniperike – SHA256 sum – 26d9a294611b76eda7958982d17cbfe2ca14e0696fa2abfe108e460f6671d9ab

We use a similar page I wrote at the company I work for which monitors the tunnels on multiple customer SRX firewalls.

Enjoy!

CDS Group Email Spam/Malicious Attachments

CDS Group Email/Malicious Attachments

Over recent days, my mail relay has been receiving repeated email spam/malicious attachments to various accounts where the ‘from’ address claims to be ‘accounts@cdsgroup.co.uk’. CDS Group is a Courier Business operating in the UK. The emails contain zip files, and in-turn, the zip file contains a malicious xls.scr file which can cause nastiness on your PC. More information on CDS Group Email can be seen on the excellent Dynamoo Blog.

Here, from my mail logs is one such attempt.

Banned name: .exe,invoice_cdsgroup_799543.xls/invoice_cdsgroup_799543.xls.scr
Content type: Banned
Internal reference code for the message is 22915-03/KkviimjUhz4l
First upstream SMTP client IP address: [202.43.74.182]
According to a 'Received:' trace, the message apparently originated at:
 [202.43.74.182], [202.43.74.182] unknown [202.43.74.182]
Return-Path: <accounts@cdsgroup.co.uk>
From: "Kris Haley CDS Group" <accounts@cdsgroup.co.uk>
Message-ID: <20140807180922.A9A8119A8F8E354F@cdsgroup.co.uk>
Subject: CDS Invoice: 412-96221
The message has been quarantined as: banned@unimatrixzero.co.uk

CDS Group as far as I can tell don’t operate in Indonesia which is where the originating IP is from –

inetnum:        202.43.72.0 - 202.43.75.255
netname:        INTERLINK-TECH-ID
descr:          PT. INTERLINK TECHNOLOGY
descr:          Internet Service Provider
descr:          Cyber Data Centre 5th Floor
descr:          Cyber Building.
descr:          Jl. Kuningan Barat no. 8
descr:          Jakarta Selatan, 12710
country:        ID

So, CDS Group are completely innocent in this case, and I feel sorry for them. It’s a trivial matter to fake the ‘from’ address on an email, anyone can do it. Fortunately, they’ve now deleted the ‘accounts’ email alias on their domain, so anything claiming to be from that address is invalid.

It’s also a trivial matter to block emails claiming to be from ‘accounts@cdsgroup.co.uk’. I use Postfix as my mail relay software, and have added the following line to a ‘sender_access’ DB file which blocks email matching certain conditions.

accounts@cdsgroup.co.uk     REJECT May your shit come to life and kiss you

As the SMTP 550 response says ‘May your shit come to life and kiss you’ (quoting the awesomeness of Frank Zappa).

WordPress XMLRPC Attacks

WordPress XMLRPC Attacks

Fun going down today on the web. My webserver is being hit by multiple IP attempts to POST data to xmlrpc.php which comes as part of the WordPress installation and is used for PingBack Vulnerability exploits to DDoS other WordPress sites. Thousands of individual IP addresses are attempting to ‘POST /xmlrpc.php HTTP/1.1’.

It’s been happening since around 0400 this morning (GMT).

A quick shell script to gather data from the access log shows 3741 unique IP addresses (and counting) attempting to send the following command to the webserver.

POST /xmlrpc.php HTTP/1.1

The shell script is as follows –

#!/bin/sh
cd /var/log/apache2/
cat access.log | grep "POST /xmlrpc.php HTTP/1.1" | ipsort -au | wc -l
cat access.log | grep "POST /xmlrpc.php HTTP/1.1" | ipsort -au > xmlrpc_attackers.txt
exit 0

I’m doing a count of the access log file after searching for the relevant line on line 3 of the script, and the same command (except exporting the output to a text file) on line 4 of the script. The line 4 command is for some forensic investigations later although it’s possible/likely a lot of the IP addresses attempting to connect are members (un-whitingly) of a Botnet. The ipsort command from JimSun’s website helps to filter and show unique IP addresses.

Nothing has managed to get in so far, fortunately.

The POST request contains the following data –

POST /xmlrpc.php HTTP/1.1
Connection: Close
Content-Length: 215
Host: andymillett.co.uk
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>test</value></param>
<param><value>427900</value></param>
</params>
</methodCall>

The <value></value> changes with every connecting IP, but everything else remains the same.

NTOPNG Network Flow Monitoring

NTOPNG Network Flow Monitoring

I’ve used open-source network flow monitoring software for a long time now. Sflow/Netflow/JFlow applications are a nice way of getting visibility of network throughput at ingress/egress points of your network, as are SPAN/TAP devices which simply listen on a mirror port. NTOP has been around for some years, is a great application for doing this and has recently under gone a lot of development to bring us NTOPNG. It also offers a low-cost alternative to full Layer 7 inspection devices although it doesn’t necessarily have the full detection depth of such commercial products (appliances such as Allot’s NetEnforcer, or Blue Coat’s Packetshaper).

NTOPNG is available as a source package which you can build yourself as well as pre-built binaries (some Linux OSes come with it packaged) all the way up to commercial appliances capable of monitoring flows at very high speeds. For my purposes, I used the source package, with the intention of building a Virtual Machine capable of monitoring the network and have a mirror port on my switch.

My VM settings are pretty basic – 1GB memory, 20GB disk space, and two vNIC’s. I used Debian as my OS of choice for the VM. A basic install was needed to begin with, with a few extra packages needed later to support the installation of NTOPNG (more on that below).

NTOP-VM-1

Network adapter 1 is for management, adapter 2 is for packet capturing from the switch mirror port. The mirror port uses a spare physical NIC on the ESX host which is configured in promiscuous mode (e.g it hears everything).

NTOP-vSWITCH


I won’t go into the basic install of Debian here, however, to build ntopng, you will need the following additional packages from the Debian APT sources repository –

apt-get install rrdtool libxml2 wget curl tcpdump libpcap-dev linux-headers-3.2.0-4-amd64 subversion libxml2-dev libglib2.0-0 libglib2.0-dev redis-server

When the above packages have been installed, you can that move forward with the NTOPNG installation.

First, download the two packages from the NTOP website. The files are (at time of writing) –

ntopng-1.1_6932.tgz – NTOPNG main source package

ntopng-data-1.1_6932.tgz – NTOPNG GEOIP data.

Place the files somewhere accessible on your VM (I use the /root directory). You’ll need to untar the ‘ntopng-1.1_6932.tgz’ file in the normal manner (e.g ‘tar xzvf ntopng-1.1_6932.tgz’). Once extracted, cd into the newly created ntopng directory

cd ntopng-1.1_6932

Now start building the package by entering the following command

./configure

If all is well and you have the necessary supporting packages installed (as mentioned above), the output after this command has executed should read –

You are now ready to compile typing make

Enter ‘make’ to start building ntopng. The VM will start to build ntopng and may take a few minutes depending on the speed of the CPU and how busy the ESX host is. When it is finished, you will simply be returned to a command prompt if the build was successful.

Next, enter the following command to install ntopng onto your Linux host.

make install

Once done, you can fire up ntopng. There are a number of parameters which can be specified with the ntopng command.

Usage:
 ntopng <configuration file>
 or
 ntopng [-m <local nets>] [-d <data dir>] [-e] [-g <core>] [-n mode] [-i <iface|pcap file>]
 [-w <http port>] [-p <protos>] [-P] [-d <path>]
 [-c <categorization key>] [-r <redis>]
 [-l] [-U <sys user>] [-s] [-v] [-C]
 [-B <filter>] [-A <mode>]

My command line is specified as follows –

/usr/local/bin/ntopng -i eth1 -m "172.16.17.0/28, 172.16.129.0/24, 172.16.100.0/24, 192.168.17.0/24, 10.23.1.0/24, 10.22.1.0/24. 10.21.1.0/24, 10.20.1.0/24, 172.16.96.0/24" -n 0 -e -l

The above command actually runs from the /etc/rc.local file which is invoked at system startup. This means you don’t need to build a startup script for use in /etc/init.d/ with Debian, as rc.local is already called.

I found the login timeout for the web console annoyingly short, so disable logons (with the ‘-l’ switch) as ntopng is on a protected network segment.

With all that done, here are some screen captures from ntopng. First off, live traffic.

Top Talkers

NTOPNG-TOP-TALKERS

Top Hosts

NTOPNG-TOP-HOSTS

Active Flows

NTOPNG-ACTIVE-FLOWSFlow Detail

NTOPNG-FLOW-DETAIL

Next, we can view historical data from ntopng (this is based on information since the process started up).

Interface History

NTOPNG-INT-HISTORY

Protocol History

NTOPNG-PROTOCOL-HISTORY

SPAN/TAP configuration

For the switch mirror end of the setup, I configured my Juniper EX2200C to mirror the ingress/egress port (ge-0/0/9) to the physical NIC which vSwitch1 is attached too (ge-0/0/10). This then maps the mirror port to the PCAP vNIC which is assigned to the Debian VM.

set ethernet-switching-options analyzer SESSION1 input ingress interface ge-0/0/9.0
set ethernet-switching-options analyzer SESSION1 input egress interface ge-0/0/9.0
set ethernet-switching-options analyzer SESSION1 output interface ge-0/0/10.0
set ethernet-switching-options storm-control interface all

Conclusion

So there you have it. NTOPNG setup and nicely monitoring my network. There are lots of other features to play with, including integration with block.si for URL Category monitoring which I may play with in the future.

Juniper EX Switch GRE Tunnels

Juniper EX Switch GRE Tunnels

I recently had a need to establish a GRE tunnel between two sites. The reason being, we were deploying a Meru Wifi proof-of-concept where AP’s were on one site, and the controller on a remote site. Normally, the connectivity between AP’s the controller would go over the existing routed network (layer 3 mode in Meru-speak), but in this case, it wasn’t possible to get the new subnet assigned to the controller updated with the ISP providing the private links. As the customer was using Juniper EX switches and had a Juniper SRX firewall at the remote (controller) site, GRE allowed us to build the network without the need to involve the ISP.

The following topology was used –

EX_GRE_TOPOLOGY

GRE was added to the EX switch feature set in JunOS 12.1 (link here). In-order to use it, you need to allocate a physical port to be dedicated for tunnel services. For my example, I’ve used port ge-0/0/14 on the switch

set chassis fpc 0 pic 0 tunnel-port 14 tunnel-services

The JunOS 12.1 documentation above defines we allocate a port via it’s fpc and pic allocation. In my case, the switch was a single switch so the fpc was ‘0’. In a Virtual-Chassis environment, the fpc number would change. For example, if you wanted to use port 47 on switch 4, the command would be ‘set chassis fpc 4 pic 0 tunnel-port 47 tunnel-services’.

With the port allocated, we can then build the GRE configuration.

set interfaces gr-0/0/14 unit 0 tunnel source 10.11.3.101
set interfaces gr-0/0/14 unit 0 tunnel destination 10.44.128.1
set interfaces gr-0/0/14 unit 0 family inet address 10.11.12.1/24

On the SRX-side, the configuration is as follows.

set interfaces gr-0/0/0 unit 1 tunnel source 10.44.128.1
set interfaces gr-0/0/0 unit 1 tunnel destination 10.11.3.101
set interfaces gr-0/0/0 unit 1 family inet address 10.11.12.2/24

Each GRE interface has a tunnel source and destination set (this is the routed interface of the device at each end) and an inet address assigned to the interface which is used to establish the tunnel (10.11.12.1 and 10.11.12.2 in my case). I’ve used unit ‘1’ on my SRX, as I already have some GRE tunnels built to other destinations. A GRE interface uses the same unit assignment as a switch or inet port in JunOS, they can be used for different connection purposes.

GRE tunnels show ‘UP’ immediately, even if the configuration isn’t set correctly, so don’t assume as it’s UP, it’s going to work. Look closely at the Input/Output packet count to validate traffic flow.

Here’s the output of ‘show interfaces gr-0/0/14.0’ on the EX.

GRE-EX-INT

Now the output of ‘show interfaces gr-0/0/0.1’ on the SRX.

GRE-SRX-INT

Back on the EX switch, we set routing-options to send any 10.0.0.0/24 traffic through the GRE tunnel.

set routing-options static route 10.0.0.0/24 next-hop gr-0/0/14.0

On the SRX, we set the routing-options to send any 10.50.50.0/24 traffic in the same manner.

set routing-options static route 10.50.50.0/24 next-hop gr-0/0/0.1

As the SRX is a firewall, we need to perform some additional steps to allow traffic. This means creating a ‘zone’ to assign the GRE tunnel interface too, disabling any Network Address Translation rules, and some security policies to permit the traffic. Here’s what I’ve configured.

set security policies from-zone gretunnel to-zone trust policy allowall match source-address any
set security policies from-zone gretunnel to-zone trust policy allowall match destination-address any
set security policies from-zone gretunnel to-zone trust policy allowall match application any
set security policies from-zone gretunnel to-zone trust policy allowall then permit
set security policies from-zone trust to-zone gretunnel policy allowall match source-address any
set security policies from-zone trust to-zone gretunnel policy allowall match destination-address any
set security policies from-zone trust to-zone gretunnel policy allowall match application any
set security policies from-zone trust to-zone gretunnel policy allowall then permit
set security zones security-zone gretunnel host-inbound-traffic system-services ping
set security zones security-zone gretunnel host-inbound-traffic system-services traceroute
set security zones security-zone gretunnel interfaces gr-0/0/0.1
set security nat source rule-set trust-to-gre from zone trust
set security nat source rule-set trust-to-gre to zone gretunnel
set security nat source rule-set trust-to-gre rule source-nat-off match source-address 0.0.0.0/0
set security nat source rule-set trust-to-gre rule source-nat-off then source-nat off

Now we should be able to initiate a traceroute from the EX switch to our Meru Controller (10.0.0.3).

GRE-EX-TR

Looks good. We enter the GRE tunnel interface (10.11.12.2) and exit directly to the Meru Controller.

Protecting Your Computer Online For Free

Protecting Your Computer Online For Free

Protecting your computer online is a minefield of choices for a user to contemplate; should you trust the software you install not to be riddled with backdoors, the websites you visit to make sure their code isn’t riddled with malicious scripts or linked to malicious third-party sites, the ISP who provides your connection to stop the bad guys before they get to your home connection, or a combination of all to make sure you don’t get hacked/compromised/infected, become hijacked and join a botnet or lose your private information?

For my day job, I often see company networks relatively well protected with Next Generation Firewalls which inspect protect corporate networks from attack using advanced IDS/IDP/Content Filtering/Application Inspection features, but these devices cost a lot of money. So how to add some much needed protection to your computer, for free?

If you checkout my other posts here, you’ll notice I’m a bit of a Blue Coat fan. I’ve worked with their products for 10 years and have always been mightily impressed with their capability of protecting corporate users from websites which want to install malicious code or steal information. As with the Next Generation Firewalls, those Blue Coat products cost money, however there’s one product Blue Coat provides which is designed with home users in-mind and is free; K9 Web Protection.

K9 is specifically designed to allow Parental Control of children’s internet browsing, restricting which website categories your child can visit, how much time they can spend online and whether Search Engine Safe Search is enabled. Whilst this is great, K9 can also provide highly effective protection for everyone’s computer whether you have children or not.

K9 uses Blue Coat’s ‘Web Pulse‘ collaborative online rating system. Web Pulse is a global network maintained by Blue Coat which provides an almost instant rating of categorised and uncategorised web pages using many different methods such as page content, links on the page to other websites, DNS information, hosting history (e.g is the server hosting the website also hosting content from a known malicious source) and historical reputation. It rates 1 Billion+ requests per-day from 75+ million users worldwide. The ‘collaborative’ part of this system is that all of the Blue Coat corporate devices (the ProxySG, ProxyAV and PacketShaper), and existing K9 users feed uncategorised URLs to Web Pulse for it to rate. The effect of this is that any URL one user sends to Web Pulse for categorisation, other users of Web Pulse get the benefit of that categorisation. Thats very cool, no?!

I won’t go into getting the software install, there are some very good instructions on the K9 website on how it’s done, instead I’ll show you what you need to do to protect yourself from the bad guys online.

First, login to the K9 Web Protection (usually in Program Files / Blue Coat for Windows or Applications / K9 Web Protection if you use a Mac), and navigate to the ‘Setup’ section.

K9-DASHBOARD

By default, when you install and activate K9, it blocks a number of categories out of the box.

K9-DEFAULT-CATS

You may want to keep those as is, however if you want a less restrictive, but still protected level of categories, choose ‘Custom’ then check the following.

K9-CUSTOM-CATS

Make sure you click ‘Save’ at the bottom of the page to finish the changes.

Finally, under ‘Other Settings’ (on the left), ensure that ‘Enable HTTPS Filtering’ is checked (this is the default).

K9-OTHER-SETTINGS

Why enable HTTPS filtering? See below at the end of the document for more information.

A Real Life Use Case

As an example of how K9 can protect users online, lets take my wife’s internet browsing habits. She’s what I’d class as a ‘regular’ internet user, browsing shopping sites, checking her email, and watching TV online. My wife is a Filipino, so likes to keep up-to-date with programs from the Philippines. There are a few places online which allow this, but she primarily uses just one. That site is packed with advertisements, popups, and links to other external sites as I guess they have to pay for it some how, however, here’s a snapshot of the K9 Web Protection report from her Macbook.

K9-REPORT

So, as a ‘regular’ internet user, with no intention of visiting a site which is malicious, she’s visited something which is clearly classified as Suspicious or Spyware/Malware Source according to K9!

Why HTTPS?

I mentioned above that you should ensure ‘Enable HTTPS Filtering’ is enabled in K9; the reason why is that malicious content is more and more often distributed over HTTPS. I recently came across some clients which were attempting to do just this when inspecting a Blue Coat ProxySG appliance. The following domains were those which clients were attempting to connect too –

baoh7q0me83hg.www5.jub.cc
mojp2e.oul.su
h53afv15zv6diw6xx.jub.cc
8enqzskkkn4kn061ee.oul.su
uyx0v0en.ioh.cc
3kvte9y6i.vng.su
7hlaxwh4.vng.su
6e7ezku4z7142l.oul.su
m6hot8f.www5.ioh.cc
ek9hsz4kpw.sge.su
9usu4uw3hf9nynrr.jub.cc

Those domain name look suspicious straight off, no? Here’s a screen capture of those connection attempts. In this case, the client computer is attempting to make a HTTPS  ‘CONNECT’ to the sites listed above. ‘CONNECT’ is the method used by HTTPS communication to setup the session between your client and the server on the internet.

K9-SSL-CONNECT-PROTECTION

In this case, as the customer was protected by a ProxySG appliance, the requests were blocked, however it is a good demonstration of why HTTPS, as well as HTTP should be inspected if you use K9.

So there it is, protect your computer (or Mac) online, for free. Install it now, before its to late!

 

DHCP IP Addresses with Blue Coat ThreatPulse/Juniper SRX

DHCP IP Addresses with Blue Coat ThreatPulse/Juniper SRX

A problem landed on my desk the other day from a customer in relation to using the excellent Blue Coat ThreatPulse cloud SaaS product when the Juniper SRX sits behind a DHCP assigned public IP Address. Worse, due to the location of some sites and the ISP offering available, the SRX was itself behind a home broadband NAT router doing IPSec pass-through in order to establish a connection back to the corporate network.

ThreatPulse is Blue Coat’s SaaS which has been around for a couple of years and leverages the use of their existing Web Pulse(TM) dynamic rating system to categorise unknown URL’s on-the-fly or return previous categorisation. With Data POD’s located strategically around the world, it’s possible to control web access for HQ, home or roaming workers in a single place using one of several methods –

  • Explicit Proxy – Configuring client browsers to use ThreatPulse directly
  • IPSec Forwarding – Configuring an edge firewall to transparently intercept requests and send them to ThreatPulse using a LAN-to-LAN tunnel
  • Proxy Forwarding – Utilising an on-site proxy to forward requests to ThreatPulse.
  • Client Connector – A software package which sits on a client machine (Laptop/Mac) which transparently intercepts requests and sends them to ThreatPulse
  • Mobility Connector  – An iOS client which creates a VPN tunnel to ThreatPulse to control what apps and browsers can do on iDevices.

This particular problem, and the solution I came up with relates to the first three connection methods, Explicit Proxy, IPSec Forwarding and Proxy-Forwarding. Each of these methods requires that you setup a ‘Location’ within the ThreatPulse dashboard.

TP-LOCATIONS
ThreatPulse Locations

Selecting the IPSec (Firewall/VPN) location brings up its configuration section.

IPSEC-FWD
ThreatPulse Location Edit

As you can see, there’s no place to update this dynamically, and ThreatPulse doesn’t support Aggressive mode VPN which can sometimes help to mitigate such problems. In this case, however, we have to do something at the SRX end.

There’s some useful information on Blue Coat’s Knowledge Base for making changes to ThreatPulse using the built-in API. The API is designed for situations like this where administrators need an automated way of updating ThreatPulse, but without having to login to the administration dashboard. Unfortunately, the documentation doesn’t specifically cover Juniper SRX (or SSG for that matter), it covers Cisco IOS and using ‘ip ddns’ commands to update the ThreatPulse service settings. All that said, the API can be used in-conjunction with the SRX and what follows is how I did it.

In some of my previous posts I’ve used the underlying BSD cli to update things like Firewall Filters. Using this method again, we can update ThreatPulse Location settings without having to login.

When in the shell of JunOS, there are several useful commands available – CP, CuRL, Diff, and Cat. These are used in the following script –

#!/bin/sh
cp ipnow.txt ipprev.txt
curl http://andymillett.co.uk/rip.php > ipnow.txt
IPN=`cat ipnow.txt`
if diff ipnow.txt ipprev.txt >/dev/null ; then
else 
 curl "http://<user>:<password>@portal.threatpulse.com:8080/api/locations?name=<location>&type=<type>&ip=<NEWIPADDRESS>&key=<PRE-SHARED-KEY>"
fi

Basically, the script copies the last IP Address check results from ‘ipnow.txt’ to ‘ipprev.txt’, uses CuRL to get the Public IP Address at the time the script is run, and copies the output to a new ‘ipnow.txt’ file after which it performs a ‘diff’ against the two files within an ‘if’ statement. If the ‘if’ statement evaluates that the two files are the same, it does nothing, however if it evaluates that there is a difference, it performs a ‘cat’ against the new ‘ipnow.txt’ file and uses it as part of the new CuRL string sent to ThreatPulse API which updates the location.

The other end of this is a simple PHP page which returns the IP Address in text form.

<?php
function getIP() {
$ip;
if(getenv("REMOTE_ADDR"))
$ip = getenv("REMOTE_ADDR");
else
$ip = "UNKNOWN";
return $ip;
}
$client_ip=getIP();
echo $client_ip;
?>

All it needs is to be on a public Web Server somewhere the SRX can get too.

With both ends in place (the script on the SRX, and the PHP script on the Web Server), you can run the script manually if you like by running – ‘sh <script_name>’.

To test that the script would work properly, I setup two additional scripts on the SRX in our Lab. Both simply do a ‘load replace’ from a pre-defined file (script 1/2 data below) –

Script 1

{
echo "configure"
echo "load replace if15.txt"
echo "commit check"
echo "commit"
echo "exit"
} | /usr/sbin/cli

Script 1 data

interfaces {
replace:
fe-0/0/7 {
 unit 0 {
 family inet {
 address 94.17.248.15/27;
 }
 }
}

Script 2

{
echo "configure"
echo "load replace if16.txt"
echo "commit check"
echo "commit"
echo "exit"
} | /usr/sbin/cli

Script 2 data

interfaces {
replace:
fe-0/0/7 {
 unit 0 {
 family inet {
 address 94.17.248.16/27;
 }
 }
}

Following this, three cron entries were required to kick things off

*/5 * * * * (cd /cf/var/home/cronadmin; sh checkip.sh)
5 1,3,5,7,9,11,13,15,17,19,21,23 * * * (cd /cf/var/home/cronadmin; sh uif15.sh)
5 2,4,6,8,10,12,14,16,18,20,22 * * * (cd /cf/var/home/cronadmin; sh uif16.sh)

Line 1 executes my script to check the external IP address.

Line 2 executes the change IP ‘load replace’ script at odd hours.

Line 3 executes the change IP ‘load replace’ script at even hours.

Having left this running for a week, the results are pretty good (below is from my ThreatPulse account under the Services / Account Maintenance section which gives a full audit of what has been happening under the account) –

TP-ACC-AUDITING

Sweet! Simple Unix commands and a cron script save the day!

Unfortunately, I don’t have a DSL connection which I can put an SRX onto behind a NAT router, however this script will work irrespective of this (e.g it will pickup the public IP of the NAT router).

The above script is for IPSec Forwarding (Firewall/VPN in ThreatPulse speak), however the script above will work in just the same way if you choose to use the Proxy-Forwarding or Explicit Proxy method. For example –

Proxy-Forwarding

https://<username>:<password>@portal.threatpulse.com/api/location?name=<location_name>&ip=<IP_address>&type=proxy-forwarding

Explicit Proxy

https://<username>:<password>@portal.threatpulse.com/api/location?name=<location_name>&ip=<IP_address>&type=explicit-proxy

Now, you might perhaps notice that the above examples use HTTPS, whereas my script uses HTTP over port 8080. Weeeeeeell, unfortunately, when Juniper compiled JunOS and it’s associated libraries, the didn’t include HTTPS in ‘libcurl’ which leads to the following error if you attempt to use HTTPS –

curl: (1) Protocol https not supported or disabled in libcurl

This, despite the fact that the options are available under ‘–help’. For example –

-1/--tlsv1 Use TLSv1 (SSL)
-2/--sslv2 Use SSLv2 (SSL)
-3/--sslv3 Use SSLv3 (SSL)

That strikes me as a bit shoddy, but we have to work with what we get. Perhaps Juniper will fix it in later releases.

So there it is, if you have purchased Blue Coats excellent ThreatPulse SaaS (and, oh boy should you) and you have an SRX which is sat on a DHCP assigned IP address somewhere on your network, the above will help you keep ThreatPulse updated with any changes in the IP.