Wednesday, January 11, 2017

python http server

I was in a datacenter a few days ago and had a host of issues with access to my SSH server to upgrade a Cisco appliance.

How I got around this issue was by setting up a simple HTTP server using Python and hosting the file that I wanted to download on that server.


Here's a quick HTTP server for when you are being blocked or filtered by a local firewall rule for scp/ssh/ftp but have HTTP open.

You need sudo (root) to bind to port 80 or any other port under 1024. An unprivileged port such as 8080 needs no root, so prefer that unless the appliance insists on port 80.

The directory you start the server in is your "webRootDirectory": make sure the file(s) you want to host are in that path, and nothing else, because the Python server will happily list and serve everything beneath it. Bind to the address the appliance reaches you on rather than all interfaces, verify the image's checksum on the appliance after the transfer (nothing on the wire authenticates a plain-HTTP copy), and kill the server as soon as the file has been pulled.
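As an added example (not the post's own code), here is a shell wrapper around the standard-library server that applies those precautions: one bind address, one dedicated web root, and a SHA-256 check that you can repeat on the appliance side. It assumes python3 3.7 or newer (for the `--bind` and `--directory` flags of `http.server`) and one of sha256sum, shasum or openssl; the address and file names in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own code): a one-off HTTP drop for a firmware image
# using Python's standard-library server, with the web root, bind address and
# checksum handled explicitly. Assumes python3 >= 3.7 (for --bind/--directory) and
# one of sha256sum, shasum or openssl. Addresses and file names are placeholders.

# Print the SHA-256 of $1 with whatever digest tool this box has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Return 0 if $1 hashes to the expected digest $2, 1 otherwise. Run the same check on
# the appliance side (its own verify command) before installing the image.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Serve ONLY directory $2, bound to ONE address $1, on port $3 (default 8080), in the
# background. Prints the server's PID so it can be killed the moment the transfer is done.
# Ports below 1024 need root, e.g.  sudo python3 -m http.server --bind 10.0.0.5 --directory /tmp/drop 80
serve_dir() {
    bind_addr=$1; web_root=$2; port=${3:-8080}
    python3 -m http.server --bind "$bind_addr" --directory "$web_root" "$port" \
        >"/tmp/http-drop.$$.log" 2>&1 &
    echo $!
}

# Usage (placeholders: 10.0.0.5 is the address the appliance can reach, image.bin the file):
#   mkdir -p /tmp/drop && cp image.bin /tmp/drop/   # web root holds the image and nothing else
#   sha256_of /tmp/drop/image.bin                   # note the digest for the appliance-side check
#   pid=$(serve_dir 10.0.0.5 /tmp/drop 8080)
#   ...appliance pulls http://10.0.0.5:8080/image.bin and verifies the digest...
#   kill "$pid"                                     # stop serving as soon as the copy is done
```

The request log in /tmp/http-drop.<pid>.log tells you which address actually pulled the file, which is worth a glance before you kill the server.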







Ken Felix

 

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

HOWTO: bulk interface gathering details FortiOS

In this post, I will show you how to gather interface details in bulk.

For example, on a firewall model with numerous interfaces it is slow and time-consuming to execute the diag commands per interface.

Take this FGT3240: we will build a script that runs through all 28 ports and emits the diag commands of interest.

Then I will show how you can gather the status using a Unix ssh client.

1: here's the script.

(this unit runs multi-vdom; drop the config global / end lines if you are single-vdom)


#!/usr/bin/env bash
# Emit the FortiOS CLI for every port; the output is meant to be piped into ssh (step 2).
for ((a=1; a<=28; a++)); do
    echo "config global"   # multi-vdom only: drop this line and the matching "end" on a single-vdom unit
    echo "diagnose hardware deviceinfo nic port$a | grep _drop"
    echo "diagnose hardware deviceinfo nic port$a | grep _dp_"
    echo "diagnose hardware deviceinfo nic port$a | grep err"
    echo "diagnose hardware deviceinfo nic port$a | grep over"
    echo "end"
done


2: Now the fun part. To execute this you could do the following (ssh reads the generated commands on stdin and the FortiOS CLI runs them in order):

./<scriptname.sh> | ssh <username>@firewall.address > myoutput.$(date +%Z%T_%F)


3: Here's a netlink script for statistics collection plus clearing:

SOCKET01>cat looper1.sh
#!/usr/bin/env bash
# List, then clear, the netlink counters of every port in vdom "root".
for ((a=1; a<=28; a++)); do
    echo "config vdom"
    echo "edit root"
    echo "diag netlink interface list port$a"
    echo "diag netlink interface clear port$a"
    echo "end"
done


YMMV, but you can get very creative and use this in custom Expect scripts, or in Nagios or syslog-ng, for alert triggers when a condition exists.


e.g 



and syslog-ng with source and destination filters






sendmestatus.sh would be a simple bash script that runs looper1.sh and pipes the output into mail (sendmail):


./looper1.sh | ssh socfwmongrp1@192.168.192.110 | mail -s "ALERT ME $(date +%F_%T)" -c kenn1.felix@socpuppets.com SOCSUPERVISION@socpuppets.com












Just ensure you have the correct syslog message for the trigger 
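Tying steps 1 to 3 together, as an added example rather than the post's own scripts: the per-port batch generated by a function, sent over a single ssh session, and the collected file checked Nagios-style (exit 0 OK, exit 2 CRITICAL) so the result can drive the mail or syslog trigger above instead of mailing every run. It assumes port names port1..portN, a multi-vdom unit (config global), a key-based ssh account, and counter lines of the form `<name> <value>`; the sample output inside the block is constructed, not captured from a FortiGate, and admin@fw01 is a placeholder.

```shell
#!/bin/sh
# Added example, not the post's own scripts: the per-port batch from steps 1-3 generated by
# a function, sent over a single ssh session, and the collected output checked the way a
# Nagios plugin would (exit 0 = OK, exit 2 = CRITICAL) so it can feed a mail or syslog
# trigger. Assumptions: ports are named port1..portN, the unit is multi-vdom (hence
# "config global"), the ssh account uses a key, and the collected lines look like
# "<counter_name> <value>". The sample output below is constructed, not captured from a FortiGate.

# Emit FortiOS CLI for ports $1..$2, one "config global ... end" block per port.
fgt_nic_batch() {
    p=$1
    while [ "$p" -le "$2" ]; do
        printf 'config global\n'
        for pat in _drop _dp_ err over; do
            printf 'diagnose hardware deviceinfo nic port%s | grep %s\n' "$p" "$pat"
        done
        printf 'end\n'
        p=$((p + 1))
    done
}

# Run the batch against one firewall ($1 = user@host) for ports $2..$3 in ONE ssh session;
# BatchMode refuses to prompt for a password so an unattended run fails fast instead of hanging.
fgt_collect() {
    fgt_nic_batch "$2" "$3" | ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" \
        > "nic-counters.$(date +%F_%H%M%S).txt"
}

# Nagios-style check of a collected file ($1): any drop/_dp_/err/over counter above zero is
# CRITICAL (return 2), otherwise OK (return 0). Prints a one-line summary either way.
check_fgt_counters() {
    hits=$(awk 'tolower($1) ~ /_drop|_dp_|err|over/ && $NF ~ /^[0-9]+$/ && $NF > 0 {
                    n++; s = s " " $1 "=" $NF
                }
                END { if (n) print s }' "$1")
    if [ -n "$hits" ]; then
        echo "CRITICAL - nonzero NIC counters:$hits"
        return 2
    fi
    echo "OK - all drop/error/overrun counters are zero"
    return 0
}

# Constructed sample of collected output: a clean port followed by one with problems.
sample_counters() {
    printf '%s\n' \
        'Rx_Packets 184233' 'Rx_Dropped 0'  'Tx_Dropped 0' 'Rx_Over_Errors 0' \
        'Rx_Packets 9910'   'Rx_Dropped 17' 'Tx_Dropped 0' 'Rx_CRC_Errors 3'
}

# Demo on the sample. Real run (admin@fw01 is a placeholder):
#   fgt_collect admin@fw01 1 28 && check_fgt_counters nic-counters.*.txt
demo=$(mktemp) && sample_counters > "$demo"
check_fgt_counters "$demo" || true   # CRITICAL (exit 2) is the expected result for this sample
rm -f "$demo"
```

Wire check_fgt_counters in as the command of a Nagios service check, or run it from cron and only call the mail pipeline when it returns 2; the summary line it prints is what you would want in the subject.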











Tuesday, January 10, 2017

how to find vlan-id fortiOS

If you have created sub-interfaces on a FortiGate for 802.1q and need to find the VLAN ID, you can use the diag sys vlan command to list the interface names.


Once you have the output, convert the "vid" from hex to decimal (e.g. a vid of 0x64 is VLAN 100).


e.g. a list of named sub-interfaces







e.g. converting the named interfaces' hex value to decimal

 





Monday, January 9, 2017

bad travel advice ( security when away )

My corporate break room has this posted on the wall as a security tip or advice.





This is very bad practice if you ever go away on a long trip. Here's why:


1: a luggage handler, or anybody else who handles the luggage, now knows where you live

2: they know you are on a vacation, business trip or other travel

3: they have your phone number. If it is a home number, a potential thief can call to confirm you are NOT at home before showing up to break in.


What you should do instead:

1: put your name and maybe your business address on the tag

2: use your cell-phone number or a temporary number (a drop box, Google Voice, a call forwarder, or the cell number of a friend or relative who can relay to you if required)




Tuesday, January 3, 2017

TIP SSL auditing F5 ltm virtual-servers

In a pinch, to find or prove whether an F5 LTM is negotiating the old SSL protocols (SSLv2/SSLv3), you can run the following command from tmsh.



If you build a list of SSL profiles, you can run these through an ssh session against each profile to find which profile is negotiating SSLv2 or v3.

e.g

echo "show ltm profile client-ssl | grep ClientSSL" | ssh <username>@<ltmaddress> | awk '{ print $3 }' > listofprofiles.txt


show ltm profile client-ssl <profilename> | grep Proto



for p in $(cat listofprofiles.txt); do echo "checking profile $p"; echo "show ltm profile client-ssl $p | grep Proto" | ssh <username>@<ltmaddress>; done




Doing the above is a quick way to find the client-ssl profiles on SSL-enabled virtual servers that are still negotiating SSLv2/SSLv3. Note that these are connection counters: a zero only means no client has negotiated that version since the statistics were last reset, not that the profile forbids it. To see what a profile allows, list its options (no-sslv2, no-sslv3) with list ltm profile client-ssl <profilename>.
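The show counters tell you whether a client has actually negotiated SSLv2/SSLv3 through a profile; they do not tell you whether the profile still allows it. As an added example (not the post's own commands), the following builds the profile audit as one ssh session instead of one session per profile, and checks the configuration side: it parses the output of list ltm profile client-ssl <name> all-properties (so values inherited via defaults-from are printed) and reports a profile as WEAK when its options line lacks no-sslv2 or no-sslv3, or NO-OPTIONS when no options line was found. The sample list output inside the block is constructed, and admin@ltm01 is a placeholder.

```shell
#!/bin/sh
# Added example, not the post's own commands: audit client-ssl profiles for SSLv2/SSLv3
# in one ssh session and on the configuration side. Assumptions: the profile list came
# from the grep/awk one-liner above, the box accepts tmsh commands on stdin, and the
# "list" output has the usual "ltm profile client-ssl NAME {" ... "options { ... }" ... "}"
# layout. The sample output below is constructed, not captured from a BIG-IP.

# Read profile names on stdin, emit one tmsh "list" per profile (all-properties so that
# values inherited via defaults-from are printed rather than omitted).
tmsh_audit_batch() {
    while read -r p; do
        if [ -n "$p" ]; then
            printf 'list ltm profile client-ssl %s all-properties\n' "$p"
        fi
    done
}

# Parse "list" output on stdin; print "<profile> <verdict>" per profile:
#   OK          options line contains both no-sslv2 and no-sslv3
#   WEAK        options line is missing at least one of them
#   NO-OPTIONS  no options line seen (listed without all-properties, or inherits: check defaults-from)
audit_sslv2v3() {
    awk '
        /^ltm profile client-ssl / { name = $4; verdict[name] = "NO-OPTIONS"; order[++n] = name }
        /^[ \t]*options[ \t]/ && name != "" {
            verdict[name] = ($0 ~ /no-sslv2/ && $0 ~ /no-sslv3/) ? "OK" : "WEAK"
        }
        /^}/ { name = "" }
        END { for (i = 1; i <= n; i++) print order[i], verdict[order[i]] }'
}

# Constructed sample of what the batch would return for three profiles.
sample_list_output() {
    cat <<'EOF'
ltm profile client-ssl legacy-app {
    cert default.crt
    defaults-from clientssl
    options { dont-insert-empty-fragments }
}
ltm profile client-ssl hardened {
    options { dont-insert-empty-fragments no-sslv2 no-sslv3 no-tlsv1 }
}
ltm profile client-ssl inherits-parent {
    defaults-from clientssl
}
EOF
}

# Demo on the constructed sample. For real use (admin@ltm01 is a placeholder):
#   tmsh_audit_batch < listofprofiles.txt | ssh -o BatchMode=yes admin@ltm01 | audit_sslv2v3
sample_list_output | audit_sslv2v3
```

A NO-OPTIONS verdict is not a pass: the profile takes its protocol settings from the parent named in defaults-from, so audit that parent (or re-run with all-properties) before signing the profile off.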





Why DV SSL certificates are frowned upon

Domain Validated (DV) SSL certificates are typically seen as less secure, with a weaker validation process.

A DV certificate only proves that whoever requested it could answer a challenge for the domain (an e-mail to a registrant or well-known address, a DNS record, or a token served over HTTP). It does nothing to establish that the requester is the legitimate organisation behind the name.

Because of this, a rogue site can be crafted and ultimately trusted by the "trusting" web end-user. These sites are also, wrongly, labeled "evil twins": a site that portrays a legitimate site and has a trusted web server certificate installed.

The best analogy I can come up with:

"As kids we are taught to trust the police officer who has the badge, uniform and gun. We most likely will not question a person holding a badge and gun, wearing a uniform, and driving a car that looks like a police car."

**Just like the city of Troy trusted a wooden horse, we should always be skeptical of what we see**


The same holds true when we access a site over HTTPS and see the "lock" icon in the browser's address bar.




So again, when you access https://www.paypal.com, are you really secure? Do you know for a fact that there is no MiTM device (a TLS-intercepting forward or reverse proxy) in your path?

Our browsers, and the human element, have been weaned on the idea that HTTP plus the S means secure, and that we are therefore actually secure. This is a big lie, misleading, etc.

Here's a clue.



 

!!!! Nothing is 100% secure when we are on the internet, HTTPS included, and we have no ready means to tell whether a MiTM appliance is actually sitting between you and the web server !!!!

The closest thing to a check is the certificate chain the browser actually received: an intercepting proxy has to present a certificate from its own CA, so an issuer that is your employer's or a proxy vendor's CA rather than a public one, or a leaf certificate that never shows up in the Certificate Transparency logs, is the tell. Most users never open that dialog.



 







Add on the DV certificate process, and the fact that it is not as stringent at issuance, and you have a situation that is just bad advertising from a security standpoint.



The folks at the Anti-Phishing Working Group and SSL Pulse have been tracking rogue sites for a while: https://apwg.org/ and https://www.trustworthyinternet.org/ssl-pulse/ . The data collected should be studied by everyone in the IT security arena, imho.


Enjoy and be safe ;)


 
 

Sunday, December 25, 2016

HOWTO: delete the fortigate admin account

A FortiGate out of the box has a user account named "admin". It is a pre-defined account that cannot be deleted directly, but you can eliminate it in a round-about way.


1st, create a new local account with the super_admin access profile (the built-in "Super_User" profile), then log in with it:


config sys admin
     edit mynewadmin
          set accprofile super_admin
          set password <strong-password>
     next
end


2nd, rename the "admin" account to a new name:

e.g

config sys admin
  rename admin to  deladmin
end

3rd, delete the renamed account. Make sure that account is not in use or logged in: do this step from a session logged in as mynewadmin, not from the session you are about to delete.


e.g

config sys admin
    delete  deladmin
end



The reserved names of "" and "" cannot be used or eliminated.




