Stuff I'm Up To

Technical Ramblings

Broken ARP — April 26, 2017

Broken ARP

Not a fun morning. We spent an hour or two trying to figure out why our GUEST network was unable to route any packets to the Internet.

For many, a GUEST network may be a trivial network, but we also use GUEST for unauthenticated devices to access our Virtual Desktop System. These are primarily re-purposed laptops/desktops that no longer need a full domain-joined Windows PC and just provide a VMware Horizon Client. So we had a large number of users unable to connect to the back office systems.

The strange thing here was that all other network traffic from the trusted networks worked as expected.

Sophos UTM HA —

Sophos UTM HA

We encountered a few problems with licensing when we looked at moving from the UTM525s to UTM430s, so we had to delay the project until yesterday. On the one hand it gave us plenty of time to plan for eventualities like Martians and to confirm through testing that the configuration restore worked.

The one thing we didn’t expect was a problem getting the two UTM430s to configure themselves for High Availability (HA).

Preventing Martians — April 4, 2017

Preventing Martians

In the process of changing firewalls and routers around we encountered the Juniper detecting what it suspected were malicious MAC address changes: MAC addresses that no longer matched the IP address they were last seen with. This is understandable, as we were giving the same IP address to new hardware.

This MAC mismatch triggers Martian alerts, which results in the IP addresses of the new devices becoming unroutable. To prevent this, clear down the IP ARP cache tables on the various devices.

Juniper (ScreenOS)

-> clear arp [192.168.0.254]

or

-> clear arp all

Extreme Switches (XOS)

# clear iparp [192.168.0.254]

or

# clear iparp vlan [TRUST]

Martian addresses are host or network addresses about which all routing information is ignored: routes for them are dropped when received by the routing device. They are commonly sent by improperly configured systems on the network and have destination addresses that are obviously invalid.

CVE – Security Vulnerability Datasource — March 18, 2017
STIG — March 17, 2017
Oracle Database Patches —
Setting the Killbit for an ActiveX Control — March 7, 2017

Setting the Killbit for an ActiveX Control

Adding a killbit for a control that Nessus says requires one.

https://support.microsoft.com/en-gb/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer

In brief, you need to find or create the key for the control’s CLSID under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

However, for one control I first had to hunt for the DLL name under HKEY_CLASSES_ROOT\CLSID.

e.g. Nessus reported:

  Class Identifier  : {D63891F1-E026-11D3-A6C3-005004055C6C}
  Filename          : C:\Program Files (x86)\xxxx\Runtime\NCSECW.DLL
  Installed version : 1.6.6.32

But when I searched for NCSECW.DLL I got a different Class ID, and that was the one I needed to add a killbit for.
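The two steps above (find the CLSIDs that register the reported DLL, then set the kill bit) as an added PowerShell example; this is not from the original post. It assumes the Compatibility Flags bit 0x400 documented in the linked KB240797 and that 32-bit controls on 64-bit Windows also need the Wow6432Node copy of the ActiveX Compatibility key; run it elevated, and with -WhatIf to preview the writes.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # The filename the scanner reported, e.g. 'NCSECW.DLL' from the post above
    [Parameter(Mandatory)][string]$DllName
)

$KillBit = 0x400   # Compatibility Flags bit that disables the control in IE (KB240797)

# Step 1: find every CLSID whose InprocServer32 or LocalServer32 default value points at the DLL.
$clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $_.PSPath $server
            if (-not (Test-Path $serverKey)) { continue }
            $target = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($target -and ($target.Trim('"') -like "*\$DllName")) { $_.PSChildName; break }
        }
    } | Sort-Object -Unique

if (-not $clsids) { Write-Warning "No CLSID registers $DllName"; return }

# Step 2: set the kill bit under the native key and, on 64-bit Windows, under the Wow6432Node
# key that 32-bit Internet Explorer reads (the DLL in the post lives in Program Files (x86)).
$compatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

foreach ($clsid in $clsids) {
    foreach ($base in $compatKeys) {
        $key = Join-Path $base $clsid
        if (-not $PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags kill bit (0x400)')) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flags already set; OR in the kill bit rather than overwriting the value.
        $current = [int](Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        Write-Host ("{0}: Compatibility Flags 0x{1:X} -> 0x{2:X}" -f $key, $current, ($current -bor $KillBit))
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}
```

Re-running the scan afterwards confirms the finding is cleared for the CLSID the DLL actually registers, rather than the one the scanner printed.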

Kali and OpenVAS — March 4, 2017
Diving Deeper into Windows SSL — March 2, 2017

Diving Deeper into Windows SSL

This response to a question on the TechNet forums caught my interest, so I went to investigate the keys and values on my own machine. The cipher suite order can also be controlled using gpedit.msc, but I found it interesting to see the current entries for myself.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 Functions

While not “incorrect”, Steven’s answer is incomplete.

The linked article is a very good description of how to enable and disable cipher suites like SSL 2.0 etc., but the pen test comments SH posted are also concerned about the mode of operation of the ciphers used – specifically about removing the use of CBC (Cipher Block Chaining) and using Counter (CTR) or Galois Counter (GCM). This is not fully covered in that answer.

In order to direct how the transport security is negotiated at this more granular level, they will also need to look at the content and ordering of the Functions list. This controls the preferred order and what is acceptable when the transport security is negotiated between server/webserver and client/browser.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 Functions

Removal of CBC modes of operation from the list would prevent their successful negotiation, but removal of all CBC is likely to have a negative impact. Adjusting this list must be done with great care, as misconfiguration will prevent successful connections. Support for modern modes of block cipher operation such as AES-GCM is still not completely widespread (March 2016) in all clients/browsers and OS versions.

As with much of crypto, what might be appropriate for state top-secrets and what might be appropriate for information of very low confidentiality won’t always be the same. A balanced approach for information assurance is needed depending on the categorization of the specific information, and not an approach like “CBC is bad, GCM is good”.

S.H. should probably return to his/her pen testers to discuss whether their specific use of CBC modes may be acceptable for a while longer until GCM is better adopted, before testing any adjustments to the Functions list.

Tuesday, March 08, 2016 9:46 AM, Tom Hollinghurst

References: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a51f9574-73b0-4808-ad5f-4db081d80e6f/disable-cbc-mode-cipher-encryption-and-enable-ctr-or-gcm-cipher-mode-encryption-disable-md5-and?forum=winserversecurity
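To see the “current entries for myself” as the post describes, here is an added PowerShell example (not from the post or the quoted answer) that reads the Functions list from the registry path above, labels each suite with its mode of operation, and previews what removing the CBC suites would leave. It is read-only: the suite-name patterns it matches on are an assumption about Schannel naming, and it prints the proposed list rather than writing it back.

```powershell
# Local Schannel cipher suite order (the path discussed in the post); Functions is a REG_MULTI_SZ.
$FunctionsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-CipherMode {
    # Classify a suite name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 by its mode of operation.
    param([string]$Suite)
    switch -Regex ($Suite) {
        '_GCM_'  { 'GCM (AEAD)';    break }
        '_CCM'   { 'CCM (AEAD)';    break }
        '_CBC_'  { 'CBC';           break }
        'RC4'    { 'RC4 stream';    break }
        'NULL'   { 'no encryption'; break }
        default  { 'other' }
    }
}

$functions = (Get-ItemProperty -Path $FunctionsKey -Name Functions -ErrorAction Stop).Functions
# The policy-set copy of this value is a comma-separated REG_SZ; normalise to an array either way.
if ($functions -is [string]) { $functions = $functions -split ',' }
if (-not $functions) { throw "No Functions list found under $FunctionsKey" }

# Current negotiation order, annotated with the mode each suite uses.
$order = 0
$annotated = foreach ($suite in $functions) {
    $order++
    [pscustomobject]@{ Order = $order; Suite = $suite; Mode = Get-CipherMode $suite }
}
$annotated | Format-Table -AutoSize

# Preview the list without CBC. Count what AEAD suites remain, since the quoted answer's caveat
# is that clients lacking GCM/CCM support would then have nothing left to negotiate.
$withoutCbc = @($functions | Where-Object { (Get-CipherMode $_) -ne 'CBC' })
$aeadCount  = @($withoutCbc | Where-Object { (Get-CipherMode $_) -like '*AEAD*' }).Count
"`n{0} suites configured, {1} use CBC, {2} are AEAD (GCM/CCM)." -f $functions.Count, ($functions.Count - $withoutCbc.Count), $aeadCount
if ($aeadCount -eq 0) { Write-Warning 'Removing CBC would leave no AEAD suites; clients could not connect at all.' }
"`nProposed Functions list (not applied):"
$withoutCbc
```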

OpenSSL Ciphers — March 1, 2017

OpenSSL Ciphers

OpenSSL is a very handy tool, on both Linux and Windows. On both you can do all kinds of conversions and create keys and certificates, but it is equally useful for viewing the details of the cipher suites it supports.

On Linux systems OpenSSL looks for /usr/local/ssl/openssl.cnf, or on some flavours /etc/ssl/openssl.cnf or even /usr/lib/ssl/openssl.cnf; on Windows it shows a warning when it cannot find the file:

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

SSL/TLS as a Server Admin — February 28, 2017

SSL/TLS as a Server Admin

I’m not an encryption expert by any means. I’ve no great understanding of the mathematics involved in the encryption process and the ciphers used. What I do understand is what that means from the point of view of a server admin.

One thing to state right now is that SSL/TLS are the same thing: SSL was simply renamed TLS. The underlying principles are the same; the mechanisms and ciphers change, but the concept is the same, and despite the rename it’s still mostly referred to as SSL.

The basic process of SSL is that in order to engage in a secure conversation between systems both systems must share a level of trust with a common 3rd party.

I don’t trust you just because we can encrypt data together. I need to trust you based on a 3rd party we both trust telling me that you are who you say you are.

Nessus Certificates — February 16, 2017

Nessus Certificates

In order to get your Nessus server to pass a vulnerability scan you’ll need to replace the original self-signed cert it uses for its web server. It’s easy enough to do.

Generate a CSR and a key for the server:

$ openssl req -out nessus.csr -new -newkey rsa:2048 -nodes -keyout nessus.key

Open the CSR and use that to get a certificate from your CA.

Whilst you’re there, grab a copy of your CA server’s certificate (its public key).

Once you have the certificate (Base64 format), set about copying the key, the CA certificate and your new server certificate to where they need to go.

Backup the following files first:

  • /opt/nessus/var/nessus/CA/serverkey.pem
  • /opt/nessus/com/nessus/CA/servercert.pem
  • /opt/nessus/com/nessus/CA/cacert.pem

Then replace them with your new key and the PEM files from your CA, and restart the Nessus service.

$ sudo cp ~/nessus.key /opt/nessus/var/nessus/CA/serverkey.pem
$ sudo cp ~/nessus.pem /opt/nessus/com/nessus/CA/servercert.pem
$ sudo cp ~/ca.pem /opt/nessus/com/nessus/CA/cacert.pem
$ sudo service nessusd restart

References: https://docs.tenable.com/nessus/6_5/Content/9_Additional_Resources/9_8_Custom_SSL_Certificates.htm