Saturday, July 30, 2016

War Walking

You've done all your due diligence.  You've optimized the transmit power of all of your access points to allow little to no signal outside of your boundaries.  You've enabled WPA2 on the corporate SSID, and installed certificates on all authorized laptops.  You've tightened up the physical security of your environment, and nobody is getting in.  Your users have been trained and will be retrained periodically in the future.  And finally, you've hired a third party to do a wifi security assessment on your environment.  All set, right?

Not exactly.  Have you accounted for WarKitteh?

WarKitteh, together with its partner project WarDoge, is an interesting project that involves a wifi-enabled cat collar built for wardriving.  In the early days of wifi, you may recall wardriving being a thing where people would drive or walk around with a laptop computer and specialized software to log every open wireless access point, for the purpose of obtaining free Internet access.  Wardrivers would share their databases, and even mark the buildings where they found open wifi with chalk.  Today it's not that difficult to find free wifi; every coffee shop and fast food joint in town offers it.  No, today if anyone is looking, they have ill intentions.

In the space of a cat collar decoration, a wifi receiver and GPS unit are able to log all visible access points along with their GPS coordinates.  The gentleman behind the project notes that on a particular run, he found 23 wifi hotspots in his neighborhood, of which better than 30% were open or encrypted using only WEP.  The discovered networks were mapped using Google Earth.  Cat not included.

Now, let's think back to the hypothetical network in the opening paragraph.  You've locked it down tight through every technical means possible.  You've addressed the physical security of your environment well enough that no person is getting in without you knowing about it.  Now can you say you've never seen a cat or dog walking around outside the building?  It doesn't have to be a big cat.  In fact, the collar could probably fit on a rat or a gerbil.

Just one more thing to think about when you do your security audit and your wireless site analysis.

Wednesday, July 27, 2016

Running Powershell Script on Multiple Machines

Part of my responsibility is remediation of the vulnerabilities picked up by the monthly vulnerability scan.  You know the routine: every month Nessus scans the entire network, rattling the locks on the doors and windows of every host it comes across, and then spits out pretty reports detailing everything it finds.  A lot of things are one-off findings on a machine or two that have just been recently imaged or have a piece of software that isn't on the other machines.  We'll usually knock those out by hand.  But occasionally a new vulnerability comes along and there are hundreds or even thousands of machines with the vulnerability, and there isn't an existing tool or process to take care of it.  This is where PowerShell comes in handy.

The first example script I have here is to knock out a common vulnerability that keeps coming up, Nessus Plugin 63155, "Microsoft Windows Unquoted Service Path Enumeration".  We have a PowerShell script already available from Microsoft to deal with this problem, but unfortunately it is written to only run on the host machine.  So my contribution is a wrapper script that takes a file called hostlist.txt from the current user's My Documents folder, and executes Microsoft's script on each machine in that list.  Put one hostname per line, nothing more.

# Read the host list: one hostname per line, from the current user's Documents folder
$a = Get-Content "$env:userprofile\DOCUMENTS\hostlist.txt"

foreach ($i in $a)
{
  # Run Microsoft's unquoted-service-path script on the remote host over PowerShell remoting
  Invoke-Command -filepath c:\scripts\Windows_Path_Enumerate_v3.1.ps1 -computername $i
}


The next example again involves Windows services, but this time it's the permissions on the executable.  Since it's running icacls.exe rather than a PowerShell script, it was a little more complicated to hack together, but nothing that was impossible.  This again takes a list of hostnames from the user's My Documents folder and executes icacls on those machines.

I like this one better overall because you can stuff any number of PowerShell cmdlets inside the braces of the ScriptBlock parameter.

# Same host list as before: one hostname per line
$a = Get-Content "$env:userprofile\DOCUMENTS\hostlist.txt"
# Remove the Everyone entry from the ACLs under C:\Program Files (x86) (8.3 short name Progra~2),
# recursing into subfolders (/T) and continuing past errors (/C)
$command = 'c:\windows\system32\icacls.exe c:\Progra~2 /remove Everyone /T /C'

foreach ($i in $a)
{
  # The command string is passed to the remote session as $args[0] and run there with Invoke-Expression
  Invoke-Command -ComputerName $i -ScriptBlock {Invoke-Expression $args[0]} -ArgumentList $command
}


If you're new to scripting, or to PowerShell, I highly suggest the videos available at the Microsoft Virtual Academy.  A lot of the PowerShell related videos I watched when I was studying for the MCSA 2012 were taught by Jeffrey Snover, the architect of PowerShell himself, and/or Jason Helmick, Microsoft MVP and Pluralsight author.

Saturday, July 23, 2016

Discovery Protocols - Part I

Introduced in IOS 10.3, the Cisco Discovery Protocol (CDP) is used to share information between directly connected Cisco devices such as routers, switches, IP phones, and access points.  This information includes, but is not limited to: IOS version, hostname, IP address or addresses, native VLAN, and power draw for Power over Ethernet devices.  CDP announcements utilize the type-length-value (TLV) format.  Another similar discovery protocol, Cabletron's CDP, known also as the VlanHello Protocol, utilizes the same acronym but is not compatible.  Cabletron's CDP is described in RFC 2641, which was published in August of 1999.

Cisco utilizes the multicast destination address 0100.0ccc.cccc for a number of its proprietary protocols such as CDP and VTP.  Because it's a multicast address, it's important to note that any device capable of receiving the frame will be able to process and act upon the data contained within it.  By default, CDP announcements are sent on all interfaces that support Subnetwork Access Protocol (SNAP) headers, such as Ethernet, Frame Relay and ATM.  While enabled by default, it can be disabled globally or per interface on a device.

CDP Version 2 (CDPv2) is the most recent release of the protocol.  With CDPv2, Cisco added a reporting mechanism for more rapid error tracking, sending of error messages to the console or a logging server, reporting of mismatched native VLAN IDs on trunks, and reporting of unmatched port duplex states.

Cisco devices that support CDP store this information within a table in memory.  This information can be viewed using the show cdp neighbors command, as well as through SNMP.  The CDP table is refreshed with every CDP announcement received from a neighboring device, and the hold timer for that entry is reset.  By default this hold time is 180 seconds.  Once this time has been reached without receiving another CDP announcement, the information is discarded.

Third Party Utilization

Hewlett-Packard supports CDP in its ProCurve product line.  All ProCurves that support CDP are able to receive and process CDP announcements to some level.  However, all ProCurve models shipped after February 2006 no longer support transmitting CDP announcements, and previous models will have that capability removed in future software upgrades.  More information about HP and Cisco interoperability can be found in the document HP/Cisco Switching and Routing Interoperability Cookbook.  Dell, Netgear, and other manufacturers use the term Industry Standard Discovery Protocol (ISDP) in reference to their CDP compatible implementation.

With version 2.7.4,  routers and switches are able to receive and process CDP frames.  This support can be configured utilizing the enable lldp cdp, disable lldp cdp, reset lldp cdp and show lldp cdp commands.  These commands also support a number of optional parameters.  The following is an example of the show lldp cdp command.

CDP general information
---------------------------------------------
Enabled ...................... Yes
Number of CDP neighbours ..... 14
SysUpTime .................... 12345.42s
CDP processing time .......... 3.385727s
Triggers:
CDP neighbour add .......... -
CDP neighbour remove ....... 5
---------------------------------------------

The following shows the output of the show lldp cdp entry command which, as you can see, shows most if not all of the information available through CDP for the connected Cisco switch.


CDP entry information
--------------------------------------------------------------------------------
Device ID ................. Switch
Protocol information:
IP address ................ 192.168.1.202
Platform .................... cisco WS-C3750G-24TS
Capabilities ................ Router,Switch,IGMP device
Interface ................... port20
Port ID (outgoing port) ..... GigabitEthernet1/0/10
Holdtime .................... 155s
Version:
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I5-M), Version 12.2(20)SE, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 19-May-04 11:52 by yenanh
--------------------------------------------------------------------------------

There is a project hosted on Sourceforge called CDP for Linux, which implements a module for the Linux kernel to receive and interpret CDP announcements.  It makes this data available through the /proc interface as /proc/net/cd_neighbors in a format very similar to show cdp neighbors detail on a Cisco router or switch.  However, the project's last update was in March of 2013 for a version to be utilized with Linux 2.4.18, so it's not going to be useful with a modern kernel.  There is also a bundle of tools called CDP Tools, which are user space tools to send and receive CDP announcements.  However, the changelog for these tools shows their last update to be in 2007, calling into question whether or not they'll even compile at this point, let alone be of any use.

Finally, there are Perl modules such as Net::Packet::CDP and Net::CDP available via CPAN.
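Since every host on the segment receives these multicast frames, it is worth seeing exactly what they carry.  The following is an added example, not code from the original post or from any of the projects above: a small Python parser for the CDP TLV payload described earlier, run over a constructed frame that mirrors the switch in the show lldp cdp entry output.  It validates the checksum and every TLV length before trusting a field, and the build_cdp helper exists only to assemble the constructed sample with a correct checksum.

```python
import struct
# CDP rides on a SNAP header (OUI 00:00:0c, PID 0x2000) in frames sent to 01:00:0c:cc:cc:cc; the payload is
# version(1) holdtime(1) checksum(2) followed by TLVs of type(2) length(2, header included) value.
TEXT_TLVS = {0x0001: "device_id", 0x0003: "port_id", 0x0006: "platform"}
TLV_ADDRESSES, TLV_CAPABILITIES = 0x0002, 0x0004
CAPABILITY_BITS = {0x01: "Router", 0x02: "TB Bridge", 0x04: "SR Bridge", 0x08: "Switch",
                   0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}
def cdp_checksum(data: bytes) -> int:
    # Internet-style one's-complement sum; even-length payloads only (Cisco's odd-length quirk is not handled)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def parse_cdp(payload: bytes) -> dict:
    """Decode a CDP payload (SNAP header already stripped) into the fields a neighbour table shows."""
    version, holdtime, _ = struct.unpack("!BBH", payload[:4])
    if len(payload) % 2 == 0 and cdp_checksum(payload) != 0:
        raise ValueError("CDP checksum mismatch")
    info, pos = {"version": version, "holdtime": holdtime}, 4
    while pos + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(payload):  # never trust a length taken from the wire
            raise ValueError(f"bad TLV length {tlv_len} at offset {pos}")
        value = payload[pos + 4:pos + tlv_len]
        if tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("ascii", "replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            caps = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == TLV_ADDRESSES:
            count, off, addrs = struct.unpack("!I", value[:4])[0], 4, []
            for _ in range(count):  # entry: ptype(1) plen(1) proto(plen) alen(2) addr(alen)
                plen = value[off + 1]
                proto = value[off + 2:off + 2 + plen]
                alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
                if proto == b"\xcc" and alen == 4:  # NLPID 0xCC = IPv4
                    addrs.append(".".join(str(b) for b in value[off + 4 + plen:off + 8 + plen]))
                off += 4 + plen + alen
            info["addresses"] = addrs
        pos += tlv_len
    return info
def build_cdp(tlvs, version=2, holdtime=180) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs)
    frame = struct.pack("!BBH", version, holdtime, 0) + body
    return frame[:2] + struct.pack("!H", cdp_checksum(frame)) + frame[4:]

# Constructed sample mirroring the switch in the show lldp cdp entry output above
SAMPLE = build_cdp([(0x0001, b"Switch"), (0x0003, b"GigabitEthernet1/0/10"), (0x0006, b"cisco WS-C3750G-24TS"),
                    (TLV_CAPABILITIES, struct.pack("!I", 0x01 | 0x08 | 0x20)),  # Router, Switch, IGMP
                    (TLV_ADDRESSES, struct.pack("!I", 1) + bytes([1, 1, 0xCC, 0, 4, 192, 168, 1, 202]))])
```

Feed parse_cdp the bytes that follow the SNAP header of a captured frame and it returns the same Device ID, address, platform, port and capability fields the switch output above lists.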

Wednesday, July 20, 2016

The Official CCNA Group FAQ

I've been one of the admins of the group for a few years now, and there's a handful of questions that I see repeatedly posted.  I'm talking about the things that somebody asks at least once a week in the group.  So I've started compiling this FAQ for the group that can be posted as a response to any question that falls within this list.  As with many posts relating to the Facebook group, this will be a living document and material will be added, removed or modified as necessary.

If you haven't already read my post on how to ask better questions, maybe take a minute to look at that as well.

Saturday, July 16, 2016

I'm New, What Should I be Reading?

In the CCNA group, an often posted question is "what books should I be reading?" or the less inspired "What is the best networking book?"  Well, it's never quite that simple.  What are you looking to learn?  Do you want to become proficient in networking in general, or are you looking to become proficient in Cisco related networking?  Yes, there is a difference.  Do you want to really learn how things work, or do you want to just pass your next certification exam? Again, there is indeed a difference.

I wrote out a long post replying to this recently, and thought I'd save the response here and elaborate a little more.  A little because it's a good topic, and a lot because I'm lazy and will just link this rather than answer again in the future.  If you want to hear the simple answer, go with the dozens of knuckleheads screaming out that Todd Lammle is all you need.  Just ignore their misspelling of his name.  But if you want to actually learn networking, then continue reading.

Wednesday, July 13, 2016

Netflow Collectors

One of the big topics currently in Cisco's security track is NetFlow.  According to Cisco, "NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing."  With all of its known, and yet to be discovered, uses, there's no doubt that NetFlow will continue to be a big part of Cisco's security exams for the foreseeable future, as well as potentially finding its way into other tracks if it's not already there.

Saturday, July 9, 2016

FreeCCNAWorkbook.com in Packet Tracer, Part 3

In two previous blog posts, which can be found here and here, I started going through the labs on the Free CCNA Workbook website and attempting to perform the labs in Packet Tracer.  My focus lately has been more on my own studies with my first attempt at the SENSS exam scheduled for next month, but with Cisco finally releasing Packet Tracer to the world (you no longer need to be a Cisco Network Academy student to legally download a copy), I've been wanting to revisit this topic.  So in this post I'm going to move on to Section 5, Configuring Wide Area Network Links.

Wednesday, July 6, 2016

HIPAA Ain't That Hard People

All of my career in I.T. has had at least some level of involvement in the medical field.  The majority of my time was spent with a Managed Services Provider (MSP) who had a client base consisting of a significant number of small and medium medical facilities.  We supported a good mixture of medical specialties.  I still do the occasional side project for them, but I've moved on to bigger and better things.  Today, I work as a contractor, supporting a government agency that does some medical.  In other words, I do HIPAA.

Saturday, July 2, 2016

The Lab

In addition to the few Facebook groups and pages that I contribute to, I also spend time occasionally in the /r/homelab subreddit.  There are a couple of common questions that come up repeatedly there, and a few people jokingly say that they're going to publish a blog post with their answer so they don't have to reply with the same answer over and over again.  So rather than repeatedly say I'm going to do the blog post, I'm actually going to do it.  I check Reddit a couple of times a week if you have a comment or question, but you can also comment here if you came across this post by another means.