Category Archives: Networking

Notes from the field – Penetration tests

This blog post is by no means a comprehensive guide from an expert in the cyber security area. However, my previous role meant I had the pleasure of reviewing a number of customer penetration tests and, from this, pretty much all of them were exploited in the same way. So I put together some basic information for any of my customers to review and think about before they had a penetration test booked.

After all, you might as well make it a challenge for the people you are hiring to hack your network 😉

Methodology

Ok, so I’m only going to cover the basics, as there are far better articles out there on this.

  • Reconnaissance
    • Information gathering before attending the target's site
      • IP addresses of websites and MX record details
      • Details of email addresses (shared mailboxes, employees' direct addresses)
      • Social networks (details shared on LinkedIn by employees, the company's Twitter posts, etc.)
        • Consider the Twitter post by a company shown below: what information can you glean from seeing a picture of their racks and other equipment?
        • If we know the company name, we can enumerate the various domain names they own to public IP addresses, plug those into a website like http://shodan.io and maybe look for that SonicWall and find out if it's running the latest firmware.
        • Below, when zooming in on the image, we can find details of an ADSL line.
      • Job websites: are they hiring, especially in IT, and what skills do they want? Looking for an engineer that knows a particular accountancy package?
  • Enumeration/Identification
    • Assessment of the devices found and the search for vulnerabilities
      • Tools in use such as, but not limited to: nmap, Nessus, Metasploit, unicornscan, nikto, dotdotpwn, gobuster.
  • Exploitation
    • Create a plan of action/attack based on the information gathered.
    • Perform the attack/exploitation itself to achieve the end goal: usually gaining initial access to systems from zero, then escalating, with the end goal being access to private/sensitive/restricted systems and data.
    • Tools in use such as, but not limited to: Kali Linux (an OS that contains a lot of tooling), nmap, Metasploit, Burp Suite, sqlmap, PadBuster, custom exploit scripts.
Common exploits to gain access

Ok, so first let's review how multiple networks were exploited or hacked.

Below is a summary of the issues commonly found at the many sites I reviewed, and this is what I will cover in this blog post:

  • Null session (unauthenticated) access to Domain Controllers
  • Devices configured to use NBT-NS / LLMNR
  • SMB signing not required
  • NTLMv1 in use for network authentication
  • Domain users with local admin rights on their machines
  • Poor password policy
  • No split accounts for Domain Admins (the same account used for day-to-day work and administration)
  • Poor patching on systems
Null Session Authentication

By default, null sessions (unauthenticated connections to the IPC$ share) are enabled on Windows 2000 and 2003 servers. Anyone who can reach SMB (port 445, or 139 over NetBIOS) can use a null session to enumerate potentially sensitive information from the server; on a domain controller that means information from your Active Directory: user and group names, shares and the domain password policy, which is exactly what an attacker needs before trying passwords against those accounts.

Because the settings that allow this are carried forward by in-place upgrades, anyone with a legacy domain which has been upgraded through the years will usually find that null session authentication is still enabled in their environment.

Seeing it in action
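As an added example (my own, not code from the original post), here is a read-only PowerShell audit of the settings behind the first four items in the list above: the null session controls described in this section, plus LLMNR, NBT-NS, SMB signing and the NTLMv1 level. It assumes PowerShell 5.1 or later, run elevated on the server or DC, and the ActiveDirectory RSAT module for the group check at the end; the registry values and hardened settings are the standard Microsoft ones.

```powershell
# Added example, not code from the original post: a read-only audit of the
# settings behind null sessions, LLMNR/NBT-NS, SMB signing and NTLMv1.
# Assumes PowerShell 5.1+, run elevated on the server or DC; the group
# check at the end needs the ActiveDirectory module.

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$dnsc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# Issue, registry value and the hardened setting. Anything else is flagged REVIEW.
$checks = @(
    # Null sessions: stop anonymous enumeration of SAM accounts, shares and pipes
    @{ Issue = 'Null session'; Path = $lsa;  Name = 'RestrictAnonymous';         Want = 1 },
    @{ Issue = 'Null session'; Path = $lsa;  Name = 'RestrictAnonymousSAM';      Want = 1 },
    @{ Issue = 'Null session'; Path = $lsa;  Name = 'EveryoneIncludesAnonymous'; Want = 0 },
    @{ Issue = 'Null session'; Path = $srv;  Name = 'RestrictNullSessAccess';    Want = 1 },
    # LLMNR: 0 = multicast name resolution off, so a poisoner (Responder/Inveigh) sees no queries
    @{ Issue = 'LLMNR';        Path = $dnsc; Name = 'EnableMulticast';           Want = 0 },
    # SMB signing must be *required* on both server and client side, not merely enabled
    @{ Issue = 'SMB signing';  Path = $srv;  Name = 'RequireSecuritySignature';  Want = 1 },
    @{ Issue = 'SMB signing';  Path = $wks;  Name = 'RequireSecuritySignature';  Want = 1 },
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM and NTLMv1
    @{ Issue = 'NTLMv1';       Path = $lsa;  Name = 'LmCompatibilityLevel';      Want = 5 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function New-AuditRow($Issue, $Setting, $Actual, $Wanted, [bool]$Ok) {
    if ($null -eq $Actual) { $Actual = '(not set)' }   # unset = Windows default, usually the weak one
    $status = 'REVIEW'
    if ($Ok) { $status = 'OK' }
    [pscustomobject]@{ Issue = $Issue; Setting = $Setting; Actual = $Actual; Wanted = $Wanted; Status = $status }
}

function Get-PentestPrereqAudit {
    foreach ($c in $checks) {
        $v = Get-RegValue $c.Path $c.Name
        New-AuditRow $c.Issue $c.Name $v $c.Want ($v -eq $c.Want)
    }
    # NBT-NS is set per interface: NetbiosOptions 2 = NetBIOS over TCP/IP disabled.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object {
            $v = Get-RegValue $_.PSPath 'NetbiosOptions'
            New-AuditRow 'NBT-NS' "NetbiosOptions ($($_.PSChildName))" $v 2 ($v -eq 2)
        }
    # Shares and pipes that stay reachable anonymously regardless of the values above.
    foreach ($n in 'NullSessionShares', 'NullSessionPipes') {
        $v = Get-RegValue $srv $n
        New-AuditRow 'Null session' $n ($v -join ',') '(empty)' (-not $v)
    }
}

# On a DC, the classic leftover on an upgraded domain: "Everyone" (S-1-1-0) or
# "Anonymous Logon" (S-1-5-7) still in Pre-Windows 2000 Compatible Access
# (well-known SID S-1-5-32-554). Only Authenticated Users (S-1-5-11) should remain.
function Get-Pre2000CompatMembers {
    Import-Module ActiveDirectory -ErrorAction Stop
    $known = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon'; 'S-1-5-11' = 'Authenticated Users' }
    $members = (Get-ADGroup -Identity 'S-1-5-32-554' -Properties member).member
    foreach ($dn in $members) {
        $rdn = (($dn -split ',')[0]) -replace '^CN='     # foreign principals are stored under their SID
        $label = $known[$rdn]
        if (-not $label) { $label = $rdn }
        New-AuditRow 'Null session' 'Pre-Windows 2000 Compatible Access' $label 'Authenticated Users only' ($rdn -eq 'S-1-5-11')
    }
}

Get-PentestPrereqAudit | Format-Table -AutoSize
Get-Pre2000CompatMembers | Format-Table -AutoSize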

HP IMC 7.2 – won’t backup config of Cisco Nexus 9K switch

Background

I have a customer who is using HP Intelligent Management Center (IMC) to monitor their switching environment. Originally they were using all HP switching, but they have slowly moved away during a refresh cycle and now use Cisco switching, a mix of 2960X and Nexus switches.

The issue

When changing the HP IMC (Basic edition licence) over to manage the Cisco switching, everything went fine apart from the Nexus 9K switches, which were not detected properly and could not be backed up. We contacted HP, who said the 9K switches are supported, but they would not give us any further details until we had a software support contract in place.

When we ran a manual backup of the switch we would receive the following error message:

Failed to send the configuration file from the device to the iMC Server by TFTP

The cause

The cause is the sysOID seen by IMC: it correctly identifies the vendor as Cisco, but does not identify the device as a Nexus switch. The default settings for a Cisco switch in IMC use CatOS commands for every operation, which an NX-OS switch does not understand, so the backup never produces a file to transfer.


HP FlexFabric Switches – AirFlow direction is not preferred

Quick note,

Installed some HP FlexFabric 5700 switches the other day and I was getting a red LED on the front and a status message in the CLI:

HPE DEV/1/FAN_DIRECTION_NOT_PREFERRED: -Slot; Fan 1 airflow direction is not preferred on slot 1, please check it.

This is a pretty common issue if you chose Back-to-Front fans for your build.

The part numbers for the 5700 series are as follows (taken from this document):

HP 58x0AF Bck(pwr)-Frt(ports) Fan Tray – JC682A
HP 58x0AF Frt(ports)-Bck(pwr) Fan Tray – JC683A

The fix is quite simple.

To display the airflow configuration:

display fan slot {slot-number}

To change the preferred direction so that it matches the fan trays installed (here port-to-power, i.e. the front(ports)-to-back(power) JC683A tray in slot 1):

fan prefer-direction slot 1 port-to-power

Below is a screenshot showing the error, the display command and the resolution.

PowerCLI – Setup Host networking and storage ready for ISCSI LUNs

So I am no scripting master; my PowerShell knowledge is still something I want to expand. During an install last week I had a number of hosts to set up from scratch, so I decided to do this via PowerCLI, as a lot of the tasks were repetitive: setting up the vSwitch networking and iSCSI configuration for each host.

For those of you new to scripting, I've included screenshots to accompany the commands so you can see what's going on in the GUI.

Note: the full code without the breaks is at the end of this post

#Setup which host to target 
$VMhost = 'hostname'
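As an added example, not the author's script (the full script belongs to the original post and is not reproduced on this page), here is the rest of the per-host vSwitch and iSCSI workflow in PowerCLI, starting from the `$VMhost` variable above. Everything named is an assumption for illustration: vCenter `vcenter.example.local`, free uplinks `vmnic2`/`vmnic3`, storage VLANs 101 and 102, VMkernel addresses 10.10.10.11 and 10.10.11.11, and a target portal at 10.10.10.100. CHAP is made mandatory before the target is added, which is the step most often skipped in a quick build.

```powershell
# Added example, not the author's script. Assumed names: vCenter
# 'vcenter.example.local', free uplinks vmnic2/vmnic3, iSCSI VLANs 101/102,
# VMkernel addresses 10.10.10.11 and 10.10.11.11, target portal 10.10.10.100.
$VMhost = 'hostname'
Connect-VIServer -Server 'vcenter.example.local' | Out-Null
$vmh = Get-VMHost -Name $VMhost

# 1. A vSwitch used only for storage, with jumbo frames set here and on every vmk.
$vs = New-VirtualSwitch -VMHost $vmh -Name 'vSwitch-iSCSI' -Nic 'vmnic2', 'vmnic3' -Mtu 9000

# 2. One port group and one VMkernel port per storage path.
$paths = @(
    @{ PortGroup = 'iSCSI-A'; VLan = 101; IP = '10.10.10.11' },
    @{ PortGroup = 'iSCSI-B'; VLan = 102; IP = '10.10.11.11' }
)
$vmks = foreach ($p in $paths) {
    New-VirtualPortGroup -VirtualSwitch $vs -Name $p.PortGroup -VLanId $p.VLan | Out-Null
    New-VMHostNetworkAdapter -VMHost $vmh -VirtualSwitch $vs -PortGroup $p.PortGroup `
        -IP $p.IP -SubnetMask '255.255.255.0' -Mtu 9000
}

# 3. Turn on the software iSCSI adapter and pick it up.
Get-VMHostStorage -VMHost $vmh | Set-VMHostStorage -SoftwareIScsiEnabled $true | Out-Null
$hba = Get-VMHostHba -VMHost $vmh -Type IScsi | Where-Object { $_.Model -like '*Software*' }

# 4. Port binding, so the host multipaths over both vmks instead of just one.
$esxcli = Get-EsxCli -VMHost $vmh -V2
foreach ($vmk in $vmks) {
    $esxcli.iscsi.networkportal.add.Invoke(@{ adapter = $hba.Device; nic = $vmk.Name }) | Out-Null
}

# 5. Require CHAP before the target is added: without it any host that can reach
#    the storage VLAN can log in to the LUNs. Prompt for the secret rather than
#    leaving it in the script.
$secure = Read-Host -AsSecureString 'CHAP secret'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-VMHostHba -IScsiHba $hba -ChapType Required -ChapName $VMhost -ChapPassword $plain | Out-Null

# 6. Dynamic discovery against the portal, rescan, and list what arrived.
New-IScsiHbaTarget -IScsiHba $hba -Address '10.10.10.100' -Type Send | Out-Null
Get-VMHostStorage -VMHost $vmh -RescanAllHba | Out-Null
Get-ScsiLun -VmHost $vmh -LunType disk | Select-Object CanonicalName, CapacityGB, MultipathPolicy
```

The storage array needs the matching CHAP name and secret configured for the initiator before step 6, otherwise the rescan returns nothing; with two bound vmks each LUN should show more than one path in `Get-ScsiLunPath`.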


HP 2920 Switch – Reboot issue on firmware ver 15.18.0006 #vDM30in30

Updated 25.11.15

Firmware WB.15.18.0007 resolves the issue, see below


A colleague of mine found an issue with the latest HP 2920 switch firmware.
If you create VLANs using the CLI Menu, the switch reboots and the configuration is not saved.

We have reported this to HP, but it is currently being treated as a non-critical issue, as the problem doesn't happen when creating a VLAN via the web interface or the native CLI.

We have also noticed on this firmware the switch seems to be less responsive. Luckily we had a few units in stock that we could replicate this issue on, and can confirm downgrading to the previous firmware version removes the issue.

A quick cheers to my colleague Marco for finding and researching this issue.

The issue

Switch: HP 2920-48G-POE+

Primary Image    :    12852982 08/12/15 WB.15.18.0006

Software revision  : WB.15.18.0006

  1. Go to the Main Menu
  2. Select (2) Switch Configuration…
  3. Select (8) VLAN Menu…
  4. Select (3) VLAN Port Assignment
  5. Select Edit
  6. Modify the tagging mode for a port
  7. Select Save
  8. The switch reboots and doesn't save the configuration

Hopefully HP will release a fix for this firmware soon, as mentioned we have recreated this issue in production and test.

The Fix

The following information was provided by HP Support.