Security - www.m00nie.com

Security

A collection of 14 posts

Specifically disable certificate verification in lftp

Specifically disable certificate verification in lftp

LFTP is a great FTP program that I use quite regularly. I recently had a problem connecting to a server (that I didnt control) and getting the following error due to the cert being self signed:

Decrypt HTTPS (SSL/TLS) with Wireshark

Decrypt HTTPS (SSL/TLS) with Wireshark

Wireshark has some very nice SSL/TLS decryption features tucked away although you need either of the following two: * Access to the servers private pki key * Access to the client machines and its (pre)master secrets (also need Firefox or Chrome) Unfortunately, dumping the premaster secret was removed in FireFox

GET VPN (GNS3 Lab)

GET VPN (GNS3 Lab)

Group Encrypted Transport (GET) VPN is slightly different and has quite different use cases from more traditional point to point IPSEC VPN where each point to point VPN is quite distinct in its own right. The most import thing to remember at GET VPN is the "G" means group and

DMVPN setup with PSK (GNS3 Lab)

DMVPN setup with PSK (GNS3 Lab)

Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to a partial or full mesh topology! This means that not all traffic has to pass through the hub

Disable ASA TCP State tracking (make my ASA a router)

640-553 CCNA Security

Disable ASA TCP State tracking (make my ASA a router)

Recently had to use this (useful?) feature to help a customer with an asymmetric traffic flow via an ASA. The ASA would only see the out bound traffic from a host with the return traffic going via an alternative path not visible to the ASA.This simple diagram is an

Install NFSEN (Centos 6 & Fedora 20)

Install NFSEN (Centos 6 & Fedora 20)

Found myself having to do this a few times now and it usually ends up being quite messy in the end so some nice clean instructions from a real sysadmin. All credit goes to @gowmonster. I've tested this guide against Fedora 20 and Centos 6. This guide follows Centos 6

BGP RTBH setup using exaBGP

BGP RTBH setup using exaBGP

In this post I'll describe a basic setup using Cisco IOS, IOS XR and exaBGP that will function as a BGP remotely triggered blackhole (RTBH) allowing you to null route any source/destination prefix. The example topology will be as below: exaBGP by a very nice man called Thomas Mangin

SNMP ACL (after community check?!)

SNMP ACL (after community check?!)

Not my usual kind of post of "how to do ...blah" but something I'd come across yesterday that was a little interesting/annoying/silly. Best practice dictates you apply an ACL to your SNMP config so only configured hosts can poll a router/switch even if the community is known.

Cisco Security Manager logging SDEE messages from IPS in Event viewer

Cisco Security Manager logging SDEE messages from IPS in Event viewer

Cisco Security Manager +4 (I was trying 4.0.1 at the time of this post) has an "event viewer" feature thats actually pretty good! It can receive syslog and SDEE messages, parse them and display them in the nice gui for you. Syslog is pretty straight forward to configure

DMVPN with PKI authentication (GNS3 Lab)

DMVPN with PKI authentication (GNS3 Lab)

Dynamic Multipoint VPNs (DMVPN) offer a low admin overhead and scalable VPN solution. It is also efficient at routing traffic as it can dynamically reconfigure itself from a hub and spoke to a partial or full mesh topology! This means that not all traffic has to pass through the hub

Cisco IOS Certificate Server set-up and client enrolment (GNS3 Lab)

Cisco IOS Certificate Server set-up and client enrolment (GNS3 Lab)

A quick step by step overview of how to configure the certificate server on a Cisco IOS device. The certificate server functionality was added in version 12.3(4). It is only available in in security images or higher. We can use this functionality to provide scalable authentication for VPN

Dynamic point to point IPSEC VPN tunnels using DTVIs (GNS3 Lab)

Dynamic point to point IPSEC VPN tunnels using DTVIs (GNS3 Lab)

Manually configuring point to point IPSEC tunnels can become a big administrative burden as the number of endpoints grows. In a hub and spoke environment we can use Dynamic Virtual Tunnel Interfaces (DVTI) to help ease this burden of lots of site to site or remote access tunnels When using

EAP, EAPOL and EAP types

EAP, EAPOL and EAP types

Extensible Authentication Protocol (EAP) - is a transport mechanism used in 802.1x to authenticate supplicants (hosts/pcs) against a backend server (Radius) via an authenticator (Switch). The first byte of the EAP header contains the code field, this identifies the EAP packet type. The four different codes are shown

Cisco (type 7) password decryption and encryption with Perl

Cisco (type 7) password decryption and encryption with Perl

I've often seen password decryption tools for the Cisco (type 7) passwords and wondered how they worked. To learn more about that and Perl I thought I'd give it a go :) The short story is it just seems to XOR each character against a value in an array. I'm sure