Extend Layer 2 Domains

Now, I am analyzing a complex network that consists of hundreds of Switches between 2 interconnected buildings by Layer2.

One month ago I suffered a Layer 2 loop that was propagated to both buildings. Due to I need to break up Layer 2 domains in order to isolate the effects of broadcast, flooding and Layer 2 loops.

 In order to break layer 2 I need create Layer 3 interconnection but in this way I will need STP and the multicast traffic layer 2 won’t be propagated.

For get the next goals:

  1. Extend Layer 2 domain across multiple ToR (Leaf)
  2. Prevent all issues of Layer2 like ARP Traffic, broadcast amplification, loop layer 2
  3. Remove the need for STP (is ineffective)

I am considering a few alternatives:

TRILL, Fabric Path (Cisco), PLURIBUS, VXLAN, NVGRE, GENEVE…

Please, told us your experience and use cases about this new protocols.

Thanks in advance!

Publicado en Switching | Deja un comentario

Another Hard Day At The Office

The last week after 5 hours of intervention I got a VoIP hybrid cluster (Virtual CUCM + Physical).

Unfortunately the CUCM Publisher was crash; this is the worst incidence that can occur in VoIP environment.

In this way, I decided  create a new Virtual CUCM publisher:

-OVA:Cisco_OVA_CUCM

In order to keep the same license that old crashed CUCM server you will need to do rehosting.

Once the CUCM Publisher was created and working we deal with the most dificult duties that are database replication between Virtual and Physical CUCM.

The key to get database replication successfully are these commands:

             a.utils dbreplication stop all  (Only on the publisher)
             b.utils dbreplication dropadmindb (First on all the subscribers one by one then the publisher)
            c.utils dbreplication reset all ( Only on the publisher )

You don’t doubt more and migrate to virtualize platform your VoIP servers.

I hope you like it.

Publicado en Uncategorized | Deja un comentario

Cloud Computing

The efficiency of a cloud implementation depends on how well the cloud software stack components communicate with each other, the cloud infraestructure devices (cpu, network, storage…)

screen-shot-2016-12-11-at-19-54-26

Publicado en Cloud | Deja un comentario

Evil Foca

Today we are introducing one of the best and intuitive tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks.

foca

After go over this security tool we verify that has a wealth of security features such as:

  • Man In The Middle (MITM) attack

          The well-known “Man In The Middle” is an attack in which the wrongdoer creates    the possibility of reading, adding, or modifying information that is located in a channel between two terminals with neither of these noticing. Within the MITM attacks in IPv4 and IPv6 Evil Foca considers the following techniques:

 

  • ARP Spoofing

    Consists in sending ARP messages to the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP of another device. Any traffic directed to the IP address of the predetermined link gate will be erroneously sent to the attacker instead of its real destination.

 

  • DHCP ACK Injection

    Consists in an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil Foca converts the machine in a fake DHCP server on the network.

 

  • Neighbor Advertisement Spoofing

    The principle of this attack is identical to that of ARP Spoofing, with the difference being in that IPv6 doesn’t work with the ARP protocol, but that all information is sent through ICMPv6 packets. There are five types of ICMPv6 packets used in the discovery protocol and Evil Foca generates this type of packets, placing itself between the gateway and victim.

 

  • SLAAC attack

    The objective of this type of attack is to be able to execute an MITM when a user connects to Internet and to a server that does not include support for IPv6 and to which it is therefore necessary to connect using IPv4. This attack is possible due to the fact that Evil Foca undertakes domain name resolution once it is in the communication media, and is capable of transforming IPv4 addresses in IPv6.

 

  • Fake DHCPv6 server

    This attack involves the attacker posing as the DCHPv6 server, responding to all network requests, distributing IPv6 addresses and a false DNS to manipulate the user destination or deny the service.

 

  • Denial of Service (DoS) attack

    The DoS attack is an attack to a system of machines or network that results in a service or resource being inaccessible for its users. Normally it provokes the loss of network connectivity due to consumption of the bandwidth of the victim’s network, or overloads the computing resources of the victim’s system.

 

  • DoS attack in IPv4 with ARP Spoofing

    This type of DoS attack consists in associating a nonexistent MAC address in a victim’s ARP table. This results in rendering the machine whose ARP table has been modified incapable of connecting to the IP address associated to the nonexistent MAC.

 

  • DoS attack in IPv6 with SLAAC attack

    In this type of attack a large quantity of “router advertisement” packets are generated, destined to one or several machines, announcing false routers and assigning a different IPv6 address and link gate for each router, collapsing the system and making machines unresponsive.

 

  • DNS Hijacking

    The DNS Hijacking attack or DNS kidnapping consists in altering the resolution of the domain names system (DNS). This can be achieved using malware that invalidates the configuration of a TCP/IP machine so that it points to a pirate DNS server under the attacker’s control, or by way of an MITM attack, with the attacker being the party who receives the DNS requests, and responding himself or herself to a specific DNS request to direct the victim toward a specific destination selected by the attacker.

 

 

 

Publicado en Pentesting | Deja un comentario

FortiGate-VMX v.2

Teniendo en cuenta que para el próximo año 2017 el 50% de las compañías a nivel global tendrán modelos de cloud híbridas hoy os presentamos el nuevo Fortigate para plataformas cloud híbridas o privadas.

Esta versión de firewall es perfecta para la securización de tráfico “East-West” de aplicaciones o databases de nuestra red.

Antes de realizar la implantación es importante conocer el “size workload” de la red. En el caso de no ser suficiente con la versión virtual que presentamos hoy una buena práctica sería usar para analizar Layer-4 un edge firewall mientras que para Layer-7 usariamos el FGT-VMXv.2

Una vez hayamos decidido por ejemplo si usaremos un Firewall físico en modo load balancing hacia varios VM fortigates, o si será un entorno full virtual vamos a ver su instalación:

  1. Licencia

El proceso es como un Fortigate físico, una vez realizada la compra del device, via mail recibiremos el “license registration code”.

screen-shot-2016-11-27-at-17-38-07

2) FortiGate-VMX Service Manager

Ir a “support.fortinet.com” y en la sección “Register/Renew” descargar el “license file” en local.

Descargaremos también la imagen (.ovf) de la página de Fortinet

Se configurará en Fortigate los parámetros de NSX

screen-shot-2016-11-27-at-17-53-44

FGT#config sys global
FGT(global)#config nsx setting
FGT(setting)#exec nsx service add 

Ya por último ya veremos que el servicio “FGTVMXV2” ya aparece.

screen-shot-2016-11-27-at-17-59-32

 

Publicado en Uncategorized | Deja un comentario

Connection String Attacks

Aunque a dia de hoy ya son muy reducidos los ataques las cadenas de conexión veo importante comentar en qué consiste así como un caso muy curioso.

Los Web Servers tienen una cadena de conexión para indicar la comunicación con el servidor que contiene info muy valiosa generalmente las instancias de una BBDD.

La info que acompaña una cadena de conexión es sensible ya que puede contener información relativa a ubicaciones de servidores, redes internas, credenciales del sistemas y arquitectura de la red.

Los ficheros usados para establecer la conexión con servidores como SQL pueden ser UDL, ODC y DSN. Puesto que todos son archivos en texto plano, con “google dork” aún encontramos info sobre las cadenas de conexión como mostramos a continuación:

screen-shot-2016-11-26-at-20-07-27

Como cursiosidad allá por el 2009 la empresa myLittleTools presentó las herramientas myLittleSQLAdmin y MyLittleBackup que eran vulnerables y facilmente se conseguía acceder a BBDD de clientes importantes haciendo ataques SSRF.

Aquí os mostramos la publicación en un blog en el que reconocen la presencia del bug minimizando al máximo la importancia.

screen-shot-2016-11-26-at-20-13-00

 

Publicado en Pentesting | Etiquetado , , , | Deja un comentario

Forti CLI Commands

After find out that Fortinet is recognized as a leader in Unified Threat Management (UTM) by the Gartner Magic Quadrant… I think that is mandatory get any certification because is a Manufacturer that is growing in 35+ countries around the world.

I have created a list with the main CLI commands to help a proper troubleshooting.

screen-shot-2016-10-30-at-23-54-41*This CLI commands list was created during the NSE4 certification.  
Publicado en Fortigate, Uncategorized | Deja un comentario