Archive
Rant: Community is King
So I don’t think I’ve ever done a rant blog post, and to be fair there is no real reason behind this; I just started thinking about it on the way into work (which is about a 10 minute drive). Shall we begin??
DISCLAIMER: I apologise in advance for any bad language used during this rant or the excessive use of “”.
A couple of weeks ago I had reason to tell someone (over email) a little about myself in an attempt to “sell” myself. It’s not something I like doing but sometimes you just have to. It made me realise that during the last 18 months that I’ve been “trying to get into Security” I’ve actually achieved a lot, so I hope this rant will help people who are in the same situation as me.
Community is King???
This time 2 years ago I would spend most of my downtime playing computer games; call it a lack of motivation, laziness or whatever, but that’s what I did. Then, with some gentle pushing from my nearest and dearest, I decided to start using my time to learn and develop. When you start with the goal of “breaking into Security” many people point out that the key to success is “the community”, and it’s true, but that can be the hardest challenge. If you don’t work in Security then some people will tell you it’s just a hobby, and maybe they are right or maybe that’s just bollocks; it’s for you to decide and ultimately turn it into anything you want.
I’ll let you into a secret: I started this blog for 2 reasons. The first was to keep a record of what I’ve done and allow me to pat myself on the back for the number of visitors I get; the second was because I wanted to get noticed. I hoped that over time people would read my blog, follow me on Twitter and allow me into their circle of InfoSec friends, and maybe, if I was lucky, I might end up with a job out of it. Then I realised something, and some people might disagree, but it’s my blog, not yours..
“You don’t have to work in Security, to be in Security”
Not really groundbreaking, is it, but it’s important because, well, it’s the point of this post. Over the last 18 months I’ve done a fair few bits and pieces for “the community”: I’ve met some awesome people, done some awesome things and have even more awesome things on the horizon, and 98% of that was from the community. If people tell me Security is just my hobby my first reaction is to tell them to “do one”, because I have hobbies and they don’t consume the amount of time I put into projects, blogging and helping with events. Hobbies don’t consume your time like this does; they don’t push you to go further, learn more, make yourself better and give you that feeling that you can make a difference. This isn’t a hobby, and it’s not my career either, but that doesn’t make it any less; it’s part of who I am and always will be.
So if you are just starting in Security and find yourself a little unmotivated because you can’t find that dream Security job or you are finding the community a bit “cliquey” here are my top tips:
1. Write it and they will come – Remember that awesome blog post (not this one) you read about the latest exploitation technique? Or that tool you used? Someone took the time to write that and then, out of the goodness of their heart, gave it away for free to YOU. Don’t you think it would be nice to repay the favour?? Seriously, if you just start writing code, making videos or writing articles, people will find them, share them and slowly over time you will find yourself more involved in the community than you ever expected.
2. Twitter isn’t just about your latest bowel movement – Follow people on Twitter; it’s a good way to find the people who post all that useful stuff you read. Interact with them by all means, but remember this.
To start with they will probably ignore you, won’t follow you and generally see you as noise on their timelines, but give it time and slowly you will get there. I get more followers on Twitter from blog posts/code releases than just by talking to people, and just accept that some people are very picky about following back or even replying if you mention them in Tweets.
3. You’re never alone – In the UK there aren’t a lot of conferences or CTF events, and only a limited number of other events; if there isn’t anything in your area then start something. If you want to be part of the community then sometimes you have to make it happen. If you want to organise a monthly Security focused meeting in your area then do it; don’t let people tell you you can’t, because, well, you can. Even if only 1 other person turns up that’s 1 person you didn’t know who shares the same interests as you (unless it’s your mum).
4. It’s up to you – If you want to make Security just a hobby, then that’s fine. If you want to make it a career, that’s awesome, but it’s up to you to decide and, more importantly, it’s up to you to make it happen. Don’t let other people label what your passions, dreams or ambitions are; they are yours and no one else’s.
OK that’s the rant over with. Thanks for listening.
Code: PDF hunter
So of late I’ve been playing around a lot with Scapy and pcap files, mostly for my sniffMyPackets project but also because it teaches me more about network forensics and python. The other area I’m starting to learn about is Malware Analysis and I’ve been spending some time looking at the Honeynet Project challenges.
One of the challenges is to find the malicious content within a PDF file that is provided to you in a pcap file. Normally I would just reach for Network Miner and rebuild the file(s) that way, but I wanted to see if I could write some code myself.
The goal of my code was simple: parse through a pcap file, identify a PDF and then rebuild the file so that if a tool such as exiftool or file was run against it, it would correctly be identified as a PDF, and so that you could open the PDF and view the content (if you wanted to).
I follow a certain process when I’m carving up pcap files; it’s not rocket science really, just common sense. First off, find the packets you are interested in (I tend to use a mix of Wireshark and Scapy for this), and then look for something you can use to filter down to the packets you want before getting into the nitty gritty of carving them up.
For this piece of code I needed some way of identifying a PDF file in a pcap file. As most PDF files will appear in a pcap file as part of an HTTP conversation, I parse each packet and, if the packet has a Raw layer (a Raw layer in Scapy is essentially the payload of a packet), I look for ‘Content-Type: application/pdf’. If this is matched then I store the TCP ACK number as a variable for use later.
Now once I have the ACK number I need to find all the packets that relate to it in order to get the whole file. It turns out the ACK is the same for all the packets that the PDF download is in (something I didn’t realise until I started this), so it’s a simple case of using the following code to find all the packets I’m after:
from scapy.all import rdpcap, TCP, Raw
pkts = rdpcap(pcapfile)  # pcapfile and ack are set earlier in the script
cfile = []  # payloads that make up the PDF, in capture order
for p in pkts:
    # keep data-carrying TCP segments whose ACK or SEQ matches the stored ACK
    if p.haslayer(TCP) and p.haslayer(Raw) and (p.getlayer(TCP).ack == int(ack) or p.getlayer(TCP).seq == int(ack)):
        raw = p.getlayer(Raw).load
        cfile.append(raw)
If either the TCP ACK or SEQ matches our stored ACK variable we get the Raw layer and store it in a Python list. This means that we now have (hopefully) all the packets that make up the PDF stored nicely away, and because it’s a TCP conversation they should all be in the right order.
Now that we have all the packets we write those out to a temporary file. It’s a temporary file because if you were to open it in a text editor you would see all the HTTP headers at the top and the bottom, which means if you ran file against it you would get back a file type of “data” and not “PDF” (which is what we are after).
So we then have to do some Python magic (well, I think it’s magic) to slice the rubbish out. Now this is the part that took me the longest to figure out. If you have ever looked at a PDF file in a text editor (I wouldn’t blame you if you haven’t), you would notice that they start with “%PDF-” and end with “%%EOF”, so finding the start of a PDF file is easy; the problem is that a PDF file can have multiple %%EOF markers towards the end of the file and I kept cutting at the wrong point.
To fix this I came up with a bit of a long-winded way of carving the temporary file up (see the code below):
# Open the temp file, cut the HTTP headers out and then save it again as a PDF
# (start, end, tmpfile and outfile2 are set earlier in the script:
#  start = str('%PDF-'), end = str('%%EOF'), outfile2 is the opened output file)
total_lines = 0
firstcut = 0
secondcut = 0
final_cut = 0
f = open(tmpfile, 'r').readlines()
total_lines = len(f)
# first cut: the line holding the PDF header (the first match is the header,
# anything before it is HTTP)
for x, line in enumerate(f):
    if start in line:
        firstcut = int(x)
        break
# second cut: the LAST line holding %%EOF, because a PDF can carry several;
# +1 so that line itself is kept
for y, line in enumerate(f):
    if end in line:
        secondcut = int(y) + 1
if secondcut == 0:
    # no %%EOF found at all: keep everything to the end rather than cut it all away
    secondcut = total_lines
f = f[firstcut:]
if int(total_lines) - int(secondcut) != 0:
    # lines after the last %%EOF are trailing HTTP noise, slice them off
    final_cut = int(total_lines) - int(secondcut)
    f = f[:-final_cut]
    outfile2.writelines(f)
    outfile2.close()
else:
    outfile2.writelines(f)
    outfile2.close()
If you read Python, awesome; if you don’t, here’s what happens.
First off I open the temporary file and count the number of lines. I look for the variable I declared at the start of the code as start (which is this: start = str('%PDF-')); if that’s matched it stores the line number as the variable firstcut.
I then need to find the last cut, so I look for the variable end (which is this: end = str('%%EOF')). Now remember I said a PDF can have multiple EOF statements; well, I get round that because Python overwrites the variable secondcut each time it’s matched, so the last line with EOF is always the one used. I also add a +1 to the line number because, for the next chunk of code, if I didn’t I would actually cut the final %%EOF line out of the file (I know this because I did it, before realising what was happening).
So we now do a simple little IF statement to make sure that there is something at the end of the file to cut (sometimes there isn’t on the pcap files I’ve used/made), and if there is we slice the bad HTTP headers out before saving the file. If there isn’t anything to cut then we just save the file.
Hopefully that makes sense to non-python people (I can but hope).
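As an added example (my code, not the PDFHunter script from the repo), here is the same carving done on bytes rather than text lines, which also copes with binary PDF content and the multiple-%%EOF trailer; the segment layout, the HTTP response and the PDF are constructed, and the sort-by-sequence-number reassembly is my addition, since the script above relies on capture order.

```python
# Added example, not the PDFHunter code: rebuild one HTTP download from its
# TCP segments and carve the PDF out of the bytes rather than out of lines.
# Everything below (segment layout, the HTTP response, the PDF) is constructed.

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"


def reassemble(segments):
    """Join (seq, payload) pairs from the server side of one TCP conversation.

    Payloads are ordered by sequence number instead of capture order, and a
    retransmitted segment (same seq seen twice) is kept only once, so a noisy
    capture does not duplicate part of the file.
    """
    by_seq = {}
    for seq, payload in segments:
        by_seq.setdefault(seq, payload)
    return b"".join(by_seq[seq] for seq in sorted(by_seq))


def http_header_says_pdf(stream):
    """The same trigger the script uses: the response header names a PDF."""
    head, sep, _body = stream.partition(b"\r\n\r\n")
    return sep != b"" and b"content-type: application/pdf" in head.lower()


def carve_pdf(stream):
    """Return the PDF inside a reassembled HTTP stream, or None.

    The file starts at the first %PDF- (everything before it is the HTTP
    header) and ends after the LAST %%EOF: an incrementally updated PDF has
    one %%EOF per revision, so cutting at the first one truncates the file.
    """
    first = stream.find(PDF_MAGIC)
    if first == -1:
        return None
    last = stream.rfind(PDF_EOF)
    if last < first:  # covers -1 (not found) as well
        return None
    end = last + len(PDF_EOF)
    # keep the line ending that follows the final marker, if there is one
    for newline in (b"\r\n", b"\n"):
        if stream.startswith(newline, end):
            end += len(newline)
            break
    return stream[first:end]


def hunt_pdf(segments):
    """Full pipeline: reassemble, confirm it is a PDF response, carve it."""
    stream = reassemble(segments)
    if not http_header_says_pdf(stream):
        return None
    return carve_pdf(stream)


# Constructed sample: a PDF with an incremental update (two %%EOF markers),
# served in three segments that arrive out of order, with one retransmitted.
PDF_BODY = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog>>endobj\n"
    b"trailer<</Root 1 0 R>>\nstartxref\n9\n%%EOF\n"
    b"2 0 obj<</Type/Page>>endobj\n"
    b"trailer<</Root 1 0 R>>\nstartxref\n80\n%%EOF\n"
)
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b"Content-Length: %d\r\n\r\n" % len(PDF_BODY)
) + PDF_BODY
SEGMENTS = [
    (1060, HTTP_RESPONSE[60:120]),
    (1000, HTTP_RESPONSE[:60]),
    (1060, HTTP_RESPONSE[60:120]),  # retransmission of the second segment
    (1120, HTTP_RESPONSE[120:]),
]

if __name__ == "__main__":
    pdf = hunt_pdf(SEGMENTS)
    print("carved %d bytes: starts %r, ends %r" % (len(pdf), pdf[:8], pdf[-6:]))
```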
I’ve tested this on a number of different pcap files that have PDF downloads in them and it works: I can open and view the PDF, and if I run file or exiftool against it then it appears as a normal PDF. I’m sure there are some cases when it won’t work 100%, but if you find something that doesn’t, let me know so I can try to fix it.
The code can be found here: https://github.com/catalyst256/PDFHunter (in my ever-growing GitHub repo). Oh and I’ve added this function into my sniffMyPackets transform pack.
Enjoy!
Coming Soon: The very unofficial dummies guide to scapy..
So the last few weeks have been busy for me in terms of throwing myself into learning more about InfoSec, I’ve attended my first BSides event, made some new friends and published my year-long training plan.
One of the outcomes from attending BSides was my declaration that next year I would do a track 3 talk, and I decided that it would be on scapy (not sure why it just seems like a really cool tool). So I have included scapy on my aforementioned training plan and since then I’ve started playing around with it.
Then a week or so ago (time flies by so quickly) @balgan tweeted about the lack of a scapy guide. At the time I thought it would be cool if such a thing existed but gave no more thought to it. That is until today; today I decided that I was going to write what shall now be known as “The very unofficial dummies guide to scapy”… no, I’m not making it up. I’ve decided that, as an official scapy dummy, why not write a guide as I go, that will both reinforce what I learn and maybe give back to the InfoSec community in some small way.
Now this guide is not going to be a huge bible of commands and examples; what it is going to be is a concise guide to building packets, seeing the results and providing examples of actual things you can do with it, basically something you can read in a few hours, follow the examples and write some packets.
I am well aware that you can find a lot of scapy related documentation on the internet, but although the end result might not be any different to a few hours googling for things, that’s not the point. The point is really the same as this blog: I write about stuff I want to; if you find it useful that’s awesome, if not, oh well, never mind..
However, if you think this isn’t actually a bad idea and you’ve used scapy for real world things then let me know. If you know of something that scapy is really cool at doing drop me a line and I will include it in the guide. Remember this is a guide for the community so why not contribute if so inclined..
Environment Disclosure via #shodan
First off, a big thanks to @achillean and his awesome website over at http://www.shodanhq.com; the amount of information that gets collected and stored is mind-blowing. I had a brief email conversation with John when I decided to write this blog and at the time there were over 70 million records stored in ShodanHQ.
So to the point of this blog post: in my current job I work a lot on e-commerce type stuff, mostly because I’m responsible for the load balancers we use (if you’ve read this blog before you might be able to guess what they are..). Part of that work means every now and again I get sent the output of our regular pen tests to answer questions or fix “holes”.
One of the most common “holes” I fix is what the external pen testers call “Environment Disclosure Information“, which in layman’s terms means you are giving out more information than you should to external people when they visit your websites.
This is an example HTTP header extract from a website, which will highlight the sort of stuff I mean:
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, no-transform, private
Content-Length: 43
Content-Type: image/gif
Date: Sun, 13 May 2012 10:35:11 GMT
Etag: "4FAF8E5F-48B6-0D239661"
Expires: Sat, 12 May 2012 10:35:11 GMT
Last-Modified: Mon, 14 May 2012 10:35:11 GMT
Pragma: no-cache
Server: Omniture DC/2.0.0
Vary: *
X-C: ms-4.4.5
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www4
Now remember I’m no security expert, but to me this amount of “free” information about your web environment is both unnecessary and, well, to be fair, a bit sloppy.
Looking at the HTTP header above an unethical type of person can determine the type of server you are running (Server: Omniture DC/2.0.0) and the version it’s running, which would make it easier when looking for known vulnerabilities, and you can tell that they have at least 4 web servers (xserver: www4) providing this content (which means some sort of load balancing).
This is another HTTP header from a rather “large” software company that like Marmite you either love or hate..
Cache-Control: max-age=0
Connection: close
Content-Length: 12941
Content-Type: text/html; charset=utf-8
Date: Sun, 13 May 2012 10:40:24 GMT
Expires: Sun, 13 May 2012 10:39:24 GMT
PPServer: PPV: 30 H: BAYIDSLGN1H57 V: 0
Server: Microsoft-IIS/7.5
Set-Cookie: MSPRequ=lt=1336905624&co=1&id=64855; path=/;version=1
MSPOK=$uuid-b9356970-ea8a-491c-8c62-f367d9460ca3;
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 0
p3p: CP="DSP CUR OTPi IND OTRi ONL FIN"
Again you will see that the Server: HTTP header is still there, so is this really a security concern? Do pen testers just highlight it as something to put in a report??
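As an added example (my code, not anything from the original post or the pen test reports it mentions), here is a small Python audit that parses a header block like the ones above, flags the headers a report would list under Environment Disclosure, and shows the same block as a load balancer rewrite policy should leave it. Which header names count as disclosure and the severity labels are my own choices; the sample input is the Omniture response quoted above.

```python
# Added example, not from the original post: audit an HTTP response header
# block for the "Environment Disclosure" a pen test report would list, and
# show the same block as a load balancer rewrite policy should leave it.
# Which headers count as disclosure, and the severity labels, are my choices.
import re

# headers whose values commonly name the product, its version or a backend host
DISCLOSURE_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
    "via", "xserver", "x-c", "ppserver",
)
# a digit after a slash ("IIS/7.5") or a dotted version token ("4.4.5")
VERSION_RE = re.compile(r"/\s*\d|\b\d+\.\d+(?:\.\d+)*\b")

# the Omniture response quoted in the post, used as sample input
SAMPLE_OMNITURE = """\
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, no-transform, private
Content-Length: 43
Content-Type: image/gif
Date: Sun, 13 May 2012 10:35:11 GMT
Etag: "4FAF8E5F-48B6-0D239661"
Expires: Sat, 12 May 2012 10:35:11 GMT
Last-Modified: Mon, 14 May 2012 10:35:11 GMT
Pragma: no-cache
Server: Omniture DC/2.0.0
Vary: *
X-C: ms-4.4.5
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www4
"""


def parse_headers(raw):
    """Split a header block into (lowercased name, value) pairs.

    A status line and blank lines are skipped; a line without a colon (for
    example a wrapped cookie value) is ignored rather than mis-parsed.
    """
    headers = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_headers(raw):
    """Return (severity, header, value, reason) for every disclosing header."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in DISCLOSURE_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append(("high", name, value, "product and version disclosed"))
        else:
            findings.append(("medium", name, value, "product or backend host disclosed"))
    return findings


def scrub_headers(raw):
    """The block with every disclosing header dropped, Server included: even
    a bare product name is more than a client needs to render the page."""
    kept = []
    for line in raw.splitlines():
        name, sep, _value = line.partition(":")
        if sep and name.strip().lower() in DISCLOSURE_HEADERS:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for severity, name, value, reason in audit_headers(SAMPLE_OMNITURE):
        print("%-6s %s: %s  (%s)" % (severity, name, value, reason))
    print(scrub_headers(SAMPLE_OMNITURE))
```

Run as is it reports Server and X-C as high and xserver as medium, and prints the block with those three lines gone, which is the output to compare a pen test finding against after a rewrite policy has been applied.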
Now onto the cool stuff (well, it’s cool to me). If you have ever used ShodanHQ you will know that there is an API available, and if you pay a small amount of $$ you can get a lot of functionality. I decided to use that API and write a Ruby script that would look through the 70 million records and give me the total number of results that matched some of the most popular HTTP Server headers.
This is my code (I have compared the numbers against individual searches with the same Server header).
#!/usr/bin/env ruby
require 'rubygems'
require 'shodan'

# Set your Shodan API Key
SHODAN_API_KEY = "enteryourapihere"

# Create the API object
api = Shodan::WebAPI.new(SHODAN_API_KEY)

# Define the array of Server headers you want to search for
array = ["Apache/2.4", "Apache/2.3", "Apache/2.2.21", "Apache/2.2.20", "Apache/2.2.19",
         "Apache/2.2.18", "Apache/2.2.17", "Apache/2.2.16", "Apache/2.2.15", "Apache/2.2.14",
         "Apache/2.2.13", "Apache/2.2.12", "Apache/2.2.11", "Apache/2.2.10", "Apache/2.2.9",
         "Apache/2.2.8", "Apache/2.2.6", "Apache/2.2.5", "Apache/2.2.4", "Apache/2.2.3",
         "Apache/2.2.2", "Apache/2.2.0", "Microsoft-IIS/7.5", "Microsoft-IIS/7.0",
         "Microsoft-IIS/6.0", "Microsoft-IIS/5.0", "Microsoft-IIS/4.0", "Microsoft-IIS/3.0",
         "Microsoft-IIS/2.0", "Microsoft-IIS/1.0", "nginx", "squid", "lighttpd"]

# For each value in array, search through Shodan and print the array value
# and the total number of matches against it
array.each do |header|
  d = api.search(header)
  puts "#{header}: #{d['total']}"
end
I know it’s nothing flash, but it works..
Now the results (drum roll please)…Bear in mind this isn’t all the web server versions, just the ones I could think of or find without spending hours crawling through the internet.
Results:
Apache/2.4: 465
Apache/2.3: 531
Apache/2.2.21: 229250
Apache/2.2.20: 72756
Apache/2.2.19: 72666
Apache/2.2.18: 4048
Apache/2.2.17: 351696
Apache/2.2.16: 444607
Apache/2.2.15: 328945
Apache/2.2.14: 517311
Apache/2.2.13: 141590
Apache/2.2.12: 81345
Apache/2.2.11: 346329
Apache/2.2.10: 89642
Apache/2.2.9: 743891
Apache/2.2.8: 420166
Apache/2.2.6: 97186
Apache/2.2.5: 63
Apache/2.2.4: 131883
Apache/2.2.3: 2854600
Apache/2.2.2: 28955
Apache/2.2.0: 65168
Microsoft-IIS/7.5: 681421
Microsoft-IIS/7.0: 749303
Microsoft-IIS/6.0: 3932895
Microsoft-IIS/5.0: 506169
Microsoft-IIS/4.0: 14731
Microsoft-IIS/3.0: 603
Microsoft-IIS/2.0: 37
Microsoft-IIS/1.0: 31
nginx: 1299084
squid: 192084
lighttpd: 503577
Yes yes I know, surely someone can’t be using IIS/1.0 but I did triple check that result..
To me that’s a lot of people who either don’t care about hiding this information, or like I said earlier it’s not really a big issue.
So let’s take it one step further: ShodanHQ also lets you search the exploitdb using the API. Using the Ruby script available from the documentation I ran it against Microsoft IIS/6.0 (the most popular IIS version from my research). Using the script I got 6 “known” exploits back (see below).
Results found: 6
3965: Microsoft IIS 6.0 (/AUX/.aspx) Remote Denial of Service Exploit
8704: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Vulnerability
8754: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)
8765: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)
8806: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (pl)
15167: Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service (MS10-065)
Now most of these might not be valid because of patching, but out of the 3,932,895 results there might be one or two that haven’t been patched??
I know that realistically you will never be able to hide everything that might or might not give unethical people an advantage if you become a target, but why make it easy for them??
So is this kind of free information really an issue? If you are pen tester does this kind of information help you when running a test or is it just accepted that it’s out there and available??
Let me know what you think.
What’s in your lab??
So to make things a bit easier as I wander along the path of self enlightenment (or in this case learning more about InfoSec) I thought it was about time I built some sort of “lab” at home, so I can get a better idea of what happens when I, say, run an nmap scan, and to give me something to scan against.
Now it may come as a surprise to you but in the 15 years I’ve worked in IT I’ve never had a server at home.. nope, never.. and to be honest I don’t think I need a server now to achieve the results I’m after. Now this is MY lab; it’s not huge, fancy or flash, but it is portable and it’s low maintenance.
So what did I want from my lab:
1. Simple to maintain
2. Flexibility
3. Performs the tasks I want (always good)
You see, some people would (and are entitled to) say that the point of a lab is so you can break things (and learn how to break things); for me the purpose of my lab was the opposite, well, sort of. You see, I know what firewall logs say during a port scan, but I don’t know what a port scan looks like in terms of the actual packets sent/received. I’ve got a lot to learn, and rather than download an “exploitable” VM and, well, exploit it, I wanted to start at the very beginning.
So my lab setup is very simple.
I have an HP Mini Note 2133 running Security Onion; this is for a mixture of packet captures and IDS alerts. It uses a wireless NIC for the management interface and its onboard LAN for the sensor. I have a Checkpoint Safe@Office 500 firewall which will have its WAN connection plugged into my home network, and I will open ports/services as I need to. Then finally I have my laptop, which I will use to either scan the firewall and/or write packets with Scapy, and run packet captures as I go.
My plan (it’s always good to have a plan) is to start with the firewall blocking everything, so I can review the packet captures and actually see the real responses back (as opposed to the script telling me); when I start working with Scapy I can write custom packets and see what effect that has. Then I can slowly start to open ports and compare the results with my initial baseline.
This of course might be the completely wrong way to do things, but to me it makes sense. If I can understand what happens in relation to the packets I hope it will give me a more complete understanding of how things work.
Below is a quick and simple diagram of my lab, written by the way with DroidDia (yes there is a droid version of Dia).
Let me know what you think (if you want) and I will let you know how I get on.
Adam
Man with a plan – My training plan
I’m not the most organised person, especially when it comes to staying focused on something (sorry, what was I talking about??). If you’ve read this blog before you would have picked up that I’ve decided to expand on my IT Security skills.
To that end I’ve created a 12 month training plan, nothing fancy just a list of technologies/software that I want to learn how to use better. It won’t make me an expert (I’m not that silly), but it will hopefully mean that come BSides London 2013 I might be able to give a track 3 talk.
The training plan includes Ruby (not Python for the time being), Wireshark, the Metasploit framework, nmap and a long period for scapy. I like the idea of being able to write packets, so I’ve dedicated a lot of time to this.
Along the way I will blog about my progress and hopefully start getting some more InfoSec related posts up here instead of my ranting about stuff..
Below is the training plan, feel free to pass any comments if you think I’ve missed anything obvious, my goal is to be able to run pen tests (against my own systems), without resorting to “automated” tools.
I’m also looking (still) for a UK-based InfoSec mentor, if any of you lot are feeling generous (I’m not expecting a lot, just answering some questions when I get stuck). If you’re up for it let @infosecmentors know.
Adam
Popping my cherry – B-Sides London 2012
On April the 25th 2012 a group of crack InfoSec professionals, enthusiasts, hobbyists and newbies (that’s me by the way) descended on the Barbican Centre in London for the security event of the year (in my opinion).
That’s right; B-Sides London 2012 had arrived.
Most of you probably already know what the B-Sides events are all about, so I won’t bore you with going over that. If you don’t, then go find the main website here: http://www.securitybsides.com, or the B-Sides London website here: http://www.securitybsides.org.uk/.
This was going to be my first B-Sides event and as I was reading the website to find out as much as possible before the event, there were two comments on the front page that really stood out for me.
The first was this: “built by the community for the community“. I’m still trying to find my way in InfoSec, but what makes it easier (and more fun) is the people that have the passion, drive, commitment and willingness to share their knowledge with people like me. Without community events like B-Sides (and there are others) trying to navigate your way around the world of InfoSec would be a lot harder.
The second comment was “So make BSidesLondon whatever you want it to be“. For me this was really important; I didn’t want to attend an event and be anonymous. I have a tendency in new environments to be a little bit shy, and I wanted to make the most of the day, meet new people and try to become part of the community rather than a lurker in the corner.
So with less than a week to the event, I volunteered to help out on the day, yes that’s right I was now on the crew roster for B-Sides London 2012. Due to work commitments I wasn’t able to get to the Barbican early to help out with setting up, but I would just like to say at this point a HUGE thank you to Iggy (@geekchickuk) and the rest of the B-Sides London crew for getting everything ready for the day and in fact for all their work during the day.
Working as crew on the day for me was awesome; I met a lot of new people and had a lot of fun. What did I do on the day? Well, if you bought raffle tickets between 10:00 – 12:00 from the table in the corner next to the guys from SANS, that was me (sorry about making you write out your own tickets), and in the afternoon (from about 14:30) I was on the swag desk. I may or may not have also been involved in the nerf rocket war between the B-Sides crew and the guys from MWR InfoSecurity.
In the end I only attended one talk, which was by Robin Wood on “Breaking in to Security” (check out the B-Sides London website because a lot of the talks were videoed and will be available to watch), but for me the day was still a success.
Would I help out again next year? Hell yeah, in fact I’ve already told Iggy I will, but next year I’m going to do a talk on Track 3 (that’s the turn up and talk about something track). I have no idea what about yet, but I’ve got a year to work that out.
See you all next year…
Adam
Don’t be shy, give it a try.. Mentoring
Apologies in advance if I ramble during this post or if it seems a bit long; there is a point to it and hopefully it will become clearer as we go.
DISCLAIMER: The following post is the random collections of my thoughts and opinions and has no bearing or relation to the InfoSec Mentor Project (which I think is great by the way).
Back in December last year, @securityninja wrote a blog post called “Random Thoughts on Education & Learning from @markofu”. The post was about security education, mostly in university courses, but I posted some comments about how difficult I found it to “break into” the InfoSec community. @markofu very kindly replied with some tips about what I could do, and one of the suggestions was the InfoSec Mentor project. I signed up to be a mentee and patiently (well, my version of patience anyway) waited to hear back.
Still with me?
Fast forward to March 2012 and at work I was promoted (yay me) to Technical Lead – Wintel. For those not sure what “Wintel” is, it’s basically Windows running on Intel servers. What it actually means is anything that is not Network or Midrange related (so quite a lot of things). One of my new functions in this role was to MENTOR people in areas I knew and understood.
I’m not what you would call a stereotypical “MENTOR” type. In a recent management “thing” other managers provided me with some 360 feedback (I think it’s called a Johari Window 360), and I managed to get zero ticks (that’s bad, I think) for the areas of Caring, Encouraging, Motivational and Formal (not too worried about the formal part, I do swear a LOT). Doesn’t sound like ideal MENTOR material, does it?? Added to that, I have a low threshold for people that ask me questions whose answers can easily be found out (I like people that at least try), and when asked “Have you tried Google?” they look at me blankly while they mouth the word “G O O G L E” as it sinks in.
So am I doomed in my new role to be a MENTOR.. well, to be honest, no. Although I have several flaws in what some might class as key areas to mentor people, I did get a lot of ticks (back to this Johari window thing) in areas such as Patient, Determined, Sociable, Dynamic and a few others. Why? I like to think it’s the passion and the experience I have that make up for those “fluffy” areas I lack in.
Just this week I started mentoring some of the Operations team on Netscalers. Netscalers are something I work on a lot, and I like to think I know a fair bit about them, and I’m passionate about them as a product. What does this matter? Well if you enjoy something and are passionate about it, giving the first of many 2 hour training sessions with no materials (other than a white board) and the knowledge in your head is easy and fun. I enjoyed sharing my knowledge with other people, they benefited from my experience and I got the chance to develop some of my softer skills.
So you’ve read all of this and none of it seems to have a point? OK, let me explain.. the InfoSec Mentor Project, to me, is something that is key to the growth of the InfoSec community, a place for people to connect with others and help build and develop skills. I still struggle to see how you can easily break into the world of InfoSec if you sit on the outside (and I’ve been trying and will continue to do so), so projects like this are really important.
The project will always need people to offer to be mentors (well, I would assume so) and no doubt you are thinking “I’m too busy” or “I’m not the mentor type”. Even if you can give a couple of hours a week, for someone out there that could be enough to help them; if the mentee has the drive and passion then a helping hand when they get stuck would be all that is required. Not sure you are the mentor type? Look through the post again; notice the words in BOLD? They are some of what I think are key behaviours for a mentor, but you don’t need all of them. It’s not just about what knowledge you will give to others but also about what you will get in return.
Maybe (and this is just me thinking out loud) even if you don’t work in InfoSec but you have rocking Ruby skills or are a Cisco wizard and you have some time to spare, the InfoSec Mentor Project could benefit from you too. InfoSec guys need good networking skills and help with code (yes, both apply to me), so maybe a forum where you can offer your time and answer questions from mentors and mentees alike??
Right, that’s me done ranting at you.. sorry, I mean persuasively getting my point across. Have time? Want to help the community? Go sign up to be a MENTOR.
Thanks.
Netscalers: Making sense of the cookie – the finale
So this is the final part of my Netscaler cookie series. If you haven’t read the other two blog posts you may want to, just so this makes a bit of sense..
All make sense now?? (probably not but it’s polite to ask)..
Before I get started I just want to clear something up: I am in no way, shape or form a programmer. It’s one of those areas that up until recently has made my head hurt (and not just from banging my head on the desk a lot), but it is an area that I want to improve on, and the best way for me to learn is to do.
So how do you end a series of blog posts about Netscaler cookies and how to decrypt them? Well, you write a program to do it for you. I decided to use Python for my little decryption program as it runs on both Windows and Linux (I’ve even tested it to make sure) and it seems to be used a lot by InfoSec types.
This is my first ever Python program/script/application, and in fact the very first time I’ve written something like this (unless you count the macro I wrote in Word 7 that did a substitution cipher), so while the code might not be perfect and is possibly badly written, the important thing is that it works.
Before I get to the part where I give you the link to the script (is script the right word?), here’s how it works (in basic terms).
The script is designed to do two things. First, it accepts a Netscaler cookie from the command line;
python nsccookiedecrypt.py NSC_rfse-gesfe-etsgsvs... (not the complete cookie)
It then runs two re.search calls to separate the cookie name (the Netscaler load balancer vserver name) from the server IP (the IP address of the back-end server you are persisted to).
Once it has these variables it performs two decryption actions. The first is the substitution cipher on the cookie name, which gives you the real service name (as the example below shows, every letter is simply shifted back by one place);
Service Name=qerd-fdred-dsrfrur-erdded
It then runs the XOR decryption with the key mentioned in Part 2 of the series to give you the server IP;
Server IP=63.17.71.92
Currently the script outputs both to the command line. It’s not exactly high-end coding, but it’s not a bad start for me.
You can find the script HERE. I’ve tested it on over a dozen real-life Netscaler cookies, so I’m 90% happy it will work in all cases, and it doesn’t use any fancy imports so you should be good to go with a standard Python install.
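The script itself is only linked above, so here is an added example of the same decoding, written for this page rather than taken from the blog’s nsccookiedecrypt.py. It goes a bit further than the two fields described above: it also pulls out the back-end port, and it expects the full cookie layout (ffffffff, 8 hex chars of XORed IP, a 24-character fixed section, then 4 hex chars of XORed port) rather than the truncated sample shown. The letter shift of one is taken from the worked example on this page; the XOR keys (0x03081e11 for the IP, 0x3630 for the port) are the publicly documented values, since the key from Part 2 isn’t restated here; leaving digits and punctuation unshifted is an assumption. The sample cookie in the block is constructed by hand, not captured from a real appliance.

```python
import re
import socket
import struct
import sys

# Added example for this post, not the blog's own nsccookiedecrypt.py.
# Decodes a NetScaler persistence cookie laid out (hex) as:
#   NSC_<obfuscated vserver name>=ffffffff<ip:8><constant:24><port:4>
# Assumptions: the name is the vserver name with every letter shifted one
# place (the page's own example shows r->q, f->e, s->r); non-letters are
# assumed to pass through unchanged. The XOR keys below are the publicly
# documented ones; the blog's "key from Part 2" is not restated on this page.
IP_XOR_KEY = 0x03081E11
PORT_XOR_KEY = 0x3630

COOKIE_RE = re.compile(
    r"^NSC_(?P<name>[^=\s]+)="
    r"(?P<prefix>[0-9a-f]{8})"   # usually ffffffff
    r"(?P<ip>[0-9a-f]{8})"       # back-end IP XOR IP_XOR_KEY
    r"(?P<mid>[0-9a-f]{24})"     # fixed filler between IP and port
    r"(?P<port>[0-9a-f]{4})",    # back-end port XOR PORT_XOR_KEY
    re.IGNORECASE,
)


def decode_name(encoded):
    """Shift every ASCII letter back one place, wrapping a -> z (A -> Z)."""
    out = []
    for ch in encoded:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - 1) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - 1) % 26 + ord("A")))
        else:
            out.append(ch)  # assumption: digits, '-' and '_' are not shifted
    return "".join(out)


def decode_ip(hex_ip):
    """XOR the 32-bit field with the key and render it as a dotted quad."""
    raw = int(hex_ip, 16) ^ IP_XOR_KEY
    return socket.inet_ntoa(struct.pack("!I", raw))


def decode_port(hex_port):
    """XOR the 16-bit field with the port key."""
    return int(hex_port, 16) ^ PORT_XOR_KEY


def decode_cookie(cookie):
    """Return {'vserver', 'ip', 'port'}, or raise ValueError when the cookie
    does not have the full expected shape (for example a truncated sample),
    rather than XORing garbage into a plausible-looking address."""
    m = COOKIE_RE.match(cookie.strip())
    if m is None:
        raise ValueError("not a full NetScaler persistence cookie: %r" % cookie)
    return {
        "vserver": decode_name(m.group("name")),
        "ip": decode_ip(m.group("ip")),
        "port": decode_port(m.group("port")),
    }


# Constructed sample (not a captured cookie): vserver "lb-web01" pointing at
# 10.1.2.3:8080, encoded by hand with the rules above.
SAMPLE_COOKIE = "NSC_mc-xfc01=ffffffff09091c1245525d5f4f58455e445a4a4229a0"

if __name__ == "__main__":
    for arg in sys.argv[1:] or [SAMPLE_COOKIE]:
        result = decode_cookie(arg)
        print("Service Name=%s" % result["vserver"])
        print("Server IP=%s" % result["ip"])
        print("Server Port=%d" % result["port"])
```

Run it with no arguments to decode the constructed sample, or pass one or more real cookies on the command line as with the original script. A truncated cookie like the one quoted above is rejected with a ValueError instead of producing a bogus IP, which is the check you want before putting a decoded “internal” address into a report.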
If you find any bugs or want to let me know how to make it better, please drop me a line. Over time, once I get better at coding, I will probably improve it. I’ve created a new “Page” on my blog with links to the code and hopefully over time I will add to it.
If you want to modify the script for your own uses, please do; however, please let me know so I can keep tabs on how it’s being used and what I can do to improve it.
I would like to thank Alejandro Nolla for inspiring me to write this (check out his load balancer finder) and Daniel Grootveld for helping me with the XOR decryption (and by help I mean stopping me from using an Excel spreadsheet).
Happy decrypting.
Netscaler: Making your own dashboards
Welcome reader(s). As you will come to learn, I will probably post a lot about Citrix Netscalers. The main reason for this is that where I work we have 9 Netscalers in total and I have the privilege of being the “Expert” on these wondrous hardware load balancers (OK, that’s enough fluffy talk about Netscalers).
The Citrix Netscalers are a very good piece of kit in terms of what they do; one area where I personally think they are lacking is reporting. The appliances have some built-in reporting that allows you to see some historical information, and a dashboard for “live” information.
Aside from the built-in reporting, Citrix have released a product called Citrix Command Center, which allows you to centrally manage some functions of the Citrix Netscaler (or Citrix WANscaler) from one dashboard. Command Center allows you to view service/service group/load balancer status, automatically download Netscaler config files from your appliances, and record appliance events and alerts, as well as execute predefined or custom scripts from Command Center against your appliances.
Don’t get me wrong, this is useful in its own right and is a good addition to your estate if you have Netscaler appliances; however, I needed something a little less complex for our 24/7 Control Center: a read-only portal showing just the information needed for support.
The good thing about Command Center (in my opinion) is that it runs on Microsoft SQL Server, which means I can use my limited SQL skills to pull out the data I want for my dashboards and throw it into a web page (again, I’m not a web developer). The main areas of focus for my dashboards were:
1. Last 50 Events
2. GSLB Service Status (we use GSLB for site fail-over)
3. Service/Service Group Status
NOTE: This article only covers the SQL part of making your own Dashboard, I will leave the web page design to my readers as I’ve only worked on IIS (unless there are a lot of requests for this).
My first task was to get my head around the database schema for Command Center. Thanks to the wonders of Visio I “reverse engineered” the database into a Visio diagram so I could refer to it without having to go through each table. The database schema can be found HERE to save you the trouble (it’s a PNG to avoid any issues with not having Visio installed).
Right so we have our database, copy of the database schema and we know what we are looking for. Time to find that data and put it in the format I want (feel free to change this).
NOTE: I’ve started and ended each query with [Query Start] and [Query End]; you do not need to include these in your query. Anything in UPPERCASE with _ separating words needs to be replaced with your own values (just query the table to see all the results to get a better idea).
1. Last 50 Events – This is a very useful report: not only does it show the state changes but also any config changes, logins etc. If someone reports a “Netscaler Issue” this is the first place I check, and you can change it to show as many events as you want. The SQL query for this is a straightforward one, as seen below.
[Query Start]
--Netscaler Command Center
--Last 50 Events displayed in date order (most recent first)
--Written by IT Geek 20/10/2011
SELECT TOP 50
    --TTime is milliseconds since the Unix epoch. The +3600 adds one hour for the local
    --timezone offset; it is a fixed offset, so it won't follow daylight-saving changes
    --and might not be necessary for your appliance
    DATEADD(s, TTime/1000+3600, '19700101') AS [Date & Time],
    --Within this CASE statement I change the native IP address of the Netscaler Appliance to a more "Friendly Name"
    CASE Source
        WHEN 'NETSCALER_IP' THEN 'FRIENDLY_NAME'
        --Any appliance not listed above keeps its raw IP rather than showing as NULL
        ELSE Source
    --I've changed the headers to more friendly headings using the AS statement
    END AS [Source], text AS [Events], entity AS [Description]
--The table for the Events is called "Event"
FROM Event
--You can change this WHERE statement to exclude entries you don't want to see or aren't interested in, or you can just remove it.
WHERE entity NOT LIKE 'Power%' AND text NOT LIKE 'User: #nsinternal#'
ORDER BY [Date & Time] DESC
[Query End]
Hopefully (and I have tested them) this should display the last 50 events from Command Center when run in a query window.
2. GSLB Service Status – In our configuration we have GSLB set up to allow our Active/Passive configuration to be failed over between our data centres. The GSLB dashboard shows which service on which site is Up, Down, Out of Service or Going Out of Service (these are the states the Netscaler reports).
The SQL query for this is a bit more complex; on my dashboard I use one query for the local site and another for the remote site and then display them side by side.
[Query Start]
--Netscaler Command Center
--GSLB Service Status
--Written by IT Geek 20/10/2011
SELECT
    *
FROM
(
    SELECT
        *,
        --Number each GSLB service's polls newest first so the outer WHERE can keep only the latest one
        ROW_NUMBER() OVER (PARTITION BY [Netscaler], [GSLB Name] ORDER BY [Last Polled Time] DESC) AS RecentFirst
    FROM
    (
        SELECT DISTINCT
            --Within this CASE statement I change the native IP address of the Netscaler Appliance to a more "Friendly Name"
            --because they are an HA pair they are displayed as 2 IPs for each site
            CASE NSIP
                WHEN 'NETSCALER_1_IP' THEN 'FRIENDLY_NAME'
                WHEN 'NETSCALER_2_IP' THEN 'FRIENDLY_NAME'
                ELSE 'UNKNOWN'
            END AS [Netscaler],
            --EPTime is milliseconds since the Unix epoch. The +3600 adds one hour for the local
            --timezone offset (fixed, so it won't follow daylight saving) and might not be necessary for your appliance
            DATEADD(s, EPTime/1000+3600, '19700101') AS [Last Polled Time],
            SVCFULLNAME AS [GSLB Name],
            --svcstate is the Netscaler's numeric state code; anything not mapped below shows as UNKNOWN
            CASE svcstate
                WHEN '4' THEN 'Out of Service'
                WHEN '1' THEN 'Down'
                WHEN '7' THEN 'Up'
                WHEN '5' THEN 'Going Out of Service'
                ELSE 'UNKNOWN'
            END AS Health,
            SVCIP AS [Internal IP],
            SVCPORT AS [Port]
        FROM MESERVICES
    ) RAWDATA
) SEQUENCED
WHERE
    SEQUENCED.RecentFirst = 1
    AND
    (
        CASE
            --Within this CASE I tell my SQL query to ignore GSLB services that belong to the remote site and then
            --vice versa (trust me it works)
            WHEN [Netscaler] = 'REMOTE_FRIENDLY_NAME' AND [GSLB Name] NOT LIKE 'GSLB_SERVICE_NAME_LOCAL_SITE' THEN 1
            WHEN [Netscaler] = 'LOCAL_FRIENDLY_NAME' AND [GSLB Name] NOT LIKE 'GSLB_SERVICE_NAME_REMOTE_SITE' THEN 1
            ELSE 0
        END
    ) = 1
    AND
    --This AND is used to only show the site you are interested in. I use a '%name%' pattern to specify it,
    --but that depends on your naming convention
    [GSLB Name] LIKE '%SITE_NAME_TO_CHECK%'
ORDER BY [GSLB Name], [Netscaler]
[Query End]
I admit this query might not make sense when you look at it here, but if you want to use it then drop me an email and I would be happy to sort out my ramblings into something sensible.
3. Service/Service Group Status – This last query lets me check the status of service group members, as well as showing me the relevant server IP and port details. It comes in handy when we get complaints about something not working.
[Query Start]
--Netscaler Command Center
--Service Group member status
--Written by IT Geek 20/10/2011
SELECT
    *
FROM
(
    SELECT
        *,
        --Number each member's polls newest first so the outer WHERE can keep only the latest one
        ROW_NUMBER() OVER (PARTITION BY [Netscaler], [Service Group Name], [Server IP] ORDER BY [Last Polled Time] DESC) AS RecentFirst
    FROM
    (
        SELECT DISTINCT
            --Within this CASE statement I change the native IP address of the Netscaler Appliance to a more "Friendly Name"
            --because they are an HA pair they are displayed as 2 IPs for each site
            CASE NSIP
                WHEN 'NETSCALER_1_IP' THEN 'FRIENDLY_NAME'
                WHEN 'NETSCALER_2_IP' THEN 'FRIENDLY_NAME'
                WHEN 'NETSCALER_3_IP' THEN 'FRIENDLY_NAME'
                WHEN 'NETSCALER_4_IP' THEN 'FRIENDLY_NAME'
                ELSE 'UNKNOWN'
            END AS [Netscaler],
            --EPTime is milliseconds since the Unix epoch. The +3600 adds one hour for the local
            --timezone offset (fixed, so it won't follow daylight saving) and might not be necessary for your appliance
            DATEADD(s, EPTime/1000+3600, '19700101') AS [Last Polled Time],
            SVCGRPFULLNAME AS [Service Group Name], SVCGRPMMBRIP AS [Server IP], SVCGRPMMBRPORT AS [Server Port],
            --SVCGRPMMBRSTATE is the Netscaler's numeric state code; anything not mapped below shows as UNKNOWN
            CASE SVCGRPMMBRSTATE
                WHEN '4' THEN 'Out of Service'
                WHEN '1' THEN 'Down'
                WHEN '7' THEN 'Up'
                WHEN '5' THEN 'Going Out of Service'
                ELSE 'UNKNOWN'
            END AS Health
        FROM MESVCGROUP
    ) RAWDATA
) SEQUENCED
WHERE
    SEQUENCED.RecentFirst = 1
    AND
    --Drop rows from any appliance that isn't mapped to a friendly name above
    [Netscaler] <> 'UNKNOWN'
ORDER BY [Service Group Name], [Netscaler], [Last Polled Time] DESC
[Query End]
You will have to excuse me if my commenting isn’t up to standard, but as I’m not used to doing it I wasn’t sure what to include. Any questions, please let me know and I will be happy to help.
Hope this can be of help to you (only if you have Netscalers).
The Geek


