Category: Network Monitoring

Feb 08 2011

Network Miner 1.0 released

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

Now that we have the explanation out of the way, I would like to really start by saying how excited I was when I saw an announcement on the Pauldotcom mailing list about version 1.0 being released. I have been using this tool for a while after being introduced to it on an episode of hak5 a while back, and since then it has been one of my favorite applications for parsing PCAP files and looking for goodies.

This new release has lots of new features to keep you busy for a while:

  • Support for Per-Packet Information header (WTAP_ENCAP_PPI) as used by Kismet and sometimes Wireshark WiFi sniffing.
  • Extraction of Facebook as well as Twitter messages into the Messages tab. Added support to extract emails sent with Microsoft Hotmail (i.e. Windows Live) into the Messages tab.
  • Extraction of twitter passwords from when settings are changed. Facebook user account names are also extracted (but not Facebook passwords).
  • Extraction of gmailchat parameter from cookies in order to identify users through their Google account logins.
  • Protocol parser for Syslog. Syslog messages are displayed on the Parameter tab.

You can read the complete change-log here for more details.

If that is not enough to make you want to try this application out, I don’t know what else is. I fired up version 1.0 for a few minutes before writing this article and I was pretty impressed with my results. I was able to quickly and easily harvest all images browsed from my PC and IRC chat logs, identify key information about hosts on my network (ports, OS type, service version numbers) and much more, without needing to run a noisy port scanner.

Q&A with Main developer of NetworkMiner

Question: What was the purpose behind developing NetworkMiner?

Answer: I started developing NetworkMiner back in 2006 while I was working with SCADA security for a major electric utility company in Europe. My idea was to give network admins and process control engineers a view of what hosts are actually on the network as opposed to what their documentation said. The reason for building a passive sniffer instead of yet another port scanner was that SCADA and process control networks tend not to handle port scans very well, and I sure didn’t wanna bring down the network of a running plant!

Q: How many core developers are involved with this project?
A: I’m the only developer of NetworkMiner.

Q: Which group of individuals do you think can benefit mostly from this application (Forensics investigators, pentesters, network admins, etc)?

A: NetworkMiner today is primarily designed for computer security incident responders and law enforcement who need to do forensic analysis of network traffic.

Q: How long has version 1.0 been in development?

A: I’ve been working on the 1.0 release of NetworkMiner since June 2010. The last three months before the release were spent on testing and validating the release. I also have a beta testing group, consisting of talented network forensics professionals, who have provided additional validation of the release.

Q: What key features would you like to highlight in this release, in the free as well as the paid version?

A: Some of the major improvements are:
In addition to what’s listed above, the Professional version of NetworkMiner also includes a protocol identification feature, which can identify what application layer protocol is being used in order to apply the appropriate protocol parser. This means that running an FTP or web server on a non-standard port will not be sufficient to fool NetworkMiner Professional.

You can also export the results from the various tabs in NetworkMiner Professional into a CSV file that can be opened with Excel or OpenOffice. The Professional release also includes a command line version of NetworkMiner, which comes in very handy when you need to wrap the pcap parsing functionality into a shell script or an automated environment for traffic analysis.

Q: Are there any plans to make a Nix version of this application?

A: I have plans to look further into Mono (http://www.mono-project.com) to build cross-platform support for NetworkMiner, but implementing new features has to date had higher priority for me. It is, however, possible to run NetworkMiner from Linux by using Wine already today.

Q: What is the recommended deployment strategy to properly maximize NetworkMiner’s potential (GB nic, dual nic, physical vs vmware guest etc)?

A: My recommendation for achieving a reliable and fast traffic capture solution is to use a physical FreeBSD machine running dumpcap for traffic capture. You can then open the pcap files from dumpcap with NetworkMiner for analysis on a Windows machine. When analyzing malware I actually recommend running NetworkMiner on a virtualized Windows machine without any network support, in order to minimize the risk of spreading the malware. NetworkMiner does not use much RAM, but can be fairly CPU and disk intensive. So make sure you have a fast processor and an HDD with fast access times and high write speed.

Q: If someone wants to learn more about this application, provide feedback or report bugs what’s the best way to go about this?

A: The best way to learn more about NetworkMiner is to follow my blog at http://www.netresec.com/?page=Blog . Feedback, in the form of for example help or feature requests, can be posted to SourceForge at http://sourceforge.net/projects/networkminer/support

You can download NetworkMiner from any of the following URLs, so go get your copy and start to spread the word:
http://www.netresec.com/?page=NetworkMiner
http://sourceforge.net/projects/networkminer/
http://networkminer.sourceforge.net/

I must give a special thank you to Erik Hjelmvik, developer of NetworkMiner, for taking time out of his busy week to help us understand a little bit more about this awesome project.

Jul 09 2010

Cleaning up your access list

As a Network Admin you will soon realize that after a few months of adding various ACL rules there comes a time when you need to go back and consolidate those rules before they get out of hand.

Now that most cloud providers are moving away from the traditional TCP ports (80, 443) and towards non-standard ports (8800, 3995), your job as a Network Admin requires you to plan a bit more.

Normally, if I got a call that a user is unable to access a certain website, I would first verify whether it is a “URL filtering” issue or a “Firewall” access issue. If I determined that it is the latter, I would write a typical ACL and grant the user access after the requested service has been tested.

For instance, if you receive a call about a single user not being able to access website X on port 5454, you can write a basic ACL rule (using the host keyword so that only that user and that server are matched, rather than a whole /24 on each side):

access-list external_access extended permit tcp host 192.168.10.5 host 69.196.224.24 eq 5454

Now the above rule would work just fine, but think about it: if you receive about 10-15 of those requests a day, your firewall will be a mess after a while. The way to take care of this is by using Network Objects and Groups in a rule.

Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or an AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.

Below is how you would accomplish this if you received, say, three requests for web-related access, all on different ports:

======================================
Creating object-groups and adding ports on a Cisco ASA firewall
======================================

config t
object-group service External_Access tcp
 description Access to external websites
 port-object eq 7778
 port-object eq 5454
 port-object eq 3322

object-group network External_Access_Users
 description Access to external websites
 network-object host 192.168.10.5
 network-object host 192.168.10.7
 network-object host 192.168.10.9

======================================
Creating the ACL and applying the object-groups
======================================
access-list acl_inside remark ***** External Websites Access *****
access-list acl_inside extended permit tcp object-group External_Access_Users any object-group External_Access

Now the next time you receive a request for external website access on a non-standard port, you simply add the port to the service group and the host IP to the network group, and you are set. That’s much easier on the eyes!
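As an added example (not part of the original post and not Cisco tooling), the Python script below takes per-request ACEs like the ones described above, groups them into the object-group form shown, and also reports how much wider the collapsed rule is than the originals, since a network group times a service group grants every listed host every listed port. The sample ACL lines, the object-group names and the one-host/one-port pattern it parses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of the one-ACE-per-request rules that pile up on an ASA;
# addresses and ports are made up. The last line (source "any") is outside the
# simple shape this script handles and is deliberately left alone.
SAMPLE_ACL = """\
access-list acl_inside extended permit tcp host 192.168.10.5 any eq 5454
access-list acl_inside extended permit tcp host 192.168.10.7 any eq 7778
access-list acl_inside extended permit tcp host 192.168.10.9 any eq 3322
access-list acl_inside extended permit tcp host 192.168.10.5 any eq 7778
access-list acl_inside extended permit udp host 192.168.10.5 any eq 514
access-list acl_outside extended permit tcp any host 10.1.1.10 eq 443
"""

# One source host, any/one destination, one port: the shape this post deals with.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>any|host\s+\S+)\s+"
    r"eq\s+(?P<port>\d+)\s*$"
)

def parse_aces(config):
    """Return the ACEs in config that match the per-host, per-port shape."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            ace = m.groupdict()
            ace["port"] = int(ace["port"])
            aces.append(ace)
    return aces

def consolidate(aces, min_aces=2):
    """Group ACEs by (acl, protocol, destination); keep groups with >= min_aces.
    Each group records its hosts, its ports and the original (host, port) pairs."""
    groups = defaultdict(lambda: {"hosts": set(), "ports": set(), "pairs": set()})
    for a in aces:
        g = groups[(a["acl"], a["proto"], a["dst"])]
        g["hosts"].add(a["src"])
        g["ports"].add(a["port"])
        g["pairs"].add((a["src"], a["port"]))
    return {k: g for k, g in groups.items() if len(g["pairs"]) >= min_aces}

def widening(group):
    """Number of (host, port) combinations the collapsed rule permits that no
    original ACE did: hosts x ports is a cross product, the originals were not."""
    return len(group["hosts"]) * len(group["ports"]) - len(group["pairs"])

def render(key, group, name):
    """Emit the ASA object-groups and the single ACE that replaces the group."""
    acl, proto, dst = key
    lines = [f"object-group service {name}_ports {proto}"]
    lines += [f" port-object eq {p}" for p in sorted(group["ports"])]
    lines.append(f"object-group network {name}_hosts")
    lines += [f" network-object host {h}" for h in sorted(group["hosts"])]
    lines.append(f"access-list {acl} extended permit {proto} "
                 f"object-group {name}_hosts {dst} object-group {name}_ports")
    return "\n".join(lines)

if __name__ == "__main__":
    for key, grp in consolidate(parse_aces(SAMPLE_ACL)).items():
        print(render(key, grp, "External_Access"))
        print(f"-- collapsed rule permits {widening(grp)} host/port pair(s) the originals did not")
```

Review the widening count before pasting the generated config: if it is not zero, the consolidated rule is broader than the tickets that justified the originals.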

If you have another way of achieving the same outcome, don’t hesitate to leave a comment; in the end it’s all about learning.

May 19 2010

DMZ does not stand for Dont Monitor Zone

Too many times we deploy a DMZ host and then just forget about it: we don’t apply security patches or software updates, or even set up any form of monitoring. Conversely, we spend most of our effort monitoring and analyzing our internal network.

I am aware that many factors such as manpower, budgeting or other things can affect this decision. Don’t get me wrong, I am not choosing one side over the other; I just think we should place an equal amount of importance on both. I was faced with the same challenges until I had a chat with Mick (http://twitter.com/bettersafetynet).

I will be showing how you can start monitoring your DMZ servers by simply installing Splunk (the free version, of course) and the SNARE event log forwarder for Windows. The idea is simple: follow this link to get Splunk up and running, then install Snare by following the instructions in the manual at http://www.intersectalliance.com/projects/SnareWindows/.

From here you just have to point your Snare client to your Splunk box and let the monitoring begin.

Testing:

After you have finished your deployment, the next thing you want to do is fire off a few test alerts so you can become familiar with the results. To achieve this I logged into one of the servers that I am monitoring, restarted a few services, launched cmd.exe, and ran a few commands. The commands and results are displayed below.

Fig 1: Restarting the Apache web server.

Fig 2: Splunk output.

Fig 3: Launching cmd.exe and executing a few commands.

Fig 4: Splunk output.

As you can see from the above example, the event logs being forwarded to Splunk can serve as a good source for tracking any potential compromise. Offloading your event logs to another server also comes in handy if someone tries to cover their tracks by wiping the logs.
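As an added example, not from the post and not part of Splunk or Snare, here is detection logic in Python for the three test actions described above (a service restart, a cmd.exe launch, and a log wipe), run over constructed forwarded event lines. The tab-delimited layout, host and user names are assumptions and not Snare’s real field order; the event IDs 7036, 4688 and 1102 are standard Windows ones.

```python
import re
from dataclasses import dataclass

# Constructed sample of forwarded Windows events in a simplified tab-delimited
# layout (host, log, event id, source, user, message). This is NOT Snare's real
# field order; map the real one from the Snare manual for your version.
SAMPLE_EVENTS = """\
DMZWEB01\tSystem\t7036\tService Control Manager\tSYSTEM\tThe Apache2.2 service entered the stopped state.
DMZWEB01\tSystem\t7036\tService Control Manager\tSYSTEM\tThe Apache2.2 service entered the running state.
DMZWEB01\tSecurity\t4688\tMicrosoft-Windows-Security-Auditing\tDMZWEB01\\webadmin\tA new process has been created. New Process Name: C:\\Windows\\System32\\cmd.exe
DMZWEB01\tSecurity\t4688\tMicrosoft-Windows-Security-Auditing\tDMZWEB01\\webadmin\tA new process has been created. New Process Name: C:\\Windows\\System32\\whoami.exe
DMZWEB01\tSecurity\t1102\tMicrosoft-Windows-Eventlog\tDMZWEB01\\webadmin\tThe audit log was cleared.
"""

# Interactive shells whose launch on a DMZ web server deserves a look (constructed list).
SHELL_PROCESSES = {"cmd.exe", "powershell.exe"}
PROCESS_RE = re.compile(r"New Process Name:\s*(\S+)")

@dataclass
class Event:
    host: str
    log: str
    event_id: int
    source: str
    user: str
    message: str

@dataclass
class Alert:
    host: str
    severity: str
    rule: str
    detail: str

def parse_events(text):
    """Split forwarded lines into Event records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 5)
        if len(parts) != 6 or not parts[2].isdigit():
            continue
        host, log, eid, source, user, message = parts
        events.append(Event(host, log, int(eid), source, user, message))
    return events

def evaluate(events):
    """Three rules matching the test actions in this post: a service stop (7036),
    an interactive shell launch (4688) and a Security log wipe (1102)."""
    alerts = []
    for ev in events:
        if ev.event_id == 1102:
            # The local log is gone, but the collector keeps everything forwarded before it.
            alerts.append(Alert(ev.host, "high", "audit-log-cleared",
                                f"{ev.user} cleared the Security log"))
        elif ev.event_id == 7036 and "stopped state" in ev.message:
            alerts.append(Alert(ev.host, "medium", "service-stopped", ev.message))
        elif ev.event_id == 4688:
            m = PROCESS_RE.search(ev.message)
            if m and m.group(1).rsplit("\\", 1)[-1].lower() in SHELL_PROCESSES:
                alerts.append(Alert(ev.host, "medium", "shell-launched-on-dmz-host",
                                    f"{ev.user} started {m.group(1)}"))
    return alerts

if __name__ == "__main__":
    for a in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"[{a.severity}] {a.host} {a.rule}: {a.detail}")
```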

So start monitoring and have fun with it!

Apr 22 2010

NetMRI Configuration Management

Below are the steps needed to back up the configuration on a router or switch using the NetMRI appliance. Steps 1-4 are the starting point for executing any job via the configuration manager; other scripts might require a few more steps.

  1. Log into the NetMRI appliance (http://netmri).
  2. Click on the “Configuration Management” tab.
  3. Click on the “Job Management” sub-tab on the left, then select the Scripts tab; the script to back up the IOS config is called “Backup IOS Config”.
  4. Before you execute this, decide whether you want to create a scheduled job or run the job right now. If you choose to run the job right now, follow the steps below:
    1. Click on the “Run Now” action.
    2. Select the devices that you would like to back up, either by choosing the group “routing/switching” under the “Device Groups” tab (Option A) or by clicking the “Devices” tab and manually selecting one or more devices for the script to target (Option B), then select the “Run” button.
  5. Lastly, enter the name/IP address of the TFTP server that you would like to back up the config files to, and press OK to proceed.
  6. Once the job has completed, check the status tab: a red X together with the message “error” indicates that one or more jobs were not processed.

Just click on the job name, then the Details tab, and look for the device that has the error. You can then click on the “error” link for further details as to why the job did not run on the device in question.

Next, click on the status log tab to look at the detailed error; in this case the NetMRI appliance was unable to connect to SW02 via SSH since this switch does not support SSH.

Note:

You can also schedule these jobs instead of running them manually. Have fun, and remember to back up your configs, because you never know when you will need them.

Mar 18 2010

Troubleshooting Configuration Management NetMRI


Problem: While configuring our NetMRI appliance I noticed that I was unable to view the configuration for several of our routers and switches. If I looked under Network Explorer --> Devices --> Entire Network I could see I had 20 devices, but under the “Configuration Management” tab I was only able to see 6 devices.

Fig 1

Fig 2

After clicking on one of the devices from within the “Network Configuration” tab and selecting the “Errors” option, I was greeted with the below message:

Fig 3

Solution:
After receiving the above error I knew it was time to log into this switch and re-configure the SSH RSA key.

Switch commands to delete the SSH RSA key and then generate a new one:

config t
no crypto key rsa  (naturally you would think this is the command, but it's not; instead it tells you the correct command)
crypto key zeroize rsa
crypto key generate rsa
1024  (when asked for the RSA key size in bits)
wr mem

Once that's done, the next step is to log into the NetMRI appliance to reset the authentication information and update the device. This will occur automatically after 24 hours, or you can do it manually by navigating to Network Explorer --> Devices, then clicking on the device in question and going to the "Settings" tab --> "Config File Collection"; click "Reset Authentication Info", then "Update", and lastly "Get Configs".

Check your error tab again for good measure; if all goes well, look under the config tab and you should now be able to manage the configuration on this device.

Mar 15 2010

All Things SNMP

I am working on a project whereby I have to configure our entire network infrastructure and a few high-profile servers to be monitored by NetMRI and our Orion. Since most of our devices were already being monitored by several other systems in the past, I will try to illustrate the approach I took while doing this project.
Phase 1 (Backup and Cleanup)
It’s extremely important to back up your current running configuration before making any changes, and if you do have to make changes, try to do them off hours so that if something goes wrong you won’t get a million calls coming into the HelpDesk from angry workers. Before attempting the steps below you will need to set up a TFTP server on your computer; here is a link to one of my favorites: http://tftpd32.jounin.net/.
  1. At the Router> prompt, issue the enable command, and provide the required password when prompted. The prompt changes to Router#, which indicates that the router is now in privileged mode.
  2. Copy the running configuration file to the TFTP server:

CE_2#copy running-config tftp:
Address or name of remote host []? 64.104.207.171
Destination filename [ce_2-confg]? backup_cfg_for_my_router
!!
1030 bytes copied in 2.489 secs (395 bytes/sec)
CE_2#

  3. Open the configuration file with a text editor. Search for and remove any line that starts with “AAA”. Note: this step is to remove any security commands that could lock you out of the router.
  4. Copy the configuration file from the TFTP server to a new router in privileged (enable) mode which has a basic configuration:

Router#copy tftp: running-config
Address or name of remote host []? 64.104.207.171
Source filename []? backup_cfg_for_my_router
Destination filename [running-config]?
Accessing tftp://10.66.64.10/backup_cfg_for_my_router…
Loading backup_cfg_for_router from 64.104.207.171 (via FastEthernet0/0): !
[OK - 1030 bytes]

1030 bytes copied in 9.612 secs (107 bytes/sec)
CE_2#

Phase 2 (Configuring Routers/Switches/WLAN Controller)
During this phase, I first logged into each appliance and ran the following commands just to get a quick idea of what user accounts are configured on the device and what the SNMP settings are:
sh run | inc snmp
sh run | inc user
Once I have the above information I can build my configuration file. In our case we are removing the old community strings and SNMP host while at the same time updating the devices with the new information.
=============================
Updating Configuration on Cisco 3560
=============================
config t
no snmp-server community public RO
no snmp-server community private RW
no snmp-server user public public v1
no snmp-server user public public v2c
snmp-server community $y$10g
! "password" stores the credential reversibly (type 0 or type 7); "username ... secret ..." stores a hash instead
username L0gg3r password P@$$\/\/0rd
snmp-server host 192.168.3.6 $y$10g

===================================
Configuring SNMP on the Cisco WLAN controller
===================================

SSH into the controller, then run:
config snmp version v2c enable
config snmp community create $y$10g
config logging syslog host 192.168.3.6  (the maximum number of syslog hosts this controller supports is one)
save config  (answer Y)
You are set!

Once that’s all set up, it’s time to log back into both Orion and the NetMRI appliance and verify it is configured correctly by triggering a few test alerts.
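The sh run | inc snmp and sh run | inc user review from Phase 2 can be scripted. This added Python example (not from the post and not Cisco tooling) audits a constructed running-config excerpt for default or read-write community strings, communities with no manager ACL, and local users stored with a reversible password rather than secret, then emits the cleanup commands; restricting the kept community to the manager’s address with a standard ACL is an extra hardening step the post itself does not take. The community strings, user names, ACL number 99 and manager address are assumptions.

```python
import re

# Constructed excerpt of "show running-config" from a Cisco IOS switch in the
# state this post starts from; strings, users and the ACL number are made up.
SAMPLE_RUNNING_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community Pr0dM0n RW 10
snmp-server community $y$10g
snmp-server host 192.168.3.6 $y$10g
username admin privilege 15 password 7 0822455D0A16
username L0gg3r password Pl4inT3xt
username netops secret 5 $1$abcd$placeholderhashvalue
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?$")
USER_RE = re.compile(
    r"^username (?P<user>\S+)(?: privilege \d+)? (?P<kind>password|secret)(?: (?P<type>\d))? \S+$")

def audit_communities(config):
    """One record per community string: its mode, its ACL and why it is a concern."""
    out = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        mode = m["mode"] or "RO"  # IOS treats an unqualified community as read-only
        findings = []
        if m["name"].lower() in DEFAULT_COMMUNITIES:
            findings.append("well-known default community string")
        if mode == "RW":
            findings.append("read-write: allows configuration changes over SNMP")
        if m["acl"] is None:
            findings.append("no access-list limits which managers may poll")
        out.append({"name": m["name"], "mode": mode, "acl": m["acl"], "findings": findings})
    return out

def audit_users(config):
    """Local users whose password is stored reversibly (type 0 plaintext or type 7)."""
    weak = []
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m and m["kind"] == "password":
            weak.append((m["user"], m["type"] or "0"))
    return weak

def cleanup_commands(communities, keep, manager_ip, acl_number):
    """IOS commands that drop every community not in `keep` and re-add the kept
    ones read-only, restricted to the SNMP manager's address."""
    cmds = ["config t", f"access-list {acl_number} permit host {manager_ip}"]
    for c in communities:
        if c["name"] in keep:
            cmds.append(f"snmp-server community {c['name']} RO {acl_number}")
        else:
            cmds.append(f"no snmp-server community {c['name']}")
    return cmds

if __name__ == "__main__":
    comms = audit_communities(SAMPLE_RUNNING_CONFIG)
    for c in comms:
        print(f"{c['name']} ({c['mode']}, acl={c['acl']}): {'; '.join(c['findings']) or 'ok'}")
    for user, ptype in audit_users(SAMPLE_RUNNING_CONFIG):
        print(f"user {user}: reversible password type {ptype}")
    print("\n".join(cleanup_commands(comms, {"$y$10g"}, "192.168.3.6", 99)))
```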

Additional Information
In the end your logs are only useful if someone actually looks at them!

Feb 05 2010

Configuring a NetMRI Appliance

I am currently in the middle of a project that involves configuring a NetMRI appliance and an accompanying event collector. So far I have finished configuring the appliance along with a test switch (Cisco 3560). This blog posting will briefly go over some of the steps I took to accomplish this task.

What is NetMRI?
NetMRI enables organizations to take control of network configurations and changes, making it easy to identify hard-to-find configuration problems that are lurking in the network and meet internal standards and external compliance requirements. Instead of just logging changes, NetMRI utilizes built-in subject matter expertise to audit, analyze and automate network change.

Prior to starting the configuration process for the NetMRI appliance you need to install an SSH client and have a crossover cable, or a switch with the correct VLAN configured. NetMRI always listens on the private IP address 169.254.1.1 with subnet 255.255.255.0. Simply configure your machine to 169.254.1.3, or any other address in that range lower than .254, with a subnet of 255.255.255.0.

Once you are finished, try to ping 169.254.1.1. If you are able to communicate with the appliance, use your favorite SSH client to connect to the appliance on port 22 using the credentials admin/admin, and from there run the “configure server” command. During this process you will be asked several questions:

  • Network, server and domain name
  • Two DNS addresses
  • Time server / time zone
  • Management port IP address and gateway
  • Scanning port IP address and gateway, if you choose to use both ports

Once you are finished you can log into the appliance using the newly assigned IP address that was selected during the setup above, e.g. http://172.29.19.4




Select next to continue.

Step 1: Choose a new admin password. Choose a difficult password; since the username can’t be changed, it’s advisable to use a password that’s not easily guessed.

Step 2: License file. Browse to the location on your computer where you have the file and click next.

Step 3: IP Addresses/CIDR Blocks. You can either add a whole subnet or individual IP addresses using a /32 at the end of the IP address.

Step 4: Community Strings. Here is where you enter the string that you will be configuring on your routers and switches.

Step 5: CLI Credentials. Here is where you need to enter the username and password that the NetMRI appliance is going to use to access your infrastructure devices; you will also need to enter your enable password here.

Once you are done click finish.

After the NetMRI setup process has been completed, review the Network Explorer tab > Inventory tab > Devices / Interfaces section > Devices page. If the Default Gateway, CIDR blocks, SNMP credentials and Telnet/SSH credentials were entered correctly, you should start to see devices listed in this table within a few minutes. Periodically refresh your browser to see the progress of the discovery process.

Troubleshooting

If you don’t see any devices within a few minutes, you should verify the accuracy of the network information added during the configuration process as follows:

1. In the NetMRI header panel, click the Settings button. In the menu along the right side of the Settings window, click the Setup section, then click Discovery Settings. Ensure that the given CIDR blocks cover the desired parts of your network. Also, ensure that the Default Gateway is covered by one of the Included CIDR blocks, but not by one of the Excluded CIDR blocks.

2. In the menu along the right side of the Settings window, click Collectors and Groups (just above Discovery Settings). Ensure that SNMP collection is Enabled. In the Settings window, click SNMP Credentials and verify that the community strings for your network devices are entered properly (e.g., check spelling and case-sensitivity).

3. If NetMRI was configured using a crossover Ethernet cable and NetMRI was not on the network following completion of the configuration process, then NetMRI may not have been successful in its initial probes of the network. Navigate to Settings > Settings section > Discovery Settings page and click the Reset Discovery Counters button (below the table) to kick off the initial network probes again, then continue to monitor the discovery process as before.

Any changes made using the forms described above will be automatically used by the discovery process. If the new information is correct, you should start to see devices appearing in the table at Network Explorer tab > Inventory tab > Devices / Interfaces section > Devices.
Cisco Device Configuration

======================================
Create Username on the Cisco 3560 switch
======================================
username mriuser password 7
aaa new-model
aaa authentication login default local

======================================
Configure SNMP on the Cisco Catalyst 3560
======================================
config t
snmp-server group nmri v2c read mrigp
snmp-server community mr131 RO
snmp-server user mriuser nmri v2c
snmp-server enable traps syslog

Doing an SNMP Walk

In order to do an SNMP walk you need to replace the root OID “system” with 1.3.6.1.2.1.1.
Reference links:

