Monday, 28 May 2018

BGP route injection - extending VIRL externally


This simulation is a demonstration of route injection in a BGP network with 6 ASes, which I demonstrated at CrikeyCon 2018. However, at that time I hadn't been able to extend outside of the VIRL environment, so I had to browse via wget commands on the server CLI.

Today I had the time to configure my VIRL instance to extend to outside the environment to external devices (in this case a Windows VM).

In retrospect, this wasn't very difficult, but there is very little clear documentation on how to do this. The steps to achieve this were:

1. Configure the flat network under the VIRL web GUI. Here we specify the IP address range of the external network and the interface on the VIRL VM/machine that we want to link to the external connection. Note down the flat network address.



3. On the VIRL CLI we now find the bridged interface that has been allocated the flat IP address 172.16.1.254:

virl@virl:~$ ifconfig
br1       Link encap:Ethernet  HWaddr 00:0c:29:37:1c:0e
          inet addr:172.16.1.254  Bcast:172.16.1.255  Mask:255.255.255.0


4. Then make sure eth1 has been associated with the appropriate bridge:

virl@virl:~$ brctl show
bridge name     bridge id               STP enabled     interfaces
br1             8000.000c29371c0e       no              dummy1
                                                        eth1


If this isn't the case, run brctl addif br1 eth1 and check again.

5. Add a flat device to your simulation. If connecting to a Linux server and wanting to access the rest of the network, make sure you enable routing (IPv4 forwarding and iptables rules).


6. Ensure the network is configured to use the flat network that you've just set up.


7. When the simulation starts you should be able to attach to eth2 however you intend to, and ping/ssh to every device in your simulation (provided you have set up routing within the simulation to enable this).
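As an added check for step 4 (example code written for this page, not from the post or from VIRL), here is a small parser for brctl show output that copes with member interfaces continuing on their own lines, as eth1 does above, and returns the brctl addif command to run when the interface is not attached. The sample output is constructed.

```python
# Constructed sample of `brctl show` output, shaped like the one in step 4:
# a bridge's extra member interfaces appear on continuation lines whose
# bridge-name, bridge-id and STP columns are blank.
BRCTL_SHOW = """\
bridge name     bridge id               STP enabled     interfaces
br1             8000.000c29371c0e       no              dummy1
                                                        eth1
br2             8000.000c29371c0f       no
"""


def parse_brctl_show(output: str) -> dict:
    """Return {bridge_name: [member interfaces]}, handling continuation lines."""
    bridges, current = {}, None
    for line in output.splitlines()[1:]:          # skip the column header
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:   # continuation: port only
            bridges[current].append(line.strip())
            continue
        cols = line.split()
        current = cols[0]
        bridges[current] = cols[3:4]               # [] when the bridge has no ports
    return bridges


def bridge_check(output: str, bridge: str = "br1", iface: str = "eth1"):
    """Step 4's check as (ok, message); when the port is missing, message is the fix."""
    members = parse_brctl_show(output).get(bridge)
    if members is None:
        return False, "bridge %s does not exist" % bridge
    if iface in members:
        return True, "%s is attached to %s" % (iface, bridge)
    return False, "brctl addif %s %s" % (bridge, iface)
```

Feed it the real output with parse_brctl_show(subprocess.check_output(["brctl", "show"], text=True)) on the VIRL host.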



I wish someone had walked me through this last Feb when I was fairly time-poor, but now it's done. I hope it helps someone. Happy simulating!!

Sunday, 6 May 2018

Getting Familiar with Scapy

https://blogs.sans.org/pen-testing/files/2016/04/ScapyCheatSheet_v0.2.pdf

Navigating Classes/Layers:

Check the details of each class/layer using ls():

>>> ls(IP)
version    : BitField             = (4)
ihl        : BitField             = (None)
tos        : XByteField           = (0)
len        : ShortField           = (None)
id         : ShortField           = (1)
flags      : FlagsField           = (0)
frag       : BitField             = (0)
ttl        : ByteField            = (64)
proto      : ByteEnumField        = (0)
chksum     : XShortField          = (None)
src        : Emph                 = (None)
dst        : Emph                 = ('127.0.0.1')
options    : PacketListField      = ([])


Check the commands available using lsc().

The format is command(packet).

Sending a Packet:


>>> pkt=IP(dst="google.com")/ICMP()

sr - send & receive (layer 3)
srp - send & receive at layer 2

>>> sr1(pkt)
Begin emission:
..................Finished to send 1 packets.
........................................................................................................................................................................................................................................................................................................................................................................................................................^C
Received 426 packets, got 0 answers, remaining 1 packets

sr1 - send and receive 1 packet: sends one packet and waits for one response.

Using send will just send the packet and not wait for a response:
>>> send(pkt)
.
Sent 1 packets.


Using sendp sends the packet at layer 2 (all functions ending in p work at layer 2), so the packet would normally be built with an Ether() layer first, e.g. Ether()/IP()/ICMP():
>>> sendp(pkt)
.
Sent 1 packets.

To see the result: sr always returns a tuple of (answered, unanswered) packets.
>>> (ans,unans) = sr(IP(dst='google.com')/ICMP())

Iterations: a packet whose field holds a range (here a /28) expands to one packet per value:
>>> pkts = IP(dst='192.168.0.0/28')
>>> [pkt for pkt in pkts]
[<IP  dst=192.168.0.0 |>, <IP  dst=192.168.0.1 |>, <IP  dst=192.168.0.2 |>, <IP  dst=192.168.0.3 |>, <IP  dst=192.168.0.4 |>, <IP  dst=192.168.0.5 |>, <IP  dst=192.168.0.6 |>, <IP  dst=192.168.0.7 |>, <IP  dst=192.168.0.8 |>, <IP  dst=192.168.0.9 |>, <IP  dst=192.168.0.10 |>, <IP  dst=192.168.0.11 |>, <IP  dst=192.168.0.12 |>, <IP  dst=192.168.0.13 |>, <IP  dst=192.168.0.14 |>, <IP  dst=192.168.0.15 |>]
>>>
 

Reading/logging traffic:


Sniff packets on the interface:

>>> pkts = sniff(count=24)
>>> pkts
<Sniffed: TCP:19 UDP:4 ICMP:0 Other:1>
Write the packets to a pcap file:

>>> wrpcap('./cap.pcap', pkts)
 

Read the pcap file back into an rpkts variable:

>>> rpkts = rdpcap('./cap.pcap')
>>> rpkts
<cap.pcap: TCP:19 UDP:4 ICMP:0 Other:1>
Use str() or hexdump() to see the raw bytes of a packet as well (raw() in current Scapy versions).
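To show what wrpcap/rdpcap and the raw-bytes view above are actually handling, here is an added example (not from the post and not Scapy's own code) that hand-builds the bytes of IP()/ICMP() with real header checksums, writes them to a classic libpcap file, reads the file back and decodes the fields ls(IP) lists. Packet contents, timestamp and file path are constructed; the file is written to the system temp directory.

```python
import os, socket, struct, tempfile

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps
LINKTYPE_RAW = 101       # records start at the IP header (no Ethernet frame)
CAP_PATH = os.path.join(tempfile.gettempdir(), "cap.pcap")

def inet_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum; Scapy fills chksum=None with this value
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(src: str, dst: str, payload: bytes = b"scapy") -> bytes:
    # Constructed sample: the bytes IP(src,dst)/ICMP() serialises to (ttl 64, id 1)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + icmp

def wrpcap(path: str, pkts, linktype: int = LINKTYPE_RAW) -> None:
    with open(path, "wb") as f:   # 24-byte global header, 16-byte record headers
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts, pkt in pkts:
            f.write(struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt)

def rdpcap(path: str):
    # Returns (linktype, [(ts, bytes), ...]); rejects files whose magic differs
    with open(path, "rb") as f:
        magic, *_, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC:
            raise ValueError("unsupported pcap magic 0x%08x" % magic)
        pkts = []
        while len(rec := f.read(16)) == 16:
            ts, _usec, caplen, _wirelen = struct.unpack("<IIII", rec)
            pkts.append((ts, f.read(caplen)))
    return linktype, pkts

def summarize_ipv4(pkt: bytes) -> dict:
    # The fields ls(IP) lists, plus a check that the stored checksum verifies
    v_ihl, _tos, length, _id, _ff, ttl, proto, _chk, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"version": v_ihl >> 4, "len": length, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "chksum_ok": inet_checksum(pkt[:(v_ihl & 0x0F) * 4]) == 0}

def roundtrip(path: str = CAP_PATH):
    wrpcap(path, [(1527465600, build_icmp_echo("192.168.0.1", "8.8.8.8"))])
    return [summarize_ipv4(p) for _, p in rdpcap(path)[1]]
```

The file roundtrip() writes opens in Wireshark or Scapy's rdpcap as a single ICMP echo request.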


Fuzzing:

Verify which fields will be fuzzed by doing something similar to:

>>> (IP(dst='8.8.8.8')/fuzz(UDP()/BOOTP())).show()


State machine!!
http://www.secdev.org/projects/scapy/doc/advanced_usage.html#automata


Network Fuzzing with AFL

Download, extract and make afl:

tar xvzf afl-latest.tgz
cd afl-2.35b/
make

Download, extract and make Wireshark with afl (the cc1plus symlink is the workaround the author used when the C++ compiler driver was missing; that path is specific to the gcc install on that box):

tar xaf wireshark-2.2.1.tar.bz2
ln -s /usr/libexec/gcc/x86_64-redhat-linux/5.3.1/cc1 /usr/bin/cc1plus

cd wireshark-2.2.1/
CC=/root/afl-2.35b/afl-gcc CXX=/root/afl-2.35b/afl-g++ ./configure
make clean all

Capture and save SNMP packets with Wireshark on an alternate box; these become the seed test cases in the -i directory below.



afl-fuzz writes each mutated input to the -f file and substitutes its path for @@, and tshark reads a capture file with -r:

/root/afl-2.35b/afl-fuzz -m 500 -f /root/afl-2.35b/mutated-data/data.pcap -i /root/afl-2.35b/testcases/pcap/snmp/ -o /root/afl-2.35b/findings_dir/ .libs/tshark -r @@


On first appearance, it seems afl is mutating the PCAP structure rather than the SNMP structure :((
Look at the dictionary definitions for SNMP and let it run for longer to see if better results are generated.

Get better input by using snmpwalk.

Photo Journey


2016 - Opening Ceremony of the first BSides Canberra

2015 - Sydney CCIE bootcamp:



2012 - Participating in my first CTF - Ruxcon

1995 - ANU hosting Women in Engineering

Me on far left in black