Friday, September 6, 2013

Cisco SNMP v3 settings for PacketFence using clogin via Rancid

First off, could I really fit any more key words into the post title?

Secondly, I'm fairly new to scripting and linux in general. So forgive me if I get some terms or other stuff way wrong. I've recently been tasked with setting up a NAC (Network Access Control) for our network. We're starting small, only conference rooms at first. We have around 40 or so conference rooms, I think.... The goal is to use PacketFence by Inverse to allow guests and vendors access to our guest network, and employees access to our internal network.

PF will allow you to push switch VLAN changes via SNMP, but one of the big hurdles for me was the SNMP v3 setup since I've never set it up before. After figuring it out on a single switch I realized that I didn't want to manually make changes to all of our Cisco switches, which led me to clogin, which comes with Rancid (Really Awesome New Cisco confIg Differ). clogin will allow you to make multiple changes, using a command file, to the switch(es) of your choosing.

Third, I hope you enjoy my liberal use of smudgery.

Step 1: Install Rancid: http://www.shrubbery.net/rancid/RhysEvans_overview_0.3.pdf
Step 2: Set up the switch in PF:

Step 3: Set up the .cloginrc file
This file (under root) holds all of the usernames/passwords that clogin will use when attempting to auth to a device. We use SSH on everything and set up a TACACS account specifically for PacketFence testing. This is what I've added to the bottom of .cloginrc:


add user * {PFTestAccount}
add userpassword * {TermPassword} {EnablePassword}
add password * {TermPassword} {EnablePassword}
add method * ssh telnet

Step 4: Send global switch commands via clogin. In the default setup clogin is located under /usr/local/rancid/bin and must be run as the user rancid if you've followed the instructions above.

Global commands, saved in SNMPv3.txt:

snmp-server engineID local 123450000000000000000000
snmp-server group PFREADGROUP v3 priv notify *tv.00000000.00000000.00000000.0
snmp-server group PFWRITEGROUP v3 priv read PFREADVIEW write PFWRITEVIEW
snmp-server community PFREADWRITESTRING RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 2
snmp-server host 172.16.x.x OtherCorpReadOnlyString
snmp-server host 172.16.x.y version 3 priv PFREADUSER port-security

Clogin command: 

./clogin -x /usr/local/rancid/scripts/SNMPv3.txt 172.16.x.y

Result:

Step 5: Interface config:
Now there are a couple of ways we could go with this. We could include this config with clogin as long as we could pick the same port on every switch; I have yet to find a way to prompt for each switch with my limited knowledge. Or, the way I'll be doing it: going through and finding out which port on which switch I need set up, and creating a different command file for clogin to pull from. It's probably not the best way, but still better than logging manually into each switch and running every command.


## mac-address should follow this format: fa0/1...fa0/48 = 10001...10048
## or gi0/1.....gi0/48 = 10101....10148
## vlan 311 is the PF Registration vlan

int fa1/0/46
 switchport access vlan 311
 switchport mode access
 switchport port-security maximum 2 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0046 vlan access
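As an added example (my own sketch, not the post's script) of the per-switch command files Step 5 describes: a POSIX sh generator that reads a constructed "switch, interface, port number" list, derives the fake port-security MAC from the 5-digit port number the comment above describes (that number is the port's SNMP ifIndex, so 10046 becomes 0200.0001.0046 as in the block above), and writes one clogin command file per switch for the clogin -x call from Step 4. The 172.16.0.x addresses and the ifIndex values are assumptions; check each switch's real values with "show snmp mib ifmib ifindex" before pushing anything.

```shell
#!/bin/sh
# Added example, not the post's own script: one clogin command file per switch.
PF_REG_VLAN=311   # PF registration VLAN, from the post's comment

# pf_fake_mac IFINDEX -> 0200.xxxx.xxxx, the ifIndex zero-padded to 8 digits
# (10046 -> 0200.0001.0046, matching the post's example for fa1/0/46)
pf_fake_mac() {
    printf '0200.%04d.%04d' "$(( $1 / 10000 ))" "$(( $1 % 10000 ))"
}

# port_config IFNAME IFINDEX -> the interface block the post applies by hand
port_config() {
    cat <<EOF
int $1
 switchport access vlan $PF_REG_VLAN
 switchport mode access
 switchport port-security maximum 2 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address $(pf_fake_mac "$2") vlan access
EOF
}

# Constructed input (not real inventory): "switch-ip interface ifIndex".
# Take the ifIndex from "show snmp mib ifmib ifindex" on each switch.
PORTS='172.16.0.10 fa1/0/46 10046
172.16.0.10 gi1/0/1 10101
172.16.0.11 fa0/12 10012'

# gen_files OUTDIR -> writes OUTDIR/<switch-ip>.txt and prints the file count
gen_files() {
    mkdir -p "$1" && rm -f "$1"/*.txt
    printf '%s\n' "$PORTS" | while read -r sw ifname ifidx; do
        [ -n "$sw" ] && port_config "$ifname" "$ifidx" >> "$1/$sw.txt"
    done
    set -- "$1"/*.txt
    echo $#
}

# push OUTDIR -> run clogin once per switch file (run this as the rancid user)
push() {
    for f in "$1"/*.txt; do
        /usr/local/rancid/bin/clogin -x "$f" "$(basename "$f" .txt)"
    done
}
```

Review each generated file before calling push; a wrong ifIndex produces a fake MAC that never matches what PF expects and the port will flap into the registration VLAN.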





Wednesday, August 14, 2013

1-2-3 SET

So yesterday was my second SE campaign to enlighten a subset of our users. Here is a n00b's guide written by a self-proclaimed n00b....

Intro:

So using The Social Engineering Toolkit has been most of my hands-on knowledge when it comes to anything SE. I've only been using it for around 8 months at this point, and I've learned a little bit. When our company decided that it would be too expensive for regular user training, we decided to try and make things interesting instead. The plan is still forming, but we've gotten good feedback so far.

The Plan:

The idea is to run a blatantly obvious SE attempt at a subset of users each month from a Gmail account. I made the account ourITdepartment@gmail.com. SET will allow you to auth to Gmail to send out the campaign email. The targets will receive a plain HTML email with a link that takes them to a credential harvester embedded in a cloned website of my choosing. After we obtain their credentials, this is what they see:


This slideshow takes them through some normal "don't click shit" information, just in a professional format. I may upload the full slide deck, but it still needs a little work. As time goes on and we get less hits, we'll up the complexity.


First Attempt:

Using ./theHarvester.py from Marcus Carey (@marcusjcarey), I scanned for our domain to pull the first list of users, which got me about 50.

./theHarvester.py -d mydomain.com -l 500 -b google

Every year we fill out an employee survey with a third party company. Since we had just completed it I figured an email about the survey results being in would yield a good hit rate.

The link took them to a clone of Survey Monkey's login page, which yielded a surprising 15/50 credentials being harvested, 3/50 reports of a suspicious email to our helpdesk, and 1 call from a nurse letting us know that she no longer has any respect for us and has lost our trust.

Second Attempt:

To gather a list of users that are more likely to be targeted from the outside we have an active sender list on our postfix mail filtering box. There are about 600 or so that normally get email from outside addresses, out of the 1,400 total mailboxes we have. I took the first 200 this month and will continue on until everyone has been hit with an easy campaign.

At the beginning of the year we switched to an HR system "in the cloud" that uses AD Federated Services to auth our users. I figured a clone of that site would work well, accompanied with this email.


So far we are at 47/200 and they are still rolling in.


1-2-3 SET:

What Comes Next?
So we're currently working on a database that binds to MS Active Directory and stores the results of each month. It would allow us to run reports on the most-phished users, who each campaign hits, etc. All the data from the XML report will be pulled in also.


Wednesday, August 7, 2013

ldap on Apache to MS Active Directory


So I've recently struggled with LDAP syntax in several different programs. Most recently I have set up viewvc on a CentOS box to see config diffs more easily in RANCID. After going around and around, knowing that I've done this in the past and struggled, I finally figured I should have a central repository for all the random things that I do and forget. So here it is: the part of my httpd.conf that allows for LDAP auth to MS Active Directory.

I have yet to understand why some things have quotes and some don't....but it works...so whatever


<Directory "/var/www/cgi-bin">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Location "/">
    AuthType Basic
    AuthName "Whatever You Want Here"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN "CN=ldapuser,OU=Service Accounts,OU=IT,OU=Users,DC=domain,DC=local"
    AuthLDAPBindPassword "InsertPasswordHere"
    AuthLDAPURL "ldap://domain.local/OU=IT,OU=Users,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
    Require ldap-group CN=GroupNameHere,CN=Users,DC=domain,DC=local
</Location>
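As an added example (not from the post), the same Location block with its two cleartext paths closed: the ldap:// URL sends the bind password and every user's Basic-auth credentials to the domain controller unencrypted, and Basic auth over plain HTTP does the same between browser and Apache, so this version uses ldaps:// with the DC certificate verified and refuses non-HTTPS requests. It assumes mod_ssl is loaded, the DC answers LDAPS on 636, and the CA certificate path /etc/pki/tls/certs/ad-ca.pem is a placeholder for wherever you keep the AD CA chain.

```apache
# Added example: hardened variant of the post's Location block.
# Server-level mod_ldap settings: verify the DC's certificate against the
# CA chain (placeholder path) instead of trusting whatever answers on 636.
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem

<Location "/">
    # Reject the request outright unless it arrived over TLS, so the
    # Basic-auth header never crosses the wire in the clear.
    SSLRequireSSL
    AuthType Basic
    AuthName "Whatever You Want Here"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN "CN=ldapuser,OU=Service Accounts,OU=IT,OU=Users,DC=domain,DC=local"
    AuthLDAPBindPassword "InsertPasswordHere"
    # ldaps:// instead of ldap://; everything else in the URL is unchanged.
    AuthLDAPURL "ldaps://domain.local/OU=IT,OU=Users,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
    # AD stores group membership as full DNs in the "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=GroupNameHere,CN=Users,DC=domain,DC=local
</Location>
```

Keep the file containing AuthLDAPBindPassword readable only by root, since ldapuser's password is stored there in plaintext either way.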

Hello World

Creating this blog to document some of the practices, procedures, and tech solutions that I've put into place working in Healthcare IT and IT in general.

I'm a n00b at a lot of things, especially anything *nix related. But through Twitter, Vimeo, and a load of other online help I'm getting a little smarter. One step at a time. :)

You can follow me on Twitter @Infosystir