Monday 30 September 2013

Penetration Test results (interpreting results) Open-Filtered Ports

Recently we had a penetration test done. I am not going to mention company names here; I will write just about the results.

I asked them to check our public IPs and every service facing the Internet, then our Wi-Fi, and finally our internal office Windows domain.

I knew there were many problems and potentially many holes. I inherited this network and I don't think it was set up with security in mind. Something equally important to note: if a company is not willing to participate and embrace security, there is very little that can be done; directors and all managers at the top need to accept security as an important step. Security is not about preventing anyone from working, but about giving a company a degree of digital/online stability. Knowing where the holes are is surely better than not knowing; at least you won't be caught by surprise.

The test took around three days, and literally the only information I provided was the public IP addresses.

Port 445 Open-Filtered

One thing in particular I want to talk about: our office firewall was diagnosed with port 445 (SMB) as Open-Filtered.

I asked the security team which did the pen test, and they said: “If the port is filtered, it does mean it is open. Maybe nothing is listening, but the port is definitely open.”

This is a serious finding and it needs a full investigation. My boss and Operations pushed me to dig into it and get it sorted.

Action Plan

Review the firewall configuration thoroughly and check any references to port 445.

I disabled all unnecessary rules and checked the open ports once again with nmap. This time I could verify the result myself, and it was the same: port 445 Open-Filtered. I could not believe it.

I could not find anywhere in the firewall a rule which explicitly opened, forwarded, or NATed port 445.

I downloaded a program called Nipper (see https://www.titania-security.com/), exported the configuration from the firewall and parsed it, and found no indication that port 445 was actually open.

Block Port 445

I decided to explicitly create a rule to block port 445. With the rule in place, I used nmap once again to check for open ports and, once again to my surprise, nmap showed port 445 Open-Filtered.

There was no way port 445 was open! I decided to Google it, and I vaguely remembered something about ISPs filtering port 445.

In 2004 there was an outbreak of a virus which propagated itself by exploiting port 445 (SMB). This is the port Microsoft Windows machines use to communicate with each other on a network and to access shares.

Because of this outbreak, firewall vendors decided it was a better approach to simply filter this port instead of blocking it, since blocking it makes the firewall use more CPU and memory.

So finally I got to the bottom of it and understood the real result. nmap reports a port as Open-Filtered when its probes get no response at all, so it cannot tell an open port that stays silent from one whose packets are silently dropped somewhere upstream. Port 445 was actually being filtered at a higher level, by our ISP, which is good.

So if you come across ports reported as Open-Filtered, I would recommend the following:

1. Review your firewall configuration

2. Check with your ISP

3. Get in touch with your firewall vendor and ask them to clarify it for you
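As an added example (not part of the original post), here is a small Python script that parses nmap's grepable (-oG) output and attaches the follow-up steps above to each port state, so that an Open-Filtered result is flagged as inconclusive instead of being read as an open port. The scan output and the address 203.0.113.10 are constructed for the example.

```python
import re

# Constructed sample of nmap -oG output (not real scan data); 203.0.113.10 stands in for the firewall's public IP.
SAMPLE_OG = (
    "# Nmap 6.40 scan initiated Mon Sep 30 2013 as: nmap -oG - 203.0.113.10\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "445/open|filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\n"
    "# Nmap done at Mon Sep 30 2013 -- 1 IP address (1 host up) scanned in 2.10 seconds\n"
)

# What each nmap port state means and the follow-up the action plan above calls for.
ADVICE = {
    "open": "confirmed open: an explicit allow, forward or NAT rule must account for it",
    "closed": "reachable but nothing listening: filter it unless the host must be exposed",
    "filtered": "a filter stopped the probe (an open port would have answered): find which device",
    "open|filtered": ("no response, and for this scan type an open port is silent too, so nmap "
                      "cannot tell them apart: review firewall rules, then ask the ISP and vendor"),
}

PORTS_RE = re.compile(r"^Host: (\S+) \(.*?\)\tPorts: (.*?)(?:\t|$)", re.M)

def parse_grepable(text):
    """Return {host: [(port, proto, state, service), ...]} parsed from -oG text."""
    results = {}
    for host, ports in PORTS_RE.findall(text):
        for entry in ports.split(", "):
            # Each entry has 7 slash-separated fields: port/state/proto/owner/service/rpc/version
            f = entry.split("/")
            if len(f) < 5:
                continue
            results.setdefault(host, []).append((int(f[0]), f[2], f[1], f[4]))
    return results

def triage(results):
    """Attach the meaning of each state and the recommended follow-up to every port."""
    findings = []
    for host, entries in results.items():
        for port, proto, state, service in entries:
            findings.append({
                "host": host, "port": port, "proto": proto, "service": service,
                "state": state, "inconclusive": state == "open|filtered",
                "advice": ADVICE.get(state, "unexpected state: rerun with nmap --reason"),
            })
    return findings

if __name__ == "__main__":
    for f in triage(parse_grepable(SAMPLE_OG)):
        flag = "!!" if f["inconclusive"] else "  "
        print(f"{flag} {f['host']} {f['port']}/{f['proto']} {f['state']}: {f['advice']}")
```

Running nmap with --reason on the same target shows why each port got its state (for example "no-response"), which is the quickest way to confirm that an Open-Filtered result really is silence rather than a listening service.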


Some links for you to research

By Renato Oliveira

How to compress on the fly with maximum compression (Linux)

For example:

# tar cvf - /etc | gzip -c -9 > etc.tar.gz

What the command above is doing:

tar - packs files and directories into a single archive.
cvf - flags passed to tar: Create an archive, be Verbose, and write it to the File named next.
- (dash) as the file name tells tar to write the archive to standard output instead of a file on disk.
/etc is the folder to be archived.
| (pipe) passes the output of tar to the next command.
gzip is the compression tool.
-c tells gzip to write the compressed data to standard output (compressing is its default action).
-9 selects maximum compression (slowest, smallest output).
> redirects the output to a file, in this case "etc.tar.gz".

I hope this will be helpful to you and the explanation makes sense.

by Renato de Oliveira

Red Hat CDRom repository

How to setup a local repository to fetch packages from CDRom

Sometimes you want to install a package and have its dependencies resolved automatically, but you don't have a server which can be used as a repository. In that case you can use your installation media (the install CD or DVD) as a repository.

# mkdir /media/cdrom
# mount /dev/cdrom /media/cdrom
# vi /etc/yum.repos.d/cdrom-repo.repo

Now type in the following text and save the file (yum only reads files in /etc/yum.repos.d/ whose names end in .repo, so the extension matters):

[cdrom-repo]
name=CDRom-Repo
baseurl=file:///media/cdrom/
enabled=1
gpgcheck=0

gpgcheck=0 turns off package signature verification for this repository; that is tolerable only because the source is physical media you control, and it should not be copied into repository files that point at the network.

Check that the new repository is listed:

# yum repolist

Melado de Branco (Coated in White)

Today I woke up
Looked out the window
Saw everything coated in white
Everything seemed asleep
Everything seemed calm and peaceful
The ground, the trees, the sky
All painted white
The view is different from reality
Where Nature calms down
And time passes slowly
Each animal wraps itself up
And gets ready to rest
The trees lose their leaves
So as not to waste energy
The sun says a timid hello
Disappears quickly
And night takes over the day
Animals wrap up warm
Hide and get ready
For one more cycle of life
A life we follow at a different pace
A hurried step
Rushed thought
Often tormented
By the speed of progress
We forget nature
We ignore the beauty
We ignore our own cycle
And quicken our step
We don't even know where we're going
Or where we want to arrive
Cars, traffic, horns
Work, stress, life!
Life?! What is life?
Is it nature, coated
And painted white
With its calm cycle
And its slow pace
Or this modernity
In a hurry to get nowhere
This obsession with having
With owning
With going out there
To see what one does not know
When one does not know oneself
Everything is coated in white
There are two worlds
They are so unequal
One cultivates chaos
The other cultivates peace
I wish I were coated in white
Like the trees out there
I wish I followed the cycle of life
And felt in harmony with nature

A young Linux consultant in the newspaper

Back in 1998 I migrated around 100 NT servers and workstations to Linux. This was a big achievement in my career, and it came just two years before I moved to England.
It made the front page of the IT news section of the major papers in my city; see below:

Set Up a LAB with Juniper SRX

Recently I had to set up a lab environment, and our firewall is a Juniper SRX 240.
These devices have 16 Gigabit interfaces and, believe it or not, you can give each interface its own IP address in a completely separate network. I think it is great!

In my lab I am using an SRX100, which comes with 8 Fast Ethernet interfaces. This is a very good, cheap and reliable device for branch offices and also very suitable for a lab environment.

Setting up an Interface on a Separate Network on Juniper SRX
I decided to use interface fe-0/0/3, which is free, so first we need to check whether any configuration is already applied to that specific interface.
To configure a Gigabit interface, replace fe-0/0/3 with ge-0/0/3, for example.

Check existing config
admin@srx100-01# run show configuration | display set | match fe-0/0/3

You should see the following output:
set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all

Delete existing configuration
delete interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
delete interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
delete security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic system-services all
delete security zones security-zone trust interfaces fe-0/0/3.0 host-inbound-traffic protocols all


Save Config
admin@srx100-01# commit

Check interface config once more
admin@srx100-01# run show configuration | display set | match fe-0/0/3


You should see the following output:
set interfaces fe-0/0/3 unit 0 family ethernet-switching
set security zones security-zone trust interfaces fe-0/0/3.0


Delete the config once more
admin@srx100-01# delete interfaces fe-0/0/3 unit 0 family ethernet-switching
admin@srx100-01# delete security zones security-zone trust interfaces fe-0/0/3.0

Save Config
admin@srx100-01# commit

Check the config for once more
admin@srx100-01# run show configuration | display set | match fe-0/0/3

You should see the following output:
set interfaces fe-0/0/3 unit 0

Delete the config once more
admin@srx100-01# delete interfaces fe-0/0/3 unit 0


Save config
admin@srx100-01# commit

Finally, let's configure the interface for our LAB

Set an IP for the Interface
admin@srx100-01# set interfaces fe-0/0/3 unit 0 family inet address 192.168.20.1/24

Set a security ZONE called LAB and assign the interface to it
admin@srx100-01# set security zones security-zone LAB interfaces fe-0/0/3.0

Create a security POLICY to allow Internet access (or access to any other ZONE you need)
set security policies from-zone LAB to-zone untrust policy LABPol match source-address any
set security policies from-zone LAB to-zone untrust policy LABPol match destination-address any
set security policies from-zone LAB to-zone untrust policy LABPol match application any
set security policies from-zone LAB to-zone untrust policy LABPol then permit

Create a source NAT rule-set to allow access from zone LAB to untrust

set security nat source rule-set LABNatOut from zone LAB
set security nat source rule-set LABNatOut to zone untrust
set security nat source rule-set LABNatOut rule LABNatrule match source-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule match destination-address 0.0.0.0/0
set security nat source rule-set LABNatOut rule LABNatrule then source-nat interface

Save config
admin@srx100-01# commit

Once the configuration has been committed, you are ready to start using it. You can plug a server directly into the new interface you have just set up, or plug the interface into a switch to give you more available ports.

Set any server or PC connected to it with an IP within the 192.168.20.0/24 range; the gateway will be 192.168.20.1.

That is it: you should have a brand new isolated network within your Juniper SRX. One caveat: the host-inbound-traffic statements we deleted from the trust zone earlier are what let the SRX itself answer ping or management connections on an interface, and the new LAB zone has none, so hosts in LAB will reach the Internet through the policy and NAT rule but will get no reply from 192.168.20.1 itself until you permit the system services you need on the LAB zone.